streamnative · tuteng · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025 · Oct 24, 2025
@@ -10,12 +10,21 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.pulsar_detector.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:
       component: {{ .Values.pulsar_detector.component }}
-{{- end }}
+{{- end }}
@@ -11,13 +11,22 @@ metadata:
 spec:
   action: ALLOW
   rules:
-  - to:
+  - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.functions.ports.http }}"
         {{- if and .Values.tls.enabled .Values.tls.functions.enabled }}
         - "{{ .Values.functions.ports.https }}"
         {{- end }}
+    {{- end }}
   selector:
     matchLabels:
       {{- include "pulsar.template.labels" . | nindent 6 }}

@@ -10,10 +10,19 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.grafana.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

@@ -10,14 +10,24 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - from:
+  - {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.prometheus.authorizationPolicy.from | indent 4 }}
+    {{- else }}
+    from:
     - source:
         namespaces:
         - {{ template "pulsar.namespace" . }}
-  - to:
+    {{- end }}
+    {{- if and .Values.prometheus.authorizationPolicy .Values.prometheus.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.prometheus.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.prometheus.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

@@ -11,14 +11,23 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.proxy.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.proxy.authorizationPolicy .Values.proxy.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.proxy.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "6650"
         - "8080"
         {{- if .Values.proxy.websocket }}
         - "9090"
         {{- end }}
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:

@@ -0,0 +1,29 @@
+#
+# Copyright (c) 2019 - 2024 StreamNative, Inc.. All Rights Reserved.
+#
+
+{{- if and .Values.components.toolset .Values.istio.enabled }}
+{{- if or (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from) (and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to) }}
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
+  namespace: {{ template "pulsar.namespace" . }}
+spec:
+  rules:
+  - {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.toolset.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.toolset.authorizationPolicy .Values.toolset.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.toolset.authorizationPolicy.to | indent 4 }}
+    {{- end }}
+  action: ALLOW
+  selector:
+    matchLabels:
+      {{- include "pulsar.matchLabels" . | nindent 6 }}
+      component: {{ .Values.toolset.component }}
+{{- end }}
+{{- end }}
+
@@ -1411,6 +1411,26 @@ broker:
 ## templates/function-worker-configmap.yaml
 ##
 functions:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default ports (8080, 8443 for HTTPS) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-broker"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["8080", "8443"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["function-worker.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: functions-worker
   enableCustomizerRuntime: false
   useDedicatedRunner: false
@@ -1513,6 +1533,26 @@ functions:
 ## templates/pulsar-detector-statefulset.yaml
 ##
 pulsar_detector:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default port (9000) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-admin"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["9000"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["pulsar-detector.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: pulsar-detector
   replicaCount: 1
   labels: {}
@@ -1586,6 +1626,26 @@ proxy:
   # The template field can totally change the log config of the component. The value is a string, which is the content of the log config file.
     template: {}
 
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default ports (6650, 8080, 9090) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-client"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["6650", "8080", "9090"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics"]
+  #       hosts: ["proxy.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   # use a component name that matches your grafana configuration
   # so the metrics are correctly rendered in grafana dashboard
   component: proxy
@@ -1700,6 +1760,25 @@ proxy:
 ## templates/toolset-deployment.yaml
 ##
 toolset:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # Toolset is a headless service, no default 'to' ports are specified
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/pulsar-admin"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["8080"]
+  #       methods: ["GET", "POST"]
+  #       hosts: ["toolset.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: toolset
   useProxy: false
   installBusybox: true
@@ -1817,6 +1896,25 @@ configmapReload:
 ## templates/prometheus-deployment.yaml
 ##
 prometheus:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'from' is not specified, default will allow from the same namespace
+  # If 'to' is not specified, default port (9090) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["9090"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/metrics", "/api/*"]
+  #       hosts: ["prometheus.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: prometheus
   replicaCount: 1
   scrape:
@@ -1964,6 +2062,26 @@ datadog:
 ## templates/grafana-statefulset.yaml
 ##
 grafana:
+  # Istio AuthorizationPolicy configuration
+  # Configure the 'from' and 'to' sections to restrict sources and operations
+  # If 'to' is not specified, default port (3000) will be used
+  # Example:
+  # authorizationPolicy:
+  #   from:
+  #   - source:
+  #       principals: ["cluster.local/ns/default/sa/grafana-user"]
+  #   - source:
+  #       namespaces: ["pulsar"]
+  #   to:
+  #   - operation:
+  #       ports: ["3000"]
+  #       methods: ["GET", "POST"]
+  #       paths: ["/api/*"]
+  #       hosts: ["grafana.pulsar.svc.cluster.local"]
+  authorizationPolicy:
+    from: []
+    to: []
+
   component: grafana
   grafana.ini:
     paths:

@@ -10,12 +10,21 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.pulsar_detector.authorizationPolicy .Values.pulsar_detector.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.pulsar_detector.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.pulsar_detector.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels:
       component: {{ .Values.pulsar_detector.component }}
-{{- end }}
+{{- end }}
@@ -11,13 +11,22 @@ metadata:
 spec:
   action: ALLOW
   rules:
-  - to:
+  - {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.functions.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.functions.authorizationPolicy .Values.functions.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.functions.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.functions.ports.http }}"
         {{- if and .Values.tls.enabled .Values.tls.functions.enabled }}
         - "{{ .Values.functions.ports.https }}"
         {{- end }}
+    {{- end }}
   selector:
     matchLabels:
       {{- include "pulsar.template.labels" . | nindent 6 }}

@@ -10,10 +10,19 @@ metadata:
   namespace: {{ template "pulsar.namespace" . }}
 spec:
   rules:
-  - to:
+  - {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.from }}
+    from:
+{{ toYaml .Values.grafana.authorizationPolicy.from | indent 4 }}
+    {{- end }}
+    {{- if and .Values.grafana.authorizationPolicy .Values.grafana.authorizationPolicy.to }}
+    to:
+{{ toYaml .Values.grafana.authorizationPolicy.to | indent 4 }}
+    {{- else }}
+    to:
     - operation:
         ports:
         - "{{ .Values.grafana.port }}"
+    {{- end }}
   action: ALLOW
   selector:
     matchLabels: