We check that all our Service
objects match Istios port convention (start with http- or named http for example). For this we developed a policy that rejects any ports that don’t match and allow opting out via namespace labels.
package k8svalidistioserviceportname violation[{"msg": msg}] { valid := "^(grpc|http|http2|https|mongo|mysql|redis|tcp|tls|udp)($|-)" service := input.review.object port := service.spec.ports[_] not valid_port(port, valid) msg := sprintf( "%v %v %v: port name must match %v to be routable by Istio", [service.kind, service.metadata.namespace, service.metadata.name, valid] ) } valid_port(port, valid) { port.name re_match(valid, port.name) }
package k8svalidistioserviceportname test_ignores_exact_match { count(violation) == 0 with input as {"review":{"object":{"kind":"Service","metadata":{"name":"truth-service","namespace":"mesh-enabled"},"spec":{"ports":[{"name":"https"}]}}}} } test_ignores_prefix_match { count(violation) == 0 with input as {"review":{"object":{"kind":"Service","metadata":{"name":"truth-service","namespace":"mesh-enabled"},"spec":{"ports":[{"name":"https-foobar"}]}}}} } test_blocks_bad_match { count(violation) == 1 with input as {"review":{"object":{"kind":"Service","metadata":{"name":"truth-service","namespace":"mesh-enabled"},"spec":{"ports":[{"name":"httpsfoobar"}]}}}} } test_blocks_empty { count(violation) == 1 with input as {"review":{"object":{"kind":"Service","metadata":{"name":"truth-service","namespace":"mesh-enabled"},"spec":{"ports":[{}]}}}} } test_blocks_multiple_bad { count(violation) == 1 with input as {"review":{"object":{"kind":"Service","metadata":{"name":"truth-service","namespace":"mesh-enabled"},"spec":{"ports":[{}, {}]}}}} }