Skip to content

Instantly share code, notes, and snippets.

@nrjpoddar
Last active April 5, 2021 14:50
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save nrjpoddar/d5a2ed84227a8b76f5a59e48b5a2539b to your computer and use it in GitHub Desktop.
#!/bin/bash
set -eEuo pipefail
RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'
INGRESS_LABEL="istio=ingressgateway"
INGRESS_NAMESPACE="istio-system"
INGRESS_LABEL_KEY=$(echo $INGRESS_LABEL | cut -d '=' -f 1)
INGRESS_LABEL_VAL=$(echo $INGRESS_LABEL | cut -d '=' -f 2)
ingress_pod=$(kubectl -n $INGRESS_NAMESPACE get pod \
-l $INGRESS_LABEL \
-o jsonpath='{.items[0].metadata.name}' || true)
if [ -z "$ingress_pod" ]; then
echo "No ingress pod found in \"${INGRESS_NAMESPACE}\" with label selectors \"${INGRESS_LABEL}\""
exit 1
fi
echo "Inspecting Istio ingress gateway pod \"${ingress_pod}\" in \"${INGRESS_NAMESPACE}\" namespace"
ingress_ports=$(istioctl proxy-config listeners \
$ingress_pod.$INGRESS_NAMESPACE \
| awk 'NR > 1 {print $2}')
function check_port {
local policy_name=$1
local port=$2
local found=false
local ip
for ip in $ingress_ports; do
if [ "$ip" == "$port" ]; then
found=true
break
fi
done
if ! $found; then
echo -e "${RED} Authorization Policy \"$policy_name\" has port \"$port\" that needs to be migrated. ${NC}"
fi
}
authz_policies=$(kubectl -n $INGRESS_NAMESPACE get authorizationpolicies | awk 'NR > 1 {print $1}')
echo -e "Checking Authorization Policies attached to \"$ingress_pod\"\n"
for p in $authz_policies; do
policy=$(kubectl -n $INGRESS_NAMESPACE get authorizationpolicy $p -o json)
label_selector=$(echo "${policy}" |\
jq -r --arg KEY "$INGRESS_LABEL_KEY" '.spec.selector.matchLabels[$KEY]')
if [ $label_selector != $INGRESS_LABEL_VAL ]; then
continue
fi
policy_ports=$(echo "${policy}" | jq -r '.spec.rules[]|select(.to)|.to[]|.operation|select(.ports)|.ports[]')
policy_notports=$(echo "${policy}" | jq -r '.spec.rules[]|select(.to)|.to[]|.operation|select(.notPorts)|.notPorts[]')
for pp in $policy_ports; do
check_port $p $pp
done
for pp in $policy_notports; do
check_port $p $pp
done
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment