Tetrate Istio Subscription (Version: Next)

TIS1301 - Workload Not Covered by Any Authorization Policy

The workload is not covered by any AuthorizationPolicy.

Recommendation: Add an AuthorizationPolicy for Workload Security

To ensure that workloads are protected from unauthorized access, create an AuthorizationPolicy that matches the workload's labels. This provides explicit rules for who can access the workload.

Examples

  1. Workload Without Authorization Policy

    Deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-app
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          containers:
          - name: my-app-container
            image: my-app-image

    Explanation: The workload defined in the Deployment does not have an associated AuthorizationPolicy to control access. Without an AuthorizationPolicy, there are no explicit rules about which entities can or cannot access this workload, which could lead to unintended or unauthorized access.

Recommendation

Add an AuthorizationPolicy with a selector that matches the workload’s label selector to control access to the workload.

  1. Add AuthorizationPolicy to Protect the Workload

    Create an AuthorizationPolicy that applies to the workload by matching its labels.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: my-app-authz-policy
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-app
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/example-namespace/sa/my-app-service-account"]

    Explanation: The AuthorizationPolicy restricts access to workloads that have the label app: my-app. Only requests originating from the specified service account (my-app-service-account) are allowed, ensuring that access to the workload is controlled.
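The coverage condition behind TIS1301 can be checked offline. The script below is an added example, not Tetrate's or Istio's own code: it models how an AuthorizationPolicy reaches a workload (a policy without a selector covers its whole namespace, a policy in the mesh root namespace covers every namespace, and a selector matches when all of its matchLabels appear on the pod template) and reports Deployments that no policy covers. The manifests are constructed inline as dicts mirroring this page, and the root namespace is assumed to be Istio's default, istio-system.

```python
ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default rootNamespace

def pod_labels(deployment):
    """Labels of the pods a Deployment creates, i.e. what a selector matches against."""
    return deployment["spec"]["template"]["metadata"].get("labels", {})

def policy_covers(policy, namespace, labels):
    """True if the AuthorizationPolicy applies to a workload with these labels in namespace."""
    pol_ns = policy["metadata"]["namespace"]
    if pol_ns != namespace and pol_ns != ROOT_NAMESPACE:
        return False  # a policy reaches its own namespace, or the whole mesh from the root namespace
    selector = policy.get("spec", {}).get("selector")
    if selector is None:
        return True   # no selector: namespace-wide (mesh-wide from the root namespace)
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def uncovered_workloads(deployments, policies):
    """Return 'namespace/name' for every Deployment no policy covers (the TIS1301 finding)."""
    result = []
    for d in deployments:
        ns, name = d["metadata"]["namespace"], d["metadata"]["name"]
        labels = pod_labels(d)
        if not any(policy_covers(p, ns, labels) for p in policies):
            result.append(f"{ns}/{name}")
    return result

def deployment(name, ns, labels):
    """Minimal constructed Deployment carrying only the fields the check reads."""
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns},
            "spec": {"template": {"metadata": {"labels": labels}}}}

# Constructed sample input: the page's my-app plus a second, unprotected workload.
SAMPLE_DEPLOYMENTS = [
    deployment("my-app", "example-namespace", {"app": "my-app"}),
    deployment("other-app", "example-namespace", {"app": "other-app"}),
]
SAMPLE_POLICIES = [  # mirrors the AuthorizationPolicy shown on this page
    {"kind": "AuthorizationPolicy",
     "metadata": {"name": "my-app-authz-policy", "namespace": "example-namespace"},
     "spec": {"selector": {"matchLabels": {"app": "my-app"}},
              "rules": [{"from": [{"source": {"principals": [
                  "cluster.local/ns/example-namespace/sa/my-app-service-account"]}}]}]}},
]

if __name__ == "__main__":
    for w in uncovered_workloads(SAMPLE_DEPLOYMENTS, SAMPLE_POLICIES):
        print(f"TIS1301: {w} is not covered by any AuthorizationPolicy")
```

Feeding it the live cluster is a matter of replacing the constructed lists with the output of kubectl get deployments and authorizationpolicies across namespaces.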