Deploy AuthorizationPolicy

Apps Operator Duration: 5 min | Persona: Apps Operator

In this section, you will deploy a granular and specific AuthorizationPolicy for the Whereami namespace. At the end that’s where you will finally have a working Whereami app :)

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh

Define AuthorizationPolicy

Define a fine granular AuthorizationPolicy:

cat <<EOF > ${WORK_DIR}$WHERE_AMI_DIR_NAME/base/authorizationpolicy_whereami.yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: whereami
spec:
  selector:
    matchLabels:
      app: whereami
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/${INGRESS_GATEWAY_NAMESPACE}/sa/${INGRESS_GATEWAY_NAME}
    to:
    - operation:
        ports:
        - "8080"
        methods:
        - GET
EOF

Update the Kustomize base overlay:

cd ${WORK_DIR}$WHERE_AMI_DIR_NAME/base
kustomize edit add resource authorizationpolicy_whereami.yaml

Deploy Kubernetes manifests

cd ${WORK_DIR}$WHERE_AMI_DIR_NAME/
git add . && git commit -m "Whereami AuthorizationPolicy" && git push origin main

Check deployments

List the Kubernetes resources managed by Config Sync in GKE cluster for the Whereami app repository:

gcloud alpha anthos config sync repo describe \
    --project $TENANT_PROJECT_ID \
    --managed-resources all \
    --sync-name repo-sync \
    --sync-namespace $WHEREAMI_NAMESPACE

Wait and re-run this command above until you see "status": "SYNCED" for this RepoSync. All the managed_resources listed should have STATUS: Current as well.

List the GitHub runs for the Whereami app repository:

cd ${WORK_DIR}$WHERE_AMI_DIR_NAME && gh run list

Check the Whereami app

Navigate to the Whereami app, click on the link displayed by the command below:

echo -e "https://${WHERE_AMI_INGRESS_GATEWAY_HOST_NAME}"

You should now have the Whereami app working successfully. Congrats!