fix: Only required istio exemptions for ztunnel and cni

defenseunicorns · Jan 6, 2025 · 10a251c · 10a251c
1 parent cae9ed5
commit 10a251c
Showing 1 changed file with 26 additions and 16 deletions.
diff --git a/src/istio/common/chart/templates/exemptions.yaml b/src/istio/common/chart/templates/exemptions.yaml
@@ -9,21 +9,31 @@ metadata:
 spec:
   exemptions:
     - policies:
-        - DisallowPrivileged
-        - RequireNonRootUser
-        - RestrictSELinuxType
-        - RestrictHostPathWrite
-        - RestrictVolumeTypes
-        - DisallowHostNamespaces
-        - DisallowSELinuxOptions
-        - DropAllCapabilities
-        - RestrictCapabilities
-        - RestrictHostPathWrite
-        - RestrictHostPorts
-        - RestrictProcMount
-        - RestrictSeccomp
+        - DisallowPrivileged # CNI plugin requries NET_ADMIN, NET_RAW, SYS_PTRACE, SYS_ADMIN, and DAC_OVERRIDE capabilities
+        - RequireNonRootUser # CNI plugin requires root
+        - RestrictVolumeTypes # CNI plugin uses 'hostPath' volume type
+        - DisallowHostNamespaces # CNI plugin requires host namespace access for networking
+        - DropAllCapabilities # CNI plugin requries NET_ADMIN, NET_RAW, SYS_PTRACE, SYS_ADMIN, and DAC_OVERRIDE capabilities
+        - RestrictCapabilities # CNI plugin requries NET_ADMIN, NET_RAW, SYS_PTRACE, SYS_ADMIN, and DAC_OVERRIDE capabilities
+        - RestrictHostPathWrite # CNI plugin requires access to write to CNI
+        - RestrictHostPorts # CNI plugin requires access to host ports
       matcher:
         namespace: istio-system
-        name: "^.*"
-      title: "istio exemptions"
-      description: "Istio does some privileged things"
+        kind: pod
+        name: "istio-cni-node.*"
+      title: "Istio CNI exemptions"
+      description: "Exemptions necessary for Istio CNI to manage network configurations and ensure proper traffic routing"
+    - policies:
+        - DisallowPrivileged # ztunnel requries NET_ADMIN, NET_RAW, ane SYS_ADMIN capabilities
+        - RequireNonRootUser # ztunnel requires root
+        - RestrictVolumeTypes # ztunnel uses 'hostPath' volume type
+        - DisallowHostNamespaces # ztunnel requires host namespace access for networking
+        - DropAllCapabilities # ztunnel requries NET_ADMIN, NET_RAW, SYS_PTRACE, SYS_ADMIN, and DAC_OVERRIDE capabilities
+        - RestrictCapabilities # ztunnel requries NET_ADMIN, NET_RAW, SYS_PTRACE, SYS_ADMIN, and DAC_OVERRIDE capabilities
+        - RestrictHostPathWrite # ztunnel requires access to write to CNI
+      matcher:
+        namespace: istio-system
+        kind: pod
+        name: "ztunnel.*"
+      title: "Istio ztunnel exemptions"
+      description: "Exemptions necessary for ztunnel to manage network traffic and ensure secure data plane operations"