UDS Package
Package
Section titled “Package”Namespaces are a common boundary for isolating workloads in multi-tenant clusters. When defining a UDS Package resource, consider the implications for all workloads that exist in the target namespace. If the UDS Package that you are defining has configurations that conflict with each other or would be simplified by using a separate UDS Package definition, consider using a separate Kubernetes namespace. Read more about namespaces and mulitenancy here.
The UDS Operator seamlessly enables the following enhancements and protections for your workloads:
- Enabling Istio Sidecar Injection:
- The operator facilitates the activation of Istio sidecar injection within namespaces where the CR is deployed.
- Support for Istio Ambient Mode:
- Packages can now opt into Istio’s Ambient mode by setting
spec.network.serviceMesh.mode: ambient
. This provides service mesh capabilities and security without sidecars, reducing resource overhead.
- Packages can now opt into Istio’s Ambient mode by setting
- Establishing Default-Deny Ingress/Egress Network Policies:
- It sets up default-deny network policies for both ingress and egress, creating a foundational security posture.
- Implementing Layered Allow-List Approach:
- A layered allow-list approach is applied on top of default-deny network policies. This includes essential defaults like Istio requirements and DNS egress.
- Providing Targeted Remote Endpoints Network Policies:
- The operator creates targeted network policies for remote endpoints, such as
KubeAPI
andCloudMetadata
. This approach aims to enhance policy management by reducing redundancy (DRY) and facilitating dynamic bindings in scenarios where static definitions are impractical.
- The operator creates targeted network policies for remote endpoints, such as
- Creating Istio Virtual Services and Related Ingress Gateway Network Policies:
- In addition, the operator is responsible for generating Istio Virtual Services and the associated network policies for the ingress gateway.
- SSO Group Authentication:
- Group authentication determines who can access the application based on keycloak group membership.
- At this time
anyOf
allows defining a list of groups, a user must belong to at least one of them. - Custom client
protocolMapper
’s that will be created alongside the client and added to the client’s dedicated scope.
- Authservice Protection:
- Authservice authentication provides application agnostic SSO for applications that opt-in.
Example UDS Package CR
Section titled “Example UDS Package CR”apiVersion: uds.dev/v1alpha1kind: Packagemetadata: name: grafana namespace: grafanaspec: network: # Expose rules generate Istio VirtualServices and related network policies expose: - service: grafana selector: app.kubernetes.io/name: grafana host: grafana gateway: admin port: 80 targetPort: 3000
# Allow rules generate NetworkPolicies allow: - direction: Egress selector: app.kubernetes.io/name: grafana remoteGenerated: Anywhere
- direction: Egress remoteNamespace: monitoring remoteSelector: app.kubernetes.io/name: alertmanager port: 9093 description: "Alertmanager Datasource"
# SSO allows for the creation of Keycloak clients and with automatic secret generation and protocolMappers sso: - name: Grafana Dashboard clientId: uds-core-admin-grafana redirectUris: - "https://grafana.admin.{{ .Values.domain }}/login/generic_oauth" groups: anyOf: - /UDS Core/Admin # Define protocolMappers to be created as dedicated scopes for the client protocolMappers: - name: username protocol: "openid-connect" protocolMapper: "oidc-usermodel-property-mapper" config: user.attribute: "username" claim.name: "username" userinfo.token.claim: "true" - name: email protocol: "openid-connect" protocolMapper: "oidc-usermodel-property-mapper" config: user.attribute: "email" claim.name: "email" userinfo.token.claim: "true"
This example may not contain all fields, the full specification for the Package CR is documented here. In addition, there is a JSON schema published here for use in your IDE.