feat(ws): add Istio AuthorizationPolicy for nb-backend #324

Signed-off-by: Liav Weiss (EXT-Nokia) <[email protected]>

Author: Liav Weiss (EXT-Nokia)

workspaces/backend/manifests/kustomize/options/istio/destination-rule.yaml

@@ -0,0 +1,9 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: backend
+spec:
+  host: nb-backend.kubeflow-system.svc.cluster.local
+  trafficPolicy:
+    tls:
+      mode: ISTIO_MUTUAL

workspaces/backend/manifests/kustomize/options/istio/istio-authorization-policy.yaml

@@ -0,0 +1,12 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: backend
+spec:
+  action: ALLOW
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: kubeflow-notebooks
+      app.kubernetes.io/component: backend
+  rules:
+  - {}

workspaces/backend/manifests/kustomize/options/istio/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namePrefix: nb-
+
+resources:
+- istio-authorization-policy.yaml
+- destination-rule.yaml
+- virtual-service.yaml

workspaces/backend/manifests/kustomize/options/istio/virtual-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: backend
+spec:
+  gateways:
+  - kubeflow-gateway
+  hosts:
+  - '*'
+  http:
+  - match:
+    - uri:
+        prefix: /workspaces/api/
+    route:
+    - destination:
+        host: nb-backend.kubeflow-system.svc.cluster.local
+        port:
+          number: 4000