1. Using Kubernetes batch with security.istio.io


    If you're aiming to deploy a Kubernetes batch job within an Istio-enabled cluster, you'll want to consider how Istio's security features apply to the batch workload. Istio provides a set of security features that can be applied at various levels of the stack, from the edge of the mesh to deep within the microservice.

    Here we are going to cover a Pulumi program that consists of two main parts:

    1. The Kubernetes Job: A Kubernetes job is a construct that allows you to run a pod (or a group of pods) to completion. Batch jobs are useful for running short-lived, high-volume computations or tasks.

    2. Istio Security Configuration: Istio uses AuthorizationPolicy resources from its security.istio.io API group (together with resources such as ServiceEntry) to dictate the security rules for services within the service mesh, including requests initiated by batch jobs. However, you would typically apply Istio configurations to long-running services rather than to short-lived batch jobs.

    Given that batch jobs are ephemeral and vary in nature, you would commonly want your job to simply have the correct role-based access control (RBAC) permissions to interact with other services within your Kubernetes cluster.

    In the case of Istio, it means ensuring your Kubernetes ServiceAccount associated with the job has the right AuthorizationPolicy configured if you're making calls to other services in the mesh that enforce such policies.

    Here's a simple TypeScript program that uses Pulumi to set up a Kubernetes batch job, alongside a hypothetical Istio AuthorizationPolicy for the job's service account, assuming that the service account needs to interact with another service within the mesh.

    import * as k8s from "@pulumi/kubernetes";
    import * as pulumi from "@pulumi/pulumi";

    // Name of the ServiceAccount the job's pods run as. It must already exist in the
    // namespace; Istio derives the job's identity (its principal) from it.
    const jobServiceAccount = "my-service-account";
    // Labels on the job's pods; the AuthorizationPolicy selector below matches on these.
    const jobLabels = { app: "my-batch-job-app" };

    // Create a Kubernetes batch job using the batch/v1 Job API
    const batchJob = new k8s.batch.v1.Job("batch-job", {
        metadata: {
            // Specify the namespace if necessary, otherwise default is used
            namespace: "default",
        },
        spec: {
            // Job-specific specs, such as parallelism and completions
            parallelism: 1,
            completions: 1,
            template: {
                // Pod template for the job
                metadata: { labels: jobLabels },
                spec: {
                    // Run the pods as the pre-created ServiceAccount
                    serviceAccountName: jobServiceAccount,
                    containers: [{
                        name: "my-batch-job",
                        image: "my-batch-job-image",
                        command: ["sh", "-c", "echo Hello, Kubernetes! && sleep 60"], // Example command
                    }],
                    restartPolicy: "Never",
                },
            },
        },
    });

    // Define an Istio AuthorizationPolicy for the ServiceAccount the job would use
    const authPolicy = new k8s.apiextensions.CustomResource("authorization-policy", {
        apiVersion: "security.istio.io/v1beta1", // Make sure to match the version with your cluster's Istio version
        kind: "AuthorizationPolicy",
        metadata: {
            // The policy should be in the same namespace as the ServiceAccount and services it relates to
            namespace: "default",
            name: "batch-job-auth-policy",
        },
        spec: {
            // Policy specification specifying the action - typically ALLOW or DENY
            action: "ALLOW",
            rules: [{
                // Assuming the batch job needs to access an HTTP service on port 8080
                to: [{
                    operation: {
                        methods: ["GET"],
                        // Replace with the actual paths that your batch job needs to access
                        paths: ["/some/service/api"],
                    },
                }],
                // Apply this policy to the service account used by the batch job
                when: [{
                    key: "source.principal",
                    values: [`cluster.local/ns/default/sa/${jobServiceAccount}`],
                }],
            }],
            // Selector to specify the workloads to apply this policy to
            selector: {
                matchLabels: jobLabels,
            },
        },
    }, { dependsOn: [batchJob] }); // Make sure to create the job before the policy

    // Export the batch job name
    export const batchJobName = batchJob.metadata.name;
    // Export the authorization policy name
    export const authPolicyName = authPolicy.metadata.name;

    Explanation:

    • A Kubernetes Job named batch-job is declared. It prints "Hello, Kubernetes!" and sleeps for 60 seconds. This is just a simulation for a batch process that you'd replace with your actual job workload.

    • An Istio AuthorizationPolicy (Pulumi resource authorization-policy, Kubernetes name batch-job-auth-policy) is declared to allow the job's service account to make GET requests to /some/service/api. Adjust the methods and paths to fit the APIs that your job needs to consume.

    • The service account used by the job (my-service-account) needs to be pre-created and associated with the batch job's pods via serviceAccountName. The values field under when is where you specify the ServiceAccount's principal (cluster.local/ns/<namespace>/sa/<service-account>).

    • dependsOn is a hint to Pulumi about resource ordering, ensuring that the batch job is created before the AuthorizationPolicy. The AuthorizationPolicy also includes a selector, which you can use to target specific workloads; here it is set to match the labels of the job's pods.

    • The exports at the end expose the names of the created resources.
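    The two things that most often make a policy like the one above silently never match are a source principal that does not correspond to the ServiceAccount the pods actually run as, and a selector that does not pick out the workload Istio evaluates the policy on. Istio enforces an AuthorizationPolicy on the workloads its selector matches, that is, on the side receiving the request, and the caller's identity appears in the rule as a source principal. The following plain TypeScript (an added example, not part of the original Pulumi program, and using no Pulumi imports) builds the same kind of spec with assumed helper names istioPrincipal, buildJobCallerPolicy and lintPolicyAgainstJob, and lints it against the job's namespace, ServiceAccount and pod labels so that the mismatch is reported before anything is deployed:

```typescript
// Added example, not the original page's Pulumi code. Pure TypeScript with no
// dependencies: it models the Job and AuthorizationPolicy shapes and checks that
// they agree with each other before they are handed to Pulumi or kubectl.

interface JobShape {
  namespace: string;
  serviceAccountName: string;           // the ServiceAccount the pods run as
  podLabels: Record<string, string>;    // labels on the job's pod template
}

interface AuthzRule {
  from?: { source: { principals: string[] } }[];
  to?: { operation: { methods: string[]; paths: string[] } }[];
}

interface AuthorizationPolicySpec {
  action: "ALLOW" | "DENY";
  selector: { matchLabels: Record<string, string> };
  rules: AuthzRule[];
}

// Istio's identity for a Kubernetes ServiceAccount: the SPIFFE ID without the
// "spiffe://" scheme. The trust domain defaults to cluster.local.
export function istioPrincipal(namespace: string, serviceAccount: string,
                               trustDomain = "cluster.local"): string {
  return `${trustDomain}/ns/${namespace}/sa/${serviceAccount}`;
}

// Build an ALLOW policy for the workload the job calls. The selector names the
// callee (where Istio enforces the policy); the job is the source principal.
export function buildJobCallerPolicy(job: JobShape,
                                     callee: { matchLabels: Record<string, string> },
                                     methods: string[], paths: string[]): AuthorizationPolicySpec {
  return {
    action: "ALLOW",
    selector: callee,
    rules: [{
      from: [{ source: { principals: [istioPrincipal(job.namespace, job.serviceAccountName)] } }],
      to: [{ operation: { methods, paths } }],
    }],
  };
}

// Return human-readable problems; an empty list means the policy and job agree.
export function lintPolicyAgainstJob(policy: AuthorizationPolicySpec, job: JobShape): string[] {
  const problems: string[] = [];
  const principal = istioPrincipal(job.namespace, job.serviceAccountName);

  // An ALLOW policy that never names the job's principal cannot admit the job.
  const namesJob = policy.rules.some(r =>
    (r.from ?? []).some(f => f.source.principals.includes(principal)));
  if (policy.action === "ALLOW" && !namesJob) {
    problems.push(`no rule names the job's principal ${principal}`);
  }

  // If every selector label is present on the job's own pods, the policy is
  // enforced on the job itself, i.e. on requests INTO the job, not on its calls out.
  const selectsJob = Object.entries(policy.selector.matchLabels)
    .every(([k, v]) => job.podLabels[k] === v);
  if (selectsJob) {
    problems.push("selector matches the job's own pods; it should select the workload the job calls");
  }
  return problems;
}

// Constructed sample input mirroring the values used in the program above.
export const sampleJob: JobShape = {
  namespace: "default",
  serviceAccountName: "my-service-account",
  podLabels: { app: "my-batch-job-app" },
};

// Hypothetical callee labels; the page does not name the service the job calls.
export const samplePolicy = buildJobCallerPolicy(
  sampleJob, { matchLabels: { app: "backend-api" } }, ["GET"], ["/some/service/api"]);

export function demo(): string[] {
  return lintPolicyAgainstJob(samplePolicy, sampleJob); // [] when consistent
}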

    This code provides a starting point and high-level overview of handling Istio security with Kubernetes batch jobs in Pulumi. Depending upon the specifics of your workload and cluster, you might need to further tweak the RBAC roles, the job's API version, and the Istio security policies. Always refer to the latest versions of the Pulumi and Kubernetes/Istio APIs for available properties and configurations.