Enforce Istio TLS on Hosts and Host Subnets
Once a routing decision has been made, a DestinationRule can be used to define how traffic should be sent to another service. The trafficPolicy object can control how TLS is handled to the destination host. This policy enforces that the TLS mode cannot be set to a value of `DISABLE`.
Policy Definition
/istio/enforce-tls-hosts-host-subnets/enforce-tls-hosts-host-subnets.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-tls-hosts-host-subnets
  annotations:
    policies.kyverno.io/title: Enforce Istio TLS on Hosts and Host Subnets
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: DestinationRule
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Once a routing decision has been made, a DestinationRule can be used to define how traffic
      should be sent to another service. The trafficPolicy object can control how TLS is handled
      to the destination host. This policy enforces that the TLS mode cannot be set to a value
      of `DISABLE`.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: destrule
    match:
      any:
      - resources:
          kinds:
          - DestinationRule
    validate:
      message: "TLS may not be disabled for the trafficPolicy in any host."
      pattern:
        =(spec):
          =(trafficPolicy):
            =(tls):
              =(mode): "!DISABLE"
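To make the pattern's behaviour concrete, the following is an added example, not code from the Kyverno policies repository and not Kyverno's own engine: a minimal Python model of the two pattern features this rule relies on, the `=(key)` equality anchor (the nested pattern applies only when the key is present) and the `!value` negated scalar, run over constructed DestinationRule manifests written as Python dicts. The helper names (`matches`, `evaluate`, `_dr`) and the service names in the manifests are assumptions made for this example. It also shows what the pattern does not reach: a `DISABLE` placed under `spec.subsets[].trafficPolicy` passes, because the pattern only descends into the top-level `spec.trafficPolicy`.

```python
# Added example, not Kyverno's engine: a minimal re-implementation of the
# validate.pattern semantics used by the enforce-tls-hosts-host-subnets policy.

# The pattern from the policy above, as a Python dict.
PATTERN = {
    "=(spec)": {"=(trafficPolicy)": {"=(tls)": {"=(mode)": "!DISABLE"}}}
}
MESSAGE = "TLS may not be disabled for the trafficPolicy in any host."


def _anchor(key):
    # `=(name)` is a Kyverno equality anchor: the nested pattern is checked
    # only when `name` exists in the resource; otherwise it is skipped.
    if key.startswith("=(") and key.endswith(")"):
        return key[2:-1], True
    return key, False


def matches(pattern, value):
    # Maps: every pattern key must be satisfied. Scalars: "!x" means
    # "anything except x"; any other scalar must match exactly.
    if isinstance(pattern, dict):
        if not isinstance(value, dict):
            return False
        for key, sub in pattern.items():
            name, optional = _anchor(key)
            if name not in value:
                if optional:
                    continue
                return False  # an unanchored key is required
            if not matches(sub, value[name]):
                return False
        return True
    if isinstance(pattern, str) and pattern.startswith("!"):
        return value != pattern[1:]
    return value == pattern


def evaluate(resource):
    # Mirrors the rule's match (kind DestinationRule) plus validate step.
    # The policy runs in Audit mode, so a "fail" is a reported violation,
    # not an admission denial.
    if resource.get("kind") != "DestinationRule":
        return {"rule": "destrule", "result": "skip"}
    if matches(PATTERN, resource):
        return {"rule": "destrule", "result": "pass"}
    return {"rule": "destrule", "result": "fail", "message": MESSAGE}


def _dr(name, traffic_policy=None, subsets=None):
    # Build a constructed DestinationRule manifest (hypothetical service names).
    spec = {"host": f"{name}.default.svc.cluster.local"}
    if traffic_policy is not None:
        spec["trafficPolicy"] = traffic_policy
    if subsets is not None:
        spec["subsets"] = subsets
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "DestinationRule",
        "metadata": {"name": name},
        "spec": spec,
    }


# Constructed sample manifests covering the cases a reviewer would check.
MUTUAL = _dr("reviews", {"tls": {"mode": "ISTIO_MUTUAL"}})       # pass
DISABLED = _dr("ratings", {"tls": {"mode": "DISABLE"}})          # fail
NO_POLICY = _dr("details")                                       # pass (anchor skipped)
SUBSET_DISABLED = _dr(                                           # pass: subsets not inspected
    "productpage",
    {"tls": {"mode": "ISTIO_MUTUAL"}},
    subsets=[{"name": "v2", "labels": {"version": "v2"},
              "trafficPolicy": {"tls": {"mode": "DISABLE"}}}],
)

if __name__ == "__main__":
    for r in (MUTUAL, DISABLED, NO_POLICY, SUBSET_DISABLED):
        print(r["metadata"]["name"], evaluate(r))
```

The `SUBSET_DISABLED` case is the one to keep in mind when reading the policy title: the pattern as written only constrains `spec.trafficPolicy.tls.mode`, so a subset-level `trafficPolicy` that disables TLS is not flagged by this rule.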