sentinel-ai/tsb-sentinel-security.yaml at main · alam-cloud/sentinel-ai · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: sentinel-mesh-security
  tenant: devsecops
  workspace: security-ops
spec:
  # Require mTLS for all Sentinel communications
  authentication:
    mode: REQUIRED
    jwt:
      issuer: https://tetrate.io/sentinel
      audiences:
        - sentinel-ai
      forwardPayloadHeader: x-sentinel-jwt

  authorization:
    mode: CUSTOM
    # Only Sentinel AI can apply policies
    rules:
      - name: allow-sentinel-policy
        from:
          - source:
              principals: ["cluster.local/ns/sentinel-ns/sa/sentinel-ai"]
        to:
          - operation:
              methods: ["POST"]
              paths: ["/api/policy/*"]
        when:
          - key: request.auth.claims[role]
            values: ["security-admin"]

      # Allow TSB webhooks to send logs
      - name: allow-tsb-logs
        from:
          - source:
              principals: ["cluster.local/ns/istio-system/sa/tsb-operator"]
        to:
          - operation:
              methods: ["POST"]
              paths: ["/api/tetrate/ingest"]

      # Allow mesh services to query health
      - name: allow-health-checks
        to:
          - operation:
              methods: ["GET"]
              paths: ["/api/health", "/api/mesh/topology"]

---
# Workload-specific security for critical services
apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  name: critical-services-protection
  tenant: devsecops
  workspace: production
spec:
  trafficSelector:
    - service: payment-service
      namespace: backend
  authentication:
    mode: REQUIRED
  authorization:
    mode: ENFORCE
    rules:
      - name: sentinel-auto-block
        from:
          - source:
              notPrincipals: ["cluster.local/ns/sentinel-ns/sa/sentinel-ai"]
        to:
          - operation:
              methods: ["*"]
        # Sentinel can dynamically add principals here via API
---
apiVersion: security.tsb.tetrate.io/v2
kind: Group
metadata:
  name: sentinel-operators
  tenant: devsecops
spec:
  members:
    - serviceAccounts:
        - cluster.local/ns/sentinel-ns/sa/sentinel-ai
  role: EDITOR  # Can create TrafficSettings/SecuritySettings