Add flag to administratively enable APIs on bootstrap #25009

Merged: 10 commits, Apr 27, 2023

Commits on Apr 25, 2023

  1. api: Add helper to administratively disable APIs

    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 25, 2023
    4fffdf1
  2. daemon: Add Cells for Cilium API specifications

    This preparatory commit introduces a new Cell for each Swagger API
    Specification in order to allow reuse earlier on during the agent
    initialization / lifecycle. No functional changes intended.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 25, 2023
    9d99c41
  3. api: Add flags to configure API access from spec

    Use the autogenerated API specifications in order to populate "allowed
    APIs" flags in the api specification objects for each API. This code
    will be hooked in for usage in subsequent commits.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 25, 2023
    016ca94

Commits on Apr 26, 2023

  1. api: Reuse newly introduced API spec in API cells

    Now that there are dedicated cells to provide the API specs for each API,
    each server can now directly depend on those rather than doing their own
    swagger spec instantiation.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    b588ed7
  2. daemon: Add flags for API access allowlist

    Add new flag(s) to the daemon which restrict the ability for API clients
    to call certain API endpoints. The new option is an allowlist of
    Pascalized API endpoints that may be allowed, or optionally a Prefix
    followed by the '*' character in order to allow a wildcard of API
    endpoints, for example "*" for all API endpoints, or "Get*" for all GET
    endpoints.
    
    Set the default to allow all ("*") API modifications so that there is no
    change in behaviour for existing deployments.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    96f78e7
  3. daemon: Add warning for disabled APIs

    The newly added API access flags are very flexible in the APIs that they
    allow to be administratively disabled, but there are some options that
    are really required for any standard Cilium operations. Add some basic
    sanity checking before applying the user configuration in these cases,
    as it could lead to unexpected results such as inability to keep the
    Cilium agent running or inability to deploy new endpoints.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    5c5a83c
  4. health: Rename variable to avoid pkg conflict

    pkg/api will be used in an upcoming commit, so rename the variable in
    this function to avoid that conflict.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    92ef39a
  5. daemon: Add cilium-health API restrictions flag

    Similar to the recent commit to administratively enable/disable support for
    agent API endpoints, extend this support to the cilium-health API
    exposed by nodes as well.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    4fc327d
  6. operator: Rename variable to avoid pkg conflict

    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    fa03194
  7. operator: Add operator API restrictions flag

    For now this is not particularly important as the operator only has a
    /healthz API to get the health of the operator. However, if we ever
    extend this API in future then it could become useful to consistently
    apply API restrictions via the new flag.
    
    Signed-off-by: Joe Stringer <joe@cilium.io>
    joestringer committed Apr 26, 2023
    bdf566f
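
The allowlist semantics described in "daemon: Add flags for API access allowlist" and the pre-apply check described in "daemon: Add warning for disabled APIs", sketched as an added example. This is not code from the pull request or from Cilium: the `AllowList` type, its methods, the operation names and the "required" set are all hypothetical and chosen for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// AllowList is a hypothetical type for this example, not Cilium's implementation.
type AllowList []string

// ParseAllowList accepts exact Pascalized names, or a prefix ending in '*'.
func ParseAllowList(entries []string) (AllowList, error) {
	var al AllowList
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if i := strings.Index(e, "*"); e == "" || (i != -1 && i != len(e)-1) {
			return nil, fmt.Errorf("invalid entry %q: '*' is only valid as the last character", e)
		}
		al = append(al, e)
	}
	return al, nil
}

// Allowed is deny-by-default: an operation that no entry matches is disabled.
func (al AllowList) Allowed(op string) bool {
	for _, e := range al {
		if e == op || (strings.HasSuffix(e, "*") && strings.HasPrefix(op, strings.TrimSuffix(e, "*"))) {
			return true
		}
	}
	return false
}

// DisabledRequired returns the operations in an assumed "required" set that would be turned off.
func (al AllowList) DisabledRequired(required []string) []string {
	var off []string
	for _, op := range required {
		if !al.Allowed(op) {
			off = append(off, op)
		}
	}
	return off
}

func main() {
	// Constructed operation names in the Pascalized style the commit message describes.
	al, _ := ParseAllowList([]string{"Get*", "PutEndpointID"})
	fmt.Println(al.Allowed("GetHealthz"), al.DisabledRequired([]string{"GetHealthz", "DeleteEndpointID"}))
}
```

Rejecting a `*` anywhere but the last position keeps an entry such as `Get*ID` from being silently read as something broader or narrower than the operator meant.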