-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add flag to administratively enable APIs on bootstrap #25009
Add flag to administratively enable APIs on bootstrap #25009
Commits on Apr 25, 2023
-
api: Add helper to administratively disable APIs
Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 4fffdf1 - Browse repository at this point
Copy the full SHA 4fffdf1View commit details -
daemon: Add Cells for Cilium API specifications
This preparatory commit introduces a new Cell for each Swagger API Specification in order to allow reuse earlier on during the agent initialization / lifecycle. No functional changes intended. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 9d99c41 - Browse repository at this point
Copy the full SHA 9d99c41View commit details -
api: Add flags to configure API access from spec
Use the autogenerated API specifications in order to populate "allowed APIs" flags in the api specification objects for each API. This code will be hooked in for usage in subsequent commits. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 016ca94 - Browse repository at this point
Copy the full SHA 016ca94View commit details
Commits on Apr 26, 2023
-
api: Reuse newly introduced API spec in API cells
Now that there's dedicated cells to provide the API specs for each API, each server can now directly depend on those rather than doing their own swagger spec instantiation. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for b588ed7 - Browse repository at this point
Copy the full SHA b588ed7View commit details -
daemon: Add flags for API access allowlist
Add new flag(s) to the daemon which restrict the ability for API clients to call certain API endpoints. The new option is an allowlist of Pascalized API endpoints that may be allowed, or optionally a Prefix followed by the '*' character in order to allow a wildcard of API endpoints, for example "*" for all API endpoints, or "Get*" for all GET endpoints. Set the default to allow all ("*") API modifications so that there is no change in behaviour for existing deployments. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 96f78e7 - Browse repository at this point
Copy the full SHA 96f78e7View commit details -
daemon: Add warning for disabled APIs
The newly added API access flags are very flexible in the APIs that they allow to be administratively disabled, but there are some options that are really required for any standard Cilium operations. Add some basic sanity checking before applying the user configuration in these cases, as it could lead to unexpected results such as inability to keep the Cilium agent running or inability to deploy new endpoints. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 5c5a83c - Browse repository at this point
Copy the full SHA 5c5a83cView commit details -
health: Rename variable to avoid pkg conflict
pkg/api will be used in an upcoming commit, so rename the variable in this function to avoid that conflict. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 92ef39a - Browse repository at this point
Copy the full SHA 92ef39aView commit details -
daemon: Add cilium-health API restrictions flag
Similar to the recent commit to administratively enable/disable support for agent API endpoints, extend this support to the cilium-health API exposed by nodes as well. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for 4fc327d - Browse repository at this point
Copy the full SHA 4fc327dView commit details -
operator: Rename variable to avoid pkg conflict
Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for fa03194 - Browse repository at this point
Copy the full SHA fa03194View commit details -
operator: Add operator API restrictions flag
For now this is not particularly important as the operator only has a /healthz API to get the health of the operator. However, if we ever extend this API in future then it could become useful to consistently apply API restrictions via the new flag. Signed-off-by: Joe Stringer <joe@cilium.io>
Configuration menu - View commit details
-
Copy full SHA for bdf566f - Browse repository at this point
Copy the full SHA bdf566fView commit details