Operator: Adds authorization to the operator API #7111
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
##             master    #7111    +/-   ##
==========================================
+ Coverage   64.45%   64.46%   +0.01%
==========================================
  Files         236      237      +1
  Lines       21669    21704     +35
==========================================
+ Hits        13966    13991     +25
- Misses       6504     6512      +8
- Partials     1199     1201      +2
View full report in Codecov by Sentry.
/test-version-skew
Dapr Version Skew test (dapr-sidecar-master - 1.12.2). Commit ref: ff7bf61. ❌ Version Skew tests failed. Please check the logs for details on the error.
Dapr Version Skew test (control-plane-master - 1.12.2). Commit ref: ff7bf61. ❌ Version Skew tests failed. Please check the logs for details on the error.
Today, the operator does no authorization on clients making requests for resources. This means that it is currently possible for any authenticated client to get any Component/HTTPEndpoint/Resiliency in any namespace. This includes the ability for any client to get Dapr secrets in any namespace.

PR updates the operator to add authorization to the operator API. The API server will ensure that the client's identity (SPIFFE ID) resides in the same namespace as the requested resource namespace. This is done by parsing the client's SPIFFE SVID of the mTLS connection. If the client does not reside in the same namespace, then the request is rejected with a permission denied.

---

The health server has been updated so that a target number can be given where the health server will only return healthy once the consumer has given the target number of healthy calls. This is useful for the operator so that the operator only reports healthy once all informers and servers have started. Without this change, clients would attempt to connect to the API server when it wasn't actually ready to serve requests. This was surfaced in the integration tests.

The PR adds an authz operator integration test which proves that the API server will only honour requests with clients in the appropriate namespace.

The Kubernetes integration process now has the ability to serve HTTP/2.0 informer requests from the API server controller runtime informers, added so that informer-reliant functions (`ComponentUpdate`, `HTTPEndpointUpdate`, etc.) can be handled.

Updates `tests/util/pki` so that it can respond with a context which includes the SPIFFE ID of the client, used for operator authz unit tests.

Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
Signed-off-by: joshvanl <me@joshvanl.dev>
list Signed-off-by: joshvanl <me@joshvanl.dev>
/test-version-skew
Dapr Version Skew e2e test (control-plane-master - 1.12.3). Commit ref: e953fc8. ✅ Version Skew tests passed.
Dapr Version Skew e2e test (dapr-sidecar-master - 1.12.3). Commit ref: e953fc8. ❌ Version Skew tests failed. Please check the logs for details on the error.
Dapr Version Skew integration test (control-plane-master - 1.12.3). Commit ref: e953fc8. ❌ Version Skew tests failed. Please check the logs for details on the error.
Dapr Version Skew integration test (dapr-sidecar-master - 1.12.3). Commit ref: e953fc8. ❌ Version Skew tests failed. Please check the logs for details on the error.
LGTM but need to make sure this is backward compatible, i.e. 1.12 sidecars connecting to edge/1.13 control plane.
/test-version-skew
Dapr Version Skew e2e test (control-plane-master - 1.12.3). Commit ref: 22b55da. ✅ Version Skew tests passed.
Dapr Version Skew integration test (dapr-sidecar-master - 1.12.3). Commit ref: 22b55da. ❌ Version Skew tests failed. Please check the logs for details on the error.
Dapr Version Skew integration test (control-plane-master - 1.12.3). Commit ref: 22b55da. ❌ Version Skew tests failed. Please check the logs for details on the error.
Dapr Version Skew e2e test (dapr-sidecar-master - 1.12.3). Commit ref: 22b55da. ✅ Version Skew tests passed.
* Operator: Adds authorization to the operator API
Signed-off-by: joshvanl <me@joshvanl.dev>
* Linting
Signed-off-by: joshvanl <me@joshvanl.dev>
* Fix util test PKI options
Signed-off-by: joshvanl <me@joshvanl.dev>
* Fixes util.GenPKI for e2e service_invocation
Signed-off-by: joshvanl <me@joshvanl.dev>
* Remove unused integration framework grpc processes
Signed-off-by: joshvanl <me@joshvanl.dev>
* Linting
Signed-off-by: joshvanl <me@joshvanl.dev>
* Fix integration test operator informer by returning empty resiliency list
Signed-off-by: joshvanl <me@joshvanl.dev>
---------
Signed-off-by: joshvanl <me@joshvanl.dev>
Co-authored-by: Dapr Bot <56698301+dapr-bot@users.noreply.github.com>
Signed-off-by: Cassandra Coyle <cassie@diagrid.io>
Part of #5756
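
The namespace check described in the PR, sketched as an added example (not code from this PR or from Dapr). It assumes the client's SPIFFE ID has the path layout /ns/<namespace>/<app-id>; the function names and sample IDs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrPermissionDenied stands in for the gRPC PermissionDenied status.
var ErrPermissionDenied = errors.New("permission denied")

// namespaceFromSPIFFE returns the namespace of an ID shaped like
// spiffe://<trust-domain>/ns/<namespace>/<app-id> (assumed layout).
func namespaceFromSPIFFE(id string) (string, error) {
	u, err := url.Parse(id)
	if err != nil {
		return "", err
	}
	if u.Scheme != "spiffe" || u.Host == "" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("not a SPIFFE ID: %q", id)
	}
	// Split the still-escaped path so an encoded "/" cannot add segments,
	// then refuse any percent-encoding at all.
	p := u.EscapedPath()
	seg := strings.Split(strings.TrimPrefix(p, "/"), "/")
	if len(seg) != 3 || seg[0] != "ns" || seg[1] == "" || seg[2] == "" || strings.Contains(p, "%") {
		return "", fmt.Errorf("unexpected SPIFFE path: %q", p)
	}
	return seg[1], nil
}

// Authorize fails closed: any parse error or namespace mismatch is a denial.
func Authorize(clientSPIFFEID, requestedNamespace string) error {
	ns, err := namespaceFromSPIFFE(clientSPIFFEID)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrPermissionDenied, err)
	}
	if ns != requestedNamespace {
		return fmt.Errorf("%w: client in %q requested %q", ErrPermissionDenied, ns, requestedNamespace)
	}
	return nil
}

func main() {
	// Constructed IDs; a server would read the ID from the verified mTLS peer certificate.
	for _, id := range []string{"spiffe://example.org/ns/prod/orders", "spiffe://example.org/ns/dev/orders", "spiffe://example.org/ns/prod%2Fx/orders"} {
		fmt.Printf("%-42s -> %v\n", id, Authorize(id, "prod"))
	}
}
```

The identity must come from the authenticated connection, never from a field in the request body, otherwise the comparison checks a value the client controls.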