Enhance authz #323

Closed
hzxuzhonghu opened this issue May 11, 2024 · 1 comment · Fixed by #407
What would you like to be added:

1. Currently we support only src ip, port authorization policy. Some more dimensions should be supported.

```go
// Generated protobuf Go struct for the Match message (the protoimpl fields are generator-managed).
type Match struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Namespaces          []*StringMatch `protobuf:"bytes,1,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	NotNamespaces       []*StringMatch `protobuf:"bytes,2,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
	Principals          []*StringMatch `protobuf:"bytes,3,rep,name=principals,proto3" json:"principals,omitempty"`
	NotPrincipals       []*StringMatch `protobuf:"bytes,4,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"`
	SourceIps           []*Address     `protobuf:"bytes,5,rep,name=source_ips,json=sourceIps,proto3" json:"source_ips,omitempty"`
	NotSourceIps        []*Address     `protobuf:"bytes,6,rep,name=not_source_ips,json=notSourceIps,proto3" json:"not_source_ips,omitempty"`
	DestinationIps      []*Address     `protobuf:"bytes,7,rep,name=destination_ips,json=destinationIps,proto3" json:"destination_ips,omitempty"`
	NotDestinationIps   []*Address     `protobuf:"bytes,8,rep,name=not_destination_ips,json=notDestinationIps,proto3" json:"not_destination_ips,omitempty"`
	DestinationPorts    []uint32       `protobuf:"varint,9,rep,packed,name=destination_ports,json=destinationPorts,proto3" json:"destination_ports,omitempty"`
	NotDestinationPorts []uint32       `protobuf:"varint,10,rep,packed,name=not_destination_ports,json=notDestinationPorts,proto3" json:"not_destination_ports,omitempty"`
}
```

2. Currently authz is done async in userspace, while it does reset on the xdp hook point, so before the authz runs successfully, we may miss some packets and incorrectly let them go to the server instances.

3. Client may be aware of the connection rst after a long time, ~1 minute

Why is this needed:
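As an added illustration of the dimensions listed in the Match struct above (example code written for this page, not Kmesh's own implementation): a small Go evaluator that applies each positive/"Not" list of one Match with AND semantics across namespaces, principals, source and destination IPs and destination ports, then combines DENY and ALLOW policies into one decision. The StringMatch and Address shapes, the Conn type, the NewConn/SamplePolicies helpers and the Istio-style DENY-before-ALLOW ordering are assumptions made for this example; the sample policies and connections are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// StringMatch stands in for the proto StringMatch (normally one field set); the proto
// Address is modelled as a netip.Prefix. Names here are the example's own, not Kmesh's.
type StringMatch struct{ Exact, Prefix, Suffix string }

// Matches reports whether s satisfies any of the set fields.
func (m StringMatch) Matches(s string) bool {
	return (m.Exact != "" && s == m.Exact) ||
		(m.Prefix != "" && strings.HasPrefix(s, m.Prefix)) ||
		(m.Suffix != "" && strings.HasSuffix(s, m.Suffix))
}

// Match carries the same dimensions as the generated Match struct quoted in the issue.
type Match struct {
	Namespaces, NotNamespaces             []StringMatch
	Principals, NotPrincipals             []StringMatch
	SourceIps, NotSourceIps               []netip.Prefix
	DestinationIps, NotDestinationIps     []netip.Prefix
	DestinationPorts, NotDestinationPorts []uint32
}

// Conn is the per-connection metadata the policy engine evaluates.
type Conn struct {
	SrcNamespace, SrcPrincipal string
	SrcIP, DstIP               netip.Addr
	DstPort                    uint32
}

func anyOf[T any](xs []T, pred func(T) bool) bool {
	for _, x := range xs {
		if pred(x) {
			return true
		}
	}
	return false
}

// dim applies one dimension: an empty positive list matches anything, a non-empty one needs a match, "Not" needs none.
func dim[T any](pos, neg []T, pred func(T) bool) bool {
	return (len(pos) == 0 || anyOf(pos, pred)) && !anyOf(neg, pred)
}

// Evaluate reports whether c satisfies every dimension of m (dimensions are ANDed).
func (m Match) Evaluate(c Conn) bool {
	return dim(m.Namespaces, m.NotNamespaces, func(s StringMatch) bool { return s.Matches(c.SrcNamespace) }) &&
		dim(m.Principals, m.NotPrincipals, func(s StringMatch) bool { return s.Matches(c.SrcPrincipal) }) &&
		dim(m.SourceIps, m.NotSourceIps, func(p netip.Prefix) bool { return p.Contains(c.SrcIP) }) &&
		dim(m.DestinationIps, m.NotDestinationIps, func(p netip.Prefix) bool { return p.Contains(c.DstIP) }) &&
		dim(m.DestinationPorts, m.NotDestinationPorts, func(p uint32) bool { return p == c.DstPort })
}

// Policy is one authorization policy: DENY or ALLOW, covering a connection if any rule matches.
type Policy struct {
	Deny  bool
	Rules []Match
}

// Decide uses Istio-style ordering (assumed, not stated in the issue): a matching DENY rejects; if any ALLOW exists one must match; else pass.
func Decide(policies []Policy, c Conn) bool {
	covers := func(p Policy) bool { return anyOf(p.Rules, func(m Match) bool { return m.Evaluate(c) }) }
	hasAllow := false
	for _, p := range policies {
		if p.Deny && covers(p) {
			return false
		}
		hasAllow = hasAllow || !p.Deny
	}
	return !hasAllow || anyOf(policies, func(p Policy) bool { return !p.Deny && covers(p) })
}

// NewConn builds a Conn from string forms; malformed addresses panic, acceptable for a demo.
func NewConn(ns, principal, src, dst string, port uint32) Conn {
	return Conn{SrcNamespace: ns, SrcPrincipal: principal,
		SrcIP: netip.MustParseAddr(src), DstIP: netip.MustParseAddr(dst), DstPort: port}
}

// SamplePolicies is a constructed set: deny all of namespace "legacy"; allow only the frontend SA, from 10.0.0.0/8, to port 8080.
func SamplePolicies() []Policy {
	return []Policy{
		{Deny: true, Rules: []Match{{Namespaces: []StringMatch{{Exact: "legacy"}}}}},
		{Rules: []Match{{
			Principals:       []StringMatch{{Suffix: "/sa/frontend"}},
			SourceIps:        []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")},
			DestinationPorts: []uint32{8080},
		}}},
	}
}

func main() {
	c := NewConn("web", "cluster.local/ns/web/sa/frontend", "192.168.1.5", "10.9.9.9", 8080)
	fmt.Println("allow =", Decide(SamplePolicies(), c)) // false: source is outside 10.0.0.0/8
}
```

Two properties of this shape are worth keeping in mind when reviewing a policy: every non-empty list on one Match must hold at the same time, so a single `NotSourceIps` entry carves an exception out of an otherwise broad rule rather than adding a second rule, and a workload with no ALLOW policy at all passes by default. Both are independent of the timing problem in point 2: an evaluator that is correct but runs after the first packets have already been forwarded still lets those packets through.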

@hzxuzhonghu hzxuzhonghu added this to the v0.4 milestone May 11, 2024
@hzxuzhonghu

/assign @supercharge-xsy @tacslon
