Skip to content

Commit

Permalink
policy: Validate ServerAuthorization resources (#8076)
Browse files Browse the repository at this point in the history
`ServerAuthorization` resources are not validated by the admission
controller.

This change enables validation for `ServerAuthorization` resources,
based on changes to the admission controller proposed as a part of
#8007. This admission controller is generalized to
support arbitrary resource types. The `ServerAuthoriation` validation
currently only ensures that network blocks are valid CIDRs and that they
are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to
support using IpNet data structures directly in the custom resource
type bindings.

This change also adds an integration test to validate that the admission
controller behaves as expected.

Signed-off-by: Oliver Gould <ver@buoyant.io>
  • Loading branch information
olix0r authored Mar 16, 2022
1 parent 960c181 commit c445c72
Show file tree
Hide file tree
Showing 27 changed files with 380 additions and 97 deletions.
10 changes: 10 additions & 0 deletions Cargo.lock
Original file line number Diff line number Diff line change
Expand Up @@ -612,6 +612,10 @@ name = "ipnet"
version = "2.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "35e70ee094dc02fd9c13fdad4940090f22dbd6ac7c9e7094a46cf0232a50bc7c"
dependencies = [
"schemars",
"serde",
]

[[package]]
name = "itertools"
Expand Down Expand Up @@ -852,10 +856,12 @@ name = "linkerd-policy-controller"
version = "0.1.0"
dependencies = [
"anyhow",
"async-trait",
"clap",
"drain",
"futures",
"hyper",
"ipnet",
"jemallocator",
"k8s-openapi",
"kube",
Expand All @@ -865,6 +871,7 @@ dependencies = [
"linkerd-policy-controller-k8s-api",
"linkerd-policy-controller-k8s-index",
"parking_lot 0.12.0",
"serde",
"serde_json",
"thiserror",
"tokio",
Expand Down Expand Up @@ -901,6 +908,7 @@ dependencies = [
name = "linkerd-policy-controller-k8s-api"
version = "0.1.0"
dependencies = [
"ipnet",
"k8s-openapi",
"kube",
"schemars",
Expand Down Expand Up @@ -939,7 +947,9 @@ dependencies = [
"kube",
"linkerd-policy-controller-k8s-api",
"rand",
"schemars",
"serde",
"serde_json",
"tokio",
"tokio-test",
"tracing",
Expand Down
4 changes: 3 additions & 1 deletion charts/linkerd-control-plane/templates/destination-rbac.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,9 @@ webhooks:
- operations: ["CREATE", "UPDATE"]
apiGroups: ["policy.linkerd.io"]
apiVersions: ["v1alpha1", "v1beta1"]
resources: ["servers"]
resources:
- serverauthorizations
- servers
sideEffects: None
---
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_controlplane_tracing_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_custom_domain.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_custom_registry.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_default.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_default_token.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_ha_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_ha_with_overrides_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_heartbeat_disabled_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_helm_control_plane_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_helm_control_plane_output_ha.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_helm_output_ha_labels.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_no_init_container.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_output.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_proxy_ignores.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 3 additions & 1 deletion cli/cmd/testdata/install_values_file.golden

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions policy-controller/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -12,16 +12,19 @@ rustls-tls = ["kube/rustls-tls"]

[dependencies]
anyhow = "1"
async-trait = "0.1"
clap = { version = "3", default-features = false, features = ["derive", "env", "std"] }
drain = "0.1"
futures = { version = "0.3", default-features = false }
k8s-openapi = { version = "0.14", features = ["v1_20"] }
hyper = { version = "0.14", features = ["http1", "http2", "runtime", "server"] }
ipnet = { version = "2", default-features = false }
linkerd-policy-controller-core = { path = "./core" }
linkerd-policy-controller-grpc = { path = "./grpc" }
linkerd-policy-controller-k8s-index = { path = "./k8s/index" }
linkerd-policy-controller-k8s-api = { path = "./k8s/api" }
parking_lot = "0.12"
serde = "1"
serde_json = "1"
thiserror = "1"
tracing = "0.1"
Expand Down
1 change: 1 addition & 0 deletions policy-controller/k8s/api/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ publish = false
[dependencies]
k8s-openapi = { version = "0.14", default-features = false, features = ["v1_20"] }
kube = { version = "0.69", default-features = false, features = ["client", "derive", "runtime"] }
ipnet = { version = "2.4", features = ["json"] }
schemars = "0.8"
serde = { version = "1", features = ["derive"] }
serde_json = "1"
Expand Down
5 changes: 3 additions & 2 deletions policy-controller/k8s/api/src/policy/server_authorization.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use super::super::labels;
use ipnet::IpNet;
use kube::CustomResource;
use schemars::JsonSchema;
use serde::{Deserialize, Serialize};
Expand Down Expand Up @@ -56,8 +57,8 @@ pub struct MeshTls {

#[derive(Deserialize, Serialize, Clone, Debug, JsonSchema)]
pub struct Network {
pub cidr: String,
pub except: Option<Vec<String>>,
pub cidr: IpNet,
pub except: Option<Vec<IpNet>>,
}

/// References a Kubernetes `ServiceAccount` instance.
Expand Down
17 changes: 7 additions & 10 deletions policy-controller/k8s/index/src/server_authorization.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ use ahash::{AHashMap as HashMap, AHashSet as HashSet};
use anyhow::{anyhow, bail, Result};
use futures::prelude::*;
use linkerd_policy_controller_core::{
ClientAuthentication, ClientAuthorization, IdentityMatch, IpNet, NetworkMatch,
ClientAuthentication, ClientAuthorization, IdentityMatch, NetworkMatch,
};
use linkerd_policy_controller_k8s_api::{
self as k8s,
Expand Down Expand Up @@ -189,15 +189,12 @@ fn mk_server_authz(

let networks = if let Some(nets) = spec.client.networks {
nets.into_iter()
.map(|policy::server_authorization::Network { cidr, except }| {
let net = cidr.parse::<IpNet>()?;
debug!(%net, "Unauthenticated");
let except = except
.into_iter()
.flatten()
.map(|cidr| cidr.parse().map_err(Into::into))
.collect::<Result<Vec<IpNet>>>()?;
Ok(NetworkMatch { net, except })
.map(|net| {
debug!(net = %net.cidr, "Unauthenticated");
Ok(NetworkMatch {
net: net.cidr,
except: net.except.unwrap_or_default(),
})
})
.collect::<Result<Vec<NetworkMatch>>>()?
} else {
Expand Down
Loading

0 comments on commit c445c72

Please sign in to comment.