Skip to content

Commit

Permalink
Introduce AuthorizationPolicy CRDs
Browse files Browse the repository at this point in the history 
Issue #7709 proposes new Custom Resource types to support generalized
authorization policies:

- `AuthorizationPolicy`
- `MeshTLSAuthentication`
- `NetworkAuthentication`

This change introduces these CRDs to the default linkerd installation
(via the `linkerd-crds` chart) and updates the policy controller's
to handle these resource types. The policy admission controller
validates that these resource reference only suppported types.

This new functionality is tested at multiple levels:

* `linkerd-policy-controller-k8s-index` includes unit tests for the
  indexer to test how events update the index;
* `linkerd-policy-test` includes integration tests that run in-cluster
  to validate that the gRPC API updates as resources are manipulated;
* `linkerd-policy-test` includes integration tests that exercise the
  admission controller's resource validation; and
* `linkerd-policy-test` includes integration tests that ensure that
  proxies honor authorization resources.

This change does NOT update Linkerd's control plane and extensions to
use these new authorization primitives. Furthermore, the `linkerd` CLI
does not yet support inspecting these new resource types. These
enhancements will be made in followup changes.

Signed-off-by: Oliver Gould <ver@buoyant.io>
  • Loading branch information
@olix0r
olix0r committed Mar 29, 2022
1 parent 6602407 commit c773716
Show file tree
Hide file tree
Showing 54 changed files with 6,647 additions and 507 deletions.
3 changes: 3 additions & 0 deletions Cargo.lock
View file
Original file line number Diff line number Diff line change
Expand Up @@ -914,6 +914,7 @@ name = "linkerd-policy-controller"
version = "0.1.0"
dependencies = [
"anyhow",
"async-stream",
"async-trait",
"clap",
"drain",
Expand Down Expand Up @@ -958,6 +959,7 @@ dependencies = [
"futures",
"linkerd-policy-controller-core",
"linkerd2-proxy-api",
"maplit",
"tokio",
"tonic",
"tracing",
Expand Down Expand Up @@ -989,6 +991,7 @@ dependencies = [
"kubert",
"linkerd-policy-controller-core",
"linkerd-policy-controller-k8s-api",
"maplit",
"parking_lot",
"tokio",
"tokio-stream",
Expand Down
6 changes: 6 additions & 0 deletions charts/linkerd-control-plane/templates/destination-rbac.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,9 @@ webhooks:
apiGroups: ["policy.linkerd.io"]
apiVersions: ["v1alpha1", "v1beta1"]
resources:
- authorizationpolicies
- networkauthentications
- meshtlsauthentications
- serverauthorizations
- servers
sideEffects: None
Expand All @@ -190,6 +193,9 @@ rules:
- apiGroups:
- policy.linkerd.io
resources:
- authorizationpolicies
- meshtlsauthentications
- networkauthentications
- servers
- serverauthorizations
verbs:
Expand Down
95 changes: 95 additions & 0 deletions charts/linkerd-crds/templates/policy/authorization-policy.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: authorizationpolicies.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
Authorizes clients to communicate with Linkerd-proxied server resources.
type: object
required: [targetRef, requiredAuthenticationRefs]
properties:
targetRef:
description: >-
TargetRef references a resource to which the authorization policy applies.
type: object
required: [kind, name]
# Modified from the gateway API.
# Copyright 2020 The Kubernetes Authors
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
requiredAuthenticationRefs:
description: >-
RequiredAuthenticationRefs enumerates a set of required authentications
type: array
items:
type: object
required: [kind, name]
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified, this authentication
refers to the local namespace.
maxLength: 253
type: string
82 changes: 82 additions & 0 deletions charts/linkerd-crds/templates/policy/meshtls-authentication.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: meshtlsauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: MeshTLSAuthentication
plural: meshtlsauthentications
singular: meshtlsauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
MeshTLSAuthentication defines a list of authenticated client IDs
to be referenced by an `AuthenticationPolicy`.
type: object
oneOf:
- required: [identities]
- required: [identityRefs]
properties:
identities:
description: >-
Authorizes clients with the provided proxy identity strings (as provided via
MTLS)
The `*` prefix can be used to match all identities in
a domain. An identity string of `*` indicates that
all authentication clients are authorized.
type: array
items:
type: string
pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
identityRefs:
type: array
items:
type: object
required:
- kind
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent. When unspecified, this refers to all
resources of the specified Group and Kind in the specified namespace.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified, this authentication
refers to the local namespace.
maxLength: 253
type: string
50 changes: 50 additions & 0 deletions charts/linkerd-crds/templates/policy/network-authentication.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: NetworkAuthentication
plural: networkauthentications
singular: networkauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
NetworkAuthentication defines a list of authenticated client
networks to be referenced by an `AuthenticationPolicy`.
type: object
required: [networks]
properties:
networks:
type: array
items:
type: object
required: [cidr]
properties:
cidr:
description: >-
The CIDR of the network to be authorized.
type: string
except:
description: >-
A list of IP networks/addresses not to be included in the above `cidr`.
type: array
items:
type: string
3 changes: 3 additions & 0 deletions cli/cmd/install.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,9 @@ Otherwise, you can use the --ignore-cluster flag to overwrite the existing globa

var (
templatesCrdFiles = []string{
"templates/policy/authorization-policy.yaml",
"templates/policy/meshtls-authentication.yaml",
"templates/policy/network-authentication.yaml",
"templates/policy/server.yaml",
"templates/policy/server-authorization.yaml",
"templates/serviceprofile.yaml",
Expand Down
Loading

0 comments on commit c773716

Please sign in to comment.