-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Issue #7709 proposes new Custom Resource types to support generalized authorization policies: - `AuthorizationPolicy` - `MeshTLSAuthentication` - `NetworkAuthentication` This change introduces these CRDs to the default linkerd installation (via the `linkerd-crds` chart) and updates the policy controller's to handle these resource types. The policy admission controller validates that these resource reference only suppported types. This new functionality is tested at multiple levels: * `linkerd-policy-controller-k8s-index` includes unit tests for the indexer to test how events update the index; * `linkerd-policy-test` includes integration tests that run in-cluster to validate that the gRPC API updates as resources are manipulated; * `linkerd-policy-test` includes integration tests that exercise the admission controller's resource validation; and * `linkerd-policy-test` includes integration tests that ensure that proxies honor authorization resources. This change does NOT update Linkerd's control plane and extensions to use these new authorization primitives. Furthermore, the `linkerd` CLI does not yet support inspecting these new resource types. These enhancements will be made in followup changes. Signed-off-by: Oliver Gould <ver@buoyant.io>
- Loading branch information
Showing
54 changed files
with
6,655 additions
and
514 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
95 changes: 95 additions & 0 deletions
95
charts/linkerd-crds/templates/policy/authorization-policy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
|
|
||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: authorizationpolicies.policy.linkerd.io | ||
| annotations: | ||
| {{ include "partials.annotations.created-by" . }} | ||
| labels: | ||
| helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} | ||
| linkerd.io/control-plane-ns: {{.Release.Namespace}} | ||
| spec: | ||
| group: policy.linkerd.io | ||
| scope: Namespaced | ||
| names: | ||
| kind: AuthorizationPolicy | ||
| plural: authorizationpolicies | ||
| singular: authorizationpolicy | ||
| shortNames: [] | ||
| versions: | ||
| - name: v1alpha1 | ||
| served: true | ||
| storage: true | ||
| schema: | ||
| openAPIV3Schema: | ||
| type: object | ||
| required: [spec] | ||
| properties: | ||
| spec: | ||
| description: >- | ||
| Authorizes clients to communicate with Linkerd-proxied server resources. | ||
| type: object | ||
| required: [targetRef, requiredAuthenticationRefs] | ||
| properties: | ||
| targetRef: | ||
| description: >- | ||
| TargetRef references a resource to which the authorization policy applies. | ||
| type: object | ||
| required: [kind, name] | ||
| # Modified from the gateway API. | ||
| # Copyright 2020 The Kubernetes Authors | ||
| properties: | ||
| group: | ||
| description: >- | ||
| Group is the group of the referent. When empty, the Kubernetes core API | ||
| group is inferred. | ||
| maxLength: 253 | ||
| pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| type: string | ||
| kind: | ||
| description: >- | ||
| Kind is the kind of the referent. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ | ||
| type: string | ||
| name: | ||
| description: Name is the name of the referent. | ||
| maxLength: 253 | ||
| minLength: 1 | ||
| type: string | ||
| requiredAuthenticationRefs: | ||
| description: >- | ||
| RequiredAuthenticationRefs enumerates a set of required authentications | ||
| type: array | ||
| items: | ||
| type: object | ||
| required: [kind, name] | ||
| properties: | ||
| group: | ||
| description: >- | ||
| Group is the group of the referent. When empty, the Kubernetes core API | ||
| group is inferred." | ||
| maxLength: 253 | ||
| pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| type: string | ||
| kind: | ||
| description: >- | ||
| Kind is the kind of the referent. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ | ||
| type: string | ||
| name: | ||
| description: >- | ||
| Name is the name of the referent. | ||
| maxLength: 253 | ||
| minLength: 1 | ||
| type: string | ||
| namespace: | ||
| description: >- | ||
| Name is the name of the referent. When unspecified, this authentication | ||
| refers to the local namespace. | ||
| maxLength: 253 | ||
| type: string |
82 changes: 82 additions & 0 deletions
82
charts/linkerd-crds/templates/policy/meshtls-authentication.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: meshtlsauthentications.policy.linkerd.io | ||
| annotations: | ||
| {{ include "partials.annotations.created-by" . }} | ||
| labels: | ||
| helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} | ||
| linkerd.io/control-plane-ns: {{.Release.Namespace}} | ||
| spec: | ||
| group: policy.linkerd.io | ||
| scope: Namespaced | ||
| names: | ||
| kind: MeshTLSAuthentication | ||
| plural: meshtlsauthentications | ||
| singular: meshtlsauthentication | ||
| shortNames: [] | ||
| versions: | ||
| - name: v1alpha1 | ||
| served: true | ||
| storage: true | ||
| schema: | ||
| openAPIV3Schema: | ||
| type: object | ||
| required: [spec] | ||
| properties: | ||
| spec: | ||
| description: >- | ||
| MeshTLSAuthentication defines a list of authenticated client IDs | ||
| to be referenced by an `AuthenticationPolicy`. | ||
| type: object | ||
| oneOf: | ||
| - required: [identities] | ||
| - required: [identityRefs] | ||
| properties: | ||
| identities: | ||
| description: >- | ||
| Authorizes clients with the provided proxy identity strings (as provided via | ||
| MTLS) | ||
| The `*` prefix can be used to match all identities in | ||
| a domain. An identity string of `*` indicates that | ||
| all authentication clients are authorized. | ||
| type: array | ||
| items: | ||
| type: string | ||
| pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' | ||
| identityRefs: | ||
| type: array | ||
| items: | ||
| type: object | ||
| required: | ||
| - kind | ||
| properties: | ||
| group: | ||
| description: >- | ||
| Group is the group of the referent. When empty, the Kubernetes core API | ||
| group is inferred." | ||
| maxLength: 253 | ||
| pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ | ||
| type: string | ||
| kind: | ||
| description: >- | ||
| Kind is the kind of the referent. | ||
| maxLength: 63 | ||
| minLength: 1 | ||
| pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ | ||
| type: string | ||
| name: | ||
| description: >- | ||
| Name is the name of the referent. When unspecified, this refers to all | ||
| resources of the specified Group and Kind in the specified namespace. | ||
| maxLength: 253 | ||
| minLength: 1 | ||
| type: string | ||
| namespace: | ||
| description: >- | ||
| Name is the name of the referent. When unspecified, this authentication | ||
| refers to the local namespace. | ||
| maxLength: 253 | ||
| type: string |
50 changes: 50 additions & 0 deletions
50
charts/linkerd-crds/templates/policy/network-authentication.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| name: networkauthentications.policy.linkerd.io | ||
| annotations: | ||
| {{ include "partials.annotations.created-by" . }} | ||
| labels: | ||
| helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} | ||
| linkerd.io/control-plane-ns: {{.Release.Namespace}} | ||
| spec: | ||
| group: policy.linkerd.io | ||
| scope: Namespaced | ||
| names: | ||
| kind: NetworkAuthentication | ||
| plural: networkauthentications | ||
| singular: networkauthentication | ||
| shortNames: [] | ||
| versions: | ||
| - name: v1alpha1 | ||
| served: true | ||
| storage: true | ||
| schema: | ||
| openAPIV3Schema: | ||
| type: object | ||
| required: [spec] | ||
| properties: | ||
| spec: | ||
| description: >- | ||
| NetworkAuthentication defines a list of authenticated client | ||
| networks to be referenced by an `AuthenticationPolicy`. | ||
| type: object | ||
| required: [networks] | ||
| properties: | ||
| networks: | ||
| type: array | ||
| items: | ||
| type: object | ||
| required: [cidr] | ||
| properties: | ||
| cidr: | ||
| description: >- | ||
| The CIDR of the network to be authorized. | ||
| type: string | ||
| except: | ||
| description: >- | ||
| A list of IP networks/addresses not to be included in the above `cidr`. | ||
| type: array | ||
| items: | ||
| type: string |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.