Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce AuthorizationPolicy CRDs #8007

Merged
merged 10 commits into from
Mar 30, 2022
Merged

Introduce AuthorizationPolicy CRDs #8007

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
c773716
Introduce AuthorizationPolicy CRDs
olix0r Mar 29, 2022
187074a
Remove unneeded async-stream dependency
olix0r Mar 30, 2022
a82bde1
-ws
olix0r Mar 30, 2022
993fd41
Merge branch 'main' into ver/authz-crd
olix0r Mar 30, 2022
5527ad3
golden
olix0r Mar 30, 2022
988b290
fixup comment
olix0r Mar 30, 2022
4ceea5f
Update CRD descriptions to clarify authentication requirements
olix0r Mar 30, 2022
5720c30
fixup/wrap descriptions
olix0r Mar 30, 2022
2752428
Make e2e test names uniform
olix0r Mar 30, 2022
4fc3e7e
tests: Increase timeouts from 60s to 120s; delete pods after exit sta…
olix0r Mar 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Cargo.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -958,6 +958,7 @@ dependencies = [
"futures",
"linkerd-policy-controller-core",
"linkerd2-proxy-api",
"maplit",
"tokio",
"tonic",
"tracing",
Expand Down Expand Up @@ -989,6 +990,7 @@ dependencies = [
"kubert",
"linkerd-policy-controller-core",
"linkerd-policy-controller-k8s-api",
"maplit",
"parking_lot",
"tokio",
"tokio-stream",
Expand Down
6 changes: 6 additions & 0 deletions charts/linkerd-control-plane/templates/destination-rbac.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -166,6 +166,9 @@ webhooks:
apiGroups: ["policy.linkerd.io"]
apiVersions: ["v1alpha1", "v1beta1"]
resources:
- authorizationpolicies
- networkauthentications
- meshtlsauthentications
- serverauthorizations
- servers
sideEffects: None
Expand All @@ -190,6 +193,9 @@ rules:
- apiGroups:
- policy.linkerd.io
resources:
- authorizationpolicies
- meshtlsauthentications
- networkauthentications
- servers
- serverauthorizations
verbs:
Expand Down
99 changes: 99 additions & 0 deletions charts/linkerd-crds/templates/policy/authorization-policy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: authorizationpolicies.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
Authorizes clients to communicate with Linkerd-proxied server
resources.
type: object
required: [targetRef, requiredAuthenticationRefs]
properties:
targetRef:
olix0r marked this conversation as resolved.
Show resolved Hide resolved
description: >-
TargetRef references a resource to which the authorization
policy applies.
type: object
required: [kind, name]
# Modified from the gateway API.
# Copyright 2020 The Kubernetes Authors
properties:
group:
description: >-
Group is the group of the referent. When empty, the
Kubernetes core API group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
requiredAuthenticationRefs:
description: >-
RequiredAuthenticationRefs enumerates a set of required
authentications. ALL authentications must be satisfied for
the authorization to apply. If any of the referred objects
cannot be found, the authorization will be ignored.
type: array
items:
type: object
required: [kind, name]
properties:
group:
description: >-
Group is the group of the referent. When empty, the
Kubernetes core API group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified,
this authentication refers to the local namespace.
maxLength: 253
type: string
86 changes: 86 additions & 0 deletions charts/linkerd-crds/templates/policy/meshtls-authentication.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: meshtlsauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: MeshTLSAuthentication
plural: meshtlsauthentications
singular: meshtlsauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
MeshTLSAuthentication defines a list of authenticated client IDs
to be referenced by an `AuthorizationPolicy`. If a client
connection has the mutually-authenticated identity that matches
ANY of the of the provided identities, the connection is
considered authenticated.
type: object
oneOf:
- required: [identities]
- required: [identityRefs]
properties:
identities:
description: >-
Authorizes clients with the provided proxy identity strings
(as provided via MTLS)
The `*` prefix can be used to match all identities in
a domain. An identity string of `*` indicates that
all authentication clients are authorized.
type: array
items:
type: string
pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
identityRefs:
type: array
items:
type: object
required:
- kind
properties:
group:
description: >-
Group is the group of the referent. When empty, the
Kubernetes core API group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent. When unspecified,
this refers to all resources of the specified Group
and Kind in the specified namespace.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified,
this authentication refers to the local namespace.
maxLength: 253
type: string
53 changes: 53 additions & 0 deletions charts/linkerd-crds/templates/policy/network-authentication.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: NetworkAuthentication
plural: networkauthentications
singular: networkauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
NetworkAuthentication defines a list of authenticated client
networks to be referenced by an `AuthorizationPolicy`. If a
client connection originates from ANY of the of the provided
networks, the connection is considered authenticated.
type: object
required: [networks]
properties:
networks:
type: array
items:
type: object
required: [cidr]
properties:
cidr:
description: >-
The CIDR of the network to be authorized.
type: string
except:
description: >-
A list of IP networks/addresses not to be included in
the above `cidr`.
type: array
items:
type: string
3 changes: 3 additions & 0 deletions cli/cmd/install.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,9 @@ Otherwise, you can use the --ignore-cluster flag to overwrite the existing globa

var (
templatesCrdFiles = []string{
"templates/policy/authorization-policy.yaml",
"templates/policy/meshtls-authentication.yaml",
"templates/policy/network-authentication.yaml",
"templates/policy/server.yaml",
"templates/policy/server-authorization.yaml",
"templates/serviceprofile.yaml",
Expand Down
Loading