Introduce AuthorizationPolicy CRDs #8007

Merged
merged 10 commits into from
Mar 30, 2022
Merged
3 changes: 3 additions & 0 deletions Cargo.lock
Expand Up @@ -914,6 +914,7 @@ name = "linkerd-policy-controller"
version = "0.1.0"
dependencies = [
"anyhow",
"async-stream",
"async-trait",
"clap",
"drain",
Expand Down Expand Up @@ -958,6 +959,7 @@ dependencies = [
"futures",
"linkerd-policy-controller-core",
"linkerd2-proxy-api",
"maplit",
"tokio",
"tonic",
"tracing",
Expand Down Expand Up @@ -989,6 +991,7 @@ dependencies = [
"kubert",
"linkerd-policy-controller-core",
"linkerd-policy-controller-k8s-api",
"maplit",
"parking_lot",
"tokio",
"tokio-stream",
Expand Up @@ -166,6 +166,9 @@ webhooks:
apiGroups: ["policy.linkerd.io"]
apiVersions: ["v1alpha1", "v1beta1"]
resources:
- authorizationpolicies
- networkauthentications
- meshtlsauthentications
- serverauthorizations
- servers
sideEffects: None
Expand All @@ -190,6 +193,9 @@ rules:
- apiGroups:
- policy.linkerd.io
resources:
- authorizationpolicies
- meshtlsauthentications
- networkauthentications
- servers
- serverauthorizations
verbs:
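Review bot: The two resource lists added in this file are in different orders — the webhook hunk lists `authorizationpolicies`, `networkauthentications`, `meshtlsauthentications` while the `rules:` hunk lists `authorizationpolicies`, `meshtlsauthentications`, `networkauthentications` — so a reader checking that the webhook and the RBAC rule cover exactly the same kinds has to cross-reference by hand. Sorting both lists alphabetically (the pre-existing `servers`/`serverauthorizations` pair is also ordered differently in the two hunks) keeps them diffable against each other and against the CRD files. The `verbs:` block under the rules hunk continues outside the hunk, so what the controller is granted on the new kinds cannot be confirmed from here.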
95 changes: 95 additions & 0 deletions charts/linkerd-crds/templates/policy/authorization-policy.yaml
@@ -0,0 +1,95 @@

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: authorizationpolicies.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: AuthorizationPolicy
plural: authorizationpolicies
singular: authorizationpolicy
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
Authorizes clients to communicate with Linkerd-proxied server resources.
type: object
required: [targetRef, requiredAuthenticationRefs]
properties:
targetRef:
description: >-
TargetRef references a resource to which the authorization policy applies.
type: object
required: [kind, name]
# Modified from the gateway API.
# Copyright 2020 The Kubernetes Authors
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred.
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
requiredAuthenticationRefs:
description: >-
RequiredAuthenticationRefs enumerates a set of required authentications
type: array
items:
type: object
required: [kind, name]
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified, this authentication
refers to the local namespace.
maxLength: 253
type: string
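Review bot: `requiredAuthenticationRefs` is declared `type: array` with no `minItems`, so the API server accepts `requiredAuthenticationRefs: []` and whether an empty list means "no authentication required" or "nothing is authorized" is left entirely to the controller, which is not visible in this file. For an authorization resource the schema should pin that down: add `minItems: 1` under `type: array` to reject the empty form at admission, or, if the empty form is intentional, extend the description to state what it means. Two smaller defects in the same file: the `group` description under `requiredAuthenticationRefs` ends with a stray quote (`group is inferred."`), and the `namespace` property's description reads `Name is the name of the referent.` where `Namespace is the namespace of the referent.` is meant. Both of those also appear in the `identityRefs` schema of the `meshtlsauthentications` CRD in this PR.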
@@ -0,0 +1,82 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: meshtlsauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: MeshTLSAuthentication
plural: meshtlsauthentications
singular: meshtlsauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
MeshTLSAuthentication defines a list of authenticated client IDs
to be referenced by an `AuthenticationPolicy`.
type: object
oneOf:
- required: [identities]
- required: [identityRefs]
properties:
identities:
description: >-
Authorizes clients with the provided proxy identity strings (as provided via
MTLS)

The `*` prefix can be used to match all identities in
a domain. An identity string of `*` indicates that
all authentication clients are authorized.
type: array
items:
type: string
pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
identityRefs:
type: array
items:
type: object
required:
- kind
properties:
group:
description: >-
Group is the group of the referent. When empty, the Kubernetes core API
group is inferred."
maxLength: 253
pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
kind:
description: >-
Kind is the kind of the referent.
maxLength: 63
minLength: 1
pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$
type: string
name:
description: >-
Name is the name of the referent. When unspecified, this refers to all
resources of the specified Group and Kind in the specified namespace.
maxLength: 253
minLength: 1
type: string
namespace:
description: >-
Name is the name of the referent. When unspecified, this authentication
refers to the local namespace.
maxLength: 253
type: string
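Review bot: The `spec` description says the list is "to be referenced by an `AuthenticationPolicy`", but the kind this PR introduces is `AuthorizationPolicy`; the same wrong name appears in the `spec` description of the `networkauthentications` CRD. `identityRefs` also has no `description` while its sibling `identities` does, which matters here because an `identityRefs` entry with `name` omitted matches every resource of the given Group and Kind in the namespace (per the `name` description) — the broadest form of the reference deserves a sentence at the property level, e.g. `description: >-` followed by `References resources whose mesh identities are authenticated; omitting name matches all resources of the given group and kind in the namespace.` (assuming that is the intended semantics, which the controller code would confirm). Minor style point: the `identities` pattern is single-quoted while the `group`/`kind` patterns are plain scalars; both parse the same, but one quoting style per file is easier to review.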
@@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: networkauthentications.policy.linkerd.io
annotations:
{{ include "partials.annotations.created-by" . }}
labels:
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
group: policy.linkerd.io
scope: Namespaced
names:
kind: NetworkAuthentication
plural: networkauthentications
singular: networkauthentication
shortNames: []
versions:
- name: v1alpha1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
NetworkAuthentication defines a list of authenticated client
networks to be referenced by an `AuthenticationPolicy`.
type: object
required: [networks]
properties:
networks:
type: array
items:
type: object
required: [cidr]
properties:
cidr:
description: >-
The CIDR of the network to be authorized.
type: string
except:
description: >-
A list of IP networks/addresses not to be included in the above `cidr`.
type: array
items:
type: string
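Review bot: `cidr` is declared only as `type: string` with no `pattern` or `format`, so a value that is not a CIDR is accepted at admission and can only be rejected later by the controller, in a way that is not visible in this file; the same applies to each `except` item. Either a pattern, or a `description` that states where invalid values are caught, would make failures visible at apply time instead of in controller logs — e.g. `description: >-` followed by `The CIDR of the network to be authorized (e.g. 10.0.0.0/8); values that do not parse as a CIDR are rejected by the policy controller.` (sample value and the controller claim to be confirmed against the controller code). `networks` itself has no `description` and no `minItems`, so `networks: []` is schema-valid; if an empty list is meant to authenticate nothing, saying so in the description removes the ambiguity.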
3 changes: 3 additions & 0 deletions cli/cmd/install.go
Expand Up @@ -61,6 +61,9 @@ Otherwise, you can use the --ignore-cluster flag to overwrite the existing globa

var (
templatesCrdFiles = []string{
"templates/policy/authorization-policy.yaml",
"templates/policy/meshtls-authentication.yaml",
"templates/policy/network-authentication.yaml",
"templates/policy/server.yaml",
"templates/policy/server-authorization.yaml",
"templates/serviceprofile.yaml",