Introduce AuthorizationPolicy CRDs #8007
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
olix0r
force-pushed
the
ver/authz-crd
branch
30 times, most recently
from
9aac732 to
8fb5b02
Compare
olix0r
added a commit
that referenced
this pull request
Mar 16, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Mar 16, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
commented
Mar 29, 2022
Issue #7709 proposes new Custom Resource types to support generalized authorization policies: - `AuthorizationPolicy` - `MeshTLSAuthentication` - `NetworkAuthentication` This change introduces these CRDs to the default linkerd installation (via the `linkerd-crds` chart) and updates the policy controller's to handle these resource types. The policy admission controller validates that these resource reference only suppported types. This new functionality is tested at multiple levels: * `linkerd-policy-controller-k8s-index` includes unit tests for the indexer to test how events update the index; * `linkerd-policy-test` includes integration tests that run in-cluster to validate that the gRPC API updates as resources are manipulated; * `linkerd-policy-test` includes integration tests that exercise the admission controller's resource validation; and * `linkerd-policy-test` includes integration tests that ensure that proxies honor authorization resources. This change does NOT update Linkerd's control plane and extensions to use these new authorization primitives. Furthermore, the `linkerd` CLI does not yet support inspecting these new resource types. These enhancements will be made in followup changes. Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
commented
Mar 29, 2022
adleong
approved these changes
Mar 30, 2022
Signed-off-by: Oliver Gould <ver@buoyant.io>
kleimkuhler
approved these changes
Mar 30, 2022
| .filter(|authn| authn.targets_kind::<MeshTLSAuthentication>()) | ||
| .count(); | ||
| if mtls_authns_count > 1 { | ||
| bail!("only a single MeshTLSAuthentication may be set"); |
There was a problem hiding this comment.
This makes sense but was not immediately obvious. I don't think it's a lack of documentation, more just leaving this comment as an explanation to myself. In order for multiple identities to be authorized by an AuthorizationPolicy, we only can select at most one MeshTLSAuthentication. This MeshTLSAuthentication can select multiple identities though, so all those identities will be authorized clients to whatever the targetRef is.
Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Oliver Gould <ver@buoyant.io>
…tus detected to free resources Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Mar 31, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Mar 31, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Apr 7, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
that referenced
this pull request
Apr 8, 2022
`ServerAuthorization` resources are not validated by the admission controller. This change enables validation for `ServerAuthorization` resources, based on changes to the admission controller proposed as a part of #8007. This admission controller is generalized to support arbitrary resource types. The `ServerAuthoriation` validation currently only ensures that network blocks are valid CIDRs and that they are coherent. We use the new _schemars_ feature of `ipnet` v2.4.0 to support using IpNet data structures directly in the custom resource type bindings. This change also adds an integration test to validate that the admission controller behaves as expected. Signed-off-by: Oliver Gould <ver@buoyant.io> (cherry picked from commit c445c72) Signed-off-by: Oliver Gould <ver@buoyant.io>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #7709 proposes new Custom Resource types to support generalized
authorization policies:
AuthorizationPolicyMeshTLSAuthenticationNetworkAuthenticationThis change introduces these CRDs to the default linkerd installation
(via the
linkerd-crdschart) and updates the policy controller'sto handle these resource types. The policy admission controller
validates that these resource reference only suppported types.
This new functionality is tested at multiple levels:
linkerd-policy-controller-k8s-indexincludes unit tests for theindexer to test how events update the index;
linkerd-policy-testincludes integration tests that run in-clusterto validate that the gRPC API updates as resources are manipulated;
linkerd-policy-testincludes integration tests that exercise theadmission controller's resource validation; and
linkerd-policy-testincludes integration tests that ensure thatproxies honor authorization resources.
This change does NOT update Linkerd's control plane and extensions to
use these new authorization primitives. Furthermore, the
linkerdCLIdoes not yet support inspecting these new resource types. These
enhancements will be made in followup changes.