This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

pkg/*: add api to list traffic targets composed of associated routes #2221

Merged
merged 2 commits into from
Dec 17, 2020

shashankram
Member

@shashankram shashankram commented Dec 17, 2020

Description:
Adds an API to retrieve a list of traffic target objects along
with their associated routes (limited to TCP). The traffic target
objects will be used to directly map to RBAC policies configured
on the upstream proxy.

This API will be leveraged to implement RBAC policies for TCP traffic.
For ex., the following TrafficTarget policy and TCPRoute will generate
an RBAC policy as seen below.

```
kind: TCPRoute
metadata:
  name: tcp-route
  namespace: default
spec:
  matches:
    ports:
    - 8080
---
kind: TrafficTarget
metadata:
  name: test
  namespace: default
spec:
  destination:
    kind: ServiceAccount
    name: sa-1
    namespace: default
  rules:
  - kind: TCPRoute
    name: tcp-route
  sources:
  - kind: ServiceAccount
    name: sa-2
    namespace: default
---
```

rbac_policy on proxy with identity `default/sa-1`

```
{
	{
		name: "test"
		principals: {"default/sa-2"},
		permissions: {destination_port: 8080},
	},
}
```

Part of #1521

Affected area:

  • New Functionality [X]
  • Documentation [ ]
  • Install [ ]
  • Control Plane [ ]
  • CLI Tool [ ]
  • Certificate Management [ ]
  • Networking [ ]
  • Metrics [ ]
  • SMI Policy [ ]
  • Security [ ]
  • Tests [ ]
  • CI System [ ]
  • Performance [ ]
  • Other [ ]

Please answer the following questions with yes/no.

  • Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?
    No

Adds an API to retrieve a list of traffic target objects along
with their associated routes (limited to TCP). The traffic target
objects will be used to directly map to RBAC policies configured
on the upstream proxy.

This API will be leveraged to implement RBAC policies for TCP traffic.
For ex., the following TrafficTarget policy and TCPRoute will generate
an RBAC policy as seen below.

```
kind: TCPRoute
metadata:
  name: tcp-route
  namespace: default
spec:
  matches:
    ports:
    - 8080
---
kind: TrafficTarget
metadata:
  name: test
  namespace: default
spec:
  destination:
    kind: ServiceAccount
    name: sa-1
    namespace: default
  rules:
  - kind: TCPRoute
    name: tcp-route
  sources:
  - kind: ServiceAccount
    name: sa-2
    namespace: default
---
```

rbac_policy on proxy with identity `default/sa-1`
```
{
	{
		name: "test"
		principals: {"default/sa-2"},
		permissions: {destination_port: 8080},
	},
}
```

Part of openservicemesh#1521

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
@shashankram shashankram marked this pull request as ready for review December 17, 2020 22:31
@shashankram shashankram requested a review from a team as a code owner December 17, 2020 22:31
@shashankram shashankram merged commit 85f8810 into openservicemesh:main Dec 17, 2020
@shashankram shashankram deleted the tcproute branch December 17, 2020 23:32
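
The mapping described in this pull request (TrafficTarget sources become principals, the ports of the referenced TCPRoutes become permissions, and the policy lands on the destination's proxy), as an added Go example that is not code from this PR or from OSM. The `Key`, `TrafficTarget` and `RBACPolicy` types and the `PoliciesFor` function are hypothetical simplifications, and rejecting a rule that names a missing TCPRoute is this example's assumption.

```go
package main

import "fmt"

// Key names a namespaced object; a simplified stand-in, not OSM's or SMI's types.
type Key struct{ Namespace, Name string }

type TrafficTarget struct {
	Key
	Destination Key
	Sources     []Key
	Rules       []string // TCPRoute names, resolved in the target's namespace
}

// RBACPolicy mirrors the shape of the rbac_policy in the description.
type RBACPolicy struct {
	Name       string
	Principals []string
	Ports      []int
}

// PoliciesFor builds the policies for the proxy whose identity is dst.
// Assumption: an unknown TCPRoute is an error, never an unrestricted policy.
func PoliciesFor(dst Key, targets []TrafficTarget, routes map[Key][]int) ([]RBACPolicy, error) {
	var out []RBACPolicy
	for _, t := range targets {
		if t.Destination != dst {
			continue // this policy belongs on another proxy
		}
		p := RBACPolicy{Name: t.Name}
		for _, s := range t.Sources {
			p.Principals = append(p.Principals, s.Namespace+"/"+s.Name)
		}
		for _, name := range t.Rules {
			ports, ok := routes[Key{t.Namespace, name}]
			if !ok {
				return nil, fmt.Errorf("%s/%s: TCPRoute %q not found", t.Namespace, t.Name, name)
			}
			p.Ports = append(p.Ports, ports...)
		}
		out = append(out, p)
	}
	return out, nil
}

func main() { // constructed input matching the YAML in the description
	sa1 := Key{"default", "sa-1"}
	tt := TrafficTarget{Key{"default", "test"}, sa1, []Key{{"default", "sa-2"}}, []string{"tcp-route"}}
	fmt.Println(PoliciesFor(sa1, []TrafficTarget{tt}, map[Key][]int{{"default", "tcp-route"}: {8080}}))
}
```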