[WIP] Document authorization policies using Service Mesh #96
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: pierDipi. Needs approval from an approver in each of these files.
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
f7a9f0d to 0cbd988
namespace: knative-eventing
spec: { } <1>
----
<1> Disallow any operations to every workload that is part of the service mesh in the `knative-eventing` namespace.
I like the flow of denying anything and then opening it up.
paths: [ "/authz-tests/*" ] <3>
----
<1> Allow workloads in the `authz-tests` namespace
<2> To post events to Knative brokers in the `authz-tests` namespace.
should we say that this is only true for the MT-Channel-based broker? (instead of generic Knative Brokers):
Sure
$ oc apply -f <filename>
----
. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow `mt-broker-ingress` in
this all seems to render as bold?
I don't know it looks fine on the website preview https://deploy-preview-96--jazzy-shortbread-5f62b7.netlify.app/docs/latest/serverless-eventing/service-mesh/eventing-service-mesh-mt-channel-based-broker-authorization:
post events to a Knative Broker with class MTChannelBasedBroker.

. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow pods
in the `authz-tests` namespace to send events to Knative Brokers in the same `authz-tests` namespace:
> to allow pods in the `authz-tests` namespace

should we clarify this is for all pods? E.g. not just the container source image/pod?
----

. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow `mt-broker-ingress` in
the `knative-eventing` namespace to post events to the `InMemoryChannel` dispatcher:
I may overthink here.
But perhaps some may wonder on why the ingress posts to the dispatcher?
I think I can add a little sentence
. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow `imc-dispatcher` in
the `knative-eventing` namespace to post events to the `mt-broker-filter`:
I guess same as above, but I am not really sure if this doc needs to explain all in depth :-)
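The comments above ask why the ingress posts to the dispatcher and why the dispatcher posts to the filter. The reason is the hop-by-hop data path of the MT channel-based Broker: a source POSTs to `mt-broker-ingress`, the ingress forwards to the `InMemoryChannel` dispatcher (`imc-dispatcher`), the dispatcher delivers to `mt-broker-filter`, and the filter delivers to the subscriber. Once an empty-spec policy denies everything in `knative-eventing`, each hop inside that namespace needs its own `AuthorizationPolicy`. The following manifest is an added example written for this review, not the text of the PR under review or of the Knative project: the pod labels used in the selectors (`eventing.knative.dev/brokerRole`, `messaging.knative.dev/role`) and the service account names used in `principals` are assumptions and must be checked against the live cluster (`oc get pods -n knative-eventing --show-labels`, `oc get sa -n knative-eventing`) before the policies are applied.

```yaml
# Added example (not the PR's own documentation). Istio evaluation order:
# a matching DENY policy rejects the request; otherwise, if any ALLOW policy
# selects the workload, the request is allowed only when one of them matches.
# The empty-spec policy below is an ALLOW policy with no rules, so it turns
# every workload in knative-eventing into "deny unless explicitly allowed".
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: knative-eventing
spec: {}                      # matches every mesh workload in the namespace, allows nothing
---
# Hop 1: pods in authz-tests -> mt-broker-ingress.
# The ingress path is /<broker-namespace>/<broker-name>, so restricting paths
# to /authz-tests/* limits the caller to Brokers in its own namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-authz-tests-to-broker-ingress
  namespace: knative-eventing
spec:
  action: ALLOW
  selector:
    matchLabels:
      eventing.knative.dev/brokerRole: ingress   # ASSUMPTION: label of mt-broker-ingress pods
  rules:
    - from:
        - source:
            namespaces: ["authz-tests"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/authz-tests/*"]
---
# Hop 2: mt-broker-ingress -> imc-dispatcher.
# `principals` are SPIFFE identities and only match over mTLS; if the mesh is
# not in mTLS mode, fall back to `namespaces: ["knative-eventing"]` (broader).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-broker-ingress-to-imc-dispatcher
  namespace: knative-eventing
spec:
  action: ALLOW
  selector:
    matchLabels:
      messaging.knative.dev/role: dispatcher     # ASSUMPTION: label of imc-dispatcher pods
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/knative-eventing/sa/mt-broker-ingress"]  # ASSUMPTION: SA name
      to:
        - operation:
            methods: ["POST"]
---
# Hop 3: imc-dispatcher -> mt-broker-filter.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-imc-dispatcher-to-broker-filter
  namespace: knative-eventing
spec:
  action: ALLOW
  selector:
    matchLabels:
      eventing.knative.dev/brokerRole: filter    # ASSUMPTION: label of mt-broker-filter pods
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/knative-eventing/sa/imc-dispatcher"]     # ASSUMPTION: SA name
      to:
        - operation:
            methods: ["POST"]
```

Apply the manifest with `oc apply -f <filename>` and expect a request from a pod outside `authz-tests`, or to a Broker in another namespace, to be rejected by the ingress sidecar with HTTP 403 while the heartbeat source in `authz-tests` keeps delivering. The last hop, `mt-broker-filter` delivering to the subscriber, is governed by policies in the subscriber's namespace, so a deny-all policy there needs a matching allow rule for the filter's identity as well.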
.Verification

You can verify that the events were sent to the Knative event sink by looking at the message dumper function logs.
I really like the E2E example, and the detailed configuration example here for patching/configuring all the components needed, in order to make this work
Overall, looks good to me! I have just some minor nits. And I haven't tested this myself.
:description: Access control for Knative Brokers with {SMProductName}

By default, every workload is allowed to send events to a Knative Broker, with {SMProductName}, we can
apply policies to control who can post events to Knative brokers.
Suggested change:
- apply policies to control who can post events to Knative brokers.
+ apply policies to control who can post events to Knative Brokers.
+
we have denied access to every workload to the knative-eventing namespace, which disallows the
`ContainerSource` `heartbeat-source-mt-channel-based-broker` to send events to the Knative `Broker`
Suggested change:
- `ContainerSource` `heartbeat-source-mt-channel-based-broker` to send events to the Knative `Broker`
+ ContainerSource `heartbeat-source-mt-channel-based-broker` to send events to the Knative Broker
Not sure about this but highlighting also the type (ContainerSource) in the same way as the name looks strange.
Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
64bc4e3 to 75961a7
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Done in #97
Based on #95