diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc
index 68c6a652..8ae07783 100644
--- a/modules/ROOT/nav.adoc
+++ b/modules/ROOT/nav.adoc
@@ -4,6 +4,9 @@
 *** xref:serverless-eventing:service-mesh/eventing-service-mesh-setup.adoc[Setup Eventing with OpenShift Service Mesh]
 *** xref:serverless-eventing:service-mesh/eventing-service-mesh-containersource.adoc[Using ContainerSource with OpenShift Service Mesh]
 *** xref:serverless-eventing:service-mesh/eventing-service-mesh-sinkbinding.adoc[Using SinkBinding with OpenShift Service Mesh]
+*** xref:serverless-eventing:service-mesh/eventing-service-mesh-mt-channel-based-broker-authorization.adoc[Access control for Knative Broker with class MTChannelBasedBroker using OpenShift Service Mesh]
+*** xref:serverless-eventing:service-mesh/eventing-service-mesh-kafka-broker-authorization.adoc[Access control for Knative Broker with class Kafka using OpenShift Service Mesh]
+*** xref:serverless-eventing:service-mesh/eventing-service-mesh-kafka-channel-authorization.adoc[Access control for Knative Channel for Apache Kafka using OpenShift Service Mesh]
 * Serverless Logic
 ** xref:serverless-logic:about.adoc[About OpenShift Serverless Logic]
 ** User Guides
diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-broker-authorization.adoc b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-broker-authorization.adoc
new file mode 100644
index 00000000..31f400af
--- /dev/null
+++ b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-broker-authorization.adoc
@@ -0,0 +1,345 @@ += Access control for Knative Broker with class Kafka using {SMProductName} +:compat-mode!: +// Metadata: +:description: Access control for Knative Broker with class Kafka using {SMProductName} + +By default, every workload is allowed to send events to a Knative Broker, with {SMProductName}, we can +apply policies to control who can post events to Knative brokers for Apache Kafka. + +.Prerequisites + +* You have followed the setup {SMProductShortName} with {ServerlessProductName} procedure. + +.Setup procedure + +. Create a `Broker` with class `Kafka` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: eventing.knative.dev/v1 +kind: Broker +metadata: + name: kafka-broker-br + namespace: authz-tests <1> + annotations: + eventing.knative.dev/broker.class: Kafka +spec: + config: + apiVersion: v1 + kind: ConfigMap + name: kafka-broker-config + namespace: knative-eventing +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. + +. Apply the `Broker` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a `ContainerSource` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: heartbeat-source-kafka-broker + namespace: authz-tests <1> +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: 'true' <2> + spec: + containers: + - image: quay.io/openshift-knative/heartbeats + name: heartbeats + args: + - --period=1 + env: + - name: POD_NAME + value: "mypod" + - name: POD_NAMESPACE + value: "authz-tests" + sink: + ref: + apiVersion: eventing.knative.dev/v1 + kind: Broker + name: kafka-broker-br +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the `ContainerSource` pods. + +. Apply the `ContainerSource` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. 
Create a consumer service, consisting of `Trigger`, `Service`, and `Pod`, in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: eventing.knative.dev/v1 +kind: Trigger +metadata: + name: kafka-broker-tr + namespace: authz-tests <1> +spec: + broker: kafka-broker-br + subscriber: + ref: + apiVersion: v1 + kind: Service + name: event-display +--- +apiVersion: v1 +kind: Service +metadata: + name: event-display + namespace: authz-tests <1> +spec: + selector: + app: event-display + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: event-display + namespace: authz-tests <1> + annotations: + sidecar.istio.io/inject: 'true' <2> + labels: + app: event-display +spec: + containers: + - name: event-display + image: quay.io/openshift-knative/knative-eventing-sources-event-display + ports: + - containerPort: 8080 +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the pod. + +. Apply the consumer service resources: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Securing access to the Knative broker for Apache Kafka + +By default, every workload is allowed to send events to a Knative broker, with {SMProductName}, we can +apply a policy to deny posting events by default. + +.Apply a deny by default authorization policy + +. Create a deny by default `AuthorizationPolicy` in the `knative-eventing` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } <1> +---- +<1> Disallow any operations to every workload that is part of the service mesh in the `knative-eventing` namespace. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. 
Verify access is denied + ++ +we have denied access to every workload to the knative-eventing namespace, which disallows the +`ContainerSource` `heartbeat-source-kafka-broker` to send events to the Knative `Broker` +`kafka-broker-br`, therefore, we should see the following lines in the `heartbeats` pods: + ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep heartbeat-source-kafka-broker) -c heartbeats -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +2023/06/13 10:17:04 sending cloudevent to http://kafka-broker-ingress.knative-eventing.svc.cluster.local/authz-tests/kafka-broker-br +2023/06/13 10:17:04 failed to send cloudevent: 403: +2023/06/13 10:17:05 sending cloudevent to http://kafka-broker-ingress.knative-eventing.svc.cluster.local/authz-tests/kafka-broker-br +2023/06/13 10:17:05 failed to send cloudevent: 403: +---- + +.Authorize Knative Kafka controller to probe Knative Kafka resources + +The `kafka-controller` component probes Knative resources for readiness, so that it +can report and mark them as `Ready` when they are actually ready to serve requests. + +Probes are HTTP(S) GET requests sent from the `kafka-controller` to the data plane pods, including: +`kafka-broker-receiver`, `kafka-channel-receiver`, and `kafka-sink-receiver`. + +To authorize the `kafka-controller` to send probe requests, we can: + +. 
Create `AuthorizationPolicy` in the `knative-eventing` namespace to allow Knative Kafka controller +in the `knative-eventing` namespace to probe for readiness Knative Kafka resources: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-broker-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" <2> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <2> + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-sink-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" <3> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <3> + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" <4> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <4> + - operation: + methods: [ "GET" ] +---- +<1> Allow the Knative Kafka controller +<2> To probe the Knative Kafka Broker receiver +<3> To probe the Knative Kafka Sink receiver +<4> To probe the Knative Kafka Channel receiver + +. 
Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Authorize source to post events to Knative broker for Apache Kafka + +In the previous section, we denied access to Knative Eventing workloads, we can now grant permissions to +post events to a Knative Broker with class Kafka: + +. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow pods +in the `authz-tests` namespace to send events to Knative Brokers in the same `authz-tests` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-authz-tests-kafka-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" <2> + rules: + - from: <1> + - source: + namespaces: [ "authz-tests" ] + to: <2> + - operation: + methods: [ "POST" ] + paths: [ "/authz-tests/*" ] <3> +---- +<1> Allow workloads in the `authz-tests` namespace +<2> To post events to Knative brokers in the `authz-tests` namespace. +<3> Knative Broker with class `Kafka` accepts events on HTTP path following the pattern: `//`. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Verification + +You can verify that the events were sent to the Knative event sink by looking at the message dumper function logs. + +. 
Enter the command: ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep event-display) -c event-display -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +# TODO: fix output +☁️ cloudevents.Event +Validation: valid +Context Attributes, + specversion: 1.0 + type: dev.knative.eventing.samples.heartbeat + source: https://knative.dev/eventing-contrib/cmd/heartbeats/#authz-tests/mypod + id: 2b72d7bf-c38f-4a98-a433-608fbcdd2596 + time: 2019-10-18T15:23:20.809775386Z + contenttype: application/json +Extensions, + beats: true + heart: yes + the: 42 +Data, + { + "id": 1, + "label": "" + } +---- diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-channel-authorization.adoc b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-channel-authorization.adoc new file mode 100644 index 00000000..baa143ba --- /dev/null +++ b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-kafka-channel-authorization.adoc 
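Review bot: Callout `<3>` of the "Authorize source" step reads "accepts events on HTTP path following the pattern: `//`", so the namespace and broker-name placeholders are missing from the text; the same gap appears in the MTChannelBasedBroker page (`//`) and in the Kafka channel page (`..svc.`). If angle-bracket placeholders were lost on the way in, write them in a form AsciiDoc keeps, for example `/<namespace>/<broker-name>` here and `<channel-name>.<namespace>.svc.<cluster-domain>` on the channel page. The final `.Example output` block still contains the line `# TODO: fix output`, and the same marker is left in both example outputs of the Kafka channel page; these should be regenerated and the marker removed before publishing. The `principals` and `namespaces` source matches used by `allow-probe-*` and `allow-authz-tests-kafka-broker` are derived from the peer certificate, so they only match when the calling pods (`kafka-controller`, the `heartbeats` source) run a sidecar and the connection is mTLS; one sentence under `.Prerequisites` stating this would save readers an otherwise unexplained 403.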
@@ -0,0 +1,348 @@ += Access control for Knative channel for Apache Kafka using {SMProductName} +:compat-mode!: +// Metadata: +:description: Access control for Knative channel for Apache Kafka using {SMProductName} + +By default, every workload is allowed to send events to a Knative channel, with {SMProductName}, we can +apply policies to control who can post events to Knative channels for Apache Kafka. + +.Prerequisites + +* You have followed the setup {SMProductShortName} with {ServerlessProductName} procedure. + +.Setup procedure + +. Create a `KafkaChannel` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: messaging.knative.dev/v1beta1 +kind: KafkaChannel +metadata: + name: kafka-channel + namespace: authz-tests <1> +spec: + numPartitions: 10 + replicationFactor: 3 + delivery: + retry: 12 + backoffPolicy: exponential + backoffDelay: PT1S +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. + +. Apply the `KafkaChannel` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a `ContainerSource` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: heartbeat-source-kafka-channel + namespace: authz-tests <1> +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: 'true' <2> + spec: + containers: + - image: quay.io/openshift-knative/heartbeats + name: heartbeats + args: + - --period=1 + env: + - name: POD_NAME + value: "mypod-channel" + - name: POD_NAMESPACE + value: "authz-tests" + sink: + ref: + apiVersion: messaging.knative.dev/v1beta1 + kind: KafkaChannel + name: kafka-channel +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the `ContainerSource` pods. + +. Apply the `ContainerSource` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. 
Create a consumer service, consisting of `Subscription`, `Service`, and `Pod`, in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: messaging.knative.dev/v1 +kind: Subscription +metadata: + name: subscription + namespace: authz-tests <1> +spec: + channel: + apiVersion: messaging.knative.dev/v1beta1 + kind: KafkaChannel + name: kafka-channel + subscriber: + ref: + apiVersion: v1 + kind: Service + name: event-display +--- +apiVersion: v1 +kind: Service +metadata: + name: event-display + namespace: authz-tests <1> +spec: + selector: + app: event-display + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: event-display + namespace: authz-tests <1> + annotations: + sidecar.istio.io/inject: 'true' <2> + labels: + app: event-display +spec: + containers: + - name: event-display + image: quay.io/openshift-knative/knative-eventing-sources-event-display + ports: + - containerPort: 8080 +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the pod. + +. Apply the consumer service resources: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Securing access to the Knative channel for Apache Kafka + +By default, every workload is allowed to send events to a Knative channel, with {SMProductName}, we can +apply a policy to deny posting events by default. + +.Apply a deny by default authorization policy + +. Create a deny by default `AuthorizationPolicy` in the `knative-eventing` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } <1> +---- +<1> Disallow any operations to every workload that is part of the service mesh in the `knative-eventing` namespace. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. 
Verify access is denied + ++ +we have denied access to every workload to the knative-eventing namespace, which disallows the +`ContainerSource` `heartbeat-source-kafka-channel` to send events to the Knative `KafkaChannel` +`kafka-channel`, therefore, we should see the following lines in the `heartbeats` pods: + ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep heartbeat-source-kafka-channel) -c heartbeats -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +# TODO: fix output +2023/06/13 10:17:04 sending cloudevent to http://kafka-channel-ingress.knative-eventing.svc.cluster.local/authz-tests/kafka-broker-br +2023/06/13 10:17:04 failed to send cloudevent: 403: +2023/06/13 10:17:05 sending cloudevent to http://kafka-broker-ingress.knative-eventing.svc.cluster.local/authz-tests/kafka-broker-br +2023/06/13 10:17:05 failed to send cloudevent: 403: +---- + +.Authorize Knative Kafka controller to probe Knative Kafka resources + +The `kafka-controller` component probes Knative resources for readiness, so that it +can report and mark them as `Ready` when they are actually ready to serve requests. + +Probes are HTTP(S) GET requests sent from the `kafka-controller` to the data plane pods, including: +`kafka-broker-receiver`, `kafka-channel-receiver`, and `kafka-sink-receiver`. + +To authorize the `kafka-controller` to send probe requests, we can: + +. 
Create `AuthorizationPolicy` in the `knative-eventing` namespace to allow Knative Kafka controller +in the `knative-eventing` namespace to probe for readiness Knative Kafka resources: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-broker-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" <2> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <2> + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-sink-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" <3> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <3> + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" <4> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: <4> + - operation: + methods: [ "GET" ] +---- +<1> Allow the Knative Kafka controller +<2> To probe the Knative Kafka Broker receiver +<3> To probe the Knative Kafka Sink receiver +<4> To probe the Knative Kafka Channel receiver + +. 
Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Authorize source to post events to Knative channel for Apache Kafka + +In the previous section, we denied access to Knative Eventing workloads, we can now grant permissions to +post events to a Knative Broker with class Kafka: + +. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow pods +in the `authz-tests` namespace to send events to Knative Brokers in the same `authz-tests` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-authz-tests-kafka-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" <2> + rules: + - from: <1> + - source: + namespaces: [ "authz-tests" ] + to: <2> + - operation: + hosts: [ "*.authz-tests.svc.cluster.local" ] <3> + methods: [ "POST" ] +---- +<1> Allow workloads in the `authz-tests` namespace +<2> To post events to Knative channels for Apache Kafka in the `authz-tests` namespace. +<3> Knative channel for Apache Kafka accepts events on HTTP host following the pattern: `..svc.`. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Verification + +You can verify that the events were sent to the Knative event sink by looking at the message dumper function logs. + +. 
Enter the command: ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep event-display) -c event-display -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +# TODO: fix output +☁️ cloudevents.Event +Validation: valid +Context Attributes, + specversion: 1.0 + type: dev.knative.eventing.samples.heartbeat + source: https://knative.dev/eventing-contrib/cmd/heartbeats/#authz-tests/mypod + id: 2b72d7bf-c38f-4a98-a433-608fbcdd2596 + time: 2019-10-18T15:23:20.809775386Z + contenttype: application/json +Extensions, + beats: true + heart: yes + the: 42 +Data, + { + "id": 1, + "label": "" + } +---- diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-mt-channel-based-broker-authorization.adoc b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-mt-channel-based-broker-authorization.adoc new file mode 100644 index 00000000..d1e8bf73 --- /dev/null +++ b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-mt-channel-based-broker-authorization.adoc 
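Review bot: The "Authorize source to post events to Knative channel for Apache Kafka" section still carries the Kafka Broker wording: the intro says "post events to a Knative Broker with class Kafka" and the step says "send events to Knative Brokers in the same `authz-tests` namespace", although the policy `allow-authz-tests-kafka-channel` selects `kafka-channel-receiver` and its callouts talk about channels; change them to `post events to a Knative channel for Apache Kafka:` and `to send events to Knative channels for Apache Kafka in the same authz-tests namespace`. The "Verify access is denied" example output is also copied from the broker page: it logs sends to `kafka-channel-ingress`/`kafka-broker-ingress` with path `/authz-tests/kafka-broker-br`, which matches neither the `KafkaChannel` named `kafka-channel` created above nor the `*.authz-tests.svc.cluster.local` host pattern the allow policy relies on. Regenerate that block from a run of `heartbeat-source-kafka-channel` so the documented 403 lines correspond to the resources on this page.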
@@ -0,0 +1,328 @@ += Access control for Knative Broker with class MTChannelBasedBroker using {SMProductName} +:compat-mode!: +// Metadata: +:description: Access control for Knative Broker with class MTChannelBasedBroker using {SMProductName} + +By default, every workload is allowed to send events to a Knative Broker, with {SMProductName}, we can +apply policies to control who can post events to Knative brokers. + +.Prerequisites + +* You have followed the setup {SMProductShortName} with {ServerlessProductName} procedure. + +.Setup procedure + +. Create a `Broker` with class `MTChannelBasedBroker` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: eventing.knative.dev/v1 +kind: Broker +metadata: + name: channel-based-broker-br + namespace: authz-tests <1> + annotations: + eventing.knative.dev/broker.class: MTChannelBasedBroker +spec: + config: + apiVersion: v1 + kind: ConfigMap + name: config-br-default-channel + namespace: knative-eventing +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. + +. Apply the `Broker` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a `ContainerSource` in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: sources.knative.dev/v1 +kind: ContainerSource +metadata: + name: heartbeat-source-mt-channel-based-broker + namespace: authz-tests <1> +spec: + template: + metadata: + annotations: + sidecar.istio.io/inject: 'true' <2> + spec: + containers: + - image: quay.io/openshift-knative/heartbeats + name: heartbeats + args: + - --period=1 + env: + - name: POD_NAME + value: "mypod" + - name: POD_NAMESPACE + value: "authz-tests" + sink: + ref: + apiVersion: eventing.knative.dev/v1 + kind: Broker + name: channel-based-broker-br +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the `ContainerSource` pods. + +. 
Apply the `ContainerSource` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a consumer service, consisting of `Trigger`, `Service`, and `Pod`, in a namespace that is member of the `ServiceMeshMemberRoll`: ++ +[source,yaml] +---- +apiVersion: eventing.knative.dev/v1 +kind: Trigger +metadata: + name: channel-based-broker-tr + namespace: authz-tests <1> +spec: + broker: channel-based-broker-br + subscriber: + ref: + apiVersion: v1 + kind: Service + name: event-display +--- +apiVersion: v1 +kind: Service +metadata: + name: event-display + namespace: authz-tests <1> +spec: + selector: + app: event-display + ports: + - protocol: TCP + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Pod +metadata: + name: event-display + namespace: authz-tests <1> + annotations: + sidecar.istio.io/inject: 'true' <2> + labels: + app: event-display +spec: + containers: + - name: event-display + image: quay.io/openshift-knative/knative-eventing-sources-event-display + ports: + - containerPort: 8080 +---- +<1> A namespace that is member of the `ServiceMeshMemberRoll`. +<2> Injects {SMProductShortName} sidecars into the pod. + +. Apply the consumer service resources: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Securing access to the Knative Broker + +By default, every workload is allowed to send events to a Knative Broker, with {SMProductName}, we can +apply a policy to deny posting events by default. + +.Apply a deny by default authorization policy + +. Create a deny by default `AuthorizationPolicy` in the `knative-eventing` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } <1> +---- +<1> Disallow any operations to every workload that is part of the service mesh in the `knative-eventing` namespace. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. 
Verify access is denied + ++ +we have denied access to every workload to the knative-eventing namespace, which disallows the +`ContainerSource` `heartbeat-source-mt-channel-based-broker` to send events to the Knative `Broker` +`channel-based-broker-br`, therefore, we should see the following lines in the `heartbeats` pods: + ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep heartbeat-source-mt-channel-based-broker) -c heartbeats -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +2023/06/13 10:17:04 sending cloudevent to http://broker-ingress.knative-eventing.svc.cluster.local/authz-tests/channel-based-broker-br +2023/06/13 10:17:04 failed to send cloudevent: 403: +2023/06/13 10:17:05 sending cloudevent to http://broker-ingress.knative-eventing.svc.cluster.local/authz-tests/channel-based-broker-br +2023/06/13 10:17:05 failed to send cloudevent: 403: +---- + +.Authorize source to post events to Knative Broker + +In the previous section, we denied access to Knative Eventing workloads, we can now grant permissions to +post events to a Knative Broker with class MTChannelBasedBroker: + +. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow pods +in the `authz-tests` namespace to send events to Knative Brokers in the same `authz-tests` namespace: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-authz-tests-mt-channel-based-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" <2> + rules: + - from: <1> + - source: + namespaces: [ "authz-tests" ] + to: <2> + - operation: + methods: [ "POST" ] + paths: [ "/authz-tests/*" ] <3> +---- +<1> Allow workloads in the `authz-tests` namespace +<2> To post events to Knative brokers in the `authz-tests` namespace. 
+<3> Knative Broker with class `MTChannelBasedBroker` accepts events on HTTP path following the pattern: `//`. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow `mt-broker-ingress` in +the `knative-eventing` namespace to post events to the `InMemoryChannel` dispatcher: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" <2> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: <2> + - operation: + methods: [ "POST" ] +---- +<1> Allow `mt-broker-ingress` in the `knative-eventing` namespace. +<2> To post events to the `InMemoryChannel` dispatcher. + +. Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +. Create a `AuthorizationPolicy` in the `knative-eventing` namespace to allow `imc-dispatcher` in +the `knative-eventing` namespace to post events to the `mt-broker-filter`: ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-imc-dispatcher-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" <2> + rules: + - from: <1> + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: <2> + - operation: + methods: [ "POST" ] +---- +<1> Allow `imc-dispatcher` in the `knative-eventing` namespace. +<2> To post events to the `mt-broker-filter`. + +. 
Apply the `AuthorizationPolicy` resource: ++ +[source,terminal] +---- +$ oc apply -f +---- + +.Verification + +You can verify that the events were sent to the Knative event sink by looking at the message dumper function logs. + +. Enter the command: ++ +[source,terminal] +---- +$ oc logs $(oc get pod -n authz-tests -o name | grep event-display) -c event-display -n authz-tests +---- ++ +.Example output +[source,terminal] +---- +☁️ cloudevents.Event +Validation: valid +Context Attributes, + specversion: 1.0 + type: dev.knative.eventing.samples.heartbeat + source: https://knative.dev/eventing-contrib/cmd/heartbeats/#event-test/mypod + id: 2b72d7bf-c38f-4a98-a433-608fbcdd2596 + time: 2019-10-18T15:23:20.809775386Z + contenttype: application/json +Extensions, + beats: true + heart: yes + the: 42 +Data, + { + "id": 1, + "label": "" + } +---- diff --git a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc index 08810339..b5afcab8 100644 --- a/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc +++ b/modules/serverless-eventing/pages/service-mesh/eventing-service-mesh-setup.adoc @@ -37,9 +37,11 @@ spec: members: <1> - knative-serving - knative-eventing + - authz-tests <2> - ---- <1> A list of namespaces to be integrated with {SMProductShortName}. +<2> Example namespace that will be used to showcase certain functionalities. + [IMPORTANT] ====
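Review bot: In the final `.Example output` the event `source` is `https://knative.dev/eventing-contrib/cmd/heartbeats/#event-test/mypod`, but the `ContainerSource` on this page sets `POD_NAMESPACE` to `authz-tests` (and the Kafka pages show `#authz-tests/mypod`), so the sample appears to come from a different run; regenerate it or change the line to `source: https://knative.dev/eventing-contrib/cmd/heartbeats/#authz-tests/mypod`. The two data-plane policies `allow-mt-channel-based-broker-ingress-to-imc-dispatcher` and `allow-imc-dispatcher-to-mt-channel-based-broker-filter` assume that the broker's `config-br-default-channel` resolves to `InMemoryChannel`; a short note saying that a cluster whose default channel is a different implementation must target that channel's dispatcher instead would keep `deny-all-by-default` from silently dropping events between the broker components.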
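Review bot: The new callout `<2>` on the `ServiceMeshMemberRoll` members list says only "Example namespace that will be used to showcase certain functionalities", which tells the reader neither which procedures use `authz-tests` nor that the namespace has to exist for their `oc apply` steps to succeed. Suggest `<2> Example namespace used by the access control procedures for Knative Broker and Knative channel; create it before applying this resource.`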