
feat(kuma-cp) TrafficPermission for ExternalServices #1957

Merged
merged 4 commits into from
May 11, 2021

Conversation

jakubdyszkiewicz
Contributor

Summary

TrafficPermission support for ExternalServices.
With regular services we have a sidecar on both ends, so we execute traffic permission on the destination side.

With ExternalServices there is no sidecar on the destination end, so we cannot apply the policy.
However, if we have Mesh passthrough false we control all the traffic (if traffic is unfamiliar to a mesh, we block it).

We can use this capability to use TrafficPermission with ExternalServices. This means that if you don't have TrafficPermission for a given ExternalService, we will omit this ExternalService when generating Envoy config.
Omitting a service has the same result as not having the ExternalService defined at all, meaning that the traffic is blocked.

Implementation

Implementation was tricky because with regular services we just match inbound of the dataplane, because we are blocking incoming traffic. Here we want to block the outgoing traffic from the dataplane.
We cannot match outbound of the dataplane and remove it because we need to mimic the same behavior as the service was in the mesh.

If we were to match outbound, the following policies

type: TrafficPermission
name: backend-to-httpbin
mesh: default
sources:
  - match:
      kuma.io/service: 'backend'
destinations:
  - match:
      kuma.io/service: 'httpbin'
---
type: TrafficPermission
name: web-to-httpbin
mesh: default
sources:
  - match:
      kuma.io/service: 'web'
destinations:
  - match:
      kuma.io/service: 'httpbin'

would allow the traffic from both backend and web to httpbin, but this is not consistent with the current behavior!
We want to match the most specific policy for httpbin as it was a service in the mesh.

To do this, in the XDS watchdog I take all external services and match them one by one with traffic permissions.
This operation is common for all dataplanes in the given mesh so we could cache this but I don't think this will be a bottleneck with the majority of cases.

Breaking change

This is a breaking change in my opinion and it should be merged only to master, because previously we did not require TrafficPermission for ExternalServices; we do now.

Documentation

  • In progress
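To make the selection rule in the Implementation section concrete, here is an added, self-contained Go example; it is not code from the Kuma repository or from this PR. It models the two policies from the description, matches each ExternalService against the TrafficPermissions as if the external service were a service in the mesh (a policy applies only when a destination selector matches the ExternalService and a source selector matches the dataplane), picks the most specific applicable policy, and omits any ExternalService for which no policy applies. The ranking rule (an exact tag match scores higher than a `*` wildcard, source and destination scores added together) is an assumption for illustration and is simpler than Kuma's real policy matching.

```go
package main

import "fmt"

// Tags is a set of Kuma-style tags on a dataplane or an ExternalService.
type Tags map[string]string

// Selector is a tag matcher; the value "*" matches any value of that key.
type Selector map[string]string

// TrafficPermission keeps the shape of the policy shown in the PR description.
type TrafficPermission struct {
	Name         string
	Sources      []Selector
	Destinations []Selector
}

// ExternalService is a destination outside the mesh, identified by its tags.
type ExternalService struct {
	Name string
	Tags Tags
}

// rank scores how specifically sel matches tags: -1 means no match; an exact
// tag match scores 2 and a wildcard match scores 1 (assumed ranking, not Kuma's).
func rank(sel Selector, tags Tags) int {
	score := 0
	for key, want := range sel {
		got, ok := tags[key]
		if !ok {
			return -1
		}
		switch {
		case want == "*":
			score++
		case want == got:
			score += 2
		default:
			return -1
		}
	}
	return score
}

// bestRank returns the highest rank among the selectors, or -1 if none match.
func bestRank(sels []Selector, tags Tags) int {
	best := -1
	for _, s := range sels {
		if r := rank(s, tags); r > best {
			best = r
		}
	}
	return best
}

// SelectPermission matches "as if the ExternalService was a service in the mesh":
// a policy applies only if one of its destinations matches the ExternalService
// and one of its sources matches the dataplane; among applicable policies the
// most specific one (highest combined rank) wins. ok is false if none applies.
func SelectPermission(dp Tags, es ExternalService, perms []TrafficPermission) (TrafficPermission, bool) {
	var chosen TrafficPermission
	chosenRank := -1
	for _, p := range perms {
		dst := bestRank(p.Destinations, es.Tags)
		src := bestRank(p.Sources, dp)
		if dst < 0 || src < 0 {
			continue
		}
		if total := dst + src; total > chosenRank {
			chosen, chosenRank = p, total
		}
	}
	return chosen, chosenRank >= 0
}

// AllowedExternalServices returns the ExternalServices to emit into the
// dataplane's Envoy config; services without an applicable permission are
// omitted, which with passthrough disabled means the traffic is blocked.
func AllowedExternalServices(dp Tags, externals []ExternalService, perms []TrafficPermission) []ExternalService {
	var allowed []ExternalService
	for _, es := range externals {
		if _, ok := SelectPermission(dp, es, perms); ok {
			allowed = append(allowed, es)
		}
	}
	return allowed
}

func main() {
	// Constructed sample: the two policies from the PR description, plus an
	// ExternalService "payments" (hypothetical) that has no permission at all.
	perms := []TrafficPermission{
		{Name: "backend-to-httpbin",
			Sources:      []Selector{{"kuma.io/service": "backend"}},
			Destinations: []Selector{{"kuma.io/service": "httpbin"}}},
		{Name: "web-to-httpbin",
			Sources:      []Selector{{"kuma.io/service": "web"}},
			Destinations: []Selector{{"kuma.io/service": "httpbin"}}},
	}
	externals := []ExternalService{
		{Name: "httpbin", Tags: Tags{"kuma.io/service": "httpbin"}},
		{Name: "payments", Tags: Tags{"kuma.io/service": "payments"}},
	}
	for _, dp := range []Tags{{"kuma.io/service": "backend"}, {"kuma.io/service": "db"}} {
		allowed := AllowedExternalServices(dp, externals, perms)
		fmt.Printf("dataplane %s -> %d external service(s) in config\n", dp["kuma.io/service"], len(allowed))
		for _, es := range allowed {
			p, _ := SelectPermission(dp, es, perms)
			fmt.Printf("  %s allowed by %s\n", es.Name, p.Name)
		}
	}
}
```

Running it shows the behaviour the description asks for: the backend dataplane gets httpbin in its config (chosen policy backend-to-httpbin) and never payments, while a dataplane with no matching source, such as db, gets neither, so with passthrough disabled its traffic to those addresses is blocked.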

@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team as a code owner May 6, 2021 14:43
Review comment on pkg/xds/cache/cla/cache.go (outdated, resolved)
Signed-off-by: Jakub Dyszkiewicz <[email protected]>
@jakubdyszkiewicz jakubdyszkiewicz merged commit fe70177 into master May 11, 2021
@jakubdyszkiewicz jakubdyszkiewicz deleted the chore/ex-services-tp branch May 11, 2021 11:08