Define targetRef proto #2888
Define targetRef proto #2888
Conversation
|
Skipping CI for Draft Pull Request. |
istio-testing
added
the
do-not-merge/work-in-progress
|
😊 Welcome @jaellio! This is either your first contribution to the Istio api repo, or it's been You can learn more about the Istio working groups, code of conduct, and contributing guidelines Thanks for contributing! Courtesy of your friendly welcome wagon. |
istio-testing
added
the
size/L
|
/test all |
istio-testing
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
Left few comments - interesting that K8S spec doesn't seem to have a section in targetRef, but it does in parentRef in HttpRoute.
That's a pretty large problem for our policies - a gateway may have 100 hostnames and ports, having policy with targetRef=gateway implies the rules apply to all 100, and if users are not careful to add matches on hostname in the policy - bad things happen. Even if they do, it's pretty inefficient.
That could be worked around with gateway merging ( only one listener per gateway ), not sure if that got implemented.
I think that will be a little hard.
I think ideally we need to record the reference relationships and trigger handling after the gateway occur, but that would be expensive. Or it could also triggerc a full xds like what we do now. Not sure how this intermediate dependency compared with direct dependency. |
I wasn't fully aware that Istio APIs didn't have status until pondering this question. IMO, this is a blocker for adopting policy attachment correctly:
If we implement status, we can report "gateway.networking.k8s.io/Gateway my-gateway does not exist" as an "Invalid" condition. From there, if the Gateway is created afterwards, there's no extra xDS push required; the policy would be taken into account when building the first push context. If the reverse happens (Gateway is created before policy) then yes a full push should probably occur. |
|
Ther could be some use case like ratelimiting, we need both targetRef and workload selector to apply the ratelimiting policy to a specific client workload. |
I'm a bit confused; why would targetRef or workloadSelector have anything to do with the client workload? Policy attaches to the producer service, no? |
jaellio
force-pushed
the
createTargetRefProto
branch
from
1cbbbe0
to
2383030
Compare
The user need the limit th especific workload only. Nope, the policy can/should also work on consumer side. |
|
To my knowledge, Ambient only has producer waypoints/policy. Is that correct @linsun @howardjohn? That decision predates me |
| // Optional. The targetRef specifies the waypoint the policy should be | ||
| // applied to. The targeted resource specified will determine which | ||
| // workloads the authorization policy applies to. The targeted resource | ||
| // must be a waypoint. The waypoint must be in the same namespace as | ||
| // the authorization policy. | ||
| // | ||
| // If not set, the policy is applied as defined by the selector. |
There was a problem hiding this comment.
Should we clarify if targetRef not set, it could mean namespace scoped waypoint?
There was a problem hiding this comment.
I think this might be better captured in an example.
|
Hi folks (cc @keithmattix @hzxuzhonghu @howardjohn etc), Wanted to share some inconsistency between namespace scoped authz policy vs workload centric authz policy. For namespace scoped authz policy, I can continue to use the same authz policy for sidecar and ambient workloads. For workload scoped authz policy, I would have to create a new authz policy for ambient workloads (using targetRef) along with existing authz policy for sidecar as I start to migrate sidecar to ambient. Is my understanding correct? If so, what do you think of supporting worload selector and targetRef (as OR relationship but allow users to declare both) and Istio can apply to it based on data plane option where workload selector is only relevant for sidecar and targetRef is only relevant for ambient waypoints? |
|
@linsun AuthZ policy in particular has some nuances, specifically in the context of the layer targeted authorization policy proposal that is awaiting approval. If possible, could we move forward with these API changes and hash out the implementation details in the authorization policy PR? That being said, I think your suggestion matches the direction that @whitneygriffith is going on her implementation |
|
Lin - no matter what, users will need to change their workload selectors
for waypoints based on decisions prior to this (that policies apply to the
waypoint, not backends). This PR doesn't change that.
…On Thu, Aug 31, 2023 at 6:43 AM Keith Mattix II ***@***.***> wrote:
@linsun <https://github.com/linsun> AuthZ policy in particular has some
nuances, specifically in the context of the layer targeted authorization
policy proposal that is awaiting approval. If possible, could we move
forward with these API changes and hash out the implementation details in
the authorization policy PR?
—
Reply to this email directly, view it on GitHub
<#2888 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXNJXXL4XHQB75GU6GTXYCIGPANCNFSM6AAAAAA3JFGBBI>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Agreed, user will need to change, just trying to minimize changes for them. @keithmattix @jaellio i am good with the PR overall. made a comment earlier: #2888 (comment) |
Signed-off-by: Jackie Elliott <[email protected]>
ProxyConfig, and RequestAuthentication. Need more examples. Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
comments. Added release note for targetRef. Signed-off-by: Jackie Elliott <[email protected]>
use of taretRef. Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
examples. Signed-off-by: Jackie Elliott <[email protected]>
complete Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
oneof to wasm plugin. Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
targeted resource Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
jaellio
force-pushed
the
createTargetRefProto
branch
from
7144031
to
ec70317
Compare
| // multiple child resources. The PolicyTargetReference will be used instead of | ||
| // a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, | ||
| // Telemetry, and WasmPlugin CRDs to target k8s Gateway. | ||
| message PolicyTargetReference { |
There was a problem hiding this comment.
Can we give an example YAML referencing a Gateway? Its probably not obvious to most people
There was a problem hiding this comment.
Added an AuthorizationPolicy example in selector.proto. Is this where you were looking for an example?
Signed-off-by: Jackie Elliott <[email protected]>
Signed-off-by: Jackie Elliott <[email protected]>
Resolves #2885.
Part of Replacing WorkloadSelector with TargetRef for Waypoints
Adds a targetRef proto based on the policy attachment concept in Gateway API. Adds the targetRef field to AuthorizationPolicy, RequestAuthentication, Telemetry, and WasmPlugin protos.
Notable changes from design doc: (copied from this comment)
Remaining work: