Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implementing policy attachment GEP #736

Merged
merged 4 commits into from
Aug 11, 2021
Merged

Implementing policy attachment GEP #736

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
725dd0b
Adding documentation for policy attachment model
robscott Jul 24, 2021
cb8e97d
Improvements to policy attachment docs, symlinking docs images
robscott Aug 4, 2021
fa70c18
Cleaning up policy docs in response to PR feedback
robscott Aug 10, 2021
f35e993
Updating Policy images to match new direction, other doc tweaks
robscott Aug 11, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions apis/v1alpha2/policy_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
/*
Copyright 2021 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha2

// PolicyTargetReference identifies an API object to apply policy to. This
// should be used as part of Policy resources that can target Gateway API
// resources. For more information on how this policy attachment model works,
// and a sample Policy resource, refer to the policy attachment documentation
// for Gateway API.
type PolicyTargetReference struct {
// Group is the group of the target resource.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Group string `json:"group"`

// Kind is kind of the target resource.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Kind string `json:"kind"`

// Name is the name of the target resource.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
Name string `json:"name"`
hbagdi marked this conversation as resolved.
Show resolved Hide resolved

// Namespace is the namespace of the referent. When unspecified, the local
// namespace is inferred. Even when policy targets a resource in a different
// namespace, it MUST only apply to traffic originating from the same
// namespace as the policy.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, let's say we have gateway-a in gateway-ns namespace and route-b in route-ns namespace.

If I've a policy that in gateway-ns that targets a route-b and I also have a policy in route-ns that targets route-b, the hierarchy is policy in gateway-ns > policy in route-ns.
Is that right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that's my interpretation, but you've got me thinking that we may want to add more restrictions around cross-namespace policy attachment. I think the primary use case was for a mesh implementation to be able to apply policy to requests originating from the local namespace to a given destination. There's clearly also use cases for Gateway as you described above, but they may become messier than intended and/or be difficult for an implementation to support. I was about to suggest that we should make this an "Extended" concept, but the whole idea of policy attachment is already extended. So that's a long way of saying that I think your interpretation is correct, but we probably need to communicate that implementations can choose to not support cross-namespace policy.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but we probably need to communicate that implementations can choose to not support cross-namespace policy.

Since we are not sure, I recommend keeping cross-namespace policy for gateway out of scope. There is a need for sure but punting on would be for the best. There are a lot of other features here and we shouldn't feel pressured.

//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +optional
Namespace *string `json:"namespace,omitempty"`

// ClassName is the name of the class this policy should apply to. When
// unspecified, the policy will apply to all classes that support it.
//
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:MaxLength=253
// +optional
ClassName *string `json:"className,omitempty"`
}
25 changes: 25 additions & 0 deletions apis/v1alpha2/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion site-src/geps/gep-713.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# GEP-713: Policy Attachment

* Issue: [#713](https://github.com/kubernetes-sigs/gateway-api/issues/713)
* Status: Implementable
* Status: Implemented

## TLDR

Expand Down
1 change: 1 addition & 0 deletions site-src/images
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
v1alpha2/images
Binary file removed site-src/images/api-model.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/gateway-roles.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/gateway-route-binding.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/http-routing.png
View file
Open in desktop
Binary file not shown.
1 change: 0 additions & 1 deletion site-src/images/httproute-basic-example.svg
View file
Open in desktop

This file was deleted.

275 changes: 0 additions & 275 deletions site-src/images/schema-uml.svg
View file
Open in desktop

This file was deleted.

Binary file removed site-src/images/simple-split.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/single-service-gateway.png
View file
Open in desktop
Binary file not shown.
3 changes: 0 additions & 3 deletions site-src/images/tls-overview.svg
View file
Open in desktop

This file was deleted.

Binary file removed site-src/images/traffic-splitting-1.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/traffic-splitting-2.png
View file
Open in desktop
Binary file not shown.
Binary file removed site-src/images/traffic-splitting-3.png
View file
Open in desktop
Binary file not shown.
Binary file added site-src/v1alpha2/images/policy/hierarchy.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added site-src/v1alpha2/images/policy/ingress-attachment.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added site-src/v1alpha2/images/policy/ingress-complex.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added site-src/v1alpha2/images/policy/ingress-simple.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added site-src/v1alpha2/images/policy/mesh-complex.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added site-src/v1alpha2/images/policy/mesh-simple.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading