fix(MeshTrafficPermission): support permissive mtls #8171


jakubdyszkiewicz
Contributor

Checklist prior to review

Fix #8152

I noticed that we put an RBAC filter even on filterChains without mTLS on them.
This PR fixes this so we put RBAC filters only on listeners with Kuma's mTLS (by checking the transport socket match).

This was also the case for TrafficPermission, not only for MeshTrafficPermission.

Why was it not caught by an E2E test?
It was not a problem when you have an "allow any to any" policy, because in this case, even though we put an RBAC filter, it has the principal "any", which matches any traffic in the end.

  • Link to relevant issue as well as docs and UI issues --
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry) and it will work on Windows; system-specific functions like syscall.Mkfifo have an equivalent implementation on the other OS --
  • Tests (Unit test, E2E tests, manual test on universal and k8s) --
    • Don't forget ci/ labels to run additional/fewer tests
  • Do you need to update UPGRADE.md? --
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label) --
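
The behaviour described in this PR, as an added example that is not part of the pull request or of Kuma's code: a simplified Go model of an inbound listener in permissive mTLS mode, showing why an "allow any" policy masked the misplaced RBAC filter while a policy naming a specific principal rejected plaintext traffic. The types, the function names and the `frontend` principal are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// FilterChain is a simplified stand-in for an Envoy filter chain (hypothetical type).
type FilterChain struct {
	MTLS       bool     // chain terminates the mesh's mTLS
	HasRBAC    bool     // an RBAC filter is attached to this chain
	Principals []string // identities the RBAC filter allows; "*" models "any"
}

// permissiveListener models permissive mode: chain 0 takes mTLS, chain 1 takes plaintext.
func permissiveListener() []*FilterChain {
	return []*FilterChain{{MTLS: true}, {}}
}

// applyRBAC attaches the RBAC filter; onlyMTLS=false models the behaviour before the fix.
func applyRBAC(chains []*FilterChain, principals []string, onlyMTLS bool) {
	for _, c := range chains {
		if onlyMTLS && !c.MTLS {
			continue // after the fix: chains without mTLS get no RBAC filter
		}
		c.HasRBAC, c.Principals = true, principals
	}
}

// allowed evaluates a connection; plaintext peers present no identity ("").
func allowed(c *FilterChain, identity string) bool {
	if !c.HasRBAC {
		return true
	}
	for _, p := range c.Principals {
		if p == "*" || (identity != "" && p == identity) {
			return true
		}
	}
	return false
}

// plaintextAccepted reports whether a plaintext client gets through the plaintext chain.
func plaintextAccepted(principals []string, onlyMTLS bool) bool {
	chains := permissiveListener()
	applyRBAC(chains, principals, onlyMTLS)
	return allowed(chains[1], "")
}

func main() {
	specific := []string{"frontend"} // constructed principal
	fmt.Println(plaintextAccepted([]string{"*"}, false), plaintextAccepted(specific, false), plaintextAccepted(specific, true))
}
```

In this model the fix leaves enforcement on the mTLS chain unchanged: a peer whose identity is not listed is still denied there.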

@jakubdyszkiewicz jakubdyszkiewicz requested a review from a team as a code owner October 27, 2023 14:19
@jakubdyszkiewicz jakubdyszkiewicz requested review from michaelbeaumont and lukidzi and removed request for a team October 27, 2023 14:19
@jakubdyszkiewicz jakubdyszkiewicz merged commit 0e0489f into kumahq:master Oct 30, 2023
11 checks passed
@jakubdyszkiewicz jakubdyszkiewicz deleted the fix/permissive-traffic-permission branch October 30, 2023 09:39
@github-actions
Contributor

github-actions bot commented Oct 30, 2023

backporting to release-2.1 with action

backporting to release-2.0 with action
backporting to release-2.4 with action
backporting to release-2.2 with action

kumahq bot pushed a commit that referenced this pull request Oct 30, 2023
jakubdyszkiewicz added a commit that referenced this pull request Oct 30, 2023
… (#8176)

Signed-off-by: Jakub Dyszkiewicz <[email protected]>
Co-authored-by: Jakub Dyszkiewicz <[email protected]>
jakubdyszkiewicz added a commit that referenced this pull request Oct 30, 2023
… (#8175)

Signed-off-by: Jakub Dyszkiewicz <[email protected]>
Co-authored-by: Jakub Dyszkiewicz <[email protected]>
jakubdyszkiewicz added a commit that referenced this pull request Oct 30, 2023
… (#8178)

Signed-off-by: Jakub Dyszkiewicz <[email protected]>
Co-authored-by: Jakub Dyszkiewicz <[email protected]>
Successfully merging this pull request may close these issues.

Permissive mTLS does not work with MeshTrafficPermission