
Audit access policy implementation #12846

Merged
merged 2 commits into from
Jul 26, 2024
Conversation

@alpeb alpeb commented Jul 15, 2024

Followup to #12845

This expands the policy controller index in the following ways:

  • Adds the new Audit variant to the DefaultPolicy enum
  • Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and an allow-all NetworkMatch for the new Audit default policy.
  • Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Tests

New integration tests added:

  • e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
  • in admit_server.rs a new test checks invalid accessPolicy values are rejected.
  • in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit

Note

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
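As an added illustration (not code from the linkerd2 repository or from this PR), the following self-contained Rust model shows the three pieces the description names working together: a `DefaultPolicy` enum with the new `Audit` variant, a `default_authzs` function that synthesizes an `Unauthenticated` client auth plus an allow-all `NetworkMatch` for `Allow` and `Audit` (and nothing for `Deny`), a `client_authzs` function that appends those defaults to a Server's explicit authorizations, and the admission-style check that rejects unknown `accessPolicy` values. All type and field names, the `audit` flag on the synthesized authorization, and the string values `deny` and `allow` are assumptions of this model; only `audit` appears on the page, and linkerd's real `DefaultPolicy` carries more variants and flags than shown here.

```rust
// Added example, not linkerd's own code: a simplified model of how a policy
// index turns a Server's default policy into synthesized authorizations.
// Names, fields and the "deny"/"allow" value strings are assumptions.

/// Policy a Server falls back to when no explicit authorization matches.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DefaultPolicy {
    Deny,
    Allow,
    /// Audit: traffic is admitted as with Allow, but the synthesized
    /// authorization is flagged so the data plane can log it as
    /// unauthorized instead of silently accepting it (assumed semantics).
    Audit,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ClientAuthentication {
    Unauthenticated,
    TlsAuthenticated,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum NetworkMatch {
    /// Matches every source address (0.0.0.0/0 and ::/0).
    AllowAll,
    Cidr(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Authorization {
    pub name: String,
    pub authentication: ClientAuthentication,
    pub networks: Vec<NetworkMatch>,
    /// True only on the authorization synthesized for `DefaultPolicy::Audit`
    /// (assumed field; how the real proxy is told is not on the page).
    pub audit: bool,
}

impl DefaultPolicy {
    /// The check an admission controller would run on `accessPolicy`:
    /// anything outside the known value set is rejected with a reason.
    pub fn parse(value: &str) -> Result<Self, String> {
        match value {
            "deny" => Ok(DefaultPolicy::Deny),
            "allow" => Ok(DefaultPolicy::Allow),
            "audit" => Ok(DefaultPolicy::Audit),
            other => Err(format!(
                "invalid accessPolicy {other:?}; expected one of deny, allow, audit"
            )),
        }
    }

    fn as_str(&self) -> &'static str {
        match self {
            DefaultPolicy::Deny => "deny",
            DefaultPolicy::Allow => "allow",
            DefaultPolicy::Audit => "audit",
        }
    }

    /// Synthesize the authorizations implied by the default policy: none for
    /// Deny; for Allow and Audit, one authorization that accepts
    /// unauthenticated clients from any network, with Audit marked as such.
    pub fn default_authzs(&self) -> Vec<Authorization> {
        match self {
            DefaultPolicy::Deny => Vec::new(),
            DefaultPolicy::Allow | DefaultPolicy::Audit => vec![Authorization {
                name: format!("default:{}", self.as_str()),
                authentication: ClientAuthentication::Unauthenticated,
                networks: vec![NetworkMatch::AllowAll],
                audit: matches!(self, DefaultPolicy::Audit),
            }],
        }
    }
}

/// A Server with its explicitly attached authorizations and its default.
pub struct Server {
    pub authorizations: Vec<Authorization>,
    pub default_policy: DefaultPolicy,
}

impl Server {
    /// Explicit authorizations first, then the synthesized defaults. Because
    /// Deny synthesizes nothing, a Deny server's list is unchanged.
    pub fn client_authzs(&self) -> Vec<Authorization> {
        let mut out = self.authorizations.clone();
        out.extend(self.default_policy.default_authzs());
        out
    }
}

fn main() {
    // Constructed sample: one explicit mTLS-only authorization plus audit.
    let srv = Server {
        authorizations: vec![Authorization {
            name: "sa-only".to_string(),
            authentication: ClientAuthentication::TlsAuthenticated,
            networks: vec![NetworkMatch::Cidr("10.0.0.0/8".to_string())],
            audit: false,
        }],
        default_policy: DefaultPolicy::parse("audit").expect("valid accessPolicy"),
    };
    for authz in srv.client_authzs() {
        println!("{authz:?}");
    }
}
```

The point of the ordering in `client_authzs` is that an explicit, stricter authorization still matches first; the audit default only catches what nothing else admitted, which is exactly the traffic an operator wants logged before switching the Server to Deny.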

@alpeb alpeb requested a review from a team as a code owner July 15, 2024 22:52
@alpeb alpeb marked this pull request as draft July 15, 2024 22:55
@alpeb alpeb changed the title Audit mode implementation Audit access policy implementation Jul 15, 2024
alpeb added a commit that referenced this pull request Jul 16, 2024
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit
@alpeb alpeb marked this pull request as ready for review July 16, 2024 13:46
Base automatically changed from alpeb/policy-audit-crd to main July 22, 2024 14:01
@adleong adleong left a comment

Looks like there are some rust check errors

Review comments (outdated, resolved) on policy-controller/k8s/index/src/defaults.rs and policy-controller/k8s/index/src/inbound/index.rs
alpeb commented Jul 23, 2024

Ready for review again 👍 Note the CI Rust failures are from the tests, which I've addressed separately in #12847

@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch 2 times, most recently from a9caff0 to a0ded8a Compare July 23, 2024 18:58
alpeb added a commit that referenced this pull request Jul 23, 2024
alpeb added a commit that referenced this pull request Jul 25, 2024
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and an allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb added a commit that referenced this pull request Jul 26, 2024
@alpeb alpeb merged commit a9fa176 into main Jul 26, 2024
42 checks passed
@alpeb alpeb deleted the alpeb/policy-audit-impl branch July 26, 2024 18:34