Audit mode #1805
Merged
Audit mode #1805
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jul 16, 2024
alpeb
added a commit
to linkerd/linkerd2
that referenced
this pull request
Jul 23, 2024
Followup to #12845 This expands the policy controller index in the following ways: - Adds the new Audit variant to the DefaultPolicy enum - Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy. - Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit Also, the admission controller ensures the new accessPolicy field contains a valid value. Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work. Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb
added a commit
to linkerd/linkerd2
that referenced
this pull request
Jul 25, 2024
Followup to #12845 This expands the policy controller index in the following ways: - Adds the new Audit variant to the DefaultPolicy enum - Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy. - Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit Also, the admission controller ensures the new accessPolicy field contains a valid value. Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work. Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb
added a commit
to linkerd/linkerd2
that referenced
this pull request
Jul 26, 2024
Followup to #12845 This expands the policy controller index in the following ways: - Adds the new Audit variant to the DefaultPolicy enum - Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy. - Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit Also, the admission controller ensures the new accessPolicy field contains a valid value. Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work. Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb
added a commit
to linkerd/linkerd2
that referenced
this pull request
Jul 26, 2024
Followup to #12846, branched off alpeb/policy-audit-impl This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server. New integration tests added: - e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level - in admit_server.rs a new test checks invalid accessPolicy values are rejected. - in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb
added a commit
to linkerd/linkerd2
that referenced
this pull request
Jul 26, 2024
Followup to #12845 This expands the policy controller index in the following ways: - Adds the new Audit variant to the DefaultPolicy enum - Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy. - Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit Also, the admission controller ensures the new accessPolicy field contains a valid value. ## Tests New integration tests added: - e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level - in admit_server.rs a new test checks invalid accessPolicy values are rejected. - in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit > [!NOTE] > Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb
force-pushed
the
alpeb/audit
branch
2 times, most recently
from
a4108ea
to
84bb578
Compare
- Added Audit Mode section to the Authorization Policy feature article. - Expanded the reference doc for `Servers` to include the new `accessPolicy` field. - Updated the "Further Considerations" section in the Restricting Access To Services article to account for audit mode.
kflynn
approved these changes
Aug 9, 2024
alpeb
added a commit
that referenced
this pull request
Aug 13, 2024
* Audit mode - Added Audit Mode section to the Authorization Policy feature article. - Expanded the reference doc for `Servers` to include the new `accessPolicy` field. - Updated the "Further Considerations" section in the Restricting Access To Services article to account for audit mode.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Serversto include the newaccessPolicyfield.