Add support for security policy #291
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
cncf-cla: yes
rramkumar1
reviewed
May 31, 2018
pkg/annotations/service.go
Outdated
| @@ -117,10 +117,10 @@ func (svc Service) GetBackendConfigs() (*BackendConfigs, error) { | |||
|
|
|||
| configs := BackendConfigs{} | |||
| if err := json.Unmarshal([]byte(val), &configs); err != nil { | |||
| return nil, err | |||
| return nil, fmt.Errorf("invalid format in backend config annotation: %v, error: %v", val, err) | |||
There was a problem hiding this comment.
Can you use BackendConfigKey instead of "backend config annotation"
rramkumar1
reviewed
May 31, 2018
pkg/annotations/service.go
Outdated
| } | ||
| if configs.Default == "" && len(configs.Ports) == 0 { | ||
| return nil, fmt.Errorf("no backendConfigs found in annotation: %v", val) | ||
| return nil, fmt.Errorf("either one of `ports` or `default` should be specified in annotation: %v", val) |
There was a problem hiding this comment.
Use BackendConfigKey to specify exact annotation.
rramkumar1
reviewed
May 31, 2018
pkg/backendconfig/backendconfig.go
Outdated
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get BackendConfig %s, referenced by service %s/%s: %v", configName, svc.Namespace, svc.Name, err) | ||
| } else if !exists { | ||
| return nil, fmt.Errorf("BackendConfig %s not exist, but is referenced by service %s/%s", configName, svc.Namespace, svc.Name) |
There was a problem hiding this comment.
"BackendConfig %s does not exist..."
rramkumar1
reviewed
May 31, 2018
pkg/backendconfig/backendconfig.go
Outdated
| } | ||
| backendConfig, ok := obj.(*backendconfigv1beta1.BackendConfig) | ||
| if !ok { | ||
| return nil, fmt.Errorf("invalid format detected in BackendConfig %s, referenced by service %s/%s", configName, svc.Namespace, svc.Name) |
There was a problem hiding this comment.
Can we just say "failed to parse BackendConfig %s" instead of "invalid format detected".
rramkumar1
reviewed
May 31, 2018
| @@ -323,6 +323,18 @@ func TestGetBackendConfigForServicePort(t *testing.T) { | |||
| }, | |||
| expectErr: true, | |||
| }, | |||
| { | |||
| desc: "invalid format in backend config", | |||
There was a problem hiding this comment.
"invalid field in backend config"
rramkumar1
reviewed
May 31, 2018
pkg/backends/backends.go
Outdated
| @@ -263,6 +283,38 @@ func (b *Backends) ensureHealthCheck(sp utils.ServicePort) (string, error) { | |||
| return b.healthChecker.Sync(hc) | |||
| } | |||
|
|
|||
| // TODO(mrhohn): Emit event when attach/detach security policy to backend service. | |||
| func (b *Backends) ensureSecurityPolicy(sp utils.ServicePort, be *BackendService, beName string) error { | |||
There was a problem hiding this comment.
Discussed offline, can we move this to pkg/backends/features/securitypolicy.go
k8s-ci-robot
added
size/XL
MrHohn
force-pushed
the
cloud-armor-support
branch
2 times, most recently
from
ca6fda8 to
d3facb3
Compare
MrHohn
commented
Jun 4, 2018
pkg/backends/backends.go
Outdated
| // The idea is to avoid impacting the usual workflow when security policy | ||
| // is irrelevant, especially when the Beta endpoint goes down. | ||
| if unknown && desiredPolicyLink != "" || | ||
| retrieveObjectName(existingPolicyLink) != retrieveObjectName(desiredPolicyLink) { |
There was a problem hiding this comment.
Humm..Seems like I put a wrong condition here. Will push a new commit.
|
PR needs to be revised after #305. |
k8s-ci-robot
added
the
do-not-merge/hold
bowei
reviewed
Jun 13, 2018
pkg/backendconfig/backendconfig.go
Outdated
| return nil, fmt.Errorf("failed to get BackendConfig %s for service %s/%s: %v", configName, svc.Namespace, svc.Name, err) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to get BackendConfig %s, referenced by service %s/%s: %v", configName, svc.Namespace, svc.Name, err) | ||
| } else if !exists { |
There was a problem hiding this comment.
Will separate to another PR.
pkg/backendconfig/backendconfig.go
Outdated
| } | ||
| backendConfig, ok := obj.(*backendconfigv1beta1.BackendConfig) | ||
| if !ok { | ||
| return nil, fmt.Errorf("failed to parse BackendConfig %s, referenced by service %s/%s", configName, svc.Namespace, svc.Name) |
There was a problem hiding this comment.
Will separate to another PR.
pkg/backends/backends.go
Outdated
| // service. | ||
| beBeta, err := b.cloud.GetBetaGlobalBackendService(beGa.Name) | ||
| if err != nil { | ||
| glog.Errorf("Failed to get backend service %s through Beta API", beGa.Name) |
There was a problem hiding this comment.
Will separate to another PR.
| ProjectID() string | ||
| } | ||
|
|
||
| func getSecurityPolicyLink(be *unity.BackendService) (securityPolicyLink string, unknown bool) { |
| } | ||
|
|
||
| // TODO(mrhohn): Emit event when attach/detach security policy to backend service. | ||
| func EnsureSecurityPolicy(cloud SecurityPolicySetter, sp utils.ServicePort, be *unity.BackendService, beName string) error { |
| ) | ||
|
|
||
| func TestEnsureSecurityPolicy(t *testing.T) { | ||
| testCases := []struct { |
| } | ||
|
|
||
| for _, tc := range testCases { | ||
| fakeCloud := fake.NewFakeBackendServices(tc.errFunc) |
There was a problem hiding this comment.
t.Run(tc.desc, func(t*testing.T) {
| } | ||
|
|
||
| for _, tc := range testCases { | ||
| policyLink, unknown := getSecurityPolicyLink(tc.backendService) |
pkg/backends/unity/backendservice.go
Outdated
| "k8s.io/ingress-gce/pkg/utils" | ||
| ) | ||
|
|
||
| // BackendService embeds all of the GA, beta and alpha compute |
There was a problem hiding this comment.
can you describe what the semantics of the storing some combination of Alpha, Beta, GA is? which one is preferred? What if there is a conflict etc.
MrHohn
force-pushed
the
cloud-armor-support
branch
from
e8ba106 to
cf8c6a0
Compare
|
Rebased on top of #305. |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
TODO: Define securityPolicy as a feature name in features.go. Will update PR. |
Done. |
MrHohn
force-pushed
the
cloud-armor-support
branch
from
291823f to
6061aa5
Compare
Closed
MrHohn
force-pushed
the
cloud-armor-support
branch
from
6061aa5 to
cbf463a
Compare
k8s-ci-robot
added
size/L
MrHohn
force-pushed
the
cloud-armor-support
branch
from
cbf463a to
7743c3e
Compare
MrHohn
force-pushed
the
cloud-armor-support
branch
from
7743c3e to
2f87d2c
Compare
|
@rramkumar1 @bowei Rebased PR, PTAL, thanks! |
MrHohn
force-pushed
the
cloud-armor-support
branch
from
2f87d2c to
5e26719
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
bowei
reviewed
Jun 19, 2018
| ) | ||
|
|
||
| // TODO(mrhohn): Upstream this mock hook to gce provider. | ||
| func setSecurityPolicyHook(_ context.Context, key *meta.Key, ref *computebeta.SecurityPolicyReference, _ *cloud.MockBetaBackendServices) error { |
There was a problem hiding this comment.
move this inside the test if possible, avoid global locking
| t.Parallel() | ||
|
|
||
| fakeGCE := gce.FakeGCECloud(gce.DefaultTestClusterValues()) | ||
| fakeBeName := fmt.Sprintf("be-name-XXX-%s", tc.desc) |
There was a problem hiding this comment.
do we need tc.desc in the backend name?
There was a problem hiding this comment.
The purpose is to avoid tests conflicting with each other given that they run in parallel. Changed to use index instead.
| (fakeGCE.Compute().(*cloud.MockGCE)).MockBetaBackendServices.SetSecurityPolicyHook = setSecurityPolicyHook | ||
|
|
||
| if err := EnsureSecurityPolicy(fakeGCE, utils.ServicePort{BackendConfig: tc.desiredConfig}, tc.currentBackendService, fakeBeName); err != nil { | ||
| t.Errorf("%s: EnsureSecurityPolicy()=%v, want nil", tc.desc, err) |
| // Verify whether the desired policy is set. | ||
| policyRef, ok := mockSecurityPolcies[fakeBeName] | ||
| if !ok { | ||
| t.Errorf("%s: policy not set for backend service %s", tc.desc, fakeBeName) |
| desiredPolicyName = tc.desiredConfig.Spec.SecurityPolicy.Name | ||
| } | ||
| if utils.EqualResourceIDs(policyLink, desiredPolicyName) { | ||
| t.Errorf("%s: got policy %q, want %q", tc.desc, policyLink, desiredPolicyName) |
| // Verify not set call is made. | ||
| policyRef, ok := mockSecurityPolcies[fakeBeName] | ||
| if ok { | ||
| t.Errorf("%s: unexpected policy %q is set for backend service %s", tc.desc, policyRef, fakeBeName) |
MrHohn
force-pushed
the
cloud-armor-support
branch
from
5e26719 to
d40ea79
Compare
k8s-ci-robot
removed
the
lgtm
|
New changes are detected. LGTM label has been removed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The first commit is for updating vendor. I will soon split that into another PR.Updated vendor in #293./assign @rramkumar1 @bowei