feat(policy): add interfaces for policy plugins

Rework the way policy plugins work to be able to handle policy matching in the plugin
kumahq · Aug 25, 2022 · 31569a1 · 31569a1
1 parent 22c157d
commit 31569a1
Show file tree

Hide file tree

Showing 6 changed files with 227 additions and 123 deletions.
diff --git a/pkg/core/plugins/interfaces.go b/pkg/core/plugins/interfaces.go
@@ -5,10 +5,13 @@ import (
 
 	"github.com/kumahq/kuma/pkg/api-server/authn"
 	core_ca "github.com/kumahq/kuma/pkg/core/ca"
+	core_mesh "github.com/kumahq/kuma/pkg/core/resources/apis/mesh"
 	core_store "github.com/kumahq/kuma/pkg/core/resources/store"
 	core_runtime "github.com/kumahq/kuma/pkg/core/runtime"
 	secret_store "github.com/kumahq/kuma/pkg/core/secrets/store"
+	core_xds "github.com/kumahq/kuma/pkg/core/xds"
 	"github.com/kumahq/kuma/pkg/events"
+	xds_context "github.com/kumahq/kuma/pkg/xds/context"
 )
 
 type Plugin interface{}
@@ -80,3 +83,10 @@ type AuthnAPIServerPlugin interface {
 	Plugin
 	NewAuthenticator(PluginContext) (authn.Authenticator, error)
 }
+
+// PolicyPlugin a plugin to add a Policy to Kuma
+type PolicyPlugin interface {
+	Plugin
+	MatchedPolicies(dataplane *core_mesh.DataplaneResource, resources xds_context.Resources) (core_xds.TypedMatchingPolicies, error)
+	Apply(rs *core_xds.ResourceSet, proxy *core_xds.Proxy) error
+}
diff --git a/pkg/core/plugins/registry.go b/pkg/core/plugins/registry.go
@@ -16,6 +16,7 @@ const (
 	runtimePlugin       pluginType = "runtime"
 	caPlugin            pluginType = "ca"
 	authnAPIServer      pluginType = "authn-api-server"
+	policyPlugin        pluginType = "policy"
 )
 
 type PluginName string
@@ -39,6 +40,7 @@ type Registry interface {
 	RuntimePlugins() map[PluginName]RuntimePlugin
 	CaPlugins() map[PluginName]CaPlugin
 	AuthnAPIServer() map[PluginName]AuthnAPIServerPlugin
+	PolicyPlugins() map[PluginName]PolicyPlugin
 }
 
 type RegistryMutator interface {
@@ -59,6 +61,7 @@ func NewRegistry() MutableRegistry {
 		runtime:        make(map[PluginName]RuntimePlugin),
 		ca:             make(map[PluginName]CaPlugin),
 		authnAPIServer: make(map[PluginName]AuthnAPIServerPlugin),
+		policy:         make(map[PluginName]PolicyPlugin),
 	}
 }
 
@@ -72,6 +75,7 @@ type registry struct {
 	runtime        map[PluginName]RuntimePlugin
 	ca             map[PluginName]CaPlugin
 	authnAPIServer map[PluginName]AuthnAPIServerPlugin
+	policy         map[PluginName]PolicyPlugin
 }
 
 func (r *registry) ResourceStore(name PluginName) (ResourceStorePlugin, error) {
@@ -106,6 +110,10 @@ func (r *registry) RuntimePlugins() map[PluginName]RuntimePlugin {
 	return r.runtime
 }
 
+func (r *registry) PolicyPlugins() map[PluginName]PolicyPlugin {
+	return r.policy
+}
+
 func (r *registry) BootstrapPlugins() []BootstrapPlugin {
 	var plugins []BootstrapPlugin
 	for _, plugin := range r.bootstrap {
@@ -172,6 +180,12 @@ func (r *registry) Register(name PluginName, plugin Plugin) error {
 		}
 		r.authnAPIServer[name] = authn
 	}
+	if policy, ok := plugin.(PolicyPlugin); ok {
+		if old, exists := r.authnAPIServer[name]; exists {
+			return pluginAlreadyRegisteredError(policyPlugin, name, old, policy)
+		}
+		r.policy[name] = policy
+	}
 	return nil
 }
 

diff --git a/pkg/core/xds/matched_policies.go b/pkg/core/xds/matched_policies.go
@@ -9,29 +9,43 @@ import (
 	core_model "github.com/kumahq/kuma/pkg/core/resources/model"
 )
 
+type MatchingPolicyMap map[core_model.ResourceType][]core_model.Resource
+
+// TypedMatchingPolicies all policies of this type matching
+type TypedMatchingPolicies struct {
+	Type              core_model.ResourceType
+	InboundPolicies   map[mesh_proto.InboundInterface][]core_model.Resource
+	OutboundPolicies  map[mesh_proto.OutboundInterface][]core_model.Resource
+	ServicePolicies   map[ServiceName][]core_model.Resource
+	DataplanePolicies []core_model.Resource
+}
 type MatchedPolicies struct {
 	// Inbound(Listener) -> Policy
 	TrafficPermissions    TrafficPermissionMap
 	FaultInjections       FaultInjectionMap
 	RateLimitsInbound     InboundRateLimitsMap
 	CustomInboundPolicies []map[mesh_proto.InboundInterface]core_model.Resource
+	InboundPolicies       map[mesh_proto.InboundInterface]MatchingPolicyMap
 
 	// Service(Cluster) -> Policy
 	TrafficLogs     TrafficLogMap
 	HealthChecks    HealthCheckMap
 	CircuitBreakers CircuitBreakerMap
 	Retries         RetryMap
+	ServicePolicies map[ServiceName]MatchingPolicyMap
 
 	// Outbound(Listener) -> Policy
 	Timeouts           TimeoutMap
 	RateLimitsOutbound OutboundRateLimitsMap
 	// Actual Envoy Configuration is generated without taking this TrafficRoutes into account
-	TrafficRoutes RouteMap
+	TrafficRoutes    RouteMap
+	OutboundPolicies map[mesh_proto.OutboundInterface]MatchingPolicyMap
 
 	// Dataplane -> Policy
 	TrafficTrace *core_mesh.TrafficTraceResource
 	// Actual Envoy Configuration is generated without taking this ProxyTemplate into account
-	ProxyTemplate *core_mesh.ProxyTemplateResource
+	ProxyTemplate     *core_mesh.ProxyTemplateResource
+	DataplanePolicies MatchingPolicyMap
 }
 
 type AttachmentType int64
@@ -190,6 +204,11 @@ func getInboundMatchedPolicies(matchedPolicies *MatchedPolicies) map[mesh_proto.
 			result[inbound] = append(result[inbound], customList)
 		}
 	}
+	for inbound, policyMap := range matchedPolicies.InboundPolicies {
+		for _, elts := range policyMap {
+			result[inbound] = append(result[inbound], elts...)
+		}
+	}
 
 	return result
 }
@@ -203,8 +222,13 @@ func getOutboundMatchedPolicies(matchedPolicies *MatchedPolicies) map[mesh_proto
 	for outbound, rl := range matchedPolicies.RateLimitsOutbound {
 		result[outbound] = append(result[outbound], rl)
 	}
-	for outboud, tr := range matchedPolicies.TrafficRoutes {
-		result[outboud] = append(result[outboud], tr)
+	for outbound, tr := range matchedPolicies.TrafficRoutes {
+		result[outbound] = append(result[outbound], tr)
+	}
+	for outbound, policyMap := range matchedPolicies.OutboundPolicies {
+		for _, elts := range policyMap {
+			result[outbound] = append(result[outbound], elts...)
+		}
 	}
 
 	return result
@@ -225,6 +249,11 @@ func getServiceMatchedPolicies(matchedPolicies *MatchedPolicies) map[ServiceName
 	for service, retry := range matchedPolicies.Retries {
 		result[service] = append(result[service], retry)
 	}
+	for service, policyMap := range matchedPolicies.ServicePolicies {
+		for _, elts := range policyMap {
+			result[service] = append(result[service], elts...)
+		}
+	}
 
 	return result
 }
@@ -237,6 +266,9 @@ func getDataplaneMatchedPolicies(matchedPolicies *MatchedPolicies) []core_model.
 	if matchedPolicies.ProxyTemplate != nil {
 		resources = append(resources, matchedPolicies.ProxyTemplate)
 	}
+	for _, elts := range matchedPolicies.DataplanePolicies {
+		resources = append(resources, elts...)
+	}
 	return resources
 }