Skip to content

Commit

Permalink
fix(policies): improve targetRef validation
Browse files Browse the repository at this point in the history 
- disallow setting name with `kind: Mesh` as it's unclear what it will mean
- disallow setting mesh with all kinds as it's unclear what it will mean too
- disallow using `MeshHTTPRoute` the thing is not even defined
- rewrite validator for targetRef to use the same wording everwhere

Fix #5165

Signed-off-by: Charly Molter <charly.molter@konghq.com>

make targetRef compulsory
  • Loading branch information
@lahabana
lahabana committed Oct 21, 2022
1 parent 826cd4c commit be831c6
Show file tree
Hide file tree
Showing 18 changed files with 370 additions and 374 deletions.
6 changes: 6 additions & 0 deletions pkg/api-server/inspect_endpoints_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -339,6 +339,9 @@ var _ = Describe("Inspect WS", func() {
},
From: []*policies_api.MeshTrafficPermission_From{
{
TargetRef: &common_api.TargetRef{
Kind: "Mesh",
},
Default: &policies_api.MeshTrafficPermission_Conf{
Action: "ALLOW",
},
Expand Down Expand Up @@ -1105,6 +1108,9 @@ var _ = Describe("Inspect WS", func() {
},
From: []*policies_api.MeshTrafficPermission_From{
{
TargetRef: &common_api.TargetRef{
Kind: "Mesh",
},
Default: &policies_api.MeshTrafficPermission_Conf{
Action: "ALLOW",
},
Expand Down
3 changes: 3 additions & 0 deletions pkg/api-server/testdata/inspect_dataplane.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@
},
"from": [
{
"targetRef": {
"kind": "Mesh"
},
"default": {
"action": "ALLOW"
}
Expand Down
4 changes: 0 additions & 4 deletions pkg/core/xds/rules.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -218,10 +218,6 @@ func newConf(t reflect.Type) (proto.Message, error) {
}

func asSubset(tr *common_api.TargetRef) (Subset, error) {
if tr == nil {
// syntactic sugar, empty targetRef means targetRef{kind: Mesh}
return Subset{}, nil
}
switch tr.GetKindEnum() {
case common_api.TargetRef_Mesh:
return Subset{}, nil
Expand Down
3 changes: 1 addition & 2 deletions pkg/core/xds/testdata/rules/06.policy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,10 @@ name: mt-1
spec:
targetRef:
kind: Mesh
name: mesh-1
default:
tags:
- name: team
literal: core
backends:
- zipkin:
url: http://jaeger-collector.mesh-observability:9411/api/v2/spans
url: http://jaeger-collector.mesh-observability:9411/api/v2/spans
3 changes: 1 addition & 2 deletions pkg/core/xds/testdata/rules/07.policy.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ name: mt-1
spec:
targetRef:
kind: Mesh
name: mesh-1
default:
tags:
- name: team
Expand All @@ -26,4 +25,4 @@ spec:
literal: support
backends:
- datadog:
url: http://ingest.datadoghq.eu:8126
url: http://ingest.datadoghq.eu:8126
3 changes: 1 addition & 2 deletions pkg/plugins/policies/matchers/match.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,7 @@ func MatchedPolicies(rType core_model.ResourceType, dpp *core_mesh.DataplaneReso
return core_xds.TypedMatchingPolicies{}, errors.Errorf("resource type %v doesn't support TargetRef matching", rType)
}

targetRef := spec.GetTargetRef()
selectedInbounds := inboundsSelectedByTargetRef(targetRef, dpp, gateway)
selectedInbounds := inboundsSelectedByTargetRef(spec.GetTargetRef(), dpp, gateway)
if len(selectedInbounds) == 0 {
// DPP is not matched by the policy
continue
Expand Down
4 changes: 0 additions & 4 deletions pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/01.golden.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: Mesh
type: MeshTrafficPermission
Expand All @@ -23,7 +22,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshSubset
tags:
Expand All @@ -39,7 +37,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshService
name: web
Expand All @@ -54,7 +51,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshServiceSubset
name: web
Expand Down
7 changes: 0 additions & 7 deletions pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/01.policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -24,7 +23,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -38,7 +36,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -53,7 +50,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -67,7 +63,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -83,7 +78,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -99,6 +93,5 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
8 changes: 0 additions & 8 deletions pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/02.golden.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: Mesh
type: MeshTrafficPermission
Expand All @@ -23,7 +22,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: Mesh
type: MeshTrafficPermission
Expand All @@ -37,7 +35,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshSubset
tags:
Expand All @@ -53,7 +50,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshSubset
tags:
Expand All @@ -69,7 +65,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshService
name: web
Expand All @@ -84,7 +79,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshService
name: web
Expand All @@ -99,7 +93,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshServiceSubset
name: web
Expand All @@ -116,7 +109,6 @@ items:
action: ALLOW
targetRef:
kind: Mesh
name: default
targetRef:
kind: MeshServiceSubset
name: web
Expand Down
8 changes: 0 additions & 8 deletions pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/02.policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -27,7 +26,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -40,7 +38,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -53,7 +50,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -67,7 +63,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -81,7 +76,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -96,7 +90,6 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
---
Expand All @@ -111,6 +104,5 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
1 change: 0 additions & 1 deletion pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/03.policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,5 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
1 change: 0 additions & 1 deletion pkg/plugins/policies/matchers/testdata/match/dataplanepolicies/04.policies.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,5 @@ spec:
from:
- targetRef:
kind: Mesh
name: default
default:
action: ALLOW
Loading

0 comments on commit be831c6

Please sign in to comment.