Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ExternalServices shouldn't rely on the existence of a TrafficPermission #6589

Closed
1 task done
lahabana opened this issue Apr 21, 2023 · 6 comments · Fixed by #8745
Closed
1 task done

ExternalServices shouldn't rely on the existence of a TrafficPermission #6589

lahabana opened this issue Apr 21, 2023 · 6 comments · Fixed by #8745
Assignees
@lukidzi
Labels
area/policies kind/design Design doc or related triage/accepted The issue was reviewed and is complete enough to start working on it
Milestone
2.6.x

Comments

@lahabana
Copy link
Contributor

lahabana commented Apr 21, 2023
edited by lukidzi
Loading

Description

When delete default TrafficPermission then ExternalServices don't work at all. Kuma generates outbounds for ES based on the TrafficPermission policy (no permission -> no outbound).

Can we just have a RBAC filter on the external service listener? What happens with Egress?
@lahabana lahabana added triage/pending This issue will be looked at on the next triage meeting kind/design Design doc or related triage/accepted The issue was reviewed and is complete enough to start working on it area/policies and removed triage/pending This issue will be looked at on the next triage meeting labels Apr 21, 2023
@lobkovilya lobkovilya mentioned this issue Jun 20, 2023
Merged
6 tasks
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Jul 24, 2023
@github-actions
Copy link
Contributor

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

@lahabana lahabana removed the triage/stale Inactive for some time. It will be triaged again label Jul 24, 2023
@github-actions github-actions bot added the triage/stale Inactive for some time. It will be triaged again label Oct 23, 2023
@github-actions
Copy link
Contributor

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed.
If you think this issue is still relevant, please comment on it or attend the next triage meeting.

@lukidzi lukidzi mentioned this issue Oct 25, 2023
Merged
5 tasks
@lahabana lahabana removed the triage/stale Inactive for some time. It will be triaged again label Nov 2, 2023
@lahabana
Copy link
Contributor Author

lahabana commented Nov 2, 2023

Should we close this now? @lukidzi ?

@slonka
Copy link
Contributor

slonka commented Nov 7, 2023

This is still a problem, we shouldn't close this ☝️

@slonka slonka changed the title ExternalServices shouldn't rely on the existence of a trafficPermission ExternalServices shouldn't rely on the existence of a TrafficPermission Nov 7, 2023
@cbugneac-nex
Copy link

I'm on Kuma version 2.4.3 and decided to migrate to MeshTrafficPermission from TrafficPermission. Created default allow all initially to not break working things:

---
apiVersion: kuma.io/v1alpha1
kind: MeshTrafficPermission
metadata:
  namespace: kuma-system
  name: allow-all-default
  labels:
    kuma.io/mesh: default
spec:
  from:
  - default:
      action: AllowWithShadowDeny
    targetRef:
      kind: Mesh
  targetRef:
    kind: Mesh

And now access to ExternalServices doesn't work even if I add explicit MeshTrafficPermissions for ExternalServices.

@bartsmykla bartsmykla changed the title ExternalServices shouldn't rely on the existence of a TrafficPermission ExternalServices shouldn't rely on the existence of a TrafficPermission Nov 20, 2023
@lukidzi
Copy link
Contributor

lukidzi commented Nov 22, 2023
edited
Loading

My idea to change the behavior:

  • Remove matching service with TrafficPermisson
  • Deliver all ExternalServices to Dataplanes when there is no TrafficPermission/MeshTrafficPermission defined
    • If ReachableServices are defined we filter out ExternalServices
    • TrafficPermission/MeshTrafficPermission for ExternalServices has only impact when using Egress

I am not sure the best way to handle Auto ReachableServices, they are relying on the MTP so the user would need to define policy to have access or we could deliver all ES until there is a policy matching ES but it seems a bit complicated.

Can we just have an RBAC filter on the external service listener? What happens with Egress?

I don't think that we should define RBAC in outgoing traffic, just configure RBAC when using egress. Should we allow all when no policy or deny and require the user to define it?

@jakubdyszkiewicz jakubdyszkiewicz mentioned this issue Nov 27, 2023
Closed
This was referenced Jan 2, 2024
Closed
Merged
@lahabana lahabana added this to the 2.6.x milestone Jan 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukidzi lukidzi

Labels
area/policies kind/design Design doc or related triage/accepted The issue was reviewed and is complete enough to start working on it
Projects
None yet
Milestone
2.6.x
Development

Successfully merging a pull request may close this issue.

feat(ExternalService): make ExternalServices independent of TrafficPermission lukidzi/kuma
4 participants
@lahabana @slonka @lukidzi @cbugneac-nex