Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(inbound): Log traffic with the 'audit' policy #3068

Merged
merged 4 commits into from
Jul 26, 2024
Merged

feat(inbound): Log traffic with the 'audit' policy #3068

merged 4 commits into from
Jul 26, 2024

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Jul 15, 2024
edited
Loading

Audit mode is triggered by the policy controller, which will create an authorization named "audit" allowing traffic for the given target. When the proxy processes an authorization with such name it will log it at INFO.

Also, add "audit" to the possible values for
LINKERD2_PROXY_INBOUND_DEFAULT_POLICY, whose effect is the same as "all-unauthenticated".

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.

@alpeb alpeb requested a review from a team as a code owner July 15, 2024 19:54
@alpeb alpeb force-pushed the alpeb/policy-audit-mode branch from 5d90db0 to 9e23f08 Compare July 15, 2024 19:54
@alpeb
Audit mode
a3f0e53 
Audit mode is triggered by the policy controller, which will create an
authorization named "audit" allowing traffic for the given target. When
the proxy processes an authorization with such name it will log it at
INFO.

Also, add "audit" to the possible values for
`LINKERD2_PROXY_INBOUND_DEFAULT_POLICY`, whose effect is the same as
"all-unauthenticated".
@alpeb alpeb force-pushed the alpeb/policy-audit-mode branch from 9e23f08 to a3f0e53 Compare July 15, 2024 20:02
@alpeb alpeb changed the title Audit mode Audit policy Jul 15, 2024
This was referenced Jul 16, 2024
Merged
Merged
mateiidavid
mateiidavid reviewed Jul 17, 2024
View reviewed changes
Copy link
Member

@mateiidavid mateiidavid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a small question on parsing default policies. I was also wondering if it's worth adding some tests.

Integration tests have a policy controller mock that implements the inbound and outbound interfaces (see https://github.com/linkerd/linkerd2-proxy/blob/main/linkerd/app/integration/src/policy.rs). There are also some unit tests in:

I wonder if it makes sense to add a test or two to ensure this all behaves as expected.

linkerd/app/src/env.rs Outdated
@@ -1008,7 +1008,7 @@ fn parse_default_policy(
"all-authenticated" => {
Ok(inbound::policy::defaults::all_authenticated(detect_timeout).into())
}
"all-unauthenticated" => {
"all-unauthenticated" | "audit" => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: if we treat this as an all-unauthenticated by default, when we create the default policy will it still have the correct metadata?

What would happen if for example we have an audit default policy and we get an inbound connection? Will we still log with the audit labels?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great point, I missed that! This is hard to test manually, but your pointers above might help. Moving the PR into draft till I address this.

@alpeb alpeb marked this pull request as draft July 17, 2024 15:44
@alpeb
Fix LINKERD2_PROXY_INBOUND_DEFAULT_POLICY=audit
57b0e03 
I've added a new new branch in the matcher parsing LINKERD2_PROXY_INBOUND_DEFAULT_POLICY that creates a similiar ServerPolicy that for all_unauthenticated, but named "audit", which is what causes the special log entry to be produced. I tested this manually using a proxy with a hard-coded `policy::Config::Fixed` policy with an audit default ServerPolicy to avoid overriding LINKERD2_PROXY_INBOUND_DEFAULT_POLICY's policy with something coming from the policy controller.

As for tests, I couldn't quite find a place for this that didn't duplicate what we already have for all_unauthenticated. We could add something with some tracing subscriber that would catch the log entry but not sure if it's worth it. Open to more suggestions.
@alpeb
Copy link
Member Author

alpeb commented Jul 17, 2024

I've added a new new branch in the matcher parsing LINKERD2_PROXY_INBOUND_DEFAULT_POLICY that creates a similiar ServerPolicy as the one used for all_unauthenticated, but named "audit", this name being the only thing that causes the special log entry to be produced. I tested this manually using a proxy with a hard-coded policy::Config::Fixed policy with an audit default ServerPolicy to avoid overriding LINKERD2_PROXY_INBOUND_DEFAULT_POLICY's policy with something coming from the policy controller.

As for unit/integration tests, I couldn't quite find a place for this that didn't duplicate what we already have for all_unauthenticated. We could add something with some tracing subscriber that would catch the log entry but not sure if it's worth it. Open to more suggestions.

@alpeb alpeb marked this pull request as ready for review July 17, 2024 21:06
alpeb added a commit to linkerd/linkerd2 that referenced this pull request Jul 23, 2024
@alpeb
Audit access policy implementation
a0ded8a 
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
alpeb added a commit to linkerd/linkerd2 that referenced this pull request Jul 25, 2024
@alpeb
Audit access policy implementation
5ff8d95 
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
olix0r
olix0r approved these changes Jul 26, 2024
View reviewed changes
linkerd/proxy/server-policy/src/meta.rs Outdated Show resolved Hide resolved
@olix0r olix0r changed the title Audit policy feat(inbound): Log traffic with the 'audit' policy Jul 26, 2024
@olix0r olix0r enabled auto-merge (squash) July 26, 2024 15:40
@olix0r olix0r merged commit fd76e81 into main Jul 26, 2024
15 checks passed
@olix0r olix0r deleted the alpeb/policy-audit-mode branch July 26, 2024 15:43
alpeb added a commit to linkerd/linkerd2 that referenced this pull request Jul 26, 2024
@alpeb
Audit access policy implementation
9ad80a5 
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mateiidavid mateiidavid mateiidavid left review comments

@olix0r olix0r olix0r approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alpeb @olix0r @mateiidavid