Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Audit access policy implementation #12846

Merged
merged 2 commits into from
Jul 26, 2024
Merged

Audit access policy implementation #12846

merged 2 commits into from
Jul 26, 2024

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Jul 15, 2024

Followup to #12845

This expands the policy controller index in the following ways:

  • Adds the new Audit variant to the DefaultPolicy enum
  • Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
  • Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Tests

New integration tests added:

  • e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
  • in admit_server.rs a new test checks invalid accessPolicy values are rejected.
  • in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit

Note

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.

@alpeb alpeb requested a review from a team as a code owner July 15, 2024 22:52
@alpeb alpeb marked this pull request as draft July 15, 2024 22:55
@alpeb alpeb changed the title Audit mode implementation Audit access policy implementation Jul 15, 2024
alpeb added a commit that referenced this pull request Jul 16, 2024
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit
@alpeb alpeb marked this pull request as ready for review July 16, 2024 13:46
@alpeb alpeb force-pushed the alpeb/policy-audit-crd branch from 3bad724 to d537592 Compare July 18, 2024 22:15
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from 60ccfec to 7cf3c97 Compare July 18, 2024 22:17
Base automatically changed from alpeb/policy-audit-crd to main July 22, 2024 14:01
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from 7cf3c97 to dd2c9fa Compare July 22, 2024 14:47
Copy link
Member

@adleong adleong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like there are some rust check errors

policy-controller/k8s/index/src/defaults.rs Outdated Show resolved Hide resolved
policy-controller/k8s/index/src/inbound/index.rs Outdated Show resolved Hide resolved
@alpeb
Copy link
Member Author

alpeb commented Jul 23, 2024

Ready for review again 👍 Note the CI Rust failures are from the tests, which I've addressed separately in #12847

@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch 2 times, most recently from a9caff0 to a0ded8a Compare July 23, 2024 18:58
alpeb added a commit that referenced this pull request Jul 23, 2024
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from a0ded8a to 5ff8d95 Compare July 25, 2024 11:38
alpeb added a commit that referenced this pull request Jul 25, 2024
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from 5ff8d95 to 9ad80a5 Compare July 26, 2024 16:26
alpeb added a commit that referenced this pull request Jul 26, 2024
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit
Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

- e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
- in admit_server.rs a new test checks invalid accessPolicy values are rejected.
- in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
@alpeb alpeb merged commit a9fa176 into main Jul 26, 2024
42 checks passed
@alpeb alpeb deleted the alpeb/policy-audit-impl branch July 26, 2024 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants