-
Notifications
You must be signed in to change notification settings - Fork 600
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support filters in EventPolicy resources #8114
Comments
What happens when |
I guess if from:
- sub: *
filters:
cesql: ... For the RequestReply use case, we would probably need two policies:
Does this make sense @pierDipi ? |
In YAML these 2 points translates into? |
I believe that the yamls would be something along the lines of: apiVersion: eventing.knative.dev/v1alpha1
kind: EventPolicy
metadata:
name: request-reply-ingress-policy
namespace: knative-eventing
spec:
to:
- ref:
apiVersion: "apps/v1"
kind: Deployment
name: request-reply
from:
- sub: *
filters:
cesql: "NOT KN_FROM_OIDC_IDENTITY(broker oidc identity)" apiVersion: eventing.knative.dev/v1alpha1
kind: EventPolicy
metadata:
name: request-reply-ingress-policy
namespace: knative-eventing
spec:
to:
- ref:
apiVersion: "apps/v1"
kind: Deployment
name: request-reply
from:
- sub: broker oidc identity
filters:
cesql: "KN_VERIFY_CORRELATION_ID(correlation_id, 'secret1', 'secret2')"
# no filters, allow everything Note: for this approach to work, we needed some way to say "not from a certain oidc identity". I did that by adding another CESQL function here. Another approach would be to allow specifyin relative URIs on the references in |
From offline discussions with @pierDipi , the EventPolicies would be:
Using this approach, the proposed approach for event filters works, so I will be going forwards with that in a PR soon /triage accepted |
Problem
To make the EventPolicy more powerful for users, we should add support for defining
filters
which run at ingress and determine which events pass. Given that the current behaviour for ingress of a component which has multiple EventPolicies applying to it is to have the event pass as long as it matches one of the policies, the way EventPolicies should be handled when there is a filter present is (in pseudocode):Persona:
Which persona is this feature for? Developers, system administrators
Exit Criteria
E2E tests where events only pass ingress if they pass the filters
Time Estimate (optional):
How many developer-days do you think this may take to resolve? 3-5
Additional context (optional)
Add any other context about the feature request here.
The text was updated successfully, but these errors were encountered: