This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

envoy/rbac: add support for server side RBAC filter #2054

Merged
merged 2 commits into openservicemesh:main from rbac-v1
Nov 14, 2020

Conversation

shashankram
Member

@shashankram shashankram commented Nov 13, 2020

Description:
This change introduces an RBAC filter in the inbound mesh filter
chain. Currently, the RBAC filter grants full access to client identities
(ServiceAccounts) that are permitted by an SMI traffic target policy.
HTTP filtering based on HTTP routes still happens within RDS.
The RBAC filter is omitted in permissive mode.

This change is a part of #1964 and is required by #1521.

Affected area:

  • New Functionality [ ]
  • Documentation [ ]
  • Install [ ]
  • Control Plane [X]
  • CLI Tool [ ]
  • Certificate Management [ ]
  • Networking [ ]
  • Metrics [ ]
  • SMI Policy [ ]
  • Security [ ]
  • Tests [ ]
  • CI System [ ]
  • Performance [ ]
  • Other [ ]

Please answer the following questions with yes/no.

  • Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?
    No
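To make the description above concrete, here is an added example (not code from the OSM project or this PR) of the policy-to-filter translation it describes: collect the source service accounts that SMI TrafficTargets permit to reach the proxy's own service account, turn each one into an authenticated principal, and emit an Envoy network RBAC filter config in ALLOW mode with an "any permission" policy per principal, so route-level filtering stays with RDS. In permissive mode the builder returns nil, i.e. the filter is omitted. The `TrafficTarget` model, the `"<sa>.<ns>.<trustDomain>"` identity layout, the `stat_prefix` value and the `isAllowed` evaluator are assumptions of this example; only the JSON field names follow the Envoy `envoy.extensions.filters.network.rbac.v3.RBAC` proto.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ServiceAccount is the client identity an SMI TrafficTarget refers to.
type ServiceAccount struct {
	Name      string
	Namespace string
}

// TrafficTarget is a reduced model of an SMI TrafficTarget: which source
// service accounts may reach the destination service account.
// (Constructed for this example; the real CRD carries more fields.)
type TrafficTarget struct {
	Destination ServiceAccount
	Sources     []ServiceAccount
}

// Minimal typed view of the Envoy RBAC network filter config (JSON shape).
type StringMatcher struct {
	Exact string `json:"exact"`
}
type Authenticated struct {
	PrincipalName StringMatcher `json:"principal_name"`
}
type Principal struct {
	Authenticated *Authenticated `json:"authenticated,omitempty"`
}
type Permission struct {
	Any bool `json:"any,omitempty"`
}
type Policy struct {
	Permissions []Permission `json:"permissions"`
	Principals  []Principal  `json:"principals"`
}
type Rules struct {
	Action   string            `json:"action"`
	Policies map[string]Policy `json:"policies"`
}
type RBACFilter struct {
	StatPrefix string `json:"stat_prefix"`
	Rules      Rules  `json:"rules"`
}

// identity renders a service account as the principal name the proxy
// certificate would carry. The "<sa>.<ns>.<trustDomain>" layout is an
// assumption of this example, not necessarily OSM's exact format.
func identity(sa ServiceAccount, trustDomain string) string {
	return fmt.Sprintf("%s.%s.%s", sa.Name, sa.Namespace, trustDomain)
}

// allowedSources returns the deduplicated, sorted principals that any
// TrafficTarget permits to reach proxySA.
func allowedSources(proxySA ServiceAccount, targets []TrafficTarget, trustDomain string) []string {
	seen := map[string]struct{}{}
	for _, t := range targets {
		if t.Destination != proxySA {
			continue // policy is for a different destination identity
		}
		for _, src := range t.Sources {
			seen[identity(src, trustDomain)] = struct{}{}
		}
	}
	out := make([]string, 0, len(seen))
	for id := range seen {
		out = append(out, id)
	}
	sort.Strings(out)
	return out
}

// buildInboundRBAC assembles an ALLOW rule set with one policy per permitted
// principal, each granting any permission (HTTP-route checks stay in RDS).
// It returns nil in permissive mode, meaning the filter is left out.
func buildInboundRBAC(proxySA ServiceAccount, targets []TrafficTarget, permissive bool, trustDomain string) *RBACFilter {
	if permissive {
		return nil
	}
	policies := map[string]Policy{}
	for _, principal := range allowedSources(proxySA, targets, trustDomain) {
		policies[principal] = Policy{
			Permissions: []Permission{{Any: true}},
			Principals:  []Principal{{Authenticated: &Authenticated{PrincipalName: StringMatcher{Exact: principal}}}},
		}
	}
	return &RBACFilter{StatPrefix: "inbound_rbac", Rules: Rules{Action: "ALLOW", Policies: policies}}
}

// isAllowed mimics Envoy's evaluation of an ALLOW rule set: a client is
// admitted when some policy matches its authenticated principal name; with
// no filter installed (permissive mode) every client is admitted.
func isAllowed(cfg *RBACFilter, principal string) bool {
	if cfg == nil {
		return true
	}
	for _, p := range cfg.Rules.Policies {
		for _, pr := range p.Principals {
			if pr.Authenticated != nil && pr.Authenticated.PrincipalName.Exact == principal {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample policy: sa-1/ns-1 may be reached by client-a and client-b.
	proxy := ServiceAccount{Name: "sa-1", Namespace: "ns-1"}
	targets := []TrafficTarget{{
		Destination: proxy,
		Sources:     []ServiceAccount{{Name: "client-a", Namespace: "ns-1"}, {Name: "client-b", Namespace: "ns-2"}},
	}}
	cfg := buildInboundRBAC(proxy, targets, false, "cluster.local")
	b, _ := json.MarshalIndent(cfg, "", "  ")
	fmt.Println(string(b))
	fmt.Println("client-a admitted:", isAllowed(cfg, "client-a.ns-1.cluster.local"))
	fmt.Println("stranger admitted:", isAllowed(cfg, "stranger.ns-9.cluster.local"))
}
```

The deny case falls out of Envoy's ALLOW semantics rather than from an explicit rule: any authenticated principal that no TrafficTarget names is refused, which is why the filter must be omitted, not emptied, in permissive mode (an empty ALLOW policy set would reject everyone).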

@shashankram shashankram added the wip Work-in-Progress label Nov 13, 2020
@shashankram shashankram removed the wip Work-in-Progress label Nov 13, 2020
@shashankram shashankram marked this pull request as ready for review November 13, 2020 20:40
@shashankram shashankram requested a review from a team as a code owner November 13, 2020 20:40
Contributor

@draychev draychev left a comment


Good stuff! This is an important piece!

I tend to read unit tests to understand how something works. To me unit tests are also documentation.
I left a few small comments around tweaking the tests so these are easier to read as prose.

pkg/envoy/lds/rbac_test.go (resolved)
pkg/envoy/lds/rbac_test.go (outdated, resolved)
mockCatalog := catalog.NewMockMeshCataloger(mockCtrl)
proxySvcAccount := service.K8sServiceAccount{Name: "sa-1", Namespace: "ns-1"}

lb := &listenerBuilder{
Contributor


Why not use newListenerBuilder()?

Member Author


Because this allows filling in only the minimal stuff the object needs to build the filter. When a new field is added to the struct, if the test fails it helps find dependency issues faster.

pkg/envoy/lds/response.go (resolved)
pkg/envoy/lds/response.go (resolved)
pkg/envoy/lds/rbac.go (resolved)
pkg/envoy/lds/rbac.go (outdated, resolved)
pkg/envoy/lds/types.go (resolved)
pkg/envoy/lds/response.go (resolved)
pkg/envoy/lds/rbac.go (resolved)
eduser25 previously approved these changes Nov 13, 2020
This change introduces an RBAC filter in the inbound mesh filter
chain. Currently, the RBAC filter grants full access to client
identities that are permitted by an SMI traffic target policy.
HTTP filtering based on HTTP routes still happens within RDS.
The RBAC filter is omitted in permissive mode.

This change is a part of openservicemesh#1964 and is required by openservicemesh#1521.
@shashankram shashankram merged commit 495110c into openservicemesh:main Nov 14, 2020
@shashankram shashankram deleted the rbac-v1 branch November 14, 2020 00:05
Contributor

@michelleN michelleN left a comment


Thanks!

draychev pushed a commit to draychev/osm that referenced this pull request Nov 19, 2020
…2054)
draychev pushed a commit to draychev/osm that referenced this pull request Nov 19, 2020
…2054)
draychev pushed a commit to draychev/osm that referenced this pull request Dec 14, 2020
…2054)
4 participants