add local gateway name as attribute (#595)
Signed-off-by: Ziv Nevo <nevo@il.ibm.com>
zivnevo authored May 21, 2024
1 parent 323f5a9 commit 5908737
Showing 2 changed files with 17 additions and 5 deletions.
10 changes: 9 additions & 1 deletion pkg/controlplane/authz/manager.go
@@ -97,6 +97,7 @@ type Manager struct {
loadBalancer *LoadBalancer
connectivityPDP *connectivitypdp.PDP

peerName string
peerTLS *tls.ParsedCertData
peerLock sync.RWMutex
peerClient map[string]*peer.Client
@@ -206,7 +207,7 @@ func (m *Manager) getPodInfoByIP(ip string) *podInfo {
func (m *Manager) authorizeEgress(ctx context.Context, req *egressAuthorizationRequest) (*egressAuthorizationResponse, error) {
m.logger.Infof("Received egress authorization request: %v.", req)

srcAttributes := connectivitypdp.WorkloadAttrs{}
srcAttributes := connectivitypdp.WorkloadAttrs{GatewayNameLabel: m.peerName}
podInfo := m.getPodInfoByIP(req.IP)
if podInfo != nil {
srcAttributes[ServiceNamespaceLabel] = podInfo.namespace
@@ -362,6 +363,7 @@ func (m *Manager) authorizeIngress(
dstAttributes := connectivitypdp.WorkloadAttrs{
ServiceNameLabel: req.ServiceName.Name,
ServiceNamespaceLabel: req.ServiceName.Namespace,
GatewayNameLabel: m.peerName,
}
decision, err := m.connectivityPDP.Decide(srcAttributes, dstAttributes, req.ServiceName.Namespace)
if err != nil {
@@ -442,11 +444,17 @@ func NewManager(peerTLS *tls.ParsedCertData, cl client.Client, namespace string)
return nil, fmt.Errorf("unable to create JWK verifing key: %w", err)
}

dnsNames := peerTLS.DNSNames()
if len(dnsNames) == 0 {
return nil, fmt.Errorf("expected peer certificate to contain at least one DNS name")
}

return &Manager{
client: cl,
namespace: namespace,
connectivityPDP: connectivitypdp.NewPDP(),
loadBalancer: NewLoadBalancer(),
peerName: dnsNames[0],
peerTLS: peerTLS,
peerClient: make(map[string]*peer.Client),
jwkSignKey: jwkSignKey,
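Review bot: The gateway name that policies will match against is taken as `dnsNames[0]`, so when the certificate carries more than one DNS SAN the chosen identity depends on SAN ordering, and a mismatch with the name remote peers put in their `GatewayNameLabel` rules would silently change the outcome of `Decide` in both `authorizeEgress` and `authorizeIngress`. Since nothing in the hunk records which name was picked, I would at least log it once at construction (`m.logger.Infof("Using gateway name %q from certificate DNS names %v", dnsNames[0], dnsNames)`, if the logger is available here) and document the assumption on the new struct field: `// peerName is this gateway's identity as seen by access policies; it is the first DNS SAN of its certificate.`. As a minor point, the new error has no format verbs, so `errors.New("expected peer certificate to contain at least one DNS name")` is the idiomatic form if `errors` is already imported. NewManager continues outside the hunk.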
12 changes: 8 additions & 4 deletions tests/e2e/k8s/test_policy.go
@@ -40,15 +40,19 @@ func (s *TestSuite) TestPolicyLabels() {
// 1. Create a policy that allows traffic only to the echo service at cl[0] - apply in cl[1] (on egress)
// In addition, create a policy to only allow traffic from cl[1] - apply in cl[0] (on ingress)
allowEchoPolicyName := "allow-access-to-echo-svc"
dstLabels := map[string]string{
srcLabels := map[string]string{ // allow traffic only from cl1
authz.GatewayNameLabel: cl[1].Name(),
}
dstLabels := map[string]string{ // allow traffic only to echo in cl1
authz.ServiceNameLabel: httpEchoService.Name,
authz.GatewayNameLabel: cl[0].Name(),
}
allowEchoPolicy := util.NewPolicy(allowEchoPolicyName, v1alpha1.AccessPolicyActionAllow, nil, dstLabels)
allowEchoPolicy := util.NewPolicy(allowEchoPolicyName, v1alpha1.AccessPolicyActionAllow, srcLabels, dstLabels)
require.Nil(s.T(), cl[1].CreatePolicy(allowEchoPolicy))

srcLabels := map[string]string{authz.GatewayNameLabel: cl[1].Name()}
specificSrcPeerPolicy := util.NewPolicy("specific-peer", v1alpha1.AccessPolicyActionAllow, srcLabels, nil)
srcLabels = map[string]string{authz.GatewayNameLabel: cl[1].Name()} // allow traffic only from cl1
dstLabels = map[string]string{authz.GatewayNameLabel: cl[0].Name()} // allow traffic only to cl0
specificSrcPeerPolicy := util.NewPolicy("specific-peer", v1alpha1.AccessPolicyActionAllow, srcLabels, dstLabels)
require.Nil(s.T(), cl[0].CreatePolicy(specificSrcPeerPolicy))

data, err := cl[1].AccessService(httpecho.GetEchoValue, importedService, true, nil)
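Review bot: The reassignment of `srcLabels` on the line `srcLabels = map[string]string{authz.GatewayNameLabel: cl[1].Name()} // allow traffic only from cl1` rebuilds a map identical to the one declared a few lines earlier; the first map is only read by `util.NewPolicy`, so the second literal can be dropped and the existing `srcLabels` passed to `specificSrcPeerPolicy` directly, which also makes it obvious that both policies key on the same source gateway. If the intent is to keep the two policies visibly independent, a short comment saying so would help the next reader, since otherwise the duplicate looks accidental. TestPolicyLabels continues past the hunk.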
