From 590873768ced7f97fe2e3f701434b458b352c717 Mon Sep 17 00:00:00 2001
From: Ziv Nevo <79099626+zivnevo@users.noreply.github.com>
Date: Tue, 21 May 2024 09:41:57 +0300
Subject: [PATCH] add local gateway name as attribute (#595)

Signed-off-by: Ziv Nevo
---
 pkg/controlplane/authz/manager.go | 10 +++++++++-
 tests/e2e/k8s/test_policy.go | 12 ++++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/pkg/controlplane/authz/manager.go b/pkg/controlplane/authz/manager.go
index 381b2be7..6abfa21a 100644
--- a/pkg/controlplane/authz/manager.go
+++ b/pkg/controlplane/authz/manager.go
@@ -97,6 +97,7 @@ type Manager struct {
 	loadBalancer *LoadBalancer
 	connectivityPDP *connectivitypdp.PDP
 
+	peerName string
 	peerTLS *tls.ParsedCertData
 	peerLock sync.RWMutex
 	peerClient map[string]*peer.Client
@@ -206,7 +207,7 @@ func (m *Manager) getPodInfoByIP(ip string) *podInfo {
 func (m *Manager) authorizeEgress(ctx context.Context, req *egressAuthorizationRequest) (*egressAuthorizationResponse, error) {
 	m.logger.Infof("Received egress authorization request: %v.", req)
 
-	srcAttributes := connectivitypdp.WorkloadAttrs{}
+	srcAttributes := connectivitypdp.WorkloadAttrs{GatewayNameLabel: m.peerName}
 	podInfo := m.getPodInfoByIP(req.IP)
 	if podInfo != nil {
 		srcAttributes[ServiceNamespaceLabel] = podInfo.namespace
@@ -362,6 +363,7 @@ func (m *Manager) authorizeIngress(
 	dstAttributes := connectivitypdp.WorkloadAttrs{
 		ServiceNameLabel: req.ServiceName.Name,
 		ServiceNamespaceLabel: req.ServiceName.Namespace,
+		GatewayNameLabel: m.peerName,
 	}
 	decision, err := m.connectivityPDP.Decide(srcAttributes, dstAttributes, req.ServiceName.Namespace)
 	if err != nil {
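Review bot: The new `peerName` field in the Manager struct has no doc comment, and its name reads as a remote peer's identity next to `peerClient`, whereas the value it holds (assigned in NewManager later in this patch from `peerTLS.DNSNames()`) is this gateway's own name, which the two following hunks in authorizeEgress and authorizeIngress expose to policy evaluation as `GatewayNameLabel`. A one-line comment would remove that ambiguity: `peerName string // this gateway's own name (first DNS name of peerTLS), exposed to policies as GatewayNameLabel`. The Manager struct, authorizeEgress and authorizeIngress all continue outside their hunks.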
@@ -442,11 +444,17 @@ func NewManager(peerTLS *tls.ParsedCertData, cl client.Client, namespace string)
 		return nil, fmt.Errorf("unable to create JWK verifing key: %w", err)
 	}
 
+	dnsNames := peerTLS.DNSNames()
+	if len(dnsNames) == 0 {
+		return nil, fmt.Errorf("expected peer certificate to contain at least one DNS name")
+	}
+
 	return &Manager{
 		client: cl,
 		namespace: namespace,
 		connectivityPDP: connectivitypdp.NewPDP(),
 		loadBalancer: NewLoadBalancer(),
+		peerName: dnsNames[0],
 		peerTLS: peerTLS,
 		peerClient: make(map[string]*peer.Client),
 		jwkSignKey: jwkSignKey,
diff --git a/tests/e2e/k8s/test_policy.go b/tests/e2e/k8s/test_policy.go
index f9b0429a..bd97bbc6 100644
--- a/tests/e2e/k8s/test_policy.go
+++ b/tests/e2e/k8s/test_policy.go
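Review bot: `peerName: dnsNames[0]` silently takes the first of possibly several DNS names, and since access policies match on this value (the test hunk in this patch keys both source and destination labels on `GatewayNameLabel`), a certificate whose first DNS name is not the gateway name would make every such policy miss, failing either closed or open depending on the PDP's default; that choice deserves at least a comment, `// the first DNS name is taken as this gateway's canonical name; GatewayNameLabel policies match on it`, or better an explicit name parameter validated against the certificate. Separately, `fmt.Errorf("expected peer certificate to contain at least one DNS name")` has no format verbs, so `errors.New` is the idiomatic call (assuming `errors` is imported, which this hunk does not show), and the message could name the certificate's role, since `peerTLS` appears to be the local gateway's own certificate here. NewManager begins outside the hunk.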
@@ -40,15 +40,19 @@ func (s *TestSuite) TestPolicyLabels() {
 	// 1. Create a policy that allows traffic only to the echo service at cl[0] - apply in cl[1] (on egress)
 	// In addition, create a policy to only allow traffic from cl[1] - apply in cl[0] (on ingress)
 	allowEchoPolicyName := "allow-access-to-echo-svc"
-	dstLabels := map[string]string{
+	srcLabels := map[string]string{ // allow traffic only from cl1
+		authz.GatewayNameLabel: cl[1].Name(),
+	}
+	dstLabels := map[string]string{ // allow traffic only to echo in cl1
 		authz.ServiceNameLabel: httpEchoService.Name,
 		authz.GatewayNameLabel: cl[0].Name(),
 	}
-	allowEchoPolicy := util.NewPolicy(allowEchoPolicyName, v1alpha1.AccessPolicyActionAllow, nil, dstLabels)
+	allowEchoPolicy := util.NewPolicy(allowEchoPolicyName, v1alpha1.AccessPolicyActionAllow, srcLabels, dstLabels)
 	require.Nil(s.T(), cl[1].CreatePolicy(allowEchoPolicy))
 
-	srcLabels := map[string]string{authz.GatewayNameLabel: cl[1].Name()}
-	specificSrcPeerPolicy := util.NewPolicy("specific-peer", v1alpha1.AccessPolicyActionAllow, srcLabels, nil)
+	srcLabels = map[string]string{authz.GatewayNameLabel: cl[1].Name()} // allow traffic only from cl1
+	dstLabels = map[string]string{authz.GatewayNameLabel: cl[0].Name()} // allow traffic only to cl0
+	specificSrcPeerPolicy := util.NewPolicy("specific-peer", v1alpha1.AccessPolicyActionAllow, srcLabels, dstLabels)
 	require.Nil(s.T(), cl[0].CreatePolicy(specificSrcPeerPolicy))
 
 	data, err := cl[1].AccessService(httpecho.GetEchoValue, importedService, true, nil)
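Review bot: The comment on the new `dstLabels` literal, `// allow traffic only to echo in cl1`, contradicts both the label it annotates (`authz.GatewayNameLabel: cl[0].Name()`) and the step-1 comment above it, which places the echo service at cl[0]; if `cl1`/`cl0` follow the slice index as the other three added comments do, it should read `// allow traffic only to echo in cl0`. A misleading comment in a policy test matters because the test is the working documentation of which direction each GatewayNameLabel constrains. TestPolicyLabels continues outside the hunk.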