controlplane: Introduce authz package

This commit adds an authz package to the controlplane. This package is responsible for authorizing dataplane connections (either ingress or egress). Signed-off-by: Or Ozeri <[email protected]>
clusterlink-net · Feb 21, 2024 · ca89f06 · ca89f06
1 parent 0092d23
commit ca89f06
Show file tree

Hide file tree

Showing 14 changed files with 571 additions and 709 deletions.
diff --git a/cmd/cl-controlplane/app/server.go b/cmd/cl-controlplane/app/server.go
@@ -165,6 +165,12 @@ func (o *Options) Run() error {
 	runnableManager.AddServer(grpcServerAddress, grpcServer)
 	runnableManager.AddServer(controlplaneServerListenAddress, sniProxy)
 
+	authzManager, err := authz.NewManager(parsedCertData)
+	authz.RegisterHandlers(authzManager, &httpServer.Server)
+	if err := authz.CreateControllers(authzManager, mgr); err != nil {
+		return fmt.Errorf("cannot create authz controllers: %w", err)
+	}
+
 	controlManager := control.NewManager(mgr.GetClient())
 
 	xdsManager := xds.NewManager()
@@ -185,12 +191,12 @@ func (o *Options) Run() error {
 
 	storeManager := kv.NewManager(kvStore)
 
-	cp, err := controlplane.NewInstance(parsedCertData, storeManager, controlManager, xdsManager, namespace)
+	cp, err := controlplane.NewInstance(
+		storeManager, authzManager, controlManager, xdsManager, namespace)
 	if err != nil {
 		return err
 	}
 
-	authz.RegisterHandlers(cp, &httpServer.Server)
 	cprest.RegisterHandlers(cp, httpServer)
 
 	return runnableManager.Run()

diff --git a/go.mod b/go.mod
@@ -3,7 +3,6 @@ module github.com/clusterlink-net/clusterlink
 go 1.20
 
 require (
-	github.com/bombsimon/logrusr/v4 v4.1.0
 	github.com/envoyproxy/go-control-plane v0.12.0
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/google/uuid v1.6.0

diff --git a/go.sum b/go.sum
@@ -4,8 +4,6 @@ github.com/armon/go-proxyproto v0.0.0-20210323213023-7e956b284f0a/go.mod h1:QmP9
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bombsimon/logrusr/v4 v4.1.0 h1:uZNPbwusB0eUXlO8hIUwStE6Lr5bLN6IgYgG+75kuh4=
-github.com/bombsimon/logrusr/v4 v4.1.0/go.mod h1:pjfHC5e59CvjTBIU3V3sGhFWFAnsnhOR03TRc6im0l8=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=

diff --git a/pkg/controlplane/api/authz.go b/pkg/controlplane/api/authz.go
@@ -13,6 +13,8 @@
 
 package api
 
+import "github.com/lestrrat-go/jwx/jwa"
+
 const (
 	// RemotePeerAuthorizationPath is the path remote peers use to send an authorization request.
 	RemotePeerAuthorizationPath = "/authz"
@@ -34,6 +36,8 @@ const (
 	// TargetClusterHeader holds the name of the target cluster.
 	TargetClusterHeader = "host"
 
+	// JWTSignatureAlgorithm defines the signing algorithm for JWT tokens.
+	JWTSignatureAlgorithm = jwa.RS256
 	// ExportNameJWTClaim holds the name of the requested exported service.
 	ExportNameJWTClaim = "export_name"
 	// ExportNamespaceJWTClaim holds the namespace of the requested exported service.

diff --git a/pkg/controlplane/authz.go b/pkg/controlplane/authz.go
diff --git a/pkg/controlplane/authz/controllers.go b/pkg/controlplane/authz/controllers.go
@@ -0,0 +1,67 @@
+// Copyright 2023 The ClusterLink Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package authz
+
+import (
+	"context"
+
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type podReconciler struct {
+	client  client.Client
+	manager *Manager
+	logger  *logrus.Entry
+}
+
+// Reconcile Pod objects.
+func (r *podReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	r.logger.Debugf("Reconcile: %v", req.NamespacedName)
+
+	var pod v1.Pod
+	if err := r.client.Get(ctx, req.NamespacedName, &pod); err != nil {
+		if errors.IsNotFound(err) {
+			r.manager.deletePod(req.NamespacedName)
+			return ctrl.Result{}, nil
+		}
+
+		r.logger.Errorf("Unable to get pod: %v", err)
+		return ctrl.Result{}, err
+	}
+
+	r.manager.addPod(&pod)
+	return ctrl.Result{}, nil
+}
+
+func newPodReconciler(manager *Manager, clnt client.Client) *podReconciler {
+	return &podReconciler{
+		client:  clnt,
+		manager: manager,
+		logger: logrus.WithField(
+			"component", "controlplane.authz.pod-reconciler"),
+	}
+}
+
+// CreateControllers creates the various k8s controllers used to update the authz manager.
+func CreateControllers(mgr *Manager, controllerManager ctrl.Manager) error {
+	k8sClient := controllerManager.GetClient()
+
+	return ctrl.NewControllerManagedBy(controllerManager).
+		For(&v1.Pod{}).
+		Complete(newPodReconciler(mgr, k8sClient))
+}