Policy attributes design proposal #214

Merged
merged 19 commits into from
Jan 28, 2024

Conversation

elevran
Collaborator

@elevran elevran commented Nov 22, 2023

See also Issue #17

@elevran elevran changed the title wip: initial attribute design proposal WIP: initial attribute design proposal Nov 22, 2023
@elevran elevran changed the title WIP: initial attribute design proposal WIP: Policy attributes design proposal Nov 22, 2023
@zivnevo
Collaborator

zivnevo commented Nov 27, 2023

@elevran PTAL

- Expand description and text in sections
- Add attribute table

Signed-off-by: Etai Lev Ran <[email protected]>
@elevran
Collaborator Author

elevran commented Nov 28, 2023

@zivnevo thanks for the update. Pushed another iteration with more content. Might almost be there for initial sharing and feedback.

Signed-off-by: ZIV NEVO <[email protected]>
elevran and others added 7 commits December 5, 2023 15:35
@elevran
Collaborator Author

elevran commented Dec 7, 2023

@zivnevo - is this ready to be reviewed from your point of view?

@zivnevo zivnevo changed the title WIP: Policy attributes design proposal Policy attributes design proposal Dec 7, 2023
@zivnevo
Collaborator

zivnevo commented Dec 7, 2023

@zivnevo - is this ready to be reviewed from your point of view?

Yes, I think we are good

@gilshurek

  1. In reference to identity-based-connectivity and access-control concepts: clarify which attribute-scopes hold source/target attributes which should be tied to the identities of source/target entities (workload & service) – and which scopes hold ‘context’ attributes, preferably tied to identities of infrastructure (?) entities (gateway, site, fabric).
  2. Consistently use prefixes to denote attribute-scopes and sub-scopes.
    a. Why do we have a “cl” prefix? Is this the ‘gateway’ attribute-scope?
    b. Use different prefixes for Service and Workload k8s labels.
    c. In general, I suggest not to use ‘k8s’ as a prefix but as a sub-prefix. E.g., “service:k8s: …” “workload:k8s: …”
  3. The Image SHA as a candidate workload attribute: The SHA is a prime identity authentication attribute (as a SPIRE selector) but maybe not an attribute to be used by the ‘connectivity-authorization’ policies: Once the workload’s identity is established, the policy engine will use connectivity decision attributes that are derived from the identity.
  4. “(note that the source site attributes are not sent to conserve resources - see note here)”: I failed to find the note.
  5. Beyond this proposal: (how) Can we shift to a client handle which is not the IP-address?
  6. Beyond this proposal: We use a ‘service’ abstraction for the connection target, which may indicate a collection of workloads. How about using a similar abstraction for the source, including the requirement to ‘register’ such services to CL?


@mrsabath mrsabath left a comment


This is a really good document that starts the conversation. I think we should have more discussion, as I started to add comments below.

design-proposals/policy-attributes.md (inline review comments, resolved)
@elevran
Collaborator Author

elevran commented Jan 28, 2024

@zivnevo can this be merged?

@zivnevo zivnevo merged commit 6f7f51b into clusterlink-net:main Jan 28, 2024
9 checks passed
@elevran elevran deleted the attributes_design branch January 28, 2024 14:03