-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Preparing for workload attributes support #277
Changes from 7 commits
d58b65e
1ea718c
fc8a023
b320c2d
dd24e22
5654f7e
4fbdb67
a2dd5ac
6f2181e
4a7115e
049d069
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,10 +24,10 @@ import ( | |
"github.com/sirupsen/logrus" | ||
|
||
"github.com/clusterlink-net/clusterlink/pkg/api" | ||
event "github.com/clusterlink-net/clusterlink/pkg/controlplane/eventmanager" | ||
cpstore "github.com/clusterlink-net/clusterlink/pkg/controlplane/store" | ||
"github.com/clusterlink-net/clusterlink/pkg/platform" | ||
"github.com/clusterlink-net/clusterlink/pkg/policyengine" | ||
"github.com/clusterlink-net/clusterlink/pkg/policyengine/policytypes" | ||
"github.com/clusterlink-net/clusterlink/pkg/store" | ||
"github.com/clusterlink-net/clusterlink/pkg/util" | ||
"github.com/clusterlink-net/clusterlink/pkg/utils/netutils" | ||
|
@@ -175,14 +175,11 @@ func (cp *Instance) CreateExport(export *cpstore.Export) error { | |
if eSpec.ExternalService != "" && !netutils.IsIP(eSpec.ExternalService) && !netutils.IsDNS(eSpec.ExternalService) { | ||
return fmt.Errorf("the external service %s is not a hostname or an IP address", eSpec.ExternalService) | ||
} | ||
resp, err := cp.policyDecider.AddExport(&api.Export{Name: export.Name, Spec: export.ExportSpec}) | ||
// TODO: check policyDecider's answer | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: can you assign the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We have to decide if we want separate export policies or rather derive export behavior from access policies |
||
_, err := cp.policyDecider.AddExport(&api.Export{Name: export.Name, Spec: export.ExportSpec}) | ||
if err != nil { | ||
return err | ||
} | ||
if resp.Action != event.AllowAll { | ||
cp.logger.Warnf("Access policies deny creating export '%s'.", export.Name) | ||
return nil | ||
} | ||
|
||
if cp.initialized { | ||
if err := cp.exports.Create(export); err != nil { | ||
|
@@ -210,14 +207,11 @@ func (cp *Instance) UpdateExport(export *cpstore.Export) error { | |
return fmt.Errorf("the external service %s is not a hostname or an IP address", eSpec.ExternalService) | ||
} | ||
|
||
resp, err := cp.policyDecider.AddExport(&api.Export{Name: export.Name, Spec: export.ExportSpec}) | ||
// TODO: check policyDecider's answer | ||
_, err := cp.policyDecider.AddExport(&api.Export{Name: export.Name, Spec: export.ExportSpec}) | ||
if err != nil { | ||
return err | ||
} | ||
if resp.Action != event.AllowAll { | ||
cp.logger.Warnf("Access policies deny creating export '%s'.", export.Name) | ||
return nil | ||
} | ||
|
||
err = cp.exports.Update(export.Name, func(old *cpstore.Export) *cpstore.Export { | ||
return export | ||
|
@@ -377,7 +371,7 @@ func (cp *Instance) CreateBinding(binding *cpstore.Binding) error { | |
if err != nil { | ||
return err | ||
} | ||
if action != event.Allow { | ||
if action != policytypes.PolicyActionAllow { | ||
zivnevo marked this conversation as resolved.
Show resolved
Hide resolved
|
||
cp.logger.Warnf("Access policies deny creating binding '%s'->'%s' .", binding.Import, binding.Peer) | ||
return nil | ||
} | ||
|
@@ -399,7 +393,7 @@ func (cp *Instance) UpdateBinding(binding *cpstore.Binding) error { | |
if err != nil { | ||
return err | ||
} | ||
if action != event.Allow { | ||
if action != policytypes.PolicyActionAllow { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Need to consider if we want policies to allow/deny binding as well when moving to CRD based management (the current proposal does NOT have a binding object but instead lists Peers on the Import CRD). |
||
cp.logger.Warnf("Access policies deny creating binding '%s'->'%s' .", binding.Import, binding.Peer) | ||
return nil | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
q: does it make sense to have member structs for
ConnectionRequest.Source
andConnectionRequest.Destination
instead of prefixing value names (e.g.,ConnectionRequest.SrcWorkloadAttrs
vsConnectionRequest.Source.Attributes
)?We can encapsulate some logic if it is a proper type?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SrcWorkloadAttrs
is now the only information on the source, asSrcPeer
was removed. If needed, we can encapsulate more logic intopolicytypes.WorkloadAttrs