This repository has been archived by the owner on Jun 19, 2022. It is now read-only.

Implement Istio http policy binding controller #656

Merged
merged 4 commits into from
Mar 18, 2020

Conversation

yolocs (Member) commented Mar 16, 2020

Fixes #595

Changes

  • Introduced Istio security API (along with generated stuff) as a dependency - Istio 1.5 release security v1beta1 API
  • Implemented the controller that listens to http policy bindings annotated with binding class = istio
    • The controller interprets HTTPPolicy to Istio RequestAuthentication and AuthorizationPolicy
    • RequestAuthentication validates JWTs
    • AuthorizationPolicy checks request metadata

Meaningful changes are at: pkg/reconciler/security/istio

Release Note

Added initial Istio policy binding implementation.
It requires Istio release >= 1.5.
Documentation: /docs/security/README.md (TODO now)

Docs
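As an added illustration of the translation the description sketches (this is not code from the PR or from the google/knative-gcp project), the Go program below maps a simplified, hypothetical HTTPPolicy spec onto the two Istio objects the controller produces. The struct shapes mirror the YAML field names of Istio's security.istio.io/v1beta1 RequestAuthentication and AuthorizationPolicy but are trimmed stand-ins, not the Istio client-go types; the HTTPPolicy fields, the workload labels and the sample issuer, paths and claims are all assumptions. The point worth seeing in code is that RequestAuthentication only validates a JWT when one is present, so it is the AuthorizationPolicy's requestPrincipals constraint that turns "validate JWTs" into "require a valid JWT", while the claim checks ride on request.auth.claims conditions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// HTTPPolicySpec is a simplified, hypothetical stand-in for the project's
// HTTPPolicy type (assumption: the real one in pkg/apis/security/v1alpha1 is
// not reproduced here). It names the JWT issuer, where its keys live, and
// the operations a caller may perform once authenticated.
type HTTPPolicySpec struct {
	Issuer  string
	JwksURI string
	Rules   []HTTPRule
}

// HTTPRule pairs allowed operations with the JWT claims they require.
type HTTPRule struct {
	Methods []string
	Paths   []string
	Claims  map[string]string // claim name -> required value
}

// The types below mirror the YAML field names of Istio's v1beta1
// RequestAuthentication and AuthorizationPolicy, trimmed to what is used here.
type (
	Selector              struct{ MatchLabels map[string]string `json:"matchLabels"` }
	JWTRule               struct{ Issuer, JwksURI string `json:"jwksUri"` }
	RequestAuthentication struct {
		Selector Selector  `json:"selector"`
		JWTRules []JWTRule `json:"jwtRules"`
	}
	Source    struct{ RequestPrincipals []string `json:"requestPrincipals"` }
	From      struct{ Source Source `json:"source"` }
	Operation struct {
		Methods []string `json:"methods,omitempty"`
		Paths   []string `json:"paths,omitempty"`
	}
	To        struct{ Operation Operation `json:"operation"` }
	Condition struct {
		Key    string   `json:"key"`
		Values []string `json:"values"`
	}
	Rule struct {
		From []From      `json:"from"`
		To   []To        `json:"to,omitempty"`
		When []Condition `json:"when,omitempty"`
	}
	AuthorizationPolicy struct {
		Selector Selector `json:"selector"`
		Action   string   `json:"action"`
		Rules    []Rule   `json:"rules"`
	}
)

// Translate maps one HTTPPolicy onto the two Istio objects for the workload
// selected by the given labels. RequestAuthentication validates a JWT only
// when one is present; the requestPrincipals entry "<issuer>/*" in every
// AuthorizationPolicy rule is what makes a valid token from that issuer
// mandatory, so requests without a JWT are denied instead of passed through.
func Translate(workload map[string]string, spec HTTPPolicySpec) (RequestAuthentication, AuthorizationPolicy) {
	ra := RequestAuthentication{
		Selector: Selector{MatchLabels: workload},
		JWTRules: []JWTRule{{Issuer: spec.Issuer, JwksURI: spec.JwksURI}},
	}
	principal := spec.Issuer + "/*"
	ap := AuthorizationPolicy{Selector: Selector{MatchLabels: workload}, Action: "ALLOW"}
	for _, r := range spec.Rules {
		rule := Rule{From: []From{{Source: Source{RequestPrincipals: []string{principal}}}}}
		if len(r.Methods) > 0 || len(r.Paths) > 0 {
			rule.To = []To{{Operation: Operation{Methods: r.Methods, Paths: r.Paths}}}
		}
		// Sort claim names so the rendered manifest is stable across reconciles.
		names := make([]string, 0, len(r.Claims))
		for name := range r.Claims {
			names = append(names, name)
		}
		sort.Strings(names)
		for _, name := range names {
			rule.When = append(rule.When, Condition{Key: "request.auth.claims[" + name + "]", Values: []string{r.Claims[name]}})
		}
		ap.Rules = append(ap.Rules, rule)
	}
	if len(ap.Rules) == 0 {
		// A policy with no rules still requires an authenticated caller.
		ap.Rules = []Rule{{From: []From{{Source: Source{RequestPrincipals: []string{principal}}}}}}
	}
	return ra, ap
}

func main() {
	// Constructed sample input, not taken from the project.
	spec := HTTPPolicySpec{
		Issuer:  "https://issuer.example.com",
		JwksURI: "https://issuer.example.com/.well-known/jwks.json",
		Rules: []HTTPRule{{Methods: []string{"POST"}, Paths: []string{"/events"},
			Claims: map[string]string{"aud": "broker", "scope": "events.write"}}},
	}
	ra, ap := Translate(map[string]string{"app": "broker"}, spec)
	for _, obj := range []interface{}{ra, ap} {
		out, err := json.MarshalIndent(obj, "", "  ")
		if err != nil {
			panic(err)
		}
		fmt.Println(string(out))
	}
}
```

Running it prints the two objects as JSON with the same field names a kubectl-applied manifest would use. The JWTRule's first field deliberately keeps Go's default JSON name so that `issuer` and `jwksUri` appear as Istio expects; a real controller would set namespace, ownerReferences and the binding class annotation on both objects, which this sketch omits.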

@googlebot googlebot added the cla: yes (override cla status due to multiple authors bug) label Mar 16, 2020
@knative-prow-robot (Contributor) commented:
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yolocs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

yolocs (Member, Author) commented Mar 16, 2020

/assign @nachocano

nachocano (Member) left a comment

@yolocs made an initial pass, added a few nits.
The code is really neat!

Review threads (all resolved):
  • Gopkg.toml
  • pkg/apis/security/v1alpha1/common_types.go (outdated)
  • pkg/apis/security/v1alpha1/common_types.go (outdated)
  • pkg/reconciler/security/istio/const.go (outdated)
@yolocs yolocs requested a review from nachocano March 18, 2020 22:07
@knative-metrics-robot commented:
The following is the coverage report on the affected files.
Say /test pull-google-knative-gcp-go-coverage to re-run this coverage report

| File | Old Coverage | New Coverage | Delta |
|---|---|---|---|
| pkg/apis/security/v1alpha1/common_lifecycle.go | 80.0% | 62.5% | -17.5 |
| pkg/apis/security/v1alpha1/common_types.go | Does not exist | 88.9% | |
| pkg/reconciler/security/istio/httppolicybinding/controller.go | Does not exist | 100.0% | |
| pkg/reconciler/security/istio/httppolicybinding/httppolicybinding.go | Does not exist | 88.7% | |
| pkg/reconciler/security/istio/httppolicybinding/resources/authorization_policy.go | Does not exist | 100.0% | |
| pkg/reconciler/security/istio/httppolicybinding/resources/request_authentication.go | Does not exist | 100.0% | |
| pkg/reconciler/security/subject_resolver.go | Does not exist | 89.7% | |

nachocano (Member) commented:

/lgtm

Thanks for adding this @yolocs!!! Looking forward to seeing this in action!!!

@knative-prow-robot knative-prow-robot merged commit 4383f6c into google:master Mar 18, 2020
Labels: approved, cla: yes (override cla status due to multiple authors bug), lgtm, size/XXL
Linked issue: Policy binding implementation with Istio
5 participants