Skip to content

Commit

Permalink
Audit mode implementation
Browse files Browse the repository at this point in the history
Followup to #12845, branched off alpeb/policy-audit-crd

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and a allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.
  • Loading branch information
alpeb committed Jul 18, 2024
1 parent d537592 commit 96eae10
Show file tree
Hide file tree
Showing 5 changed files with 54 additions and 27 deletions.
1 change: 1 addition & 0 deletions policy-controller/k8s/api/src/policy/server.rs
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ pub struct ServerSpec {
pub selector: Selector,
pub port: Port,
pub proxy_protocol: Option<ProxyProtocol>,
pub access_policy: Option<String>,
}

#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize, JsonSchema)]
Expand Down
59 changes: 34 additions & 25 deletions policy-controller/k8s/index/src/defaults.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ pub enum DefaultPolicy {

/// Indicates that all traffic is denied unless explicitly permitted by an authorization policy.
Deny,

/// Indicates that all traffic is let through, but gets audited
Audit,
}

// === impl DefaultPolicy ===
Expand All @@ -47,6 +50,7 @@ impl std::str::FromStr for DefaultPolicy {
cluster_only: true,
}),
"deny" => Ok(Self::Deny),
"audit" => Ok(Self::Audit),
s => Err(anyhow!("invalid mode: {:?}", s)),
}
}
Expand All @@ -72,6 +76,7 @@ impl DefaultPolicy {
cluster_only: true,
} => "cluster-unauthenticated",
Self::Deny => "deny",
Self::Audit => "audit",
}
}

Expand All @@ -80,32 +85,35 @@ impl DefaultPolicy {
config: &ClusterInfo,
) -> HashMap<AuthorizationRef, ClientAuthorization> {
let mut authzs = HashMap::default();
if let DefaultPolicy::Allow {
authenticated_only,
cluster_only,
} = self
{
let authentication = if authenticated_only {
ClientAuthentication::TlsAuthenticated(vec![IdentityMatch::Suffix(vec![])])
} else {
ClientAuthentication::Unauthenticated
};
let networks = if cluster_only {
config.networks.iter().copied().map(Into::into).collect()
} else {
vec![
"0.0.0.0/0".parse::<IpNet>().unwrap().into(),
"::/0".parse::<IpNet>().unwrap().into(),
]
};
authzs.insert(
AuthorizationRef::Default(self.as_str()),
ClientAuthorization {
authentication,
networks,
},
);
let (authenticated_only, cluster_only) = match self {
DefaultPolicy::Allow {
authenticated_only,
cluster_only,
} => (authenticated_only, cluster_only),
DefaultPolicy::Deny => return authzs,
DefaultPolicy::Audit => (false, false),
};

let authentication = if authenticated_only {
ClientAuthentication::TlsAuthenticated(vec![IdentityMatch::Suffix(vec![])])
} else {
ClientAuthentication::Unauthenticated
};
let networks = if cluster_only {
config.networks.iter().copied().map(Into::into).collect()
} else {
vec![
"0.0.0.0/0".parse::<IpNet>().unwrap().into(),
"::/0".parse::<IpNet>().unwrap().into(),
]
};
authzs.insert(
AuthorizationRef::Default(self.as_str()),
ClientAuthorization {
authentication,
networks,
},
);
authzs
}
}
Expand Down Expand Up @@ -140,6 +148,7 @@ mod test {
authenticated_only: false,
cluster_only: true,
},
DefaultPolicy::Audit,
] {
assert_eq!(
default.to_string().parse::<DefaultPolicy>().unwrap(),
Expand Down
6 changes: 6 additions & 0 deletions policy-controller/k8s/index/src/inbound/index.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1753,6 +1753,12 @@ impl PolicyIndex {
authzs.insert(reference, authz);
}

if let Some(p @ DefaultPolicy::Allow { .. }) | Some(p @ DefaultPolicy::Audit) =
server.access_policy
{
authzs.extend(p.default_authzs(&self.cluster_info));
}

authzs
}

Expand Down
4 changes: 3 additions & 1 deletion policy-controller/k8s/index/src/inbound/server.rs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use crate::ClusterInfo;
use crate::{ClusterInfo, DefaultPolicy};
use linkerd_policy_controller_core::inbound::ProxyProtocol;
use linkerd_policy_controller_k8s_api::{
self as k8s, policy::server::Port, policy::server::Selector,
Expand All @@ -11,6 +11,7 @@ pub(crate) struct Server {
pub selector: Selector,
pub port_ref: Port,
pub protocol: ProxyProtocol,
pub access_policy: Option<DefaultPolicy>,
}

impl Server {
Expand All @@ -20,6 +21,7 @@ impl Server {
selector: srv.spec.selector,
port_ref: srv.spec.port,
protocol: proxy_protocol(srv.spec.proxy_protocol, cluster),
access_policy: srv.spec.access_policy.and_then(|p| p.parse().ok()),
}
}
}
Expand Down
11 changes: 10 additions & 1 deletion policy-controller/src/admission.rs
Original file line number Diff line number Diff line change
Expand Up @@ -319,7 +319,8 @@ impl Validate<MeshTLSAuthenticationSpec> for Admission {

#[async_trait::async_trait]
impl Validate<ServerSpec> for Admission {
/// Checks that `spec` doesn't select the same pod/ports as other existing Servers
/// Checks that `spec` doesn't select the same pod/ports as other existing Servers, and that
/// `accessPolicy` contains a valid value
//
// TODO(ver) this isn't rigorous about detecting servers that select the same port if one port
// specifies a numeric port and the other specifies the port's name.
Expand All @@ -346,6 +347,14 @@ impl Validate<ServerSpec> for Admission {
}
}

if let Some(Err(_)) = spec
.clone()
.access_policy
.map(|p| p.parse::<index::DefaultPolicy>())
{
bail!("Invalid accessPolicy \"{}\"", spec.access_policy.unwrap());
}

Ok(())
}
}
Expand Down

0 comments on commit 96eae10

Please sign in to comment.