diff --git a/Makefile b/Makefile index 2c5cbc63b8..5cad3ab553 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ install-serving: INSTALL_EVENTING="false" ./hack/install.sh install-serving-with-mesh: + FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh FULL_MESH=true SCALE_UP=4 INSTALL_SERVING=true INSTALL_EVENTING="false" ./hack/install.sh install-eventing: @@ -127,8 +128,9 @@ test-e2e-with-mesh-testonly: test-e2e-with-mesh: FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh ./hack/tracing.sh - FULL_MESH=true ENABLE_TRACING=true ./hack/install.sh - FULL_MESH=true ./test/e2e-tests.sh + UNINSTALL_STRIMZI="false" ./hack/strimzi.sh + FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA="true" ENABLE_TRACING=true ./hack/install.sh + FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh # Run both unit and E2E tests from the current repo. test-operator: test-unit test-e2e @@ -252,6 +254,9 @@ release-files: ./hack/generate/quickstart.sh \ templates/serverless-application-quickstart.yaml \ knative-operator/deploy/resources/quickstart/serverless-application-quickstart.yaml +# TODO: uncomment as soon as chart changes are merged +# ./hack/generate/mesh-auth-policies.sh \ +# tenant-1,tenant-2,serving-tests,serverless-tests # Generates all files that can be generated, includes release files, code generation # and updates vendoring. diff --git a/hack/generate/mesh-auth-policies.sh b/hack/generate/mesh-auth-policies.sh new file mode 100755 index 0000000000..5550e8dcf0 --- /dev/null +++ b/hack/generate/mesh-auth-policies.sh 
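Review bot: In the release-files hunk the `./hack/generate/mesh-auth-policies.sh` call is left commented out behind a TODO, so `make release-files` does not refresh the checked-in files under hack/lib/mesh_resources/authorization-policies/helm, and because deploy_gateways in this same diff applies that directory, whatever was last committed by hand is what the mesh enforces until the chart change lands. The tenant list in the comment, `tenant-1,tenant-2,serving-tests,serverless-tests`, also omits the `eventing-e2e0`…`eventing-e2e4` namespaces that deploy_gateways configures with ServiceEntries, so those namespaces would get no per-tenant AuthorizationPolicies — confirm that is intended. Until the call is enabled I would make the comment say what has to be done by hand: `# TODO: uncomment as soon as chart changes are merged; until then run hack/generate/mesh-auth-policies.sh manually whenever project.version changes`.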
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+tenants="${1:?Provide tenants as comma-delimited as arg[1]}"
+
+# exit if helm is not installed
+helm > /dev/null || exit 127
+
+# shellcheck disable=SC1091,SC1090
+source "$(dirname "${BASH_SOURCE[0]}")/../lib/metadata.bash"
+
+policies_path="$(dirname "${BASH_SOURCE[0]}")/../lib/mesh_resources/authorization-policies/helm"
+chart_version="$(metadata.get project.version)"
+
+echo "Cleaning up old resources in $policies_path"
+
+rm -rf "$policies_path"
+mkdir -p "$policies_path"
+
+for tenant in ${tenants//,/ }; do
+ echo "Generating AuthorizationPolicies for tenant $tenant"
+
+ helm template oci://quay.io/openshift-knative/knative-istio-authz-onboarding --version "$chart_version" --set "name=$tenant" --set "namespaces={$tenant}" > "$policies_path/$tenant.yaml"
+done
+
+echo "Istio AuthorizationPolicies successfully updated for version $chart_version"
diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash
index f18dd13a4e..98e6ac900d 100644
--- a/hack/lib/mesh.bash
+++ b/hack/lib/mesh.bash
@@ -117,9 +117,9 @@ function deploy_gateways {
 oc apply -f "${resources_dir}"/namespace.yaml || return $?
 oc apply -f "${resources_dir}"/smmr.yaml || return $?
 oc apply -f "${resources_dir}"/gateway.yaml || return $?
- oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
+ oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
+ oc apply -f "${resources_dir}"/authorization-policies/helm || return $?
- oc create ns "${EVENTING_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f -
 oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
 oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
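Review bot: The tenant names taken from `$1` reach the output path `"$policies_path/$tenant.yaml"` and the `--set "name=$tenant"` / `--set "namespaces={$tenant}"` values without any validation, immediately after the script has `rm -rf`'d `$policies_path`; a name containing `/`, `..`, or helm's `,`/`{}` separators would write outside that directory or yield a policy bound to a namespace other than the one named. Since tenants are Kubernetes namespaces, a DNS-label check at the top of the loop closes this: `[[ "$tenant" =~ ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ ]] || { echo "invalid tenant name: $tenant" >&2; exit 2; }`. The helm presence check would be more conventional as `command -v helm > /dev/null || exit 127`, which does not execute the binary. The chart is fetched from quay.io by a mutable version tag, so the generated policies are not reproducible from the repository alone; recording the digest helm reports for that version next to the generated files would let a regeneration be checked, which matters because this output is what deploy_gateways applies to the mesh.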
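Review bot: `peerauthentication.yaml` is no longer applied here, yet the undeploy_gateways hunk that follows still deletes it; if the PeerAuthentication moved into `authorization-policies/setup` that delete line is stale and should go, and if it was dropped altogether, keep in mind that the `source.namespaces` and `source.principals` conditions in the generated policies can only match callers whose identity the sidecar established over mTLS — either way a comment on the `setup` apply line saying where the PeerAuthentication now lives would help. Removing the `oc create ns "${EVENTING_NAMESPACE}"` line also makes the `oc apply -n "${EVENTING_NAMESPACE}"` line below it depend on the namespace already existing; if it is created by the eventing install, say so: `# "${EVENTING_NAMESPACE}" is expected to exist already (created by the eventing install, not here)`. deploy_gateways starts outside the hunk.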
@@ -128,6 +128,13 @@ function deploy_gateways {
 }
 function undeploy_gateways {
+ oc delete -n serverless-tests -f "${resources_dir}"/network-policy-monitoring.yaml --ignore-not-found || return $?
+ for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
+ oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
+ done
+ oc delete authorizationpolicy allow-traffic-to-cluster-domain -n istio-system --ignore-not-found || return $?
+ oc delete -f "${resources_dir}"/authorization-policies/helm --ignore-not-found || return $?
+ oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $?
diff --git a/hack/lib/mesh_resources/authorization-policies/helm/serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm/serverless-tests.yaml
new file mode 100644
index 0000000000..71e6dce55b
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/helm/serverless-tests.yaml
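Review bot: `oc delete authorizationpolicy allow-traffic-to-cluster-domain -n istio-system` removes a resource by name that nothing visible in this diff creates; if it is one of the manifests under `authorization-policies/setup`, the `oc delete -f .../setup` line two lines below already covers it and this line is redundant, otherwise a comment should name the creator, e.g. `# allow-traffic-to-cluster-domain is created by <CREATOR — fill in>, not by deploy_gateways`. The `oc delete -f "${resources_dir}"/authorization-policies/helm` line only removes policies for the tenant files currently checked in, so a tenant whose file was regenerated away between deploy and undeploy keeps its AuthorizationPolicies in knative-serving and knative-eventing; if the chart labels its output, deleting by that label would be more robust than by file. The `network-policy-monitoring.yaml` delete has no apply counterpart in the deploy_gateways hunk above, so presumably it is applied elsewhere. undeploy_gateways' closing brace is outside the hunk.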
@@ -0,0 +1,547 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace serverless-tests to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: serverless-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests" + - "*.serverless-tests.svc" + - "*.serverless-tests.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in serverless-tests. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests" + - "*.serverless-tests.svc" + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - 
"serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - 
"*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in serverless-tests +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "serverless-tests" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm/serving-tests.yaml new file mode 100644 index 0000000000..2556fbc443 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/serving-tests.yaml 
@@ -0,0 +1,547 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace serving-tests to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: serving-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serving-tests" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + hosts: + - "*.serving-tests" + - "*.serving-tests.svc" + - "*.serving-tests.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in serving-tests. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests" + - "*.serving-tests.svc" + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - 
"cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in serving-tests +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "serving-tests" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/tenant-1.yaml b/hack/lib/mesh_resources/authorization-policies/helm/tenant-1.yaml new file mode 100644 index 0000000000..564d16d03e --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/tenant-1.yaml 
@@ -0,0 +1,547 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace tenant-1 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: tenant-1 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "tenant-1" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + hosts: + - "*.tenant-1" + - "*.tenant-1.svc" + - "*.tenant-1.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-1. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1" + - "*.tenant-1.svc" + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: 
+ - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - 
operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + 
to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + 
+ - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in tenant-1 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "tenant-1" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/tenant-2.yaml b/hack/lib/mesh_resources/authorization-policies/helm/tenant-2.yaml new file mode 100644 index 0000000000..2028230850 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/tenant-2.yaml 
@@ -0,0 +1,547 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace tenant-2 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: tenant-2 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "tenant-2" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + hosts: + - "*.tenant-2" + - "*.tenant-2.svc" + - "*.tenant-2.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-2. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2" + - "*.tenant-2.svc" + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: 
+ - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - 
operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + 
to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + 
+ - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in tenant-2 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "tenant-2" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/setup/common-deny-all-by-default.yaml b/hack/lib/mesh_resources/authorization-policies/setup/common-deny-all-by-default.yaml new file mode 100644 index 0000000000..d56c77dadd --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/common-deny-all-by-default.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-serving +spec: { } diff --git a/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-mt-channel-based-broker-to-channels.yaml b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-mt-channel-based-broker-to-channels.yaml new file mode 100644 index 0000000000..c7f8d58a29 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-mt-channel-based-broker-to-channels.yaml 
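Review bot: `spec: { }` in common-deny-all-by-default.yaml carries no comment saying that the empty spec is the point, and a reader skimming the directory can take both documents for unfinished stubs; an AuthorizationPolicy with neither selector nor rules matches every workload in the namespace and allows nothing, so the ALLOW policies under `setup/` and the generated ones under `helm/` are the only holes in it. Suggest placing `# Empty spec on purpose: matches all workloads and allows nothing, making knative-eventing / knative-serving deny-by-default; every other AuthorizationPolicy in this tree is an ALLOW exception to this.` above each document. It is also worth one sentence that the tenant and test namespaces get no such policy and are deny-by-default only because a generated ALLOW policy exists there, since that property silently disappears if those policies are ever removed.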
@@ -0,0 +1,75 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "imc-dispatcher"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
+ to:
+ - operation:
+ methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-mt-channel-based-broker-ingress-to-kafka-channel
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "kafka-channel-receiver"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ]
+ to:
+ - operation:
+ methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-kafka-channel-to-mt-channel-based-broker-filter
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "broker-filter"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ]
+ to:
+ - operation:
+ methods: [ "POST" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-imc-to-mt-channel-based-broker-filter
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "broker-filter"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ]
+ to:
+ - operation:
+ methods: [ "POST" ]
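Review bot: The four rules in eventing-allow-mt-channel-based-broker-to-channels.yaml constrain only the source principal and `methods: [ "POST" ]`, without the `paths`/`hosts` operation and the `request.headers[Kn-Namespace]` condition that the generated per-tenant policies use, so `mt-broker-ingress` may POST to any IMC or Kafka channel endpoint regardless of tenant and the channel data planes may POST to every broker-filter. That breadth may well be deliberate for hops between shared system components, but nothing in the file says so. Suggest a header comment such as `# Hops inside knative-eventing for the MT channel-based broker (ingress -> channel, channel -> filter). Deliberately not tenant-scoped; tenancy is enforced at the tenant-facing receivers by the generated policies under ../helm.` — and if that assumption about the receivers does not hold, add `paths:`/`when:` conditions as the generated policies do.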
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-probe-kafka-controller.yaml b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-probe-kafka-controller.yaml
new file mode 100644
index 0000000000..43784e8770
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-probe-kafka-controller.yaml
@@ -0,0 +1,56 @@
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-probe-kafka-broker-receiver
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "kafka-broker-receiver"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+ to:
+ - operation:
+ methods: [ "GET" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-probe-kafka-sink-receiver
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "kafka-sink-receiver"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+ to:
+ - operation:
+ methods: [ "GET" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-probe-kafka-channel-receiver
+ namespace: knative-eventing
+spec:
+ action: ALLOW
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: "kafka-channel-receiver"
+ rules:
+ - from:
+ - source:
+ namespaces: [ "knative-eventing" ]
+ principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ]
+ to:
+ - operation:
+ methods: [ "GET" ]
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-activator.yaml
new file mode 100644
index 0000000000..e3df6cde55
--- /dev/null
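Review bot: The three probe policies in eventing-allow-probe-kafka-controller.yaml allow any `GET` from `kafka-controller` to the whole receiver rather than to the probe endpoint only; if the probe hits a fixed path, adding `paths:` under the `operation` keeps a misconfigured or compromised controller from reading whatever other GET endpoints the receivers expose. If no fixed path exists, a one-line comment on what is probed and why GET is the right scope (`# kafka-controller probes the receivers' readiness over GET before routing to them`, adjusted to what actually happens) would document the intent. The file also omits the leading `---` that common-deny-all-by-default.yaml and the generated files carry; harmless for `oc apply`, but the directory is inconsistent about it.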
+++ b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-activator.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving", "istio-system" ] diff --git a/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-autoscaler.yaml b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-autoscaler.yaml new file mode 100644 index 0000000000..4850c6062e --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-autoscaler.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-autoscaler + namespace: knative-serving +spec: + selector: + matchLabels: + app: autoscaler + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving" ] diff --git a/hack/lib/mesh_resources/gateway.yaml b/hack/lib/mesh_resources/gateway.yaml index 524f9c7e16..0c10b61ed8 100644 --- a/hack/lib/mesh_resources/gateway.yaml +++ b/hack/lib/mesh_resources/gateway.yaml @@ -5,7 +5,7 @@ metadata: namespace: knative-serving spec: selector: - istio: ingressgateway + knative: ingressgateway servers: - port: number: 443 @@ -24,12 +24,14 @@ metadata: namespace: knative-serving spec: selector: - istio: ingressgateway + knative: ingressgateway servers: - port: number: 8081 - name: http - protocol: HTTP + name: https + protocol: HTTPS + tls: + mode: ISTIO_MUTUAL hosts: - "*" --- diff --git a/hack/lib/mesh_resources/namespace.yaml b/hack/lib/mesh_resources/namespace.yaml index c36f1b4351..8ad77a0d4b 100644 --- a/hack/lib/mesh_resources/namespace.yaml +++ b/hack/lib/mesh_resources/namespace.yaml 
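Review bot: `allow-traffic-to-activator` and `allow-traffic-to-autoscaler` grant the listed source namespaces access to every port and method of the workload because they have no `to:` section, while the generated `allow-tenant-*-to-activator` policies and the other files under `setup/` constrain at least `methods`; the namespace-wide `istio-system` source in particular means anything running in the control-plane namespace, not just the ingress gateway, reaches the activator. If the intent is only ingress-gateway and intra-serving traffic, a `principals:` list naming those service accounts is the tighter equivalent; otherwise a comment explaining why whole namespaces are trusted here would help the next reviewer. The selector label also differs from the rest of the set — `app: activator` here versus `app.kubernetes.io/component: "activator"` in the generated policies — and although both presumably exist on the deployment, using one label consistently avoids a policy silently matching nothing if one label set is ever dropped.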
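Review bot: The two `selector` changes in gateway.yaml (`istio: ingressgateway` to `knative: ingressgateway`) only match a gateway pod once the SMCP labels its ingress service with `knative: ingressgateway`, which is the smcp.yaml change further down in this diff, and the Gateway file does not record that coupling. Suggest `# Must match gateways.ingress.service.metadata.labels in smcp.yaml` above each selector. The 8081 server now terminates `ISTIO_MUTUAL` TLS under `hosts: "*"`, so only in-mesh clients presenting workload certificates can use it; a comment that this port is presumably the mesh-internal one and must stay mTLS-only would stop someone reverting it to plain HTTP while debugging.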
@@ -7,3 +7,60 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: knative-eventing
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: serving-tests
+ labels:
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: serving-tests-alt
+ labels:
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: serverless-tests
+ labels:
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
+---
+# Additional namespaces for upgrade tests
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eventing-e2e0
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eventing-e2e1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eventing-e2e2
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eventing-e2e3
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: eventing-e2e4
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tenant-1
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: tenant-2
diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml
deleted file mode 100644
index 04de3396af..0000000000
--- a/hack/lib/mesh_resources/peerauthentication.yaml
+++ /dev/null
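Review bot: The `maistra.io/member-of: istio-system # Workaround for OSSM-1397` label is set by hand on three namespaces with only an issue id, while the same workaround in `test/serving.bash` in this commit spells out the full issue URL; a comment of the form `# Workaround for https://issues.redhat.com/browse/OSSM-1397: <one-line symptom> — drop once fixed` would let a future reader decide when it can go. That label is the one the member-roll controller normally manages for namespaces listed in the ServiceMeshMemberRoll, so if the controller reconciles it the hand-set value may be rewritten or removed; it is worth noting which side is expected to win. The `tenant-1` and `tenant-2` namespaces are created here with no member-of label, unlike the three test namespaces, and the comment should say whether that difference is intentional.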
@@ -1,72 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: istio-system
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: knative-eventing
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: serverless-tests
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e0
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e1
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e2
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e3
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e4
-spec:
- mtls:
- mode: STRICT
----
diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml
index ccfb138609..e16104f408 100644
--- a/hack/lib/mesh_resources/smcp.yaml
+++ b/hack/lib/mesh_resources/smcp.yaml
@@ -4,14 +4,28 @@ metadata:
 name: basic
 namespace: istio-system
 spec:
+ security:
+ dataPlane:
+ mtls: true
 profiles:
 - default
+ techPreview:
+ meshConfig:
+ defaultConfig:
+ terminationDrainDuration: 35s
+ gateways:
+ ingress:
+ service:
+ metadata:
+ labels:
+ knative: ingressgateway
 proxy:
 networking:
 trafficControl:
 inbound:
 excludedPorts:
 - 8444
+ - 8022
 accessLogging:
 file:
 name: /dev/stdout
diff --git a/hack/lib/mesh_resources/smmr.yaml b/hack/lib/mesh_resources/smmr.yaml
index 6cc94d390f..69638717d9 100644
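Review bot: `security.dataPlane.mtls: true` is presumably the mesh-wide replacement for the per-namespace STRICT `PeerAuthentication` resources this commit deletes, but nothing in either file says so, and the deleted resources covered an explicit list of namespaces while this setting applies to every member of the mesh; a comment such as `# Strict mTLS for the whole data plane; replaces the per-namespace PeerAuthentication resources` would tie the two halves of the change together and make the scope change explicit. Adding `8022` to `inbound.excludedPorts` takes that port out of the sidecar entirely, so traffic to it is neither mTLS-protected nor subject to any of the new AuthorizationPolicies; the entry needs a comment naming the port's owner and why it has to bypass the proxy (it looks like the queue-proxy admin port, but confirm), and the pre-existing `8444` entry is equally undocumented.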
--- a/hack/lib/mesh_resources/smmr.yaml
+++ b/hack/lib/mesh_resources/smmr.yaml
@@ -1,49 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: serving-tests
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: serving-tests-alt
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: serverless-tests
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: serverless-tests2
----
-# Additional namespaces for upgrade tests
-apiVersion: v1
-kind: Namespace
-metadata:
- name: eventing-e2e0
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: eventing-e2e1
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: eventing-e2e2
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: eventing-e2e3
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: eventing-e2e4
----
 apiVersion: maistra.io/v1
 kind: ServiceMeshMemberRoll
 metadata:
@@ -56,9 +10,10 @@ spec:
 - serving-tests
 - serving-tests-alt
 - serverless-tests
- - serverless-tests2
 - eventing-e2e0
 - eventing-e2e1
 - eventing-e2e2
 - eventing-e2e3
 - eventing-e2e4
+ - tenant-1
+ - tenant-2
diff --git a/serving/metadata-webhook/config/100-namespace.yaml b/serving/metadata-webhook/config/100-namespace.yaml
index eefbe6152b..5522b4a0be 100644
--- a/serving/metadata-webhook/config/100-namespace.yaml
+++ b/serving/metadata-webhook/config/100-namespace.yaml
@@ -4,3 +4,4 @@ metadata:
 name: serving-tests
 labels:
 samples.knative.dev/release: devel
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
diff --git a/serving/metadata-webhook/config/200-serviceaccount.yaml b/serving/metadata-webhook/config/200-serviceaccount.yaml
index 43a9ad9e07..a5e8a36204 100644
--- a/serving/metadata-webhook/config/200-serviceaccount.yaml
+++ b/serving/metadata-webhook/config/200-serviceaccount.yaml
@@ -41,8 +41,8 @@ metadata: samples.knative.dev/release: devel aggregationRule: clusterRoleSelectors: - - matchLabels: - samples.knative.dev/controller: "true" + - matchLabels: + samples.knative.dev/controller: "true" rules: [] # Rules are automatically filled in by the controller manager. --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/serving/metadata-webhook/config/500-webhook-configuration.yaml b/serving/metadata-webhook/config/500-webhook-configuration.yaml index a0c5fa5c70..e9fa5b147c 100644 --- a/serving/metadata-webhook/config/500-webhook-configuration.yaml +++ b/serving/metadata-webhook/config/500-webhook-configuration.yaml @@ -5,15 +5,15 @@ metadata: labels: samples.knative.dev/release: devel webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: webhook - namespace: serving-tests - failurePolicy: Fail - sideEffects: None - name: webhook.metadata-webhook.example.com + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: serving-tests + failurePolicy: Fail + sideEffects: None + name: webhook.metadata-webhook.example.com --- apiVersion: v1 kind: Secret diff --git a/serving/metadata-webhook/config/600-webhook.yaml b/serving/metadata-webhook/config/600-webhook.yaml index 6bf8d366eb..d27179cba8 100644 --- a/serving/metadata-webhook/config/600-webhook.yaml +++ b/serving/metadata-webhook/config/600-webhook.yaml @@ -10,4 +10,4 @@ spec: matchLabels: app: webhook ingress: - - {} + - {} diff --git a/serving/metadata-webhook/config/webhook.yaml b/serving/metadata-webhook/config/webhook.yaml index fac3488df3..ac94a9d22b 100644 --- a/serving/metadata-webhook/config/webhook.yaml +++ b/serving/metadata-webhook/config/webhook.yaml 
@@ -22,55 +22,55 @@ spec: affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: webhook - topologyKey: kubernetes.io/hostname - weight: 100 + - podAffinityTerm: + labelSelector: + matchLabels: + app: webhook + topologyKey: kubernetes.io/hostname + weight: 100 serviceAccountName: controller containers: - - name: webhook - image: registry.ci.openshift.org/knative/openshift-serverless-nightly:metadata-webhook - resources: - requests: - cpu: 20m - memory: 20Mi - limits: - cpu: 200m - memory: 200Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBERNETES_MIN_VERSION - value: v1.0.0 - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: METRICS_DOMAIN - value: knative.dev/samples - - name: WEBHOOK_NAME - value: webhook + - name: webhook + image: registry.ci.openshift.org/knative/openshift-serverless-nightly:metadata-webhook + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBERNETES_MIN_VERSION + value: v1.0.0 + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: METRICS_DOMAIN + value: knative.dev/samples + - name: WEBHOOK_NAME + value: webhook - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all - readinessProbe: &probe - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - livenessProbe: *probe + readinessProbe: &probe + periodSeconds: 1 + httpGet: + scheme: HTTPS + port: 8443 + httpHeaders: + - name: k-kubelet-probe + value: "webhook" + livenessProbe: *probe # Our webhook should gracefully 
terminate by lame ducking first, set this to a sufficiently # high value that we respect whatever value it has configured for the lame duck grace period. diff --git a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go index 0cfbc4abcf..a82b125ab4 100644 --- a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go +++ b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go @@ -14,9 +14,6 @@ const ( sidecarrewriteAppHTTPProbers = "sidecar.istio.io/rewriteAppHTTPProbers" proxyIstioConfig = "proxy.istio.io/config" holdApplicationUntilProxyStarts = `{ "holdApplicationUntilProxyStarts": true }` - - maistraProxyEnv = "sidecar.maistra.io/proxyEnv" - terminationDrainDuration = `{ "TERMINATION_DRAIN_DURATION_SECONDS": "20" }` ) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -46,7 +43,6 @@ func (r *TargetKService) SetDefaults(_ context.Context) { r.Spec.Template.Annotations[sidecarInject] = "true" r.Spec.Template.Annotations[sidecarrewriteAppHTTPProbers] = "true" - r.Spec.Template.Annotations[maistraProxyEnv] = terminationDrainDuration r.Spec.Template.Annotations[proxyIstioConfig] = holdApplicationUntilProxyStarts } diff --git a/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go b/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go index e858294376..e78c311775 100644 --- a/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go +++ b/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go @@ -33,7 +33,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { proxyIstioConfig: holdApplicationUntilProxyStarts, sidecarInject: "true", sidecarrewriteAppHTTPProbers: "true", - maistraProxyEnv: terminationDrainDuration, }, }, }, @@ -57,7 +56,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { Annotations: map[string]string{ sidecarInject: "false", sidecarrewriteAppHTTPProbers: "false", - maistraProxyEnv: `{ "TERMINATION_DRAIN_DURATION_SECONDS": "5" }`, }, }, }, 
@@ -80,7 +78,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { proxyIstioConfig: holdApplicationUntilProxyStarts, sidecarInject: "true", sidecarrewriteAppHTTPProbers: "true", - maistraProxyEnv: terminationDrainDuration, }, }, }, diff --git a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go index 018360652a..93385067a7 100644 --- a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go +++ b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go @@ -8,7 +8,6 @@ import ( resources "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/pkg/system" "knative.dev/reconciler-test/pkg/environment" - "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/feature" "knative.dev/reconciler-test/pkg/k8s" "knative.dev/reconciler-test/pkg/knative" @@ -18,16 +17,7 @@ import ( func TestChannelBasedBrokerToKsvc(t *testing.T) { t.Parallel() - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - // Enables KnativeService in the scenario. - eventshub.WithKnativeServiceForwarder, - environment.WithPollTimings(5*time.Second, 4*time.Minute), - environment.Managed(t), - ) + ctx, env := defaultEnvironment(t) brokerName := feature.MakeRandomK8sName("broker") diff --git a/test/eventinge2erekt/containersource_channel_ksvc_test.go b/test/eventinge2erekt/containersource_channel_ksvc_test.go index 4c61d057bf..a1e463ba5d 100644 --- a/test/eventinge2erekt/containersource_channel_ksvc_test.go +++ b/test/eventinge2erekt/containersource_channel_ksvc_test.go 
@@ -6,11 +6,6 @@ import ( "knative.dev/eventing/test/rekt/features/channel" "knative.dev/eventing/test/rekt/resources/subscription" duckv1 "knative.dev/pkg/apis/duck/v1" - "knative.dev/pkg/system" - "knative.dev/reconciler-test/pkg/environment" - "knative.dev/reconciler-test/pkg/eventshub" - "knative.dev/reconciler-test/pkg/k8s" - "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/manifest" ) @@ -18,15 +13,7 @@ import ( func TestContainerSourceChannelKsvc(t *testing.T) { t.Parallel() - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - // Enables KnativeService in the scenario. - eventshub.WithKnativeServiceForwarder, - environment.Managed(t), - ) + ctx, env := defaultEnvironment(t) createSubscriberFn := func(ref *duckv1.KReference, uri string) manifest.CfgFn { return subscription.WithSubscriber(ref, uri) diff --git a/test/eventinge2erekt/main_test.go b/test/eventinge2erekt/main_test.go index 5dfad92237..0f1bbca062 100644 --- a/test/eventinge2erekt/main_test.go +++ b/test/eventinge2erekt/main_test.go @@ -1,11 +1,17 @@ package eventinge2erekt import ( + "context" "os" "testing" + "time" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/pkg/system" "knative.dev/reconciler-test/pkg/environment" + "knative.dev/reconciler-test/pkg/eventshub" + "knative.dev/reconciler-test/pkg/k8s" + "knative.dev/reconciler-test/pkg/knative" ) var global environment.GlobalEnvironment 
@@ -19,3 +25,16 @@ func TestMain(m *testing.M) { // Run the tests. os.Exit(m.Run()) } + +func defaultEnvironment(t *testing.T) (context.Context, environment.Environment) { + return global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + // Enables KnativeService in the scenario. + eventshub.WithKnativeServiceForwarder, + environment.WithPollTimings(5*time.Second, 4*time.Minute), + environment.Managed(t), + ) +} diff --git a/test/eventinge2erekt/pingsource_ksvc_test.go b/test/eventinge2erekt/pingsource_ksvc_test.go index 079f7f4c53..7d2fceb7be 100644 --- a/test/eventinge2erekt/pingsource_ksvc_test.go +++ b/test/eventinge2erekt/pingsource_ksvc_test.go @@ -6,26 +6,14 @@ import ( "github.com/openshift-knative/serverless-operator/test/eventinge2erekt/features" "knative.dev/eventing/test/rekt/features/pingsource" - "knative.dev/pkg/system" "knative.dev/reconciler-test/pkg/environment" - "knative.dev/reconciler-test/pkg/eventshub" - "knative.dev/reconciler-test/pkg/k8s" - "knative.dev/reconciler-test/pkg/knative" ) // PingSource -> Ksvc -> Sink (Eventshub) func TestPingSourceToKsvc(t *testing.T) { t.Parallel() - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - // Enables KnativeService in the PingSource scenario. - eventshub.WithKnativeServiceForwarder, - environment.Managed(t), - ) + ctx, env := defaultEnvironment(t) since := time.Now() diff --git a/test/extensione2erekt/main_test.go b/test/extensione2erekt/main_test.go index 4838fd094e..8862e869f4 100644 --- a/test/extensione2erekt/main_test.go +++ b/test/extensione2erekt/main_test.go @@ -4,6 +4,7 @@ import ( "context" "os" "testing" + "time" "knative.dev/eventing/test/rekt/resources/channel_impl" "knative.dev/pkg/system" 
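Review bot: `defaultEnvironment` is a new package-level helper without a doc comment, and its option list appears to be identical to the `defaultEnvironment` in `test/extensione2erekt/main_test.go` once that one gains `WithPollTimings` in this commit. A comment such as `// defaultEnvironment returns the rekt environment shared by this package's tests: knative namespace, logging and tracing config, an event listener, the ksvc forwarder, 5s/4m poll timings, and cleanup managed by t.` would document the contract; if the two helpers are meant to stay in sync, a note pointing at the sibling (or a single shared helper) would keep them from drifting apart.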
@@ -34,6 +35,7 @@ func defaultEnvironment(t *testing.T) (context.Context, environment.Environment) k8s.WithEventListener, // Enables KnativeService in the scenario. eventshub.WithKnativeServiceForwarder, + environment.WithPollTimings(5*time.Second, 4*time.Minute), environment.Managed(t), ) } diff --git a/test/flags.go b/test/flags.go index 53ce80fde4..2967573256 100644 --- a/test/flags.go +++ b/test/flags.go @@ -12,8 +12,7 @@ import ( ) const ( - Namespace = "serverless-tests" - Namespace2 = "serverless-tests2" + Namespace = "serverless-tests" ) // Flags holds the initialized test flags diff --git a/test/lib.bash b/test/lib.bash index f5f53989fc..56f6e9d7a5 100644 --- a/test/lib.bash +++ b/test/lib.bash @@ -9,7 +9,7 @@ source "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/hack/lib/__sou readonly TEARDOWN="${TEARDOWN:-on_exit}" export TEST_NAMESPACE="${TEST_NAMESPACE:-serverless-tests}" declare -a TEST_NAMESPACES -TEST_NAMESPACES=("${TEST_NAMESPACE}" "serverless-tests2" "serverless-tests-mesh") +TEST_NAMESPACES=("${TEST_NAMESPACE}" "serverless-tests-mesh") export TEST_NAMESPACES source "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/serving.bash" @@ -140,12 +140,12 @@ function downstream_serving_e2e_tests { fi if [[ $FULL_MESH == "true" ]]; then - go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ \ + go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ ./test/servinge2e/servicemesh/ \ --kubeconfigs "${kubeconfigs_str}" \ --imagetemplate "${IMAGE_TEMPLATE}" \ "$@" else - go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/... \ + go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ ./test/servinge2e/kourier/ \ --kubeconfigs "${kubeconfigs_str}" \ --imagetemplate "${IMAGE_TEMPLATE}" \ "$@" diff --git a/test/service.go b/test/service.go index 9760fb3cfb..8a106fa728 100644 --- a/test/service.go +++ b/test/service.go 
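Review bot: The non-mesh branch of `downstream_serving_e2e_tests` now lists `./test/servinge2e/` and `./test/servinge2e/kourier/` explicitly where it used the recursive `./test/servinge2e/...`, so any package added under `servinge2e` later is silently excluded unless someone remembers to add it to this branch and, where applicable, to the mesh branch. A comment above the `if`, such as `# Packages are listed explicitly: kourier/ and servicemesh/ are mutually exclusive; add new servinge2e sub-packages to the right branch`, would make that deliberate. The function begins outside the hunk.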
@@ -17,17 +17,18 @@ import ( type ServiceCfgFunc func(*servingv1.Service) -func Service(name, namespace, image string, annotations map[string]string) *servingv1.Service { +func Service(name, namespace, image string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service { s := &servingv1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, + Name: name, + Namespace: namespace, + Annotations: serviceAnnotations, }, Spec: servingv1.ServiceSpec{ ConfigurationSpec: servingv1.ConfigurationSpec{ Template: servingv1.RevisionTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Annotations: annotations, + Annotations: templateAnnotations, }, Spec: servingv1.RevisionSpec{ PodSpec: corev1.PodSpec{ @@ -82,7 +83,7 @@ func WithServiceReady(ctx *Context, name, namespace, image string, cfgFuncs ...S } func CreateService(ctx *Context, name, namespace, image string, cfgFuncs ...ServiceCfgFunc) (*servingv1.Service, error) { - service := Service(name, namespace, image, nil) + service := Service(name, namespace, image, nil, nil) for _, f := range cfgFuncs { f(service) } diff --git a/test/serving.bash b/test/serving.bash index 2c5983c542..093df2533c 100644 --- a/test/serving.bash +++ b/test/serving.bash @@ -21,6 +21,10 @@ function prepare_knative_serving_tests { # Create test resources (namespaces, configMaps, secrets) oc apply -f test/config/cluster-resources.yaml + # Workaround for https://issues.redhat.com/browse/OSSM-1397 + if [[ $FULL_MESH == "true" ]]; then + oc label namespace serving-tests maistra.io/member-of=istio-system --overwrite + fi oc apply -f test/config/test-resources.yaml # Adding scc for anyuid to test TestShouldRunAsUserContainerDefault. oc adm policy add-scc-to-user anyuid -z default -n serving-tests 
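Review bot: The exported `Service` constructor now takes two adjacent `map[string]string` parameters, `serviceAnnotations` and `templateAnnotations`, with no doc comment, and every updated call site in this commit passes `nil` for the first; the pair is easy to transpose, and a revision-template annotation such as the sidecar-inject key has no effect when it lands on the Service object instead. A doc comment such as `// Service builds a Knative Service named name in namespace running image. serviceAnnotations are set on the Service object itself; templateAnnotations go on the revision template, which is where sidecar and autoscaling annotations belong.` would spell out the distinction. The function body continues outside the hunk.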
@@ -77,6 +81,12 @@ function upstream_knative_serving_e2e_and_conformance_tests { parallel=2 fi + if [[ $FULL_MESH == "true" ]]; then + # reconfiguring istio-proxies is flaky on too much parallelism, + # random pods will fail to start with `PostStartHook failed` + parallel=8 + fi + mv ./test/e2e/autoscale_test.go ./test/e2e/autoscale_test.backup SYSTEM_NAMESPACE="$SERVING_NAMESPACE" go_test_e2e -tags="e2e" -timeout=30m -parallel=$parallel \ diff --git a/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go b/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go deleted file mode 100644 index e50753b6c3..0000000000 --- a/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go +++ /dev/null 
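Review bot: The new `FULL_MESH` block assigns `parallel=8` unconditionally, so it overrides whatever the preceding branch chose, including the `parallel=2` visible just above it, while the comment about proxy reconfiguration being flaky under too much parallelism reads as a ceiling rather than a fixed value. If the value set earlier can be below 8, `if [[ $FULL_MESH == "true" && $parallel -gt 8 ]]; then parallel=8; fi` preserves the lower setting; if 8 is meant to be the exact value for mesh runs, the comment should say so. The function begins outside the hunk.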
@@ -1,191 +0,0 @@ -package servinge2e - -import ( - "context" - "net/url" - "testing" - - "github.com/openshift-knative/serverless-operator/test" - routev1 "github.com/openshift/api/route/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - pkgTest "knative.dev/pkg/test" -) - -func TestKnativeVersusKubeServicesInOneNamespace(t *testing.T) { - - caCtx := test.SetupClusterAdmin(t) - test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, caCtx) }) - defer test.CleanupAll(t, caCtx) - - //Create deployment - err := test.CreateDeployment(caCtx, kubeHelloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Deployment not created", err) - } - // Deploy plain Kube service - svc, err := createKubeService(caCtx, kubeHelloworldService, test.Namespace2) - if err != nil { - t.Fatal("Kubernetes service not created", err) - } - route, err := withRouteForServiceReady(caCtx, svc.Name, test.Namespace2) - if err != nil { - t.Fatal("Failed to create route for service", svc.Name, err) - } - kubeServiceURL, err := url.Parse("http://" + route.Status.Ingress[0].Host) - if err != nil { - t.Fatal("Failed to parse url", err) - } - - // Check Kube service responds - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Deploy Knative service in the same namespace - ksvc, err := test.WithServiceReady(caCtx, helloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Knative Service not ready", err) - } - - // Check that both services respond - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Delete Knative service - if err = caCtx.Clients.Serving.ServingV1().Services(test.Namespace2).Delete(context.Background(), ksvc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - - // 
Check that Kube service still responds - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Remove the Kube service - if err = caCtx.Clients.Route.Routes(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove route", err) - } - if err = caCtx.Clients.Kube.CoreV1().Services(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - if err = caCtx.Clients.Kube.AppsV1().Deployments(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove deployment", err) - } - - // Deploy Knative service in the namespace first - ksvc, err = test.WithServiceReady(caCtx, helloworldService2, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Knative Service not ready", err) - } - - // Check that Knative service responds - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - - //Create deployment - err = test.CreateDeployment(caCtx, kubeHelloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Deployment not created", err) - } - // Deploy plain Kube service - svc, err = createKubeService(caCtx, kubeHelloworldService, test.Namespace2) - if err != nil { - t.Fatal("Kubernetes service not created", err) - } - route, err = withRouteForServiceReady(caCtx, svc.Name, test.Namespace2) - if err != nil { - t.Fatal("Failed to create route for service", svc.Name, err) - } - kubeServiceURL, err = url.Parse("http://" + route.Status.Ingress[0].Host) - if err != nil { - t.Fatal("Failed to parse url", err) - } - - // Check that both services respond - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Remove the Kube service - if err = 
caCtx.Clients.Route.Routes(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove route", err) - } - if err = caCtx.Clients.Kube.CoreV1().Services(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - if err = caCtx.Clients.Kube.AppsV1().Deployments(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove deployment", err) - } - - // Check that Knative service still responds - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - - // Delete the Knative service - if err = caCtx.Clients.Serving.ServingV1().Services(test.Namespace2).Delete(context.Background(), ksvc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } -} - -func withRouteForServiceReady(ctx *test.Context, serviceName, namespace string) (*routev1.Route, error) { - r := &routev1.Route{ - ObjectMeta: metav1.ObjectMeta{ - Name: serviceName, - Namespace: namespace, - }, - Spec: routev1.RouteSpec{ - To: routev1.RouteTargetReference{ - Kind: "Service", - Name: serviceName, - }, - }, - } - - route, err := ctx.Clients.Route.Routes(namespace).Create(context.Background(), r, metav1.CreateOptions{}) - if err != nil { - return nil, err - } - - ctx.AddToCleanup(func() error { - ctx.T.Logf("Cleaning up OCP Route '%s/%s'", r.Namespace, r.Name) - return ctx.Clients.Route.Routes(namespace).Delete(context.Background(), route.Name, metav1.DeleteOptions{}) - }) - - return test.WaitForRouteState(ctx, route.Name, route.Namespace, routeHasHost) -} - -func routeHasHost(r *routev1.Route, _ error) (bool, error) { - return len(r.Status.Ingress) != 0 && len(r.Status.Ingress[0].Conditions) != 0 && - r.Status.Ingress[0].Conditions[0].Type == routev1.RouteAdmitted && - r.Status.Ingress[0].Conditions[0].Status == corev1.ConditionTrue, nil -} - -func 
createKubeService(ctx *test.Context, name, namespace string) (*corev1.Service, error) { - kubeService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: corev1.ServiceSpec{ - Ports: []corev1.ServicePort{ - { - Port: 80, - TargetPort: intstr.IntOrString{ - Type: intstr.Int, - IntVal: 8080, - }, - }, - }, - Selector: map[string]string{ - "app": name, - }, - }, - } - - svc, err := ctx.Clients.Kube.CoreV1().Services(namespace).Create(context.Background(), kubeService, metav1.CreateOptions{}) - if err != nil { - return nil, err - } - - ctx.AddToCleanup(func() error { - ctx.T.Logf("Cleaning up K8s Service '%s/%s'", kubeService.Namespace, kubeService.Name) - return ctx.Clients.Serving.ServingV1().Services(namespace).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}) - }) - - return svc, nil -} diff --git a/test/servinge2e/helpers.go b/test/servinge2e/helpers.go index 121caccd17..c56a2940dd 100644 --- a/test/servinge2e/helpers.go +++ b/test/servinge2e/helpers.go @@ -12,10 +12,7 @@ import ( ) const ( - helloworldService = "helloworld-go" - helloworldService2 = "helloworld-go2" - kubeHelloworldService = "kube-helloworld-go" - helloworldText = "Hello World!" + helloworldText = "Hello World!" ) func WaitForRouteServingText(t *testing.T, caCtx *test.Context, routeURL *url.URL, expectedText string) { diff --git a/test/servinge2e/kourier/custom_route_test.go b/test/servinge2e/kourier/custom_route_test.go index 25c2c788b4..c44b55331b 100644 --- a/test/servinge2e/kourier/custom_route_test.go +++ b/test/servinge2e/kourier/custom_route_test.go 
@@ -39,7 +39,7 @@ func TestCustomOpenShiftRoute(t *testing.T) { defer test.CleanupAll(t, caCtx) // Create Kservice with disable Annotation. - ksvc := test.Service(serviceName, test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + ksvc := test.Service(serviceName, test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) ksvc.ObjectMeta.Annotations = map[string]string{resources.DisableRouteAnnotation: "true"} ksvc = test.WithServiceReadyOrFail(caCtx, ksvc) diff --git a/test/servinge2e/kourier/service_to_service_test.go b/test/servinge2e/kourier/service_to_service_test.go index 9d5f921bc8..3c14fa574d 100644 --- a/test/servinge2e/kourier/service_to_service_test.go +++ b/test/servinge2e/kourier/service_to_service_test.go @@ -6,6 +6,7 @@ import ( "github.com/openshift-knative/serverless-operator/test" "github.com/openshift-knative/serverless-operator/test/servinge2e" + "github.com/openshift-knative/serverless-operator/test/servinge2e/servicemesh" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/networking/pkg/apis/networking" pkgTest "knative.dev/pkg/test" @@ -62,9 +63,10 @@ func TestServiceToServiceCalls(t *testing.T) { } } +// testServiceToService tests calling a ksvc from another service. func testServiceToService(t *testing.T, ctx *test.Context, namespace string, tc testCase) { // Create a ksvc with the specified annotations and labels - service := test.Service(tc.name, namespace, pkgTest.ImagePath(test.HelloworldGoImg), tc.annotations) + service := test.Service(tc.name, namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, tc.annotations) service.ObjectMeta.Labels = tc.labels service = test.WithServiceReadyOrFail(ctx, service) 
@@ -73,7 +75,7 @@ func testServiceToService(t *testing.T, ctx *test.Context, namespace string, tc // For cluster-local ksvc, we deploy an "HTTP proxy" service, and request that one instead if service.GetLabels()[networking.VisibilityLabelKey] == serving.VisibilityClusterLocal { // Deploy an "HTTP proxy" towards the ksvc (using an httpproxy image from knative-serving testsuite) - httpProxy := test.WithServiceReadyOrFail(ctx, httpProxyService(tc.name+"-proxy", namespace, service.Status.URL.Host)) + httpProxy := test.WithServiceReadyOrFail(ctx, servicemesh.HTTPProxyService(tc.name+"-proxy", namespace, "" /*gateway*/, service.Status.URL.Host, nil, nil)) serviceURL = httpProxy.Status.URL.URL() } diff --git a/test/servinge2e/kourier/servicemesh_test.go b/test/servinge2e/kourier/servicemesh_test.go index 72cf850a53..e98e2a5b08 100644 --- a/test/servinge2e/kourier/servicemesh_test.go +++ b/test/servinge2e/kourier/servicemesh_test.go @@ -19,6 +19,7 @@ import ( "testing" "time" + "github.com/openshift-knative/serverless-operator/test/servinge2e/servicemesh" "knative.dev/serving/pkg/apis/autoscaling" "github.com/openshift-knative/serverless-operator/test" 
@@ -30,22 +31,20 @@ import ( "knative.dev/pkg/test/helpers" "knative.dev/pkg/test/spoof" "knative.dev/serving/pkg/apis/serving" - servingv1 "knative.dev/serving/pkg/apis/serving/v1" servingTest "knative.dev/serving/test" ) +const ( + serviceMeshTestNamespaceName = "serverless-tests-mesh" +) + type testCase struct { name string - labels map[string]string // Ksvc labels - annotations map[string]string // Revision template annotations + labels map[string]string // Ksvc Labels + annotations map[string]string // Revision template Annotations expectIstioSidecar bool // Whether it is expected for the istio-proxy sidecar to be injected into the pod } -const ( - serviceMeshTestNamespaceName = "serverless-tests-mesh" - istioInjectKey = "sidecar.istio.io/inject" -) - // Following https://docs.openshift.com/container-platform/4.9/serverless/admin_guide/serverless-ossm-setup.html func setupNamespaceForServiceMesh(ctx *test.Context, serviceMeshNamespace, testNamespace string) { test.CreateServiceMeshMemberRollV1(ctx, test.ServiceMeshMemberRollV1("default", serviceMeshNamespace, testNamespace)) @@ -95,17 +94,6 @@ func runTestForAllServiceMeshVersions(t *testing.T, testFunc func(ctx *test.Cont } } -// A knative service acting as an "http proxy", redirects requests towards a given "host". Used to test cluster-local services -func httpProxyService(name, namespace, host string) *servingv1.Service { - proxy := test.Service(name, namespace, pkgTest.ImagePath(test.HTTPProxyImg), nil) - proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ - Name: "TARGET_HOST", - Value: host, - }) - - return proxy -} - // Skipped unless ServiceMesh has been installed via "make install-mesh" func TestKsvcWithServiceMeshSidecar(t *testing.T) { runTestForAllServiceMeshVersions(t, func(ctx *test.Context) { 
@@ -114,7 +102,7 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the activator can connect to the pod name: "sidecar-via-activator", annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "-1", }, expectIstioSidecar: true, @@ -123,7 +111,7 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the gateway can connect to the pod directly name: "sidecar-without-activator", annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "0", autoscaling.MinScaleAnnotationKey: "1", }, @@ -132,27 +120,27 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the "sidecar.istio.io/inject" annotation is really what decides the istio-proxy presence name: "no-sidecar", annotations: map[string]string{ - istioInjectKey: "false", + servicemesh.IstioInjectKey: "false", }, expectIstioSidecar: false, }, { - // A cluster-local variant of the "sidecar-via-activator" scenario + // A cluster-local variant of the "sidecar-via-activator" testCase name: "local-sidecar-via-activator", labels: map[string]string{ networking.VisibilityLabelKey: serving.VisibilityClusterLocal, }, annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", }, expectIstioSidecar: true, }, { - // A cluster-local variant of the "sidecar-without-activator" scenario + // A cluster-local variant of the "sidecar-without-activator" testCase name: "local-sidecar-without-activator", labels: map[string]string{ networking.VisibilityLabelKey: serving.VisibilityClusterLocal, }, annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "0", autoscaling.MinScaleAnnotationKey: "1", }, 
@@ -160,14 +148,14 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { }} t := ctx.T - for _, scenario := range tests { - scenario := scenario - t.Run(scenario.name, func(t *testing.T) { + for _, testCase := range tests { + testCase := testCase + t.Run(testCase.name, func(t *testing.T) { // Create a new context to prevent calling ctx.T.Fatal on parent T. ctx := test.SetupClusterAdmin(t) test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, ctx) }) defer test.CleanupAll(t, ctx) - testServiceToService(t, ctx, test.Namespace, scenario) + testServiceToService(t, ctx, test.Namespace, testCase) }) } }) @@ -331,7 +319,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { // istio-pilot caches the JWKS content if a new Policy has the same jwksUri as some old policy. // Rerunning this test would fail if we kept the jwksUri constant across invocations then, // hence the random suffix for the jwks ksvc. - jwksKsvc := test.Service(helpers.AppendRandomString("jwks"), test.Namespace, pkgTest.ImagePath(test.HelloOpenshiftImg), nil) + jwksKsvc := test.Service(helpers.AppendRandomString("jwks"), test.Namespace, pkgTest.ImagePath(test.HelloOpenshiftImg), nil, nil) jwksKsvc.Spec.Template.Spec.Containers[0].Env = append(jwksKsvc.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ Name: "RESPONSE", Value: jwks, @@ -482,7 +470,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { } // Create a test ksvc, should be accessible only via proper JWT token - testKsvc := test.Service("jwt-test", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), map[string]string{ + testKsvc := test.Service("jwt-test", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, map[string]string{ "sidecar.istio.io/inject": "true", "sidecar.istio.io/rewriteAppHTTPProbers": "true", }) 
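Review bot: The literal keys `"sidecar.istio.io/inject"` and `"sidecar.istio.io/rewriteAppHTTPProbers"` in the `jwt-test` ksvc annotations duplicate the `servicemesh.IstioInjectKey` and `servicemesh.IstioRewriteProbersKey` constants this commit introduces, and the same file already switched `TestKsvcWithServiceMeshSidecar` over to `servicemesh.IstioInjectKey`. Using `servicemesh.IstioInjectKey: "true", servicemesh.IstioRewriteProbersKey: "true",` here keeps the annotation spelling in one place, which matters because a typo in either key silently yields a pod without a sidecar and the JWT policy under test would never be enforced on it. `TestKsvcWithServiceMeshJWTDefaultPolicy` starts and ends outside the hunk.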
@@ -632,7 +620,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { func lookupOpenShiftRouterIP(ctx *test.Context) net.IP { // Deploy an auxiliary ksvc accessible via an OpenShift route, so that we have a route hostname that we can resolve - aux := test.Service("aux", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + aux := test.Service("aux", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) aux = test.WithServiceReadyOrFail(ctx, aux) ips, err := net.LookupIP(aux.Status.URL.Host) diff --git a/test/servinge2e/kourier/verify_http_and_https_test.go b/test/servinge2e/kourier/verify_http_and_https_test.go index ab72807516..97900c7d0e 100644 --- a/test/servinge2e/kourier/verify_http_and_https_test.go +++ b/test/servinge2e/kourier/verify_http_and_https_test.go @@ -16,7 +16,7 @@ func TestKnativeServiceHTTPRedirect(t *testing.T) { test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, caCtx) }) defer test.CleanupAll(t, caCtx) - ksvc := test.Service("redirect-service", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + ksvc := test.Service("redirect-service", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) ksvc.ObjectMeta.Annotations = map[string]string{networking.HTTPProtocolAnnotationKey: "redirected"} ksvc = test.WithServiceReadyOrFail(caCtx, ksvc) diff --git a/test/servinge2e/servicemesh/helpers.go b/test/servinge2e/servicemesh/helpers.go new file mode 100644 index 0000000000..7daa89bfc6 --- /dev/null +++ b/test/servinge2e/servicemesh/helpers.go 
@@ -0,0 +1,44 @@
+package servicemesh
+
+import (
+ "github.com/openshift-knative/serverless-operator/test"
+ corev1 "k8s.io/api/core/v1"
+ pkgTest "knative.dev/pkg/test"
+ "knative.dev/pkg/test/spoof"
+ servingv1 "knative.dev/serving/pkg/apis/serving/v1"
+)
+
+const (
+ IstioInjectKey = "sidecar.istio.io/inject"
+ IstioRewriteProbersKey = "sidecar.istio.io/rewriteAppHTTPProbers"
+ ServingEnablePassthroughKey = "serving.knative.openshift.io/enablePassthrough"
+ helloWorldText = "Hello World!"
+)
+
+type testCase struct {
+ name string
+ labels map[string]string // Ksvc Labels
+ annotations map[string]string // Revision template Annotations
+ sourceNamespace string // Namespace for the source service (http proxy)
+ targetNamespace string // Namespace for the target service
+ gateway string // Value for gateway that's called by http proxy
+ usePrivateService bool // Whether http proxy should call target's service private service
+ checkResponseFunc spoof.ResponseChecker // Function to be used to check response
+}
+
+// HTTPProxyService returns a knative service acting as "http proxy", redirects requests towards a given "host". Used to test cluster-local services
+func HTTPProxyService(name, namespace, gateway, target string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service {
+ proxy := test.Service(name, namespace, pkgTest.ImagePath(test.HTTPProxyImg), serviceAnnotations, templateAnnotations)
+ if gateway != "" {
+ proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+ Name: "GATEWAY_HOST",
+ Value: gateway,
+ })
+ }
+ proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+ Name: "TARGET_HOST",
+ Value: target,
+ })
+
+ return proxy
+}
diff --git a/test/servinge2e/servicemesh/multitenant_test.go b/test/servinge2e/servicemesh/multitenant_test.go
new file mode 100644
index 0000000000..4cbfe8e57f
--- /dev/null
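Review bot: The doc comment on `HTTPProxyService` does not mention the `gateway` parameter or the two annotation maps, and what `GATEWAY_HOST` makes the proxy do is decided by the httpproxy image, which this file does not show. I would extend it to: `// HTTPProxyService returns a ksvc running the httpproxy test image that forwards incoming requests to target (TARGET_HOST). When gateway is non-empty GATEWAY_HOST is set as well; the image is presumably expected to dial the gateway and present target as the Host header — verify against the image. serviceAnnotations are applied to the Service, templateAnnotations to the revision template.` The `usePrivateService` field comment would also read better as `// Call the revision's -private Service directly instead of the ksvc URL`, since "target's service private service" is hard to parse.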
+++ b/test/servinge2e/servicemesh/multitenant_test.go 
@@ -0,0 +1,167 @@
+package servicemesh
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/openshift-knative/serverless-operator/test"
+ "knative.dev/networking/pkg/apis/networking"
+ pkgTest "knative.dev/pkg/test"
+ "knative.dev/pkg/test/spoof"
+ "knative.dev/serving/pkg/apis/autoscaling"
+ "knative.dev/serving/pkg/apis/serving"
+ servingTest "knative.dev/serving/test"
+)
+
+const (
+ Tenant1 = "tenant-1"
+ Tenant2 = "tenant-2"
+ LocalGatewayHost = "knative-local-gateway.istio-system.svc.cluster.local"
+)
+
+var ExpectStatusForbidden = func(resp *spoof.Response) (bool, error) {
+ if resp.StatusCode != 403 {
+ // Returning (false, nil) causes SpoofingClient.Poll to retry.
+ return false, fmt.Errorf("unexpected status: %d", resp.StatusCode)
+ }
+ return true, nil
+}
+
+func TestMultiTenancyWithServiceMesh(t *testing.T) {
+ tests := []testCase{
+ {
+ name: "same-tenant-directly",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ usePrivateService: true,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ },
+ {
+ name: "cross-tenant-directly",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ usePrivateService: true,
+ checkResponseFunc: ExpectStatusForbidden,
+ },
+ {
+ name: "same-tenant-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ },
+ {
+ name: "cross-tenant-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ },
+ {
+ name: "same-tenant-via-ingress-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "cross-tenant-via-ingress-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "same-tenant-via-ingress-no-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "cross-tenant-via-ingress-no-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ gateway: LocalGatewayHost,
+ }}
+
+ for _, tc := range tests {
+ tc := tc
+
+ tc.annotations[IstioInjectKey] = "true"
+ tc.annotations[IstioRewriteProbersKey] = "true"
+
+ // Always use cluster-local service.
+ tc.labels = map[string]string{
+ networking.VisibilityLabelKey: serving.VisibilityClusterLocal,
+ }
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+
+ ctx := test.SetupClusterAdmin(t)
+ test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, ctx) })
+ defer test.CleanupAll(t, ctx)
+
+ service := test.Service(tc.name, tc.targetNamespace, pkgTest.ImagePath(test.HelloworldGoImg), map[string]string{
+ ServingEnablePassthroughKey: "true",
+ }, tc.annotations)
+ service.ObjectMeta.Labels = tc.labels
+
+ service = test.WithServiceReadyOrFail(ctx, service)
+
+ gateway := ""
+ targetHost := service.Status.URL.Host
+ if tc.usePrivateService {
+ targetHost = fmt.Sprintf("%s-00001-private.%s.svc.cluster.local", service.Name, tc.targetNamespace)
+ } else if tc.gateway != "" {
+ gateway = tc.gateway
+ targetHost = service.Status.URL.Host
+ }
+
+ httpProxy := test.WithServiceReadyOrFail(ctx, HTTPProxyService(tc.name+"-proxy", tc.sourceNamespace, gateway, targetHost, map[string]string{
+ ServingEnablePassthroughKey: "true",
+ }, tc.annotations))
+
+ if _, err := pkgTest.CheckEndpointState(
+ context.Background(),
+ ctx.Clients.Kube,
+ t.Logf,
+ httpProxy.Status.URL.URL(),
+ tc.checkResponseFunc,
+ "CheckResponse",
+ true,
+ servingTest.AddRootCAtoTransport(context.Background(), t.Logf, &servingTest.Clients{KubeClient: ctx.Clients.Kube}, true),
+ ); err != nil {
+ t.Fatalf("Unexpected state for %s :%v", httpProxy.Status.URL.URL(), err)
+ }
+ })
+ }
+}
diff --git a/test/servinge2e/tracing_test.go b/test/servinge2e/tracing_test.go
index b86ae4244c..1066b7208e 100644
--- a/test/servinge2e/tracing_test.go
+++ b/test/servinge2e/tracing_test.go
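Review bot: `ExpectStatusForbidden` returns `false, fmt.Errorf("unexpected status: %d", ...)` on any non-403 response while its comment, copied from `spoof.MatchesBody`, says that `(false, nil)` is what makes `SpoofingClient.Poll` retry — so if `Poll` treats a non-nil error as terminal, as that comment implies, a transient 502/503 while the target pod's sidecar is still coming up aborts every `cross-tenant-*` case on the first probe instead of polling, and the comment misdescribes the code either way. Either return `false, nil` so the checker polls until the 403 arrives (a persistent 200 then fails by timeout, which is still the correct negative result), or keep the fast failure and change the comment to `// Any non-403 response fails the test immediately; a 200 here means tenant isolation is broken.` Independently, the isolation assertion is only on the status code: a 403 emitted by some other hop would pass as well, so additionally matching the body against Istio's RBAC denial text (confirm the exact string for the mesh version in use) would pin the deny to the AuthorizationPolicy. Only the tenant-1 → tenant-2 direction is exercised; since the policies are generated per tenant, a tenant-2 → tenant-1 case would catch an asymmetric policy. Minor: the `else if tc.gateway != ""` branch re-assigns `targetHost = service.Status.URL.Host`, which is already its value, so `gateway = tc.gateway` alone suffices.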
@@ -54,7 +54,7 @@ func tracingTest(t *testing.T, activatorInPath bool) { if activatorInPath { annotations = nil } - ksvc := test.WithServiceReadyOrFail(ctx, test.Service(name, testNamespace, pkgTest.ImagePath(test.HelloworldGoImg), annotations)) + ksvc := test.WithServiceReadyOrFail(ctx, test.Service(name, testNamespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, annotations)) WaitForRouteServingText(t, ctx, ksvc.Status.URL.URL(), helloworldText) diff --git a/test/upstream-e2e-tests.sh b/test/upstream-e2e-tests.sh index 00a037cbe8..2ed8fff3e9 100755 --- a/test/upstream-e2e-tests.sh +++ b/test/upstream-e2e-tests.sh @@ -45,7 +45,6 @@ if [[ $TEST_KNATIVE_E2E == true ]]; then if [[ $TEST_KNATIVE_EVENTING == true ]]; then upstream_knative_eventing_e2e fi - fi [ -n "$OPENSHIFT_CI" ] && check_serverless_alerts