From 4fb1849fb3dcf8e9865d4840227d118a9dc5ab80 Mon Sep 17 00:00:00 2001 
From: Martin Gencur Date: Mon, 19 Jun 2023 12:06:31 +0200 Subject: [PATCH 01/42] Install Mesh Resources for multitenancy --- hack/lib/mesh.bash | 4 +- ...authorization-policy-knative-eventing.yaml | 124 ++++++++++++ .../authorization-policy-knative-serving.yaml | 69 +++++++ .../authorization-policy-test-namespaces.yaml | 36 ++++ hack/lib/mesh_resources/gateway.yaml | 6 +- hack/lib/mesh_resources/namespace.yaml | 51 +++++ .../mesh_resources/peerauthentication.yaml | 17 ++ hack/lib/mesh_resources/smmr.yaml | 49 +---- .../config/500-webhook-configuration.yaml | 25 --- .../cluster-resources/100-namespace.yaml | 13 ++ .../200-clusterrole.yaml} | 26 +-- .../300-clusterrolebinding.yaml | 29 +++ .../400-webhookconfiguration.yaml | 33 +++ .../200-serviceaccount.yaml} | 4 +- .../400-service.yaml} | 1 - .../namespaced-resources/500-secret.yaml | 7 + .../600-networkpolicy.yaml} | 1 - .../{ => namespaced-resources}/webhook.yaml | 1 - test/e2e-tests.sh | 3 + test/flags.go | 3 +- test/lib.bash | 6 +- test/service.go | 11 +- ...eploy_kn_k8s_svc_in_same_namespace_test.go | 191 ------------------ test/servinge2e/helpers.go | 5 +- test/servinge2e/kourier/custom_route_test.go | 2 +- .../kourier/service_to_service_test.go | 6 +- test/servinge2e/kourier/servicemesh_test.go | 54 ++--- .../kourier/verify_http_and_https_test.go | 2 +- test/servinge2e/servicemesh/helpers.go | 45 +++++ .../servicemesh/multitenant_test.go | 167 +++++++++++++++ test/servinge2e/tracing_test.go | 2 +- 31 files changed, 646 insertions(+), 347 deletions(-) create mode 100644 hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml create mode 100644 hack/lib/mesh_resources/authorization-policy-knative-serving.yaml create mode 100644 hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml delete mode 100644 serving/metadata-webhook/config/500-webhook-configuration.yaml create mode 100644 serving/metadata-webhook/config/cluster-resources/100-namespace.yaml rename 
serving/metadata-webhook/config/{200-serviceaccount.yaml => cluster-resources/200-clusterrole.yaml} (73%) create mode 100644 serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml create mode 100644 serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml rename serving/metadata-webhook/config/{100-namespace.yaml => namespaced-resources/200-serviceaccount.yaml} (64%) rename serving/metadata-webhook/config/{400-webhook-service.yaml => namespaced-resources/400-service.yaml} (88%) create mode 100644 serving/metadata-webhook/config/namespaced-resources/500-secret.yaml rename serving/metadata-webhook/config/{600-webhook.yaml => namespaced-resources/600-networkpolicy.yaml} (87%) rename serving/metadata-webhook/config/{ => namespaced-resources}/webhook.yaml (98%) delete mode 100644 test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go create mode 100644 test/servinge2e/servicemesh/helpers.go create mode 100644 test/servinge2e/servicemesh/multitenant_test.go diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash index f18dd13a4e..537aa771b3 100644 --- a/hack/lib/mesh.bash +++ b/hack/lib/mesh.bash 
@@ -118,8 +118,10 @@ function deploy_gateways { oc apply -f "${resources_dir}"/smmr.yaml || return $? oc apply -f "${resources_dir}"/gateway.yaml || return $? oc apply -f "${resources_dir}"/peerauthentication.yaml || return $? + oc apply -f "${resources_dir}"/authorization-policy-knative-serving.yaml || return $? + oc apply -f "${resources_dir}"/authorization-policy-knative-eventing.yaml || return $? + oc apply -f "${resources_dir}"/authorization-policy-test-namespaces.yaml || return $? - oc create ns "${EVENTING_NAMESPACE}" --dry-run=client -oyaml | kubectl apply -f - oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $? for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $? diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml new file mode 100644 index 0000000000..488de7d2c6 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
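Review bot: The three new `oc apply` lines install ALLOW AuthorizationPolicies, and in Istio the first ALLOW policy that selects a workload switches that workload to default-deny for every source it does not list, so the namespace lists in these three files become part of the environment's correctness; a one-line comment above them would help, e.g. `# ALLOW policies: each selected workload denies every source not listed — keep in sync with namespace.yaml/smmr.yaml when adding tenants.` The policies in authorization-policy-test-namespaces.yaml are namespaced into tenant-1/tenant-2, which are created by namespace.yaml (the peerauthentication.yaml applied just above also targets them), so namespace.yaml presumably runs earlier in deploy_gateways; that ordering is outside this hunk and worth confirming. The removed `oc create ns "${EVENTING_NAMESPACE}"` line is only equivalent to the existing `knative-eventing` entry in namespace.yaml when `EVENTING_NAMESPACE` is set to that value. deploy_gateways starts before the hunk.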
@@ -0,0 +1,124 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "serverless-tests" ] + to: + - operation: + methods: [ "POST" ] + paths: [ "/serverless-tests/*" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-imc-dispatcher-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-dispatcher + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + - from: + - source: + namespaces: [ "serverless-tests" ] + to: + - operation: + hosts: [ "*.serverless-tests.svc.cluster.local" ] + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + 
app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/kafka-channel-dispatcher" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] diff --git a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml new file mode 100644 index 0000000000..e6cc236222 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml 
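Review bot: This file has no comment explaining the traffic flows it authorizes, and because every policy here is `action: ALLOW` with a selector, the selected workloads (`broker-ingress`, `imc-dispatcher`, `broker-filter`, `kafka-broker-receiver`) will reject any source not enumerated — including the tenant-1/tenant-2 namespaces this patch adds, which only receive Serving-side rules. A short header comment stating that, and that a new test namespace needs a rule in each policy that should accept its traffic, would save the next person a mesh debugging session. It should also say that the `hosts:`/`paths:` conditions match request headers the caller chooses, so separation between namespaces in these rules rests on the `namespaces`/`principals` source conditions, which are derived from the peer certificate and therefore only satisfiable under mTLS (peerauthentication.yaml sets STRICT for the tenant namespaces; the mode for knative-eventing and serverless-tests is outside this patch).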
@@ -0,0 +1,69 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving", "knative-eventing", "istio-system" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "tenant-1" ] + to: + - operation: + hosts: [ "*.tenant-1.svc.cluster.local" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "tenant-2" ] + to: + - operation: + hosts: [ "*.tenant-2.svc.cluster.local" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "serverless-tests", "knative-eventing" ] + to: + - operation: + hosts: [ "*.serverless-tests.svc.cluster.local" ] diff --git a/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml b/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml new file mode 100644 index 0000000000..cd9d1197bf --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml 
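Review bot: `allow-traffic-to-activator` admits the whole `knative-eventing` namespace with no `to.operation.hosts` condition, so eventing workloads can reach every tenant's services through the activator, and because the activator then connects to tenant pods with its own knative-serving identity — which the policies in authorization-policy-test-namespaces.yaml accept — the per-tenant `hosts` scoping in `allow-tenant-1-to-activator`/`allow-tenant-2-to-activator` only constrains traffic that originates in a tenant namespace. If that is intended (eventing dispatchers delivering to subscribers in any tenant), a comment on the first policy should say so; otherwise drop `knative-eventing` from it and rely on host-scoped rules like `allow-serverless-tests-to-activator`, where the `knative-eventing` entry is currently redundant with the unscoped rule. Only `app: activator` is selected, so the other knative-serving workloads carry no ALLOW policy and remain reachable from the whole mesh, which is worth stating explicitly if it is deliberate.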
@@ -0,0 +1,36 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-tenant-1 + namespace: tenant-1 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["tenant-1", "knative-serving", "istio-system"] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-tenant-2 + namespace: tenant-2 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["tenant-2", "knative-serving", "istio-system"] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-serverless-tests + namespace: serverless-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["serverless-tests", "knative-serving", "knative-eventing", "istio-system"] diff --git a/hack/lib/mesh_resources/gateway.yaml b/hack/lib/mesh_resources/gateway.yaml index 524f9c7e16..1d4696046d 100644 --- a/hack/lib/mesh_resources/gateway.yaml +++ b/hack/lib/mesh_resources/gateway.yaml @@ -28,8 +28,10 @@ spec: servers: - port: number: 8081 - name: http - protocol: HTTP + name: https + protocol: HTTPS + tls: + mode: ISTIO_MUTUAL hosts: - "*" --- diff --git a/hack/lib/mesh_resources/namespace.yaml b/hack/lib/mesh_resources/namespace.yaml index c36f1b4351..b4fbcae53c 100644 --- a/hack/lib/mesh_resources/namespace.yaml +++ b/hack/lib/mesh_resources/namespace.yaml 
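Review bot: These selector-less policies cover every workload in their namespace, so each `namespaces` list is the complete set of callers that can reach tenant-1, tenant-2 and serverless-tests directly; `knative-eventing` appears only in the serverless-tests list, so eventing delivery straight to a tenant-1/tenant-2 pod is denied while delivery that happens to pass through the activator (whose knative-serving identity is listed) is allowed — which would make such a flow pass or fail depending on whether the activator is in the request path. If the asymmetry is deliberate, a comment on the tenant policies would make it explicit, e.g. `# knative-eventing intentionally absent: tenant services are not event sinks in these tests`; if not, the lists should match. The policies carry no `to` conditions, so anything in the listed namespaces can reach any port and path, and the `istio-system` entry is what admits the ingress gateway.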
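Review bot: Switching port 8081 from HTTP to HTTPS with `mode: ISTIO_MUTUAL` means only mesh workloads presenting Istio-issued client certificates can connect on it; plaintext callers that used 8081 now fail at the TLS handshake rather than with an HTTP error, and nothing in the hunk records that. A comment above the server entry would help, e.g. `# 8081: mesh-internal only, requires Istio mTLS client certificates (ISTIO_MUTUAL)`. The other servers of this Gateway are outside the hunk; it is worth checking that none of them already uses the port name `https`, since server port names need to be distinct within a Gateway.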
@@ -7,3 +7,54 @@ apiVersion: v1 kind: Namespace metadata: name: knative-eventing +--- +apiVersion: v1 +kind: Namespace +metadata: + name: serving-tests +--- +apiVersion: v1 +kind: Namespace +metadata: + name: serving-tests-alt +--- +apiVersion: v1 +kind: Namespace +metadata: + name: serverless-tests +--- +# Additional namespaces for upgrade tests +apiVersion: v1 +kind: Namespace +metadata: + name: eventing-e2e0 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: eventing-e2e1 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: eventing-e2e2 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: eventing-e2e3 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: eventing-e2e4 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: tenant-1 +--- +apiVersion: v1 +kind: Namespace +metadata: + name: tenant-2 diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml index 04de3396af..8e39fe4b09 100644 --- a/hack/lib/mesh_resources/peerauthentication.yaml +++ b/hack/lib/mesh_resources/peerauthentication.yaml @@ -70,3 +70,20 @@ spec: mtls: mode: STRICT --- +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: tenant-1 +spec: + mtls: + mode: STRICT +--- +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: tenant-2 +spec: + mtls: + mode: STRICT diff --git a/hack/lib/mesh_resources/smmr.yaml b/hack/lib/mesh_resources/smmr.yaml index 6cc94d390f..69638717d9 100644 --- a/hack/lib/mesh_resources/smmr.yaml +++ b/hack/lib/mesh_resources/smmr.yaml 
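Review bot: namespace.yaml now defines `serving-tests` and `serverless-tests` without labels, while `serving/metadata-webhook/config/cluster-resources/100-namespace.yaml` in this same patch defines the same two Namespaces with `samples.knative.dev/release: devel`; with client-side `oc apply` each file rewrites the object's last-applied configuration and removes fields the previous apply owned, so whichever file is applied last decides whether that label is present. Either add the label here as well or drop the Namespace objects from 100-namespace.yaml and let namespace.yaml own them. The PeerAuthentication additions for tenant-1/tenant-2 mirror the existing STRICT entries and look right.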
@@ -1,49 +1,3 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: serving-tests ---- -apiVersion: v1 -kind: Namespace -metadata: - name: serving-tests-alt ---- -apiVersion: v1 -kind: Namespace -metadata: - name: serverless-tests ---- -apiVersion: v1 -kind: Namespace -metadata: - name: serverless-tests2 ---- -# Additional namespaces for upgrade tests -apiVersion: v1 -kind: Namespace -metadata: - name: eventing-e2e0 ---- -apiVersion: v1 -kind: Namespace -metadata: - name: eventing-e2e1 ---- -apiVersion: v1 -kind: Namespace -metadata: - name: eventing-e2e2 ---- -apiVersion: v1 -kind: Namespace -metadata: - name: eventing-e2e3 ---- -apiVersion: v1 -kind: Namespace -metadata: - name: eventing-e2e4 ---- apiVersion: maistra.io/v1 kind: ServiceMeshMemberRoll metadata: @@ -56,9 +10,10 @@ spec: - serving-tests - serving-tests-alt - serverless-tests - - serverless-tests2 - eventing-e2e0 - eventing-e2e1 - eventing-e2e2 - eventing-e2e3 - eventing-e2e4 + - tenant-1 + - tenant-2 diff --git a/serving/metadata-webhook/config/500-webhook-configuration.yaml b/serving/metadata-webhook/config/500-webhook-configuration.yaml deleted file mode 100644 index a0c5fa5c70..0000000000 --- a/serving/metadata-webhook/config/500-webhook-configuration.yaml +++ /dev/null @@ -1,25 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.metadata-webhook.example.com - labels: - samples.knative.dev/release: devel -webhooks: -- admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: webhook - namespace: serving-tests - failurePolicy: Fail - sideEffects: None - name: webhook.metadata-webhook.example.com ---- -apiVersion: v1 -kind: Secret -metadata: - name: webhook-certs - namespace: serving-tests - labels: - samples.knative.dev/release: devel -# The data is populated at install time. 
diff --git a/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml b/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml new file mode 100644 index 0000000000..83e448dcc7 --- /dev/null +++ b/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: serving-tests + labels: + samples.knative.dev/release: devel +--- +apiVersion: v1 +kind: Namespace +metadata: + name: serverless-tests + labels: + samples.knative.dev/release: devel diff --git a/serving/metadata-webhook/config/200-serviceaccount.yaml b/serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml similarity index 73% rename from serving/metadata-webhook/config/200-serviceaccount.yaml rename to serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml index 43a9ad9e07..1380264c88 100644 --- a/serving/metadata-webhook/config/200-serviceaccount.yaml +++ b/serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml @@ -1,10 +1,3 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: controller - namespace: serving-tests - labels: - samples.knative.dev/release: devel --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -41,21 +34,6 @@ metadata: samples.knative.dev/release: devel aggregationRule: clusterRoleSelectors: - - matchLabels: - samples.knative.dev/controller: "true" + - matchLabels: + samples.knative.dev/controller: "true" rules: [] # Rules are automatically filled in by the controller manager. ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metadata-webhook-admin - labels: - samples.knative.dev/release: devel -subjects: - - kind: ServiceAccount - name: controller - namespace: serving-tests -roleRef: - kind: ClusterRole - name: metadata-webhook-admin - apiGroup: rbac.authorization.k8s.io 
diff --git a/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml b/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml new file mode 100644 index 0000000000..0b2fdf5166 --- /dev/null +++ b/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml @@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metadata-webhook-admin + labels: + samples.knative.dev/release: devel +subjects: + - kind: ServiceAccount + name: controller + namespace: serving-tests +roleRef: + kind: ClusterRole + name: metadata-webhook-admin + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metadata-webhook-admin + labels: + samples.knative.dev/release: devel +subjects: + - kind: ServiceAccount + name: controller + namespace: serverless-tests +roleRef: + kind: ClusterRole + name: metadata-webhook-admin + apiGroup: rbac.authorization.k8s.io diff --git a/serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml b/serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml new file mode 100644 index 0000000000..21cfa9dad8 --- /dev/null +++ b/serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml 
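Review bot: The two ClusterRoleBindings in this file share `metadata.name: metadata-webhook-admin`; ClusterRoleBindings are cluster-scoped, so `oc apply -f` on the directory (as test/e2e-tests.sh does) applies the second over the first and only `serverless-tests/controller` keeps the binding — the `serving-tests` subject is silently lost. The same defect is in `cluster-resources/400-webhookconfiguration.yaml`, whose two MutatingWebhookConfigurations both use `metadata.name: webhook.metadata-webhook.example.com`, leaving only the `serverless-tests` webhook service registered. For the binding, one object with both ServiceAccounts as subjects is the fix (below); for the webhook configurations the `metadata.name` values must differ, which has to be coordinated with however the webhook binary locates its configuration (not on this page).
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metadata-webhook-admin
  labels:
    samples.knative.dev/release: devel
subjects:
  - kind: ServiceAccount
    name: controller
    namespace: serving-tests
  - kind: ServiceAccount
    name: controller
    namespace: serverless-tests
roleRef:
  kind: ClusterRole
  name: metadata-webhook-admin
  apiGroup: rbac.authorization.k8s.io
```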
@@ -0,0 +1,33 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.metadata-webhook.example.com + labels: + samples.knative.dev/release: devel +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: serving-tests + failurePolicy: Fail + sideEffects: None + name: webhook.metadata-webhook.example.com +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: webhook.metadata-webhook.example.com + labels: + samples.knative.dev/release: devel +webhooks: + - admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: webhook + namespace: serverless-tests + failurePolicy: Fail + sideEffects: None + name: webhook.metadata-webhook.example.com diff --git a/serving/metadata-webhook/config/100-namespace.yaml b/serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml similarity index 64% rename from serving/metadata-webhook/config/100-namespace.yaml rename to serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml index eefbe6152b..d77dc4dd1e 100644 --- a/serving/metadata-webhook/config/100-namespace.yaml +++ b/serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml @@ -1,6 +1,6 @@ apiVersion: v1 -kind: Namespace +kind: ServiceAccount metadata: - name: serving-tests + name: controller labels: samples.knative.dev/release: devel diff --git a/serving/metadata-webhook/config/400-webhook-service.yaml b/serving/metadata-webhook/config/namespaced-resources/400-service.yaml similarity index 88% rename from serving/metadata-webhook/config/400-webhook-service.yaml rename to serving/metadata-webhook/config/namespaced-resources/400-service.yaml index afa3fe1bfe..e7b32e0b7c 100644 --- a/serving/metadata-webhook/config/400-webhook-service.yaml +++ b/serving/metadata-webhook/config/namespaced-resources/400-service.yaml 
@@ -5,7 +5,6 @@ metadata: role: webhook samples.knative.dev/release: devel name: webhook - namespace: serving-tests spec: ports: - port: 443 diff --git a/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml b/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml new file mode 100644 index 0000000000..653544878a --- /dev/null +++ b/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Secret +metadata: + name: webhook-certs + labels: + samples.knative.dev/release: devel +# The data is populated at install time. diff --git a/serving/metadata-webhook/config/600-webhook.yaml b/serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml similarity index 87% rename from serving/metadata-webhook/config/600-webhook.yaml rename to serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml index 6bf8d366eb..8802ae2295 100644 --- a/serving/metadata-webhook/config/600-webhook.yaml +++ b/serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml @@ -2,7 +2,6 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: metadata-webhook - namespace: serving-tests labels: app: webhook spec: diff --git a/serving/metadata-webhook/config/webhook.yaml b/serving/metadata-webhook/config/namespaced-resources/webhook.yaml similarity index 98% rename from serving/metadata-webhook/config/webhook.yaml rename to serving/metadata-webhook/config/namespaced-resources/webhook.yaml index fac3488df3..f1cbac559e 100644 --- a/serving/metadata-webhook/config/webhook.yaml +++ b/serving/metadata-webhook/config/namespaced-resources/webhook.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: webhook - namespace: serving-tests labels: samples.knative.dev/release: devel spec: diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh index 55c3e0e783..223f2b3f91 100755 --- a/test/e2e-tests.sh +++ b/test/e2e-tests.sh 
@@ -15,6 +15,9 @@ dump_state.setup # test if [[ $FULL_MESH == "true" ]]; then # net-istio does not use knative-serving-ingress namespace. export INGRESS_NAMESPACE="knative-serving" + # metadata-webhook adds istio annotations for e2e test by webhook. + oc apply -f "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/serving/metadata-webhook/config/cluster-resources" + oc apply -n serverless-tests -f "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/serving/metadata-webhook/config/namespaced-resources" else trust_router_ca fi diff --git a/test/flags.go b/test/flags.go index 53ce80fde4..2967573256 100644 --- a/test/flags.go +++ b/test/flags.go @@ -12,8 +12,7 @@ import ( ) const ( - Namespace = "serverless-tests" - Namespace2 = "serverless-tests2" + Namespace = "serverless-tests" ) // Flags holds the initialized test flags diff --git a/test/lib.bash b/test/lib.bash index 899f49d995..0f295831de 100644 --- a/test/lib.bash +++ b/test/lib.bash @@ -9,7 +9,7 @@ source "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/hack/lib/__sou readonly TEARDOWN="${TEARDOWN:-on_exit}" export TEST_NAMESPACE="${TEST_NAMESPACE:-serverless-tests}" declare -a TEST_NAMESPACES -TEST_NAMESPACES=("${TEST_NAMESPACE}" "serverless-tests2" "serverless-tests-mesh") +TEST_NAMESPACES=("${TEST_NAMESPACE}" "serverless-tests-mesh") export TEST_NAMESPACES source "$(dirname "$(realpath "${BASH_SOURCE[0]}")")/serving.bash" @@ -140,12 +140,12 @@ function downstream_serving_e2e_tests { fi if [[ $FULL_MESH == "true" ]]; then - go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ \ + go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ ./test/servinge2e/servicemesh/ \ --kubeconfigs "${kubeconfigs_str}" \ --imagetemplate "${IMAGE_TEMPLATE}" \ "$@" else - go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/... \ + go_test_e2e "${RUN_FLAGS[@]}" ./test/servinge2e/ ./test/servinge2e/kourier/ \ --kubeconfigs "${kubeconfigs_str}" \ --imagetemplate "${IMAGE_TEMPLATE}" \ "$@" 
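Review bot: The two new `oc apply` lines install the namespaced webhook resources only into `serverless-tests`, while `cluster-resources` (100-namespace, 300-clusterrolebinding, 400-webhookconfiguration) also registers a Namespace, binding and webhook service for `serving-tests`; unless the serving-tests webhook is deployed by something outside this patch, those entries are configuration with no backing Deployment, and a comment here should say which it is. The repo-root expression `$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")` is evaluated twice; hoisting it as `root="$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")"` and using `"${root}/serving/metadata-webhook/config/cluster-resources"` and `"${root}/serving/metadata-webhook/config/namespaced-resources"` keeps both lines readable. Neither `oc apply` checks its exit status, unlike the `|| return $?` pattern used in hack/lib/mesh.bash; whether `set -e` covers this script is outside the hunk.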
diff --git a/test/service.go b/test/service.go index 9760fb3cfb..8a106fa728 100644 --- a/test/service.go +++ b/test/service.go @@ -17,17 +17,18 @@ import ( type ServiceCfgFunc func(*servingv1.Service) -func Service(name, namespace, image string, annotations map[string]string) *servingv1.Service { +func Service(name, namespace, image string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service { s := &servingv1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, + Name: name, + Namespace: namespace, + Annotations: serviceAnnotations, }, Spec: servingv1.ServiceSpec{ ConfigurationSpec: servingv1.ConfigurationSpec{ Template: servingv1.RevisionTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ - Annotations: annotations, + Annotations: templateAnnotations, }, Spec: servingv1.RevisionSpec{ PodSpec: corev1.PodSpec{ @@ -82,7 +83,7 @@ func WithServiceReady(ctx *Context, name, namespace, image string, cfgFuncs ...S } func CreateService(ctx *Context, name, namespace, image string, cfgFuncs ...ServiceCfgFunc) (*servingv1.Service, error) { - service := Service(name, namespace, image, nil) + service := Service(name, namespace, image, nil, nil) for _, f := range cfgFuncs { f(service) } diff --git a/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go b/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go deleted file mode 100644 index c512d7884e..0000000000 --- a/test/servinge2e/deploy_kn_k8s_svc_in_same_namespace_test.go +++ /dev/null 
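Review bot: `Service` is exported and its signature now takes two annotation maps, but it still has no doc comment saying which object each one lands on; proposed: `// Service builds a Knative Service named name in namespace running image. serviceAnnotations are set on the Service object itself, templateAnnotations on its revision template.` That matters because callers in this patch pass `nil, tc.annotations` and `nil, nil`, and two adjacent positional maps of the same type are easy to swap. Passing `nil` for serviceAnnotations sets `ObjectMeta.Annotations` to a nil map, which is what the field was before this change, so existing callers keep their behaviour.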
@@ -1,191 +0,0 @@ -package servinge2e - -import ( - "context" - "net/url" - "testing" - - "github.com/openshift-knative/serverless-operator/test" - routev1 "github.com/openshift/api/route/v1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/intstr" - pkgTest "knative.dev/pkg/test" -) - -func TestKnativeVersusKubeServicesInOneNamespace(t *testing.T) { - - caCtx := test.SetupClusterAdmin(t) - test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, caCtx) }) - defer test.CleanupAll(t, caCtx) - - //Create deployment - err := test.CreateDeployment(caCtx, kubeHelloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Deployment not created", err) - } - // Deploy plain Kube service - svc, err := createKubeService(caCtx, kubeHelloworldService, test.Namespace2) - if err != nil { - t.Fatal("Kubernetes service not created", err) - } - route, err := withRouteForServiceReady(caCtx, svc.Name, test.Namespace2) - if err != nil { - t.Fatal("Failed to create route for service", svc.Name, err) - } - kubeServiceURL, err := url.Parse("http://" + route.Status.Ingress[0].Host) - if err != nil { - t.Fatal("Failed to parse url", err) - } - - // Check Kube service responds - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Deploy Knative service in the same namespace - ksvc, err := test.WithServiceReady(caCtx, helloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Knative Service not ready", err) - } - - // Check that both services respond - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Delete Knative service - if err = caCtx.Clients.Serving.ServingV1().Services(test.Namespace2).Delete(context.Background(), ksvc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - - // 
Check that Kube service still responds - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Remove the Kube service - if err = caCtx.Clients.Route.Routes(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove route", err) - } - if err = caCtx.Clients.Kube.CoreV1().Services(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - if err = caCtx.Clients.Kube.AppsV1().Deployments(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove deployment", err) - } - - // Deploy Knative service in the namespace first - ksvc, err = test.WithServiceReady(caCtx, helloworldService2, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Knative Service not ready", err) - } - - // Check that Knative service responds - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - - //Create deployment - err = test.CreateDeployment(caCtx, kubeHelloworldService, test.Namespace2, pkgTest.ImagePath(test.HelloworldGoImg)) - if err != nil { - t.Fatal("Deployment not created", err) - } - // Deploy plain Kube service - svc, err = createKubeService(caCtx, kubeHelloworldService, test.Namespace2) - if err != nil { - t.Fatal("Kubernetes service not created", err) - } - route, err = withRouteForServiceReady(caCtx, svc.Name, test.Namespace2) - if err != nil { - t.Fatal("Failed to create route for service", svc.Name, err) - } - kubeServiceURL, err = url.Parse("http://" + route.Status.Ingress[0].Host) - if err != nil { - t.Fatal("Failed to parse url", err) - } - - // Check that both services respond - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - WaitForRouteServingText(t, caCtx, kubeServiceURL, helloworldText) - - // Remove the Kube service - if err = 
caCtx.Clients.Route.Routes(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove route", err) - } - if err = caCtx.Clients.Kube.CoreV1().Services(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } - if err = caCtx.Clients.Kube.AppsV1().Deployments(test.Namespace2).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove deployment", err) - } - - // Check that Knative service still responds - WaitForRouteServingText(t, caCtx, ksvc.Status.URL.URL(), helloworldText) - - // Delete the Knative service - if err = caCtx.Clients.Serving.ServingV1().Services(test.Namespace2).Delete(context.Background(), ksvc.Name, metav1.DeleteOptions{}); err != nil { - t.Fatal("Failed to remove service", err) - } -} - -func withRouteForServiceReady(ctx *test.Context, serviceName, namespace string) (*routev1.Route, error) { - r := &routev1.Route{ - ObjectMeta: metav1.ObjectMeta{ - Name: serviceName, - Namespace: namespace, - }, - Spec: routev1.RouteSpec{ - To: routev1.RouteTargetReference{ - Kind: "Service", - Name: serviceName, - }, - }, - } - - route, err := ctx.Clients.Route.Routes(namespace).Create(context.Background(), r, metav1.CreateOptions{}) - if err != nil { - return nil, err - } - - ctx.AddToCleanup(func() error { - ctx.T.Logf("Cleaning up OCP Route '%s/%s'", r.Namespace, r.Name) - return ctx.Clients.Route.Routes(namespace).Delete(context.Background(), route.Name, metav1.DeleteOptions{}) - }) - - return test.WaitForRouteState(ctx, route.Name, route.Namespace, routeHasHost) -} - -func routeHasHost(r *routev1.Route, err error) (bool, error) { - return len(r.Status.Ingress) != 0 && len(r.Status.Ingress[0].Conditions) != 0 && - r.Status.Ingress[0].Conditions[0].Type == routev1.RouteAdmitted && - r.Status.Ingress[0].Conditions[0].Status == corev1.ConditionTrue, nil -} - -func 
createKubeService(ctx *test.Context, name, namespace string) (*corev1.Service, error) { - kubeService := &corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, - Namespace: namespace, - }, - Spec: corev1.ServiceSpec{ - Ports: []corev1.ServicePort{ - { - Port: 80, - TargetPort: intstr.IntOrString{ - Type: intstr.Int, - IntVal: 8080, - }, - }, - }, - Selector: map[string]string{ - "app": name, - }, - }, - } - - svc, err := ctx.Clients.Kube.CoreV1().Services(namespace).Create(context.Background(), kubeService, metav1.CreateOptions{}) - if err != nil { - return nil, err - } - - ctx.AddToCleanup(func() error { - ctx.T.Logf("Cleaning up K8s Service '%s/%s'", kubeService.Namespace, kubeService.Name) - return ctx.Clients.Serving.ServingV1().Services(namespace).Delete(context.Background(), svc.Name, metav1.DeleteOptions{}) - }) - - return svc, nil -} diff --git a/test/servinge2e/helpers.go b/test/servinge2e/helpers.go index 121caccd17..c56a2940dd 100644 --- a/test/servinge2e/helpers.go +++ b/test/servinge2e/helpers.go @@ -12,10 +12,7 @@ import ( ) const ( - helloworldService = "helloworld-go" - helloworldService2 = "helloworld-go2" - kubeHelloworldService = "kube-helloworld-go" - helloworldText = "Hello World!" + helloworldText = "Hello World!" ) func WaitForRouteServingText(t *testing.T, caCtx *test.Context, routeURL *url.URL, expectedText string) { diff --git a/test/servinge2e/kourier/custom_route_test.go b/test/servinge2e/kourier/custom_route_test.go index 25c2c788b4..c44b55331b 100644 --- a/test/servinge2e/kourier/custom_route_test.go +++ b/test/servinge2e/kourier/custom_route_test.go 
@@ -39,7 +39,7 @@ func TestCustomOpenShiftRoute(t *testing.T) { defer test.CleanupAll(t, caCtx) // Create Kservice with disable Annotation. - ksvc := test.Service(serviceName, test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + ksvc := test.Service(serviceName, test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) ksvc.ObjectMeta.Annotations = map[string]string{resources.DisableRouteAnnotation: "true"} ksvc = test.WithServiceReadyOrFail(caCtx, ksvc) diff --git a/test/servinge2e/kourier/service_to_service_test.go b/test/servinge2e/kourier/service_to_service_test.go index 9d5f921bc8..43827666f6 100644 --- a/test/servinge2e/kourier/service_to_service_test.go +++ b/test/servinge2e/kourier/service_to_service_test.go @@ -6,6 +6,7 @@ import ( "github.com/openshift-knative/serverless-operator/test" "github.com/openshift-knative/serverless-operator/test/servinge2e" + "github.com/openshift-knative/serverless-operator/test/servinge2e/servicemesh" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/networking/pkg/apis/networking" pkgTest "knative.dev/pkg/test" @@ -62,9 +63,10 @@ func TestServiceToServiceCalls(t *testing.T) { } } +// testServiceToService tests calling a ksvc from another service. func testServiceToService(t *testing.T, ctx *test.Context, namespace string, tc testCase) { // Create a ksvc with the specified annotations and labels - service := test.Service(tc.name, namespace, pkgTest.ImagePath(test.HelloworldGoImg), tc.annotations) + service := test.Service(tc.name, namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, tc.annotations) service.ObjectMeta.Labels = tc.labels service = test.WithServiceReadyOrFail(ctx, service) 
@@ -73,7 +75,7 @@ func testServiceToService(t *testing.T, ctx *test.Context, namespace string, tc // For cluster-local ksvc, we deploy an "HTTP proxy" service, and request that one instead if service.GetLabels()[networking.VisibilityLabelKey] == serving.VisibilityClusterLocal { // Deploy an "HTTP proxy" towards the ksvc (using an httpproxy image from knative-serving testsuite) - httpProxy := test.WithServiceReadyOrFail(ctx, httpProxyService(tc.name+"-proxy", namespace, service.Status.URL.Host)) + httpProxy := test.WithServiceReadyOrFail(ctx, servicemesh.HttpProxyService(tc.name+"-proxy", namespace, "" /*gateway*/, service.Status.URL.Host, nil, nil)) serviceURL = httpProxy.Status.URL.URL() } diff --git a/test/servinge2e/kourier/servicemesh_test.go b/test/servinge2e/kourier/servicemesh_test.go index 72cf850a53..e98e2a5b08 100644 --- a/test/servinge2e/kourier/servicemesh_test.go +++ b/test/servinge2e/kourier/servicemesh_test.go @@ -19,6 +19,7 @@ import ( "testing" "time" + "github.com/openshift-knative/serverless-operator/test/servinge2e/servicemesh" "knative.dev/serving/pkg/apis/autoscaling" "github.com/openshift-knative/serverless-operator/test" 
@@ -30,22 +31,20 @@ import ( "knative.dev/pkg/test/helpers" "knative.dev/pkg/test/spoof" "knative.dev/serving/pkg/apis/serving" - servingv1 "knative.dev/serving/pkg/apis/serving/v1" servingTest "knative.dev/serving/test" ) +const ( + serviceMeshTestNamespaceName = "serverless-tests-mesh" +) + type testCase struct { name string - labels map[string]string // Ksvc labels - annotations map[string]string // Revision template annotations + labels map[string]string // Ksvc Labels + annotations map[string]string // Revision template Annotations expectIstioSidecar bool // Whether it is expected for the istio-proxy sidecar to be injected into the pod } -const ( - serviceMeshTestNamespaceName = "serverless-tests-mesh" - istioInjectKey = "sidecar.istio.io/inject" -) - // Following https://docs.openshift.com/container-platform/4.9/serverless/admin_guide/serverless-ossm-setup.html func setupNamespaceForServiceMesh(ctx *test.Context, serviceMeshNamespace, testNamespace string) { test.CreateServiceMeshMemberRollV1(ctx, test.ServiceMeshMemberRollV1("default", serviceMeshNamespace, testNamespace)) @@ -95,17 +94,6 @@ func runTestForAllServiceMeshVersions(t *testing.T, testFunc func(ctx *test.Cont } } -// A knative service acting as an "http proxy", redirects requests towards a given "host". Used to test cluster-local services -func httpProxyService(name, namespace, host string) *servingv1.Service { - proxy := test.Service(name, namespace, pkgTest.ImagePath(test.HTTPProxyImg), nil) - proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ - Name: "TARGET_HOST", - Value: host, - }) - - return proxy -} - // Skipped unless ServiceMesh has been installed via "make install-mesh" func TestKsvcWithServiceMeshSidecar(t *testing.T) { runTestForAllServiceMeshVersions(t, func(ctx *test.Context) { 
@@ -114,7 +102,7 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the activator can connect to the pod name: "sidecar-via-activator", annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "-1", }, expectIstioSidecar: true, @@ -123,7 +111,7 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the gateway can connect to the pod directly name: "sidecar-without-activator", annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "0", autoscaling.MinScaleAnnotationKey: "1", }, @@ -132,27 +120,27 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { // Verifies the "sidecar.istio.io/inject" annotation is really what decides the istio-proxy presence name: "no-sidecar", annotations: map[string]string{ - istioInjectKey: "false", + servicemesh.IstioInjectKey: "false", }, expectIstioSidecar: false, }, { - // A cluster-local variant of the "sidecar-via-activator" scenario + // A cluster-local variant of the "sidecar-via-activator" testCase name: "local-sidecar-via-activator", labels: map[string]string{ networking.VisibilityLabelKey: serving.VisibilityClusterLocal, }, annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", }, expectIstioSidecar: true, }, { - // A cluster-local variant of the "sidecar-without-activator" scenario + // A cluster-local variant of the "sidecar-without-activator" testCase name: "local-sidecar-without-activator", labels: map[string]string{ networking.VisibilityLabelKey: serving.VisibilityClusterLocal, }, annotations: map[string]string{ - istioInjectKey: "true", + servicemesh.IstioInjectKey: "true", autoscaling.TargetBurstCapacityKey: "0", autoscaling.MinScaleAnnotationKey: "1", }, 
@@ -160,14 +148,14 @@ func TestKsvcWithServiceMeshSidecar(t *testing.T) { }} t := ctx.T - for _, scenario := range tests { - scenario := scenario - t.Run(scenario.name, func(t *testing.T) { + for _, testCase := range tests { + testCase := testCase + t.Run(testCase.name, func(t *testing.T) { // Create a new context to prevent calling ctx.T.Fatal on parent T. ctx := test.SetupClusterAdmin(t) test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, ctx) }) defer test.CleanupAll(t, ctx) - testServiceToService(t, ctx, test.Namespace, scenario) + testServiceToService(t, ctx, test.Namespace, testCase) }) } }) @@ -331,7 +319,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { // istio-pilot caches the JWKS content if a new Policy has the same jwksUri as some old policy. // Rerunning this test would fail if we kept the jwksUri constant across invocations then, // hence the random suffix for the jwks ksvc. - jwksKsvc := test.Service(helpers.AppendRandomString("jwks"), test.Namespace, pkgTest.ImagePath(test.HelloOpenshiftImg), nil) + jwksKsvc := test.Service(helpers.AppendRandomString("jwks"), test.Namespace, pkgTest.ImagePath(test.HelloOpenshiftImg), nil, nil) jwksKsvc.Spec.Template.Spec.Containers[0].Env = append(jwksKsvc.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ Name: "RESPONSE", Value: jwks, @@ -482,7 +470,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { } // Create a test ksvc, should be accessible only via proper JWT token - testKsvc := test.Service("jwt-test", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), map[string]string{ + testKsvc := test.Service("jwt-test", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, map[string]string{ "sidecar.istio.io/inject": "true", "sidecar.istio.io/rewriteAppHTTPProbers": "true", }) 
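Review bot: The `jwt-test` service in the `@@ -482,7 +470,7 @@` hunk still spells its annotation keys as string literals, `"sidecar.istio.io/inject": "true"` and `"sidecar.istio.io/rewriteAppHTTPProbers": "true"`, while every other hunk in this file was migrated to `servicemesh.IstioInjectKey`. For consistency with those hunks use the constants this series exports for exactly this purpose: `servicemesh.IstioInjectKey: "true",` and `servicemesh.IstioRewriteProbersKey: "true",`. `TestKsvcWithServiceMeshJWTDefaultPolicy` starts and ends outside the hunk.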
@@ -632,7 +620,7 @@ func TestKsvcWithServiceMeshJWTDefaultPolicy(t *testing.T) { func lookupOpenShiftRouterIP(ctx *test.Context) net.IP { // Deploy an auxiliary ksvc accessible via an OpenShift route, so that we have a route hostname that we can resolve - aux := test.Service("aux", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + aux := test.Service("aux", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) aux = test.WithServiceReadyOrFail(ctx, aux) ips, err := net.LookupIP(aux.Status.URL.Host) diff --git a/test/servinge2e/kourier/verify_http_and_https_test.go b/test/servinge2e/kourier/verify_http_and_https_test.go index ab72807516..97900c7d0e 100644 --- a/test/servinge2e/kourier/verify_http_and_https_test.go +++ b/test/servinge2e/kourier/verify_http_and_https_test.go @@ -16,7 +16,7 @@ func TestKnativeServiceHTTPRedirect(t *testing.T) { test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, caCtx) }) defer test.CleanupAll(t, caCtx) - ksvc := test.Service("redirect-service", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil) + ksvc := test.Service("redirect-service", test.Namespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, nil) ksvc.ObjectMeta.Annotations = map[string]string{networking.HTTPProtocolAnnotationKey: "redirected"} ksvc = test.WithServiceReadyOrFail(caCtx, ksvc) diff --git a/test/servinge2e/servicemesh/helpers.go b/test/servinge2e/servicemesh/helpers.go new file mode 100644 index 0000000000..61e9edce14 --- /dev/null +++ b/test/servinge2e/servicemesh/helpers.go 
@@ -0,0 +1,45 @@
+package servicemesh
+
+import (
+ "github.com/openshift-knative/serverless-operator/test"
+ corev1 "k8s.io/api/core/v1"
+ pkgTest "knative.dev/pkg/test"
+ "knative.dev/pkg/test/spoof"
+ servingv1 "knative.dev/serving/pkg/apis/serving/v1"
+)
+
+const (
+ IstioInjectKey = "sidecar.istio.io/inject"
+ IstioRewriteProbersKey = "sidecar.istio.io/rewriteAppHTTPProbers"
+ ServingEnablePassthroughKey = "serving.knative.openshift.io/enablePassthrough"
+ helloWorldText = "Hello World!"
+)
+
+type testCase struct {
+ name string
+ labels map[string]string // Ksvc Labels
+ annotations map[string]string // Revision template Annotations
+ sourceNamespace string // Namespace for the source service (http proxy)
+ targetNamespace string // Namespace for the target service
+ gateway string // Value for gateway that's called by http proxy
+ targetHost string // Value for host that's called by http proxy
+ usePrivateService bool // Whether http proxy should call target's service private service
+ checkResponseFunc spoof.ResponseChecker // Function to be used to check response
+}
+
+// HttpProxyService returns a knative service acting as "http proxy", redirects requests towards a given "host". Used to test cluster-local services
+func HttpProxyService(name, namespace, gateway, target string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service {
+ proxy := test.Service(name, namespace, pkgTest.ImagePath(test.HTTPProxyImg), serviceAnnotations, templateAnnotations)
+ if gateway != "" {
+ proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+ Name: "GATEWAY_HOST",
+ Value: gateway,
+ })
+ }
+ proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+ Name: "TARGET_HOST",
+ Value: target,
+ })
+
+ return proxy
+}
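Review bot: `HttpProxyService` does not follow Go's initialism convention (`userID`, `rawURL`), and the very same line already uses `test.HTTPProxyImg`; the exported name should be `HTTPProxyService`, with the call sites this series adds in `service_to_service_test.go` and `multitenant_test.go` renamed alongside. The doc comment should also be a full sentence that starts with the name, e.g. `// HTTPProxyService returns a Knative Service running the HTTP proxy image that forwards requests to target; when gateway is non-empty it is passed to the proxy as GATEWAY_HOST. It is used to test cluster-local services.` Separately, `testCase` is declared in `helpers.go` rather than a `_test.go` file, so it is compiled into the package for every importer even though, as far as this series shows, only `multitenant_test.go` uses it.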
diff --git a/test/servinge2e/servicemesh/multitenant_test.go b/test/servinge2e/servicemesh/multitenant_test.go new file mode 100644 index 0000000000..e0f4183815 --- /dev/null +++ b/test/servinge2e/servicemesh/multitenant_test.go 
@@ -0,0 +1,167 @@
+package servicemesh
+
+import (
+ "context"
+ "fmt"
+ "testing"
+
+ "github.com/openshift-knative/serverless-operator/test"
+ "knative.dev/networking/pkg/apis/networking"
+ pkgTest "knative.dev/pkg/test"
+ "knative.dev/pkg/test/spoof"
+ "knative.dev/serving/pkg/apis/autoscaling"
+ "knative.dev/serving/pkg/apis/serving"
+ servingTest "knative.dev/serving/test"
+)
+
+const (
+ Tenant1 = "tenant-1"
+ Tenant2 = "tenant-2"
+ LocalGatewayHost = "knative-local-gateway.istio-system.svc.cluster.local"
+)
+
+var ExpectStatusForbidden = func(resp *spoof.Response) (bool, error) {
+ if resp.StatusCode != 403 {
+ // Returning (false, nil) causes SpoofingClient.Poll to retry.
+ return false, fmt.Errorf("unexpected status: %d", resp.StatusCode)
+ }
+ return true, nil
+}
+
+func TestMultiTenancyWithServiceMesh(t *testing.T) {
+ tests := []testCase{
+ {
+ name: "same-tenant-directly",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ usePrivateService: true,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ },
+ {
+ name: "cross-tenant-directly",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ usePrivateService: true,
+ checkResponseFunc: ExpectStatusForbidden,
+ },
+ {
+ name: "same-tenant-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ },
+ {
+ name: "cross-tenant-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ },
+ {
+ name: "same-tenant-via-ingress-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "cross-tenant-via-ingress-via-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "-1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "same-tenant-via-ingress-no-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant1,
+ checkResponseFunc: spoof.MatchesBody(helloWorldText),
+ gateway: LocalGatewayHost,
+ },
+ {
+ name: "cross-tenant-via-ingress-no-activator",
+ annotations: map[string]string{
+ autoscaling.TargetBurstCapacityKey: "0",
+ autoscaling.MinScaleAnnotationKey: "1",
+ },
+ sourceNamespace: Tenant1,
+ targetNamespace: Tenant2,
+ checkResponseFunc: ExpectStatusForbidden,
+ gateway: LocalGatewayHost,
+ }}
+
+ for _, tc := range tests {
+ tc := tc
+
+ tc.annotations[IstioInjectKey] = "true"
+ tc.annotations[IstioRewriteProbersKey] = "true"
+
+ // Always use cluster-local service.
+ tc.labels = map[string]string{
+ networking.VisibilityLabelKey: serving.VisibilityClusterLocal,
+ }
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+
+ ctx := test.SetupClusterAdmin(t)
+ test.CleanupOnInterrupt(t, func() { test.CleanupAll(t, ctx) })
+ defer test.CleanupAll(t, ctx)
+
+ service := test.Service(tc.name, tc.targetNamespace, pkgTest.ImagePath(test.HelloworldGoImg), map[string]string{
+ ServingEnablePassthroughKey: "true",
+ }, tc.annotations)
+ service.ObjectMeta.Labels = tc.labels
+
+ service = test.WithServiceReadyOrFail(ctx, service)
+
+ gateway := ""
+ targetHost := service.Status.URL.Host
+ if tc.usePrivateService {
+ targetHost = fmt.Sprintf("%s-00001-private.%s.svc.cluster.local", service.Name, tc.targetNamespace)
+ } else if tc.gateway != "" {
+ gateway = tc.gateway
+ targetHost = service.Status.URL.Host
+ }
+
+ httpProxy := test.WithServiceReadyOrFail(ctx, HttpProxyService(tc.name+"-proxy", tc.sourceNamespace, gateway, targetHost, map[string]string{
+ ServingEnablePassthroughKey: "true",
+ }, tc.annotations))
+
+ if _, err := pkgTest.CheckEndpointState(
+ context.Background(),
+ ctx.Clients.Kube,
+ t.Logf,
+ httpProxy.Status.URL.URL(),
+ tc.checkResponseFunc,
+ "CheckResponse",
+ true,
+ servingTest.AddRootCAtoTransport(context.Background(), t.Logf, &servingTest.Clients{KubeClient: ctx.Clients.Kube}, true),
+ ); err != nil {
+ t.Fatalf("Unexpected state for %s :%v", httpProxy.Status.URL.URL(), err)
+ }
+ })
+ }
+}
diff --git a/test/servinge2e/tracing_test.go b/test/servinge2e/tracing_test.go
index b86ae4244c..1066b7208e 100644
--- a/test/servinge2e/tracing_test.go
+++ b/test/servinge2e/tracing_test.go
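Review bot: The cross-tenant cases assert only `resp.StatusCode != 403` in `ExpectStatusForbidden`, so any 403 from any hop passes the test; to confirm the denial really comes from the mesh authorization layer, also match the Istio RBAC denial body, e.g. `return resp.StatusCode == 403 && strings.Contains(string(resp.Body), "RBAC: access denied"), nil`. The comment on the line above the `return` says that `(false, nil)` causes a retry, yet the function returns `(false, err)`, which, if `spoof.Poll` follows the usual `wait.PollImmediate` contract, aborts polling on the first non-403 response before the policy may have been enforced; either return `nil` there so the checker keeps polling, or reword the comment to match. In the `else if tc.gateway != ""` branch, `targetHost = service.Status.URL.Host` repeats the initialiser two lines above and can be dropped. The `%s-00001-private` host hard-codes the first revision name, which presumably holds for a freshly created service but deserves a comment saying so.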
@@ -54,7 +54,7 @@ func tracingTest(t *testing.T, activatorInPath bool) { if activatorInPath { annotations = nil } - ksvc := test.WithServiceReadyOrFail(ctx, test.Service(name, testNamespace, pkgTest.ImagePath(test.HelloworldGoImg), annotations)) + ksvc := test.WithServiceReadyOrFail(ctx, test.Service(name, testNamespace, pkgTest.ImagePath(test.HelloworldGoImg), nil, annotations)) WaitForRouteServingText(t, ctx, ksvc.Status.URL.URL(), helloworldText) From 7602a619fe4d63c0ccdc366f246b155943b5b35b Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 07:47:49 +0200 Subject: [PATCH 02/42] Update authorization policies --- ...authorization-policy-knative-eventing.yaml | 153 +++++++++++++++--- 1 file changed, 132 insertions(+), 21 deletions(-) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 488de7d2c6..7a26045bed 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
@@ -1,78 +1,135 @@ --- +# Allow Knative activator to receive requests from serverless-tests. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-mt-channel-based-broker + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" +--- +# Allow Knative InMemoryChannel to receive requests from serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-channel namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-ingress" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: - namespaces: [ "serverless-tests" ] + namespaces: + - "serverless-tests" to: - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - paths: [ "/serverless-tests/*" ] --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher + name: allow-serverless-tests-kafka-broker-reply namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "imc-dispatcher" + app.kubernetes.io/component: "kafka-broker-receiver" rules: - from: - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker.yaml +# Allow Knative Broker for Apache Kafka to receive requests from serverless-tests. 
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-imc-dispatcher-to-mt-channel-based-broker-filter + name: allow-serverless-tests-kafka-broker namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-filter" + app.kubernetes.io/component: "kafka-broker-receiver" rules: - from: - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + namespaces: + - "serverless-tests" to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Allow Knative Channel for Apache Kafka to receive requests from serverless-tests. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-imc-dispatcher + name: allow-serverless-tests-kafka-channel namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "imc-dispatcher" + app.kubernetes.io/component: "kafka-channel-receiver" rules: - from: - source: - namespaces: [ "serverless-tests" ] + namespaces: + - "serverless-tests" to: - operation: - hosts: [ "*.serverless-tests.svc.cluster.local" ] + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Allow Knative Sink for Apache Kafka to receive requests from serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-sink + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- apiVersion: security.istio.io/v1beta1 
@@ -100,25 +157,79 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker.yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-broker-reply + name: allow-serverless-tests-mt-channel-based-broker namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" + app.kubernetes.io/component: "broker-ingress" rules: - from: - source: namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" + - "serverless-tests" to: - operation: paths: - "/serverless-tests/*" methods: [ "POST" ] +--- +# Allow namespace serverless-tests to receive requests from Knative system components. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-from-knative + namespace: serverless-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + - "knative-eventing" + - "knative-serving" + - "istio-system" +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-kafka-channel-dispatcher-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + methods: [ "POST" ] From 1fba1a8465a77c8824fca81878077ffbeccb1757 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 08:17:58 +0200 Subject: [PATCH 03/42] Update teardown for Mesh --- hack/lib/mesh.bash | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash index 537aa771b3..1798a4f6e9 100644 --- a/hack/lib/mesh.bash +++ b/hack/lib/mesh.bash @@ -130,6 +130,13 @@ function deploy_gateways { } function undeploy_gateways { + oc delete -n serverless-tests -f "${resources_dir}"/network-policy-monitoring.yaml --ignore-not-found || return $? + for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do + oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $? + done + oc delete -f "${resources_dir}"/authorization-policy-test-namespaces.yaml --ignore-not-found || return $? + oc delete -f "${resources_dir}"/authorization-policy-knative-eventing.yaml --ignore-not-found || return $? + oc delete -f "${resources_dir}"/authorization-policy-knative-serving.yaml --ignore-not-found || return $? oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $? oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $? oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $? From 13541e577d947bf9bb08b073477f43c49de4dd20 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 08:38:51 +0200 Subject: [PATCH 04/42] Revert "Update authorization policies" This reverts commit c7cb78fcf903f0d41d0fa380940b65420108fb1f. --- ...authorization-policy-knative-eventing.yaml | 153 +++--------------- 1 file changed, 21 insertions(+), 132 deletions(-) 
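Review bot: `allow-traffic-from-knative` has no `selector` and no `to` block, so it allows every method and path on every workload in `serverless-tests` from any workload in the four listed namespaces, identified by namespace alone; the neighbouring policies scope their `from` by `principals` and their `to` by `paths`/`hosts`, and this one should do the same or at least carry a comment such as `# Namespace-wide ALLOW: test workloads must accept traffic from any Knative/Istio system component; not for production use.` Listing `istio-system` in `namespaces` is similarly broad, since it admits the ingress and egress gateways as well as the control plane. PATCH 04 in this series reverts this file, so whichever version is re-applied afterwards should carry the narrower scoping.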
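Review bot: `--ignore-not-found` only tolerates a missing cluster resource, not a missing manifest file, so if `network-policy-monitoring.yaml` or `kafka-service-entry.yaml` is absent from `${resources_dir}` (neither appears in this series' diffstat, so I cannot confirm they exist), the new `|| return $?` aborts `undeploy_gateways` before the existing peerauthentication, gateway and smmr deletes run; skip each new delete when its manifest is missing, or order the new deletes after the existing ones so the core teardown always completes. The namespace list `serverless-tests eventing-e2e0 … eventing-e2e4` is hard-coded here and presumably again on the deploy side, which is outside this hunk; a shared array such as `for ns in "${mesh_test_namespaces[@]}"; do` would keep the two from drifting. The function body of `undeploy_gateways` continues outside the hunk.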
diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 7a26045bed..488de7d2c6 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
@@ -1,135 +1,78 @@ --- -# Allow Knative activator to receive requests from serverless-tests. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" ---- -# Allow Knative InMemoryChannel to receive requests from serverless-tests. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-channel + name: allow-serverless-tests-mt-channel-based-broker namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "imc-dispatcher" + app.kubernetes.io/component: "broker-ingress" rules: - from: - source: - namespaces: - - "serverless-tests" + namespaces: [ "serverless-tests" ] to: - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] + paths: [ "/serverless-tests/*" ] --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-broker-reply + name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: - namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] to: - operation: - paths: - - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker.yaml -# Allow Knative Broker for Apache Kafka to receive requests from serverless-tests. 
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-broker + name: allow-imc-dispatcher-to-mt-channel-based-broker-filter namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" + app.kubernetes.io/component: "broker-filter" rules: - from: - source: - namespaces: - - "serverless-tests" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] to: - operation: - paths: - - "/serverless-tests/*" methods: [ "POST" ] --- -# Allow Knative Channel for Apache Kafka to receive requests from serverless-tests. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-channel + name: allow-serverless-tests-imc-dispatcher namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: - namespaces: - - "serverless-tests" + namespaces: [ "serverless-tests" ] to: - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Allow Knative Sink for Apache Kafka to receive requests from serverless-tests. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-sink - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" + hosts: [ "*.serverless-tests.svc.cluster.local" ] methods: [ "POST" ] --- apiVersion: security.istio.io/v1beta1 
@@ -157,79 +100,25 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker.yaml apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-mt-channel-based-broker + name: allow-serverless-tests-kafka-broker-reply namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-ingress" + app.kubernetes.io/component: "kafka-broker-receiver" rules: - from: - source: namespaces: - - "serverless-tests" + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" to: - operation: paths: - "/serverless-tests/*" methods: [ "POST" ] ---- -# Allow namespace serverless-tests to receive requests from Knative system components. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-from-knative - namespace: serverless-tests -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: - - "serverless-tests" - - "knative-eventing" - - "knative-serving" - - "istio-system" ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] - to: - - operation: - methods: [ "POST" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-kafka-channel-dispatcher-to-mt-channel-based-broker-filter - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-filter" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - methods: [ "POST" ] From e926ac0454446d63293e3f517d6d79476a07a80a Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 08:41:29 +0200 Subject: [PATCH 05/42] Test Kafka together with Mesh --- Makefile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 2c5cbc63b8..95baf74684 100644 --- a/Makefile +++ b/Makefile @@ -127,8 +127,9 @@ test-e2e-with-mesh-testonly: test-e2e-with-mesh: FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh ./hack/tracing.sh - FULL_MESH=true ENABLE_TRACING=true ./hack/install.sh - FULL_MESH=true ./test/e2e-tests.sh + UNINSTALL_STRIMZI="false" ./hack/strimzi.sh + FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA="true" ENABLE_TRACING=true ./hack/install.sh + FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh # Run both unit and E2E tests from the current repo. test-operator: test-unit test-e2e From 01ad24f7fc2084fb716e2fc32a836d6284239a6c Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 08:55:16 +0200 Subject: [PATCH 06/42] Add more policies --- ...authorization-policy-knative-eventing.yaml | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 488de7d2c6..4af1f26195 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
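Review bot: The new `test-e2e-with-mesh` recipe mixes quoted and unquoted booleans on adjacent lines (`UNINSTALL_STRIMZI="false"` and `INSTALL_KAFKA="true"` next to `FULL_MESH=true` and `TEST_KNATIVE_KAFKA=true`); make passes both forms identically, so pick one, e.g. `FULL_MESH=true SCALE_UP=4 INSTALL_KAFKA=true ENABLE_TRACING=true ./hack/install.sh`. The recipe starts outside the hunk.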
@@ -122,3 +122,66 @@ spec: paths: - "/serverless-tests/*" methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-sink + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] From 4e4bac938ba6142e3d48ec2ac8a16c77fece35d7 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 12:02:24 +0200 Subject: [PATCH 07/42] Remove some policies --- ...authorization-policy-knative-eventing.yaml | 63 ------------------- 1 file changed, 63 deletions(-) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 4af1f26195..488de7d2c6 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
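Review bot: The three policies added here are removed verbatim by the next commit (L43) and `allow-serverless-tests-kafka-broker` comes back together with a different pair in patch 08 (L44), so reviewing the policy set commit by commit is misleading; consider squashing patches 06–08 before merge. On the content, `allow-serverless-tests-kafka-channel` scopes the operation by `hosts` (`*.serverless-tests.svc.cluster.local`) while its two siblings scope by `paths` (`/serverless-tests/*`), and nothing in the file says why the channel receiver is addressed differently; a one-line comment above that policy explaining the host-based scoping would keep a later maintainer from "harmonising" it and breaking channel delivery.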
@@ -122,66 +122,3 @@ spec: paths: - "/serverless-tests/*" methods: [ "POST" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-broker - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-channel - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-sink - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] From f81a8acfe61e9efc7140ff93ce5c7ee0c1bd016e Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 12:03:07 +0200 Subject: [PATCH 08/42] Add policies #1 --- ...authorization-policy-knative-eventing.yaml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 488de7d2c6..2de827a98a 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
@@ -122,3 +122,62 @@ spec: paths: - "/serverless-tests/*" methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-kafka-channel-dispatcher-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + methods: [ "POST" ] From 530951eded6dbc222892d3581a8ccd171c8e9cc4 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 12:04:19 +0200 Subject: [PATCH 09/42] Add policies - allow probe --- ...authorization-policy-knative-eventing.yaml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 2de827a98a..e288b5a79a 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml 
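Review bot: The two cross-component policies at the end of this hunk, `allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver` and `allow-kafka-channel-dispatcher-to-mt-channel-based-broker-filter`, restrict only `methods: [ "POST" ]` and carry no `hosts` or `paths` constraint, unlike `allow-serverless-tests-kafka-broker` just above, which is scoped to `/serverless-tests/*`. In a multi-tenant mesh that lets the named data-plane principals reach every tenant's channels and triggers rather than only those of `serverless-tests`. If per-tenant isolation is the goal, add `hosts: [ "*.serverless-tests.svc.cluster.local" ]` to the channel-receiver rule (the form this file already uses for that receiver) and a tenant-scoped `paths` entry to the broker-filter rule; if the unscoped system-internal hop is deliberate, say so in a comment above each policy so nobody tightens it later.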
+++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml @@ -181,3 +181,60 @@ spec: to: - operation: methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-broker-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-sink-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] From e726fbe699c7794e731ac40b1aefbb4b1ecc0309 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 12:29:14 +0200 Subject: [PATCH 10/42] Introduce default environment for eventinge2erekt tests --- .../channelbasedbroker_ksvc_test.go | 12 +----------- .../containersource_channel_ksvc_test.go | 15 +-------------- test/eventinge2erekt/main_test.go | 19 +++++++++++++++++++ test/eventinge2erekt/pingsource_ksvc_test.go | 14 +------------- 4 files changed, 22 insertions(+), 38 deletions(-) 
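Review bot: The three `allow-probe-*` policies grant `kafka-controller` every `GET` on the receivers with no `paths` restriction, and nothing records which endpoint the probe (per the commit title) actually hits. Narrowing `to.operation` to that endpoint, e.g. `paths: [ "<probe-path>" ]` filled in from the receiver's probe handler, keeps the least-privilege posture the rest of the file aims for, and a comment such as `# kafka-controller probes the receiver over GET; no other method is needed.` above the first of the three makes the intent explicit. The three differ only in the selector label, which is fine for Istio, but a comment noting they are one logical grant repeated per component would help a reader who sees only one of them.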
diff --git a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go
index 018360652a..93385067a7 100644
--- a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go
+++ b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go
@@ -8,7 +8,6 @@ import (
resources "knative.dev/eventing/test/rekt/resources/broker"
"knative.dev/pkg/system"
"knative.dev/reconciler-test/pkg/environment"
- "knative.dev/reconciler-test/pkg/eventshub"
"knative.dev/reconciler-test/pkg/feature"
"knative.dev/reconciler-test/pkg/k8s"
"knative.dev/reconciler-test/pkg/knative"
@@ -18,16 +17,7 @@ import (
func TestChannelBasedBrokerToKsvc(t *testing.T) {
t.Parallel()
- ctx, env := global.Environment(
- knative.WithKnativeNamespace(system.Namespace()),
- knative.WithLoggingConfig,
- knative.WithTracingConfig,
- k8s.WithEventListener,
- // Enables KnativeService in the scenario.
- eventshub.WithKnativeServiceForwarder,
- environment.WithPollTimings(5*time.Second, 4*time.Minute),
- environment.Managed(t),
- )
+ ctx, env := defaultEnvironment(t)
brokerName := feature.MakeRandomK8sName("broker")
diff --git a/test/eventinge2erekt/containersource_channel_ksvc_test.go b/test/eventinge2erekt/containersource_channel_ksvc_test.go
index 4c61d057bf..a1e463ba5d 100644
--- a/test/eventinge2erekt/containersource_channel_ksvc_test.go
+++ b/test/eventinge2erekt/containersource_channel_ksvc_test.go
@@ -6,11 +6,6 @@ import (
"knative.dev/eventing/test/rekt/features/channel"
"knative.dev/eventing/test/rekt/resources/subscription"
duckv1 "knative.dev/pkg/apis/duck/v1"
- "knative.dev/pkg/system"
- "knative.dev/reconciler-test/pkg/environment"
- "knative.dev/reconciler-test/pkg/eventshub"
- "knative.dev/reconciler-test/pkg/k8s"
- "knative.dev/reconciler-test/pkg/knative"
"knative.dev/reconciler-test/pkg/manifest"
)
@@ -18,15 +13,7 @@ import (
func TestContainerSourceChannelKsvc(t *testing.T) {
t.Parallel()
- ctx, env := global.Environment(
- knative.WithKnativeNamespace(system.Namespace()),
- knative.WithLoggingConfig,
- knative.WithTracingConfig,
- k8s.WithEventListener,
- // Enables KnativeService in the scenario.
- eventshub.WithKnativeServiceForwarder,
- environment.Managed(t),
- )
+ ctx, env := defaultEnvironment(t)
createSubscriberFn := func(ref *duckv1.KReference, uri string) manifest.CfgFn {
return subscription.WithSubscriber(ref, uri)
diff --git a/test/eventinge2erekt/main_test.go b/test/eventinge2erekt/main_test.go
index 5dfad92237..0f1bbca062 100644
--- a/test/eventinge2erekt/main_test.go
+++ b/test/eventinge2erekt/main_test.go
@@ -1,11 +1,17 @@
package eventinge2erekt
import (
+ "context"
"os"
"testing"
+ "time"
"knative.dev/eventing/test/rekt/resources/broker"
+ "knative.dev/pkg/system"
"knative.dev/reconciler-test/pkg/environment"
+ "knative.dev/reconciler-test/pkg/eventshub"
+ "knative.dev/reconciler-test/pkg/k8s"
+ "knative.dev/reconciler-test/pkg/knative"
)
var global environment.GlobalEnvironment
@@ -19,3 +25,16 @@ func TestMain(m *testing.M) {
// Run the tests.
os.Exit(m.Run())
}
+
+func defaultEnvironment(t *testing.T) (context.Context, environment.Environment) {
+ return global.Environment(
+ knative.WithKnativeNamespace(system.Namespace()),
+ knative.WithLoggingConfig,
+ knative.WithTracingConfig,
+ k8s.WithEventListener,
+ // Enables KnativeService in the scenario.
+ eventshub.WithKnativeServiceForwarder,
+ environment.WithPollTimings(5*time.Second, 4*time.Minute),
+ environment.Managed(t),
+ )
+}
diff --git a/test/eventinge2erekt/pingsource_ksvc_test.go b/test/eventinge2erekt/pingsource_ksvc_test.go
index 079f7f4c53..7d2fceb7be 100644
--- a/test/eventinge2erekt/pingsource_ksvc_test.go
+++ b/test/eventinge2erekt/pingsource_ksvc_test.go
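Review bot: `defaultEnvironment` in main_test.go is a new package-level helper with no doc comment, and it quietly changes behaviour for two of its three callers: `TestContainerSourceChannelKsvc` (this hunk) and `TestPingSourceToKsvc` (L48) previously built their environment without `environment.WithPollTimings(5*time.Second, 4*time.Minute)`, which the helper now applies to every caller, while `TestChannelBasedBrokerToKsvc` (L46) already had it. If the longer timings are intended everywhere, the helper should say so, e.g. `// defaultEnvironment returns the environment shared by the eventinge2erekt tests: Knative system namespace, logging and tracing config, an event listener, the Knative Service forwarder, and 5s/4m poll timings.`; if not, take the poll timings as a parameter or variadic extra options so the two tests keep their previous defaults.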
@@ -6,26 +6,14 @@ import (
"github.com/openshift-knative/serverless-operator/test/eventinge2erekt/features"
"knative.dev/eventing/test/rekt/features/pingsource"
- "knative.dev/pkg/system"
"knative.dev/reconciler-test/pkg/environment"
- "knative.dev/reconciler-test/pkg/eventshub"
- "knative.dev/reconciler-test/pkg/k8s"
- "knative.dev/reconciler-test/pkg/knative"
)
// PingSource -> Ksvc -> Sink (Eventshub)
func TestPingSourceToKsvc(t *testing.T) {
t.Parallel()
- ctx, env := global.Environment(
- knative.WithKnativeNamespace(system.Namespace()),
- knative.WithLoggingConfig,
- knative.WithTracingConfig,
- k8s.WithEventListener,
- // Enables KnativeService in the PingSource scenario.
- eventshub.WithKnativeServiceForwarder,
- environment.Managed(t),
- )
+ ctx, env := defaultEnvironment(t)
since := time.Now()
From b955be36fbfc774101f91b6f2c22c69ac01c3ffe Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 28 Jun 2023 12:47:26 +0200
Subject: [PATCH 11/42] Fix lint
---
test/servinge2e/kourier/service_to_service_test.go | 2 +-
test/servinge2e/servicemesh/helpers.go | 5 ++---
test/servinge2e/servicemesh/multitenant_test.go | 2 +-
3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/test/servinge2e/kourier/service_to_service_test.go b/test/servinge2e/kourier/service_to_service_test.go
index 43827666f6..3c14fa574d 100644
--- a/test/servinge2e/kourier/service_to_service_test.go
+++ b/test/servinge2e/kourier/service_to_service_test.go
@@ -75,7 +75,7 @@ func testServiceToService(t *testing.T, ctx *test.Context, namespace string, tc
// For cluster-local ksvc, we deploy an "HTTP proxy" service, and request that one instead
if service.GetLabels()[networking.VisibilityLabelKey] == serving.VisibilityClusterLocal {
// Deploy an "HTTP proxy" towards the ksvc (using an httpproxy image from knative-serving testsuite)
- httpProxy := test.WithServiceReadyOrFail(ctx, servicemesh.HttpProxyService(tc.name+"-proxy", namespace, "" /*gateway*/, service.Status.URL.Host, nil, nil))
+ httpProxy := test.WithServiceReadyOrFail(ctx, servicemesh.HTTPProxyService(tc.name+"-proxy", namespace, "" /*gateway*/, service.Status.URL.Host, nil, nil))
serviceURL = httpProxy.Status.URL.URL()
}
diff --git a/test/servinge2e/servicemesh/helpers.go b/test/servinge2e/servicemesh/helpers.go
index 61e9edce14..7daa89bfc6 100644
--- a/test/servinge2e/servicemesh/helpers.go
+++ b/test/servinge2e/servicemesh/helpers.go
@@ -22,13 +22,12 @@ type testCase struct {
sourceNamespace string // Namespace for the source service (http proxy)
targetNamespace string // Namespace for the target service
gateway string // Value for gateway that's called by http proxy
- targetHost string // Value for host that's called by http proxy
usePrivateService bool // Whether http proxy should call target's service private service
checkResponseFunc spoof.ResponseChecker // Function to be used to check response
}
-// HttpProxyService returns a knative service acting as "http proxy", redirects requests towards a given "host". Used to test cluster-local services
-func HttpProxyService(name, namespace, gateway, target string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service {
+// HTTPProxyService returns a knative service acting as "http proxy", redirects requests towards a given "host". Used to test cluster-local services
+func HTTPProxyService(name, namespace, gateway, target string, serviceAnnotations, templateAnnotations map[string]string) *servingv1.Service {
proxy := test.Service(name, namespace, pkgTest.ImagePath(test.HTTPProxyImg), serviceAnnotations, templateAnnotations)
if gateway != "" {
proxy.Spec.Template.Spec.Containers[0].Env = append(proxy.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
diff --git a/test/servinge2e/servicemesh/multitenant_test.go b/test/servinge2e/servicemesh/multitenant_test.go
index e0f4183815..4cbfe8e57f 100644
--- a/test/servinge2e/servicemesh/multitenant_test.go
+++ b/test/servinge2e/servicemesh/multitenant_test.go
@@ -146,7 +146,7 @@ func TestMultiTenancyWithServiceMesh(t *testing.T) {
targetHost = service.Status.URL.Host
}
- httpProxy := test.WithServiceReadyOrFail(ctx, HttpProxyService(tc.name+"-proxy", tc.sourceNamespace, gateway, targetHost, map[string]string{
+ httpProxy := test.WithServiceReadyOrFail(ctx, HTTPProxyService(tc.name+"-proxy", tc.sourceNamespace, gateway, targetHost, map[string]string{
ServingEnablePassthroughKey: "true",
}, tc.annotations))
From 2fb95893495e5968e476c13c5df7a23e8ba91a16 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 28 Jun 2023 12:52:38 +0200
Subject: [PATCH 12/42] Update readme for serving/metadata-webhook
---
serving/metadata-webhook/README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/serving/metadata-webhook/README.md b/serving/metadata-webhook/README.md
index 81f3a8d4c1..0158a2e2af 100644
--- a/serving/metadata-webhook/README.md
+++ b/serving/metadata-webhook/README.md
@@ -12,7 +12,8 @@ Please install [Knative Serving](https://knative.dev/docs/install/).
### Deploy metadata-webhook
```
-$ kubectl apply -f ./config
+$ kubectl apply -f ./config/cluster-resources
+$ kubectl apply -n serving-tests ./config/namespaced-resources
$ kubectl get pod -n serving-tests -w
NAME READY STATUS RESTARTS AGE
From e9f84c40e63b7e6cf945dc5c7e2c7b58c2f8a13c Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 28 Jun 2023 15:17:39 +0200
Subject: [PATCH 13/42] Add allow-serverless-tests-kafka-channel auth policy
---
...authorization-policy-knative-eventing.yaml | 21 +++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml
index e288b5a79a..10a0b17fa7 100644
--- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml
+++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml
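Review bot: The new README command `$ kubectl apply -n serving-tests ./config/namespaced-resources` is missing the `-f` flag that the line above it has, so kubectl will reject it as written; it should read `$ kubectl apply -n serving-tests -f ./config/namespaced-resources`. It is only a documentation hunk, but it is the copy-paste install path for the webhook, so the typo is worth fixing before merge.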
@@ -238,3 +238,24 @@ spec: to: - operation: methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] From 4007b4fa8b351b2e654b822a38e53be267c68601 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 15:31:31 +0200 Subject: [PATCH 14/42] Add deny-all-by-default policies --- .../authorization-policy-knative-eventing.yaml | 7 +++++++ .../authorization-policy-knative-serving.yaml | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index 10a0b17fa7..ceeacbd559 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml @@ -1,6 +1,13 @@ --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy metadata: name: allow-serverless-tests-mt-channel-based-broker namespace: knative-eventing diff --git a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml index e6cc236222..24f0715f2c 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml 
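Review bot: The `deny-all-by-default` policy added to knative-eventing here (and to knative-serving in the sibling hunk, L53) depends on Istio's rule that an AuthorizationPolicy with an empty `spec` denies every request to workloads in its namespace, which is not obvious from `spec: { }` alone and looks like an unfinished object. A comment above it, e.g. `# Empty spec = deny all requests to workloads in this namespace; every other policy in this file is an explicit ALLOW exception.`, makes the file self-describing and stops someone "completing" the empty spec. It is also worth saying in that comment that, once this is in place, any ALLOW with a mistyped label or principal becomes a silent deny rather than an error, since that is the failure mode debuggers will hit first.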
@@ -1,6 +1,13 @@ --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-serving +spec: { } +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy metadata: name: allow-traffic-to-activator namespace: knative-serving From e455f4ba69c4dd4b1d071e5d4b98bc329f4c5118 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 16:02:14 +0200 Subject: [PATCH 15/42] Allow traffic to autoscaler from activator --- .../authorization-policy-knative-serving.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml index 24f0715f2c..b00b8cce83 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml @@ -8,6 +8,21 @@ spec: { } --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-autoscaler + namespace: knative-serving +spec: + selector: + matchLabels: + app: autoscaler + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy metadata: name: allow-traffic-to-activator namespace: knative-serving From 8fbd549f0ccf61b35ca7d8dab8499c6495f19c06 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Wed, 28 Jun 2023 16:32:06 +0200 Subject: [PATCH 16/42] Use heml chart from pirDipi to generate policies Source: github.com/pierDipi/knative-istio-authz-chart policies generated by: helm template ./ --set name=serverless-tests --set "namespaces={serverless-tests}" --- ...authorization-policy-knative-eventing.yaml | 987 +++++++++++++++++- .../authorization-policy-test-namespaces.yaml | 10 +- 2 files changed, 948 insertions(+), 49 deletions(-) 
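Review bot: `allow-traffic-to-autoscaler` admits any workload in the `knative-serving` namespace (`namespaces: [ "knative-serving" ]` with no `principals`) and has no `to` restriction, although the commit title names the activator as the intended caller; every eventing policy in this series pins a ServiceAccount principal, so this one is the outlier. Pin it to the activator's ServiceAccount, `principals: [ "cluster.local/ns/knative-serving/sa/<activator-sa>" ]` with the real SA name substituted, and add an `operation` block if only one port or path is used. The field order also differs from the eventing file (`selector` before `action` here, `action` first there); both are valid, but one convention across the two files makes them easier to diff.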
diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml index ceeacbd559..0347ea66f9 100644 --- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml +++ b/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml @@ -6,29 +6,45 @@ metadata: namespace: knative-eventing spec: { } --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Allow imc-dispatcher to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-mt-channel-based-broker + name: allow-serverless-tests-pingsource-to-imc namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-ingress" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: - namespaces: [ "serverless-tests" ] + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] - paths: [ "/serverless-tests/*" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow imc-dispatcher to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher + name: allow-serverless-tests-imc-to-imc namespace: knative-eventing spec: action: ALLOW 
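Review bot: After this rewrite `mt-broker-ingress` no longer appears as a source principal, and `broker-ingress` no longer appears as a target selector, in any of the generated policies visible here: this hunk removes `allow-mt-channel-based-broker-ingress-to-imc-dispatcher`, L56–L57 removes `allow-serverless-tests-mt-channel-based-broker-reply`, and L59–L60 removes `allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver`, while the generated senders are pingsource-mt-adapter, imc-dispatcher, mt-broker-filter and the three Kafka data planes. With `deny-all-by-default` in place that would cut the channel-based broker's ingress off from its channel and block replies to the ingress; please confirm the chart emits those grants in the part of the file not shown here (the hunk starting at L61 is cut off). Since the file is now generated, a header comment recording the command from the commit message (`helm template ./ --set name=serverless-tests --set "namespaces={serverless-tests}"`) and the chart revision would keep future edits from being made by hand, and the `---` / `# Source:` / `---` triplets that leave empty YAML documents between policies appear harmless but make the file harder to read.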
@@ -39,34 +55,62 @@ spec: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow imc-dispatcher to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-imc-dispatcher-to-mt-channel-based-broker-filter + name: allow-serverless-tests-broker-filter-to-imc namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-filter" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow imc-dispatcher to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-imc-dispatcher + name: allow-serverless-tests-eks-to-imc namespace: knative-eventing spec: action: ALLOW 
@@ -76,41 +120,96 @@ spec: rules: - from: - source: - namespaces: [ "serverless-tests" ] + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] to: - operation: - hosts: [ "*.serverless-tests.svc.cluster.local" ] + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow imc-dispatcher to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-mt-channel-based-broker-reply + name: allow-serverless-tests-ekb-to-imc namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-ingress" + app.kubernetes.io/component: "imc-dispatcher" rules: - from: - source: - namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - "cluster.local/ns/knative-eventing/sa/kafka-channel-dispatcher" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] to: - operation: paths: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow imc-dispatcher to receive requests from 
knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-broker-reply + name: allow-serverless-tests-ekc-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from pingsource-mt-adapter in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-pingsource-to-ekb namespace: knative-eventing spec: action: ALLOW 
@@ -120,20 +219,30 @@ spec: rules: - from: - source: - namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/kafka-broker-dispatcher" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] to: - operation: paths: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-broker + name: allow-serverless-tests-imc-to-ekb namespace: knative-eventing spec: action: ALLOW 
@@ -143,56 +252,96 @@ spec: rules: - from: - source: - namespaces: - - "serverless-tests" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] to: - operation: paths: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-mt-channel-based-broker-ingress-to-kafka-channel-receiver + name: allow-serverless-tests-broker-filter-to-ekb namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" + app.kubernetes.io/component: "kafka-broker-receiver" rules: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. 
apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-kafka-channel-dispatcher-to-mt-channel-based-broker-filter + name: allow-serverless-tests-eks-to-ekb namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "broker-filter" + app.kubernetes.io/component: "kafka-broker-receiver" rules: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] to: - operation: + paths: + - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-probe-kafka-broker-receiver + name: allow-serverless-tests-ekb-to-ekb namespace: knative-eventing spec: action: ALLOW 
@@ -203,34 +352,95 @@ spec: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] to: - operation: - methods: [ "GET" ] + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml --- +# Allow kafka-broker-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-probe-kafka-sink-receiver + name: allow-serverless-tests-ekc-to-ekb namespace: knative-eventing spec: action: ALLOW selector: matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from pingsource-mt-adapter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-pingsource-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" rules: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] to: - operation: - methods: [ "GET" ] + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml --- +# Allow kafka-channel-receiver to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-probe-kafka-channel-receiver + name: allow-serverless-tests-imc-to-ekc namespace: knative-eventing spec: action: ALLOW 
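Review bot: The removed `allow-probe-kafka-broker-receiver`, `allow-probe-kafka-sink-receiver` and `allow-probe-kafka-channel-receiver` policies were, as far as this diff shows, the only grants of `methods: [ "GET" ]` to `cluster.local/ns/knative-eventing/sa/kafka-controller` on the three receiver workloads, and the rules that replace them (here and in the next hunk, `@@ -241,15 +451,29 @@`) allow only `POST` from dispatcher principals. If knative-eventing stays under a deny-by-default policy — the `deny-all-by-default` resource that a later patch removes from the head of this file suggests it did — the controller's probe requests to these receivers would be rejected once this file is applied. Patch 17/42 adds `setup/allow-probe-kafka-controller.yaml` according to its diffstat, which presumably restores the allowance; a comment at the top of this file, `# Rendered from the knative-istio-authz-onboarding chart for tenant serverless-tests; system-level allowances (probes, deny-all) live in setup/.`, would make the split explicit so the rendered file is never applied on its own. The first policy in this hunk begins in the previous one.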
@@ -241,15 +451,29 @@ spec: - from: - source: namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] to: - operation: - methods: [ "GET" ] + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml --- +# Allow kafka-channel-receiver to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-serverless-tests-kafka-channel + name: allow-serverless-tests-broker-filter-to-ekc namespace: knative-eventing spec: action: ALLOW 
@@ -259,10 +483,679 @@ spec: rules: - from: - source: - namespaces: - - "serverless-tests" + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] to: - operation: hosts: - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-eks-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekb-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekc-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from pingsource-mt-adapter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-pingsource-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from imc-dispatcher in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from mt-broker-filter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-broker-filter-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-eks-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekb-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekc-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from pingsource-mt-adapter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-pingsource-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from imc-dispatcher in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from mt-broker-filter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-broker-filter-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from knative-kafka-source-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-eks-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from knative-kafka-broker-data-plane in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekb-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +--- +# Allow broker-ingress to receive requests from knative-kafka-channel-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekc-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-imc-channel.yaml +# Allow Knative InMemoryChannel to receive requests from serverless-tests. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker.yaml +# Allow Knative Broker for Apache Kafka to receive requests from serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-channel.yaml +# Allow Knative Channel for Apache Kafka to receive requests from serverless-tests. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-sink.yaml +# Allow Knative Sink for Apache Kafka to receive requests from serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-sink + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker.yaml +# Allow Knative Broker with class MTChannelBasedBroker to receive requests from serverless-tests. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] diff --git a/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml b/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml index cd9d1197bf..d30a7a5caf 100644 --- a/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml +++ b/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml @@ -23,14 +23,20 @@ spec: - source: namespaces: ["tenant-2", "knative-serving", "istio-system"] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-to-ns.yaml +# Allow namespace serverless-tests to receive requests from Knative system components. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: allow-traffic-to-serverless-tests + name: allow-from-knative namespace: serverless-tests spec: action: ALLOW rules: - from: - source: - namespaces: ["serverless-tests", "knative-serving", "knative-eventing", "istio-system"] + namespaces: + - "serverless-tests" + - "knative-eventing" + - "knative-serving" + - "istio-system" From c110f2596cd9fb5a68e134c7cde4d9768d20f99c Mon Sep 17 00:00:00 2001 
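Review bot: `allow-serverless-tests-kafka-broker-reply` and `allow-serverless-tests-mt-channel-based-broker-reply` are the only policies in this hunk without the `# Allow …` line the sibling policies carry, so the reader cannot tell why `knative-kafka-channel-data-plane` (and, for the second policy, `imc-dispatcher` and `mt-broker-filter`) may POST to `/serverless-tests/*` on `kafka-broker-receiver` and `broker-ingress`. Assuming these cover subscriber replies routed back into a tenant's broker — an inference from the names — a comment in the chart template such as `# Allow Knative Broker for Apache Kafka to receive reply events from channel dispatchers on behalf of serverless-tests.` would make the grant auditable; this file is rendered (see the `# Source:` lines), so the comment belongs in the template rather than here. The first policy in this hunk begins in the previous one.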
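Review bot: `allow-from-knative` on the new side of `@@ -23,14 +23,20 @@` has no selector, no `to` and no `principals`, so every workload in knative-serving, knative-eventing and istio-system may reach every port and path of every workload in serverless-tests, whereas the eventing-side policies in this same commit are scoped to individual service accounts. Narrowing `from.source` to the principals that actually call into the tenant namespace would apply the same least-privilege standard here; the activator, the dispatchers and the broker filter are the callers named elsewhere in this diff, but the exact list is not visible and should be derived from the chart. The context lines above show the tenant-2 policy with the same namespace-only shape, so the fix belongs in the template. The same policy is carried over unchanged into helm-chart-serverless-tests.yaml in patch 17/42 (`@@ -995,6 +988,49 @@`).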
From: Martin Gencur
Date: Thu, 29 Jun 2023 07:58:13 +0200
Subject: [PATCH 17/42] Use auth policies from pierDipi's helm chart
---
 hack/lib/mesh.bash | 10 +-
 .../allow-tenant-x-to-activator.yaml | 36 ++++++++
 .../allow-traffic-to-tenant-x.yaml} | 18 ----
 .../helm-chart-serverless-tests.yaml} | 62 +++++++++++--
 ...w-mt-channel-based-broker-to-channels.yaml | 75 +++++++++++++++
 .../setup/allow-probe-kafka-controller.yaml | 56 ++++++++++++
 .../setup/allow-traffic-to-activator.yaml | 14 +++
 .../setup/allow-traffic-to-autoscaler.yaml | 14 +++
 .../setup/deny-all-by-default.yaml | 14 +++
 .../authorization-policy-knative-serving.yaml | 91 -------------------
 .../mesh_resources/peerauthentication.yaml | 9 --
 hack/lib/mesh_resources/specific.yaml | 35 +++++++
 12 files changed, 303 insertions(+), 131 deletions(-)
 create mode 100644 hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml
 rename hack/lib/mesh_resources/{authorization-policy-test-namespaces.yaml => authorization-policies/allow-traffic-to-tenant-x.yaml} (50%)
 rename hack/lib/mesh_resources/{authorization-policy-knative-eventing.yaml => authorization-policies/helm-chart-serverless-tests.yaml} (95%)
 create mode 100644 hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
 delete mode 100644 hack/lib/mesh_resources/authorization-policy-knative-serving.yaml
 create mode 100644 hack/lib/mesh_resources/specific.yaml
diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash
index 1798a4f6e9..633f61454c 100644
--- a/hack/lib/mesh.bash
+++ b/hack/lib/mesh.bash
@@ -118,9 +118,8 @@ function deploy_gateways {
 oc apply -f "${resources_dir}"/smmr.yaml || return $?
 oc apply -f "${resources_dir}"/gateway.yaml || return $?
 oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
- oc apply -f "${resources_dir}"/authorization-policy-knative-serving.yaml || return $?
- oc apply -f "${resources_dir}"/authorization-policy-knative-eventing.yaml || return $?
- oc apply -f "${resources_dir}"/authorization-policy-test-namespaces.yaml || return $?
+ oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
+ oc apply -f "${resources_dir}"/authorization-policies || return $?
 oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
 
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
@@ -134,9 +133,8 @@ function undeploy_gateways {
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
 oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
 done
- oc delete -f "${resources_dir}"/authorization-policy-test-namespaces.yaml --ignore-not-found || return $?
- oc delete -f "${resources_dir}"/authorization-policy-knative-eventing.yaml --ignore-not-found || return $?
- oc delete -f "${resources_dir}"/authorization-policy-knative-serving.yaml --ignore-not-found || return $?
+ oc delete -f "${resources_dir}"/authorization-policies --ignore-not-found || return $?
+ oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/gateway.yaml --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/smmr.yaml --ignore-not-found || return $?
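Review bot: The two `oc apply` lines rely on `oc apply -f DIR` not descending into subdirectories, so `setup/` is applied first by an explicit call and the tenant policies second, but nothing says that the order is deliberate; the diffstat lists `setup/deny-all-by-default.yaml` and the probe allowances under `setup/`, so reversing the calls or adding `-R` would change what is enforced while the rest applies. A comment above the first call, `# 'oc apply -f DIR' is not recursive: setup/ (deny-all, system allowances) goes first, tenant policies second; undeploy reverses the order.`, records the constraint. The matching `oc delete` pair in `@@ -134,9 +133,8 @@` has the same dependency. Both functions continue outside the hunks.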
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml
new file mode 100644
index 0000000000..e7d9d6dfd1
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml
@@ -0,0 +1,36 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-tenant-1-to-activator
+ namespace: knative-serving
+spec:
+ selector:
+ matchLabels:
+ app: activator
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: [ "tenant-1" ]
+ to:
+ - operation:
+ hosts: [ "*.tenant-1.svc.cluster.local" ]
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-tenant-2-to-activator
+ namespace: knative-serving
+spec:
+ selector:
+ matchLabels:
+ app: activator
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: [ "tenant-2" ]
+ to:
+ - operation:
+ hosts: [ "*.tenant-2.svc.cluster.local" ]
diff --git a/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml
similarity index 50%
rename from hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml
rename to hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml
index d30a7a5caf..37ba49a576 100644
--- a/hack/lib/mesh_resources/authorization-policy-test-namespaces.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml
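Review bot: Tenant isolation at the shared activator rests entirely on the `hosts` match: `allow-tenant-1-to-activator` admits namespace tenant-1 only for `*.tenant-1.svc.cluster.local`, so a request from tenant-1 that names another tenant's host matches neither rule and is left to whatever default applies to the activator in knative-serving. That is a denial only if a deny-by-default policy covers knative-serving, which this file does not show (the diffstat lists `setup/deny-all-by-default.yaml`, presumably providing it). A header comment, `# Relies on a deny-all-by-default policy in knative-serving; without it the hosts match does not isolate tenants from each other.`, records the dependency so the two files are not deployed apart. With two hand-copied blocks here, adding a tenant means duplicating the whole policy; a line on how the file is meant to be extended would help as well.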
@@ -22,21 +22,3 @@ spec:
 - from:
 - source:
 namespaces: ["tenant-2", "knative-serving", "istio-system"]
----
-# Source: knative-istio-authz-onboarding/templates/allow-knative-to-ns.yaml
-# Allow namespace serverless-tests to receive requests from Knative system components.
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-from-knative
- namespace: serverless-tests
-spec:
- action: ALLOW
- rules:
- - from:
- - source:
- namespaces:
- - "serverless-tests"
- - "knative-eventing"
- - "knative-serving"
- - "istio-system"
diff --git a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml
similarity index 95%
rename from hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml
rename to hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml
index 0347ea66f9..4101f67861 100644
--- a/hack/lib/mesh_resources/authorization-policy-knative-eventing.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml
@@ -1,11 +1,4 @@
 ---
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: deny-all-by-default
- namespace: knative-eventing
-spec: { }
----
 # Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml
 # Allow imc-dispatcher to receive requests from pingsource-mt-adapter in knative-eventing.
 apiVersion: security.istio.io/v1beta1
@@ -995,6 +988,49 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-to-ns.yaml +# Allow namespace serverless-tests to receive requests from Knative system components. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative + namespace: serverless-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + - "knative-eventing" + - "knative-serving" + - "istio-system" +--- +# Source: knative-istio-authz-onboarding/templates/allow-ns-to-activator.yaml +# Activator is the component handling requests for services that scaled to 0, see +# https://github.com/knative/serving/blob/main/docs/scaling/SYSTEM.md#scaling-to-zero for more details. +# +# Allow Knative activator to receive requests from serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" +--- # Source: knative-istio-authz-onboarding/templates/allow-ns-to-imc-channel.yaml # Allow Knative InMemoryChannel to receive requests from serverless-tests. apiVersion: security.istio.io/v1beta1 @@ -1159,3 +1195,15 @@ spec: paths: - "/serverless-tests/*" methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/peer-authentication.yaml +# Enforce peer authentication to be mTLS in the namespace serverless-tests, so that we can define +# authorization policies based on client and server identities. +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: serverless-tests +spec: + mtls: + mode: STRICT 
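Review bot: `allow-from-knative` in `serverless-tests` has no `selector`, no `to` and no `principals`, so it grants every workload in `knative-eventing`, `knative-serving` and `istio-system` access to every workload, port and path in the namespace; it is the coarsest grant in this file, whereas the surrounding policies pin `principals`, `paths` and `methods`. If that breadth is deliberate for a test namespace, say so in the existing comment, e.g. `# Intentionally namespace-wide (no principals/paths): test workloads accept requests from any Knative or Istio system pod.`; otherwise consider listing the sender identities as the neighbouring policies do. The PeerAuthentication moved into this file in the second hunk is what makes the `namespaces` conditions enforceable, so the two documents now travel together — worth a sentence in the chart's README or the `# Source:` comment.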
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml b/hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml new file mode 100644 index 0000000000..c7f8d58a29 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml 
@@ -0,0 +1,75 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-imc-dispatcher + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-mt-channel-based-broker-ingress-to-kafka-channel + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-ingress" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-kafka-channel-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + methods: [ "POST" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-imc-to-mt-channel-based-broker-filter + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-filter" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + methods: [ "POST" ] 
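Review bot: None of the four policies carries a comment saying which traffic it exists for, unlike the rendered chart file where every document has a `# Source:` line and an "Allow X to receive requests from Y" comment; the names encode sender and receiver but not why, so a reviewer cannot tell whether e.g. the Kafka-channel → broker-filter rule is still required. Suggested form for the first document: `# Allow mt-broker-ingress to deliver events to imc-dispatcher (channel-based Broker backed by InMemoryChannel).`, and similarly for the other three. The same applies to the three policies in `setup/allow-probe-kafka-controller.yaml` in the next hunk, where the `GET`-only grant from `kafka-controller` looks like a readiness/health probe; if the probe path is fixed, adding `paths:` under `operation` there would tighten it further.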
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml b/hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml new file mode 100644 index 0000000000..43784e8770 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml @@ -0,0 +1,56 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-broker-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-sink-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-probe-kafka-channel-receiver + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/kafka-controller" ] + to: + - operation: + methods: [ "GET" ] diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml new file mode 100644 index 0000000000..e3df6cde55 --- /dev/null 
+++ b/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving", "istio-system" ] diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml b/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml new file mode 100644 index 0000000000..4850c6062e --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml @@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-autoscaler + namespace: knative-serving +spec: + selector: + matchLabels: + app: autoscaler + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving" ] diff --git a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml new file mode 100644 index 0000000000..d56c77dadd --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-eventing +spec: { } +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all-by-default + namespace: knative-serving +spec: { } diff --git a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml b/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml deleted file mode 100644 index b00b8cce83..0000000000 --- a/hack/lib/mesh_resources/authorization-policy-knative-serving.yaml +++ /dev/null 
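Review bot: `allow-traffic-to-activator` admits the whole `istio-system` namespace to the activator with no `to` or `principals` restriction, so any sidecar-injected workload in that namespace — not only the ingress gateway — can reach every Knative service through the activator. The tenant and test-namespace activator policies in this change are scoped by `hosts`, which makes this the broadest activator grant; if the gateway is the only intended caller, `principals: [ "<ingress-gateway-service-account, placeholder>" ]` under `source` would express that. Dropping `knative-eventing` from the list relative to the deleted file looks deliberate (per-sender eventing policies follow in PATCH 18), but a one-line comment saying so would stop someone re-adding it.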
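Review bot: `spec: { }` reads like a no-op, but an Istio AuthorizationPolicy with no `rules` and the default `ALLOW` action matches nothing and therefore denies all traffic to every workload in the namespace; that is the whole point of `deny-all-by-default.yaml` and deserves to be stated, e.g. `# Empty spec = ALLOW with no rules: matches nothing, so all traffic into this namespace is denied unless another policy allows it.` above each document. Every ALLOW policy in `setup/` and in the chart depends on this baseline being present, so the comment should also say the two documents must not be dropped (the deleted file kept them next to the allows, which made that obvious). This file also starts with a `---` separator while the sibling `setup/` files do not; harmless, but worth aligning.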
@@ -1,91 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: deny-all-by-default - namespace: knative-serving -spec: { } ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-autoscaler - namespace: knative-serving -spec: - selector: - matchLabels: - app: autoscaler - action: ALLOW - rules: - - from: - - source: - namespaces: [ "knative-serving" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "knative-serving", "knative-eventing", "istio-system" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-tenant-1-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "tenant-1" ] - to: - - operation: - hosts: [ "*.tenant-1.svc.cluster.local" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-tenant-2-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "tenant-2" ] - to: - - operation: - hosts: [ "*.tenant-2.svc.cluster.local" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "serverless-tests", "knative-eventing" ] - to: - - operation: - hosts: [ "*.serverless-tests.svc.cluster.local" ] diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml index 8e39fe4b09..1998e68a24 100644 
--- a/hack/lib/mesh_resources/peerauthentication.yaml +++ b/hack/lib/mesh_resources/peerauthentication.yaml @@ -18,15 +18,6 @@ spec: --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication -metadata: - name: default - namespace: serverless-tests -spec: - mtls: - mode: STRICT ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication metadata: name: default namespace: eventing-e2e0 diff --git a/hack/lib/mesh_resources/specific.yaml b/hack/lib/mesh_resources/specific.yaml new file mode 100644 index 0000000000..8b973b37f4 --- /dev/null +++ b/hack/lib/mesh_resources/specific.yaml @@ -0,0 +1,35 @@ +--- +# knative-eventing je navic +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "knative-serving", "knative-eventing", "istio-system" ] +--- +# knative-eventing je navic +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "serverless-tests", "knative-eventing" ] + to: + - operation: + hosts: [ "*.serverless-tests.svc.cluster.local" ] From e73888c7694f9e008523f13a81a72696959320e8 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Thu, 29 Jun 2023 09:22:53 +0200 Subject: [PATCH 18/42] Update helm chart for serverless-tests * Add specific authorization policies for traffic from eventing components to activator. --- .../helm-chart-serverless-tests.yaml | 203 +++++++++++++++--- 1 file changed, 173 insertions(+), 30 deletions(-) diff --git a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml index 4101f67861..099271796d 100644 
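Review bot: Both documents in `specific.yaml` reuse names that already exist in `knative-serving`: `allow-traffic-to-activator` is also defined in `setup/allow-traffic-to-activator.yaml` (without `knative-eventing`) and `allow-serverless-tests-to-activator` in `helm-chart-serverless-tests.yaml` (without `knative-eventing`). Same name and namespace means the last `apply` wins, so whether eventing pods may reach the activator depends on file ordering rather than on the policy set; give these distinct names (e.g. `allow-eventing-to-activator`) or fold the extra source into the canonical file. The comment `# knative-eventing je navic` is Czech; in English it would read `# knative-eventing is the additional source here`. The file name `specific.yaml` also says nothing about what it contains.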
--- a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml +++ b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml @@ -1,5 +1,5 @@ --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml # Allow imc-dispatcher to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy @@ -31,7 +31,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow imc-dispatcher to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -64,7 +64,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow imc-dispatcher to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -97,7 +97,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow imc-dispatcher to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -130,7 +130,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow imc-dispatcher to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -163,7 +163,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow imc-dispatcher to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -196,7 +196,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -229,7 +229,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -262,7 +262,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -295,7 +295,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -328,7 +328,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -361,7 +361,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-broker-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -394,7 +394,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -427,7 +427,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -460,7 +460,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -493,7 +493,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -526,7 +526,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -559,7 +559,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-channel-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -592,7 +592,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -625,7 +625,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -658,7 +658,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -691,7 +691,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -724,7 +724,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -757,7 +757,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow kafka-sink-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -790,7 +790,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from pingsource-mt-adapter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -823,7 +823,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from imc-dispatcher in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -856,7 +856,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from mt-broker-filter in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -889,7 +889,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from knative-kafka-source-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -922,7 +922,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from knative-kafka-broker-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 @@ -955,7 +955,7 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/allow-knative-sender-to-knative-receiver.yaml +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml --- # Allow broker-ingress to receive requests from knative-kafka-channel-data-plane in knative-eventing. apiVersion: security.istio.io/v1beta1 
@@ -988,6 +988,149 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +# Allow activator to receive requests from pingsource-mt-adapter in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-pingsource-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +--- +# Allow activator to receive requests from imc-dispatcher in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-imc-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +--- +# Allow activator to receive requests from mt-broker-filter in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-broker-filter-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +--- +# Allow activator to receive requests from knative-kafka-source-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-eks-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +--- +# Allow activator to receive requests from knative-kafka-broker-data-plane in knative-eventing. 
+apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekb-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- +# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml +--- +# Allow activator to receive requests from knative-kafka-channel-data-plane in knative-eventing. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-ekc-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] +--- # Source: knative-istio-authz-onboarding/templates/allow-knative-to-ns.yaml # Allow namespace serverless-tests to receive requests from Knative system components. apiVersion: security.istio.io/v1beta1 From 4646defc67995da089917453a114c2feaf83b94f Mon Sep 17 00:00:00 2001 
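Review bot: The six new activator policies select the workload with `app.kubernetes.io/component: "activator"`, whereas every other activator policy in this change (`allow-traffic-to-activator`, `allow-tenant-N-to-activator`, `allow-serverless-tests-to-activator`) uses `app: activator`. If the activator pods carry only one of those label keys — I cannot tell from the diff — the policies keyed on the other select nothing, and with `deny-all-by-default` in `knative-serving` the eventing → activator traffic these rules are meant to admit is silently denied; please confirm the pod labels and use one key consistently, e.g. `app: activator`. The `# Source:` headers indicate this file is rendered from a chart, so the fix belongs in the `allow-knative-eventing-sender-to-knative-serving-receiver.yaml` template rather than in the rendered output.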
From: Martin Gencur Date: Thu, 29 Jun 2023 14:31:30 +0200 Subject: [PATCH 19/42] Add policies for serving-tests ns for upstream tests --- .../allow-serving-tests-to-activator.yaml | 18 ++++++++++ .../allow-traffic-to-serving-tests.yaml | 12 +++++++ hack/lib/mesh_resources/specific.yaml | 35 ------------------- 3 files changed, 30 insertions(+), 35 deletions(-) create mode 100644 hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml create mode 100644 hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml delete mode 100644 hack/lib/mesh_resources/specific.yaml diff --git a/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml new file mode 100644 index 0000000000..2deede1395 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-activator + namespace: knative-serving +spec: + selector: + matchLabels: + app: activator + action: ALLOW + rules: + - from: + - source: + namespaces: [ "serving-tests" ] + to: + - operation: + hosts: [ "*.serving-tests.svc.cluster.local", "*.serving-tests", "*.serving-tests.svc" ] diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml new file mode 100644 index 0000000000..c62987c9f0 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-traffic-to-serving-tests + namespace: serving-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: ["serving-tests", "knative-serving", "istio-system"] 
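Review bot: `allow-serving-tests-to-activator` lists three host forms (`*.serving-tests.svc.cluster.local`, `*.serving-tests`, `*.serving-tests.svc`), while the parallel tenant and serverless-tests activator policies in this series list only the FQDN form. Istio evaluates `hosts` against the request's Host header, so the set of accepted forms decides which callers get through; if the upstream Serving tests address services by short name, that is worth a comment here, e.g. `# Upstream tests call services by short name, so accept all three host forms.`, and the other activator policies should be checked for the same need. `allow-traffic-to-serving-tests` is namespace-wide with no selector or principals, which matches the equivalent `allow-traffic-to-tenant-x` policies.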
diff --git a/hack/lib/mesh_resources/specific.yaml b/hack/lib/mesh_resources/specific.yaml deleted file mode 100644 index 8b973b37f4..0000000000 --- a/hack/lib/mesh_resources/specific.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# knative-eventing je navic -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "knative-serving", "knative-eventing", "istio-system" ] ---- -# knative-eventing je navic -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "serverless-tests", "knative-eventing" ] - to: - - operation: - hosts: [ "*.serverless-tests.svc.cluster.local" ] From a730da7dad56dfa6207f32285bfbbb0f895aa9e5 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Thu, 29 Jun 2023 14:32:01 +0200 Subject: [PATCH 20/42] PeerAuthentication for serving-tests --- hack/lib/mesh_resources/peerauthentication.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml index 1998e68a24..adc033dabf 100644 --- a/hack/lib/mesh_resources/peerauthentication.yaml +++ b/hack/lib/mesh_resources/peerauthentication.yaml @@ -78,3 +78,12 @@ metadata: spec: mtls: mode: STRICT +--- +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: serving-tests +spec: + mtls: + mode: STRICT From c5b4e5a16b2277b1bb591072949e57600ceaaa72 Mon Sep 17 00:00:00 2001 
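Review bot: The new `serving-tests` PeerAuthentication has no comment, unlike the `serverless-tests` one in the chart file, which explains that STRICT mTLS is what lets the authorization policies match on client identity; the `allow-*-serving-tests` policies added in PATCH 19 rely on exactly that. Suggest the same wording above this document: `# Enforce STRICT mTLS in serving-tests so that its authorization policies can match on source namespace and principal.`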
From: Martin Gencur Date: Fri, 30 Jun 2023 07:59:13 +0200 Subject: [PATCH 21/42] Workaround for OSSM-1397 --- hack/lib/mesh_resources/namespace.yaml | 4 ++++ test/serving.bash | 4 ++++ 2 files changed, 8 insertions(+)
diff --git a/hack/lib/mesh_resources/namespace.yaml b/hack/lib/mesh_resources/namespace.yaml
index b4fbcae53c..00c709e169 100644
--- a/hack/lib/mesh_resources/namespace.yaml
+++ b/hack/lib/mesh_resources/namespace.yaml
@@ -12,6 +12,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: serving-tests
+ labels:
+ maistra.io/member-of: istio-system
 ---
 apiVersion: v1
 kind: Namespace
@@ -22,6 +24,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: serverless-tests
+ labels:
+ maistra.io/member-of: istio-system
 ---
 # Additional namespaces for upgrade tests
 apiVersion: v1
diff --git a/test/serving.bash b/test/serving.bash
index 2c5983c542..d156784949 100644
--- a/test/serving.bash
+++ b/test/serving.bash
@@ -21,6 +21,10 @@ function prepare_knative_serving_tests {
 # Create test resources (namespaces, configMaps, secrets)
 oc apply -f test/config/cluster-resources.yaml
+ # Workaround for https://issues.redhat.com/browse/OSSM-1397
+ if [[ $FULL_MESH == "true" ]]; then
+ oc label namespace serving-tests maistra.io/member-of=istio-system --overwrite
+ fi
 oc apply -f test/config/test-resources.yaml
 # Adding scc for anyuid to test TestShouldRunAsUserContainerDefault.
 oc adm policy add-scc-to-user anyuid -z default -n serving-tests
From acae5fd8b59e6fb0b62ad5c66528e1b3ef0bbbc7 Mon Sep 17 00:00:00 2001
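Review bot: The `oc label namespace serving-tests maistra.io/member-of=istio-system --overwrite` step repeats what this same commit adds declaratively to serving-tests in hack/lib/mesh_resources/namespace.yaml, and the comment only links the issue, so a reader cannot tell whether the imperative step exists because `oc apply -f test/config/cluster-resources.yaml` on the line above re-applies the Namespace and can drop the label, or for another reason. I would make the comment say which, e.g. `# Workaround for https://issues.redhat.com/browse/OSSM-1397: cluster-resources.yaml re-applies the serving-tests Namespace, so restore the member-of label it may drop` (adjusted to the actual cause). Since `maistra.io/member-of` appears to be the label the mesh controller uses to mark member namespaces, forcing it with `--overwrite` also deserves a note that the value must match the control-plane namespace used in smmr.yaml. prepare_knative_serving_tests continues outside the hunk.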
From: Martin Gencur Date: Fri, 30 Jun 2023 08:14:54 +0200 Subject: [PATCH 22/42] Place webhook installation back after Serverless installation The webhook needs to be installed for both upstream Serving tests and downstream serverless-operator tests. Better to install it at the beginning. --- .../config/100-namespace.yaml | 7 ++ ...usterrole.yaml => 200-serviceaccount.yaml} | 22 ++++++ ...-service.yaml => 400-webhook-service.yaml} | 1 + ...on.yaml => 500-webhook-configuration.yaml} | 18 ++--- ...00-networkpolicy.yaml => 600-webhook.yaml} | 3 +- .../cluster-resources/100-namespace.yaml | 13 ---- .../300-clusterrolebinding.yaml | 29 ------- .../200-serviceaccount.yaml | 6 -- .../namespaced-resources/500-secret.yaml | 7 -- .../config/namespaced-resources/webhook.yaml | 76 ------------------ serving/metadata-webhook/config/webhook.yaml | 77 +++++++++++++++++++ test/e2e-tests.sh | 3 - test/upstream-e2e-tests.sh | 1 - 13 files changed, 114 insertions(+), 149 deletions(-) create mode 100644 serving/metadata-webhook/config/100-namespace.yaml rename serving/metadata-webhook/config/{cluster-resources/200-clusterrole.yaml => 200-serviceaccount.yaml} (76%) rename serving/metadata-webhook/config/{namespaced-resources/400-service.yaml => 400-webhook-service.yaml} (88%) rename serving/metadata-webhook/config/{cluster-resources/400-webhookconfiguration.yaml => 500-webhook-configuration.yaml} (57%) rename serving/metadata-webhook/config/{namespaced-resources/600-networkpolicy.yaml => 600-webhook.yaml} (83%) delete mode 100644 serving/metadata-webhook/config/cluster-resources/100-namespace.yaml delete mode 100644 serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml delete mode 100644 serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml delete mode 100644 serving/metadata-webhook/config/namespaced-resources/500-secret.yaml delete mode 100644 serving/metadata-webhook/config/namespaced-resources/webhook.yaml create mode 100644 
serving/metadata-webhook/config/webhook.yaml diff --git a/serving/metadata-webhook/config/100-namespace.yaml b/serving/metadata-webhook/config/100-namespace.yaml new file mode 100644 index 0000000000..5522b4a0be --- /dev/null +++ b/serving/metadata-webhook/config/100-namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: serving-tests + labels: + samples.knative.dev/release: devel + maistra.io/member-of: istio-system # Workaround for OSSM-1397 diff --git a/serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml b/serving/metadata-webhook/config/200-serviceaccount.yaml similarity index 76% rename from serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml rename to serving/metadata-webhook/config/200-serviceaccount.yaml index 1380264c88..a5e8a36204 100644 --- a/serving/metadata-webhook/config/cluster-resources/200-clusterrole.yaml +++ b/serving/metadata-webhook/config/200-serviceaccount.yaml @@ -1,3 +1,10 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: controller + namespace: serving-tests + labels: + samples.knative.dev/release: devel --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -37,3 +44,18 @@ aggregationRule: - matchLabels: samples.knative.dev/controller: "true" rules: [] # Rules are automatically filled in by the controller manager. +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: metadata-webhook-admin + labels: + samples.knative.dev/release: devel +subjects: + - kind: ServiceAccount + name: controller + namespace: serving-tests +roleRef: + kind: ClusterRole + name: metadata-webhook-admin + apiGroup: rbac.authorization.k8s.io 
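Review bot: The new ClusterRoleBinding in 200-serviceaccount.yaml grants metadata-webhook-admin cluster-wide to the `controller` ServiceAccount in serving-tests, and that ClusterRole's `rules: []` are filled by aggregation from every ClusterRole carrying `samples.knative.dev/controller: "true"`, so the SA's effective privilege is whatever any such labelled role in the cluster grants, now or later. That is acceptable for a test fixture but should be stated next to the binding, e.g. `# Aggregated role: any ClusterRole labelled samples.knative.dev/controller=true widens this SA's permissions cluster-wide`. The ClusterRole body between the two hunks is outside this view, so I cannot see what it grants directly.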
diff --git a/serving/metadata-webhook/config/namespaced-resources/400-service.yaml b/serving/metadata-webhook/config/400-webhook-service.yaml similarity index 88% rename from serving/metadata-webhook/config/namespaced-resources/400-service.yaml rename to serving/metadata-webhook/config/400-webhook-service.yaml index e7b32e0b7c..afa3fe1bfe 100644 --- a/serving/metadata-webhook/config/namespaced-resources/400-service.yaml +++ b/serving/metadata-webhook/config/400-webhook-service.yaml @@ -5,6 +5,7 @@ metadata: role: webhook samples.knative.dev/release: devel name: webhook + namespace: serving-tests spec: ports: - port: 443 diff --git a/serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml b/serving/metadata-webhook/config/500-webhook-configuration.yaml similarity index 57% rename from serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml rename to serving/metadata-webhook/config/500-webhook-configuration.yaml index 21cfa9dad8..e9fa5b147c 100644 --- a/serving/metadata-webhook/config/cluster-resources/400-webhookconfiguration.yaml +++ b/serving/metadata-webhook/config/500-webhook-configuration.yaml @@ -15,19 +15,11 @@ webhooks: sideEffects: None name: webhook.metadata-webhook.example.com --- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration +apiVersion: v1 +kind: Secret metadata: - name: webhook.metadata-webhook.example.com + name: webhook-certs + namespace: serving-tests labels: samples.knative.dev/release: devel -webhooks: - - admissionReviewVersions: - - v1beta1 - clientConfig: - service: - name: webhook - namespace: serverless-tests - failurePolicy: Fail - sideEffects: None - name: webhook.metadata-webhook.example.com +# The data is populated at install time. 
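Review bot: The `webhook-certs` Secret that replaces the second MutatingWebhookConfiguration is documented only by `# The data is populated at install time.`, which does not say which component writes the certificate material or whether re-running `kubectl apply -f ./config` (as the README now instructs) is expected to leave existing data untouched; both determine the RBAC the controller SA needs on secrets. I would replace it with something a reader can act on: `# Empty by design: TODO(review) name the component that writes the serving cert here and confirm re-applying this file does not clear it`. The surviving MutatingWebhookConfiguration (lines 1–14 of the file) is outside the hunk, so I cannot confirm its `clientConfig.service.namespace` now points at serving-tests.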
diff --git a/serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml b/serving/metadata-webhook/config/600-webhook.yaml similarity index 83% rename from serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml rename to serving/metadata-webhook/config/600-webhook.yaml index 8802ae2295..d27179cba8 100644 --- a/serving/metadata-webhook/config/namespaced-resources/600-networkpolicy.yaml +++ b/serving/metadata-webhook/config/600-webhook.yaml @@ -2,6 +2,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: metadata-webhook + namespace: serving-tests labels: app: webhook spec: @@ -9,4 +10,4 @@ spec: matchLabels: app: webhook ingress: - - {} + - {} diff --git a/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml b/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml deleted file mode 100644 index 83e448dcc7..0000000000 --- a/serving/metadata-webhook/config/cluster-resources/100-namespace.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: serving-tests - labels: - samples.knative.dev/release: devel ---- -apiVersion: v1 -kind: Namespace -metadata: - name: serverless-tests - labels: - samples.knative.dev/release: devel diff --git a/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml b/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml deleted file mode 100644 index 0b2fdf5166..0000000000 --- a/serving/metadata-webhook/config/cluster-resources/300-clusterrolebinding.yaml +++ /dev/null 
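Review bot: The NetworkPolicy in 600-webhook.yaml keeps `ingress: - {}`, an empty rule that admits traffic from every source to the webhook pod; the second hunk only re-indents it. If the open rule is there because the admission call comes from the API server, which a `podSelector`/`namespaceSelector` cannot name, a comment saying so would stop it from reading as an oversight: `# allow-all ingress on purpose: admission requests come from the API server, which pod/namespace selectors cannot identify`. Adding a `ports` entry for 8443 (the port the Deployment's probes use) would at least cut the exposure to the one port the webhook listens on. The Deployment itself is in webhook.yaml, not in this hunk.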
@@ -1,29 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metadata-webhook-admin - labels: - samples.knative.dev/release: devel -subjects: - - kind: ServiceAccount - name: controller - namespace: serving-tests -roleRef: - kind: ClusterRole - name: metadata-webhook-admin - apiGroup: rbac.authorization.k8s.io ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: metadata-webhook-admin - labels: - samples.knative.dev/release: devel -subjects: - - kind: ServiceAccount - name: controller - namespace: serverless-tests -roleRef: - kind: ClusterRole - name: metadata-webhook-admin - apiGroup: rbac.authorization.k8s.io diff --git a/serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml b/serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml deleted file mode 100644 index d77dc4dd1e..0000000000 --- a/serving/metadata-webhook/config/namespaced-resources/200-serviceaccount.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: controller - labels: - samples.knative.dev/release: devel diff --git a/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml b/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml deleted file mode 100644 index 653544878a..0000000000 --- a/serving/metadata-webhook/config/namespaced-resources/500-secret.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: webhook-certs - labels: - samples.knative.dev/release: devel -# The data is populated at install time. diff --git a/serving/metadata-webhook/config/namespaced-resources/webhook.yaml b/serving/metadata-webhook/config/namespaced-resources/webhook.yaml deleted file mode 100644 index f1cbac559e..0000000000 --- a/serving/metadata-webhook/config/namespaced-resources/webhook.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: webhook - labels: - samples.knative.dev/release: devel -spec: - replicas: 1 - selector: - matchLabels: - app: webhook - role: webhook - template: - metadata: - labels: - app: webhook - role: webhook - samples.knative.dev/release: devel - spec: - # To avoid node becoming SPOF, spread our replicas to different nodes. - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: webhook - topologyKey: kubernetes.io/hostname - weight: 100 - - serviceAccountName: controller - containers: - - name: webhook - image: registry.ci.openshift.org/knative/openshift-serverless-nightly:metadata-webhook - resources: - requests: - cpu: 20m - memory: 20Mi - limits: - cpu: 200m - memory: 200Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KUBERNETES_MIN_VERSION - value: v1.0.0 - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: METRICS_DOMAIN - value: knative.dev/samples - - name: WEBHOOK_NAME - value: webhook - - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - - readinessProbe: &probe - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - livenessProbe: *probe - - # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently - # high value that we respect whatever value it has configured for the lame duck grace period. - terminationGracePeriodSeconds: 300 diff --git a/serving/metadata-webhook/config/webhook.yaml b/serving/metadata-webhook/config/webhook.yaml new file mode 100644 index 0000000000..ac94a9d22b --- /dev/null +++ b/serving/metadata-webhook/config/webhook.yaml 
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: webhook + namespace: serving-tests + labels: + samples.knative.dev/release: devel +spec: + replicas: 1 + selector: + matchLabels: + app: webhook + role: webhook + template: + metadata: + labels: + app: webhook + role: webhook + samples.knative.dev/release: devel + spec: + # To avoid node becoming SPOF, spread our replicas to different nodes. + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app: webhook + topologyKey: kubernetes.io/hostname + weight: 100 + + serviceAccountName: controller + containers: + - name: webhook + image: registry.ci.openshift.org/knative/openshift-serverless-nightly:metadata-webhook + resources: + requests: + cpu: 20m + memory: 20Mi + limits: + cpu: 200m + memory: 200Mi + env: + - name: SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUBERNETES_MIN_VERSION + value: v1.0.0 + - name: CONFIG_LOGGING_NAME + value: config-logging + - name: METRICS_DOMAIN + value: knative.dev/samples + - name: WEBHOOK_NAME + value: webhook + + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + capabilities: + drop: + - all + + readinessProbe: &probe + periodSeconds: 1 + httpGet: + scheme: HTTPS + port: 8443 + httpHeaders: + - name: k-kubelet-probe + value: "webhook" + livenessProbe: *probe + + # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently + # high value that we respect whatever value it has configured for the lame duck grace period. + terminationGracePeriodSeconds: 300 diff --git a/test/e2e-tests.sh b/test/e2e-tests.sh index 223f2b3f91..55c3e0e783 100755 --- a/test/e2e-tests.sh +++ b/test/e2e-tests.sh 
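Review bot: The container's `securityContext` drops `all` in lower case; as far as I know the PodSecurity restricted profile checks for the literal `ALL`, so the pod may be rejected under that profile even though the intent is clear — `- ALL` is the safe spelling, and the same profile also expects `seccompProfile: type: RuntimeDefault`, which the Deployment does not set. The image is pinned only by the mutable tag `registry.ci.openshift.org/knative/openshift-serverless-nightly:metadata-webhook`; for a webhook that rewrites every test workload, recording the digest a run was validated against (`image: <registry/image>@<digest>`, placeholder) would make results reproducible and the supply chain auditable. A comment on the `env` block saying the webhook reads `SYSTEM_NAMESPACE` from its own namespace, now hard-coded as serving-tests in `metadata`, would also help, since the namespace move is the substance of this commit.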
@@ -15,9 +15,6 @@ dump_state.setup # test
 if [[ $FULL_MESH == "true" ]]; then
 # net-istio does not use knative-serving-ingress namespace.
 export INGRESS_NAMESPACE="knative-serving"
- # metadata-webhook adds istio annotations for e2e test by webhook.
- oc apply -f "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/serving/metadata-webhook/config/cluster-resources"
- oc apply -n serverless-tests -f "$(dirname "$(dirname "$(realpath "${BASH_SOURCE[0]}")")")/serving/metadata-webhook/config/namespaced-resources"
 else
 trust_router_ca
 fi
diff --git a/test/upstream-e2e-tests.sh b/test/upstream-e2e-tests.sh
index 00a037cbe8..2ed8fff3e9 100755
--- a/test/upstream-e2e-tests.sh
+++ b/test/upstream-e2e-tests.sh
@@ -45,7 +45,6 @@ if [[ $TEST_KNATIVE_E2E == true ]]; then
 if [[ $TEST_KNATIVE_EVENTING == true ]]; then
 upstream_knative_eventing_e2e
 fi
- fi
 [ -n "$OPENSHIFT_CI" ] && check_serverless_alerts
From 09098ef92c20a5c6168a055311ccb3edcd4cb0a2 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 30 Jun 2023 08:19:08 +0200 Subject: [PATCH 23/42] Workaround for OSSM-1397 --- hack/lib/mesh_resources/namespace.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hack/lib/mesh_resources/namespace.yaml b/hack/lib/mesh_resources/namespace.yaml
index 00c709e169..ee63c7f633 100644
--- a/hack/lib/mesh_resources/namespace.yaml
+++ b/hack/lib/mesh_resources/namespace.yaml
@@ -13,7 +13,7 @@ kind: Namespace
 metadata:
 name: serving-tests
 labels:
- maistra.io/member-of: istio-system
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
 ---
 apiVersion: v1
 kind: Namespace
@@ -25,7 +25,7 @@ kind: Namespace
 metadata:
 name: serverless-tests
 labels:
- maistra.io/member-of: istio-system
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
 ---
 # Additional namespaces for upgrade tests
 apiVersion: v1
From 9800a2bf9e69bef52669cde4be5ae0ae49bd3398 Mon Sep 17 00:00:00 2001
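Review bot: The upstream-e2e-tests.sh hunk deletes a `fi` while the hunk's context line `if [[ $TEST_KNATIVE_E2E == true ]]; then` still opens a block above it; if that outer `if` was closed by this `fi`, the script no longer parses, and if instead an earlier patch left a stray `fi` here, its opener is outside the hunk and the commit message (which is about where the webhook is installed) does not mention it. Please run `bash -n test/upstream-e2e-tests.sh` and state in the message why the `fi` goes. The e2e-tests.sh hunk is a clean reversal of the earlier install lines and needs no change.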
From: Martin Gencur Date: Fri, 30 Jun 2023 08:20:24 +0200 Subject: [PATCH 24/42] Fix readme for webhook --- serving/metadata-webhook/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/serving/metadata-webhook/README.md b/serving/metadata-webhook/README.md
index 0158a2e2af..81f3a8d4c1 100644
--- a/serving/metadata-webhook/README.md
+++ b/serving/metadata-webhook/README.md
@@ -12,8 +12,7 @@ Please install [Knative Serving](https://knative.dev/docs/install/).
 ### Deploy metadata-webhook
 ```
-$ kubectl apply -f ./config/cluster-resources
-$ kubectl apply -n serving-tests ./config/namespaced-resources
+$ kubectl apply -f ./config
 $ kubectl get pod -n serving-tests -w
 NAME READY STATUS RESTARTS AGE
From c4ddaf1789bc478cf0239ccece9e5e9c02fb184a Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 30 Jun 2023 09:47:39 +0200 Subject: [PATCH 25/42] Allow traffic from knative-serving to istio-system For DomainMapping test --- .../allow-traffic-to-istio-system.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
new file mode 100644
index 0000000000..a430f820e5
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-traffic-to-istio-system
+ namespace: istio-system
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["knative-serving"]
From 5665c679a8a16f22b8a632661d6d6ecb673249cc Mon Sep 17 00:00:00 2001
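Review bot: allow-traffic-to-istio-system has no `selector`, so it attaches to every workload in istio-system including the ingress gateway, and once a workload has an ALLOW policy Istio denies requests that match none of its ALLOW rules; external requests arriving at the gateway do not originate from `knative-serving`, so this policy denies them (patch 28 in this series removes it for exactly that reason). If knative-serving needs to reach something in istio-system for the DomainMapping test, the policy should carry a `selector` naming that target workload and, ideally, a `to` clause limiting the port. A comment stating the target would make the scope reviewable: `# scope: <target workload> only — a selector-less ALLOW in istio-system also denies gateway traffic` (placeholder for the workload).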
From: Martin Gencur Date: Fri, 30 Jun 2023 12:00:13 +0200 Subject: [PATCH 26/42] Add peerauthentication for knative-serving --- hack/lib/mesh_resources/peerauthentication.yaml | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml
index adc033dabf..81b59ca46b 100644
--- a/hack/lib/mesh_resources/peerauthentication.yaml
+++ b/hack/lib/mesh_resources/peerauthentication.yaml
@@ -9,6 +9,15 @@ spec:
 ---
 apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
+metadata:
+ name: default
+ namespace: knative-serving
+spec:
+ mtls:
+ mode: STRICT
+---
+apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
 metadata:
 name: default
 namespace: knative-eventing
From b9e75715b2effab4aac2c363549c01204c54a191 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 30 Jun 2023 14:00:42 +0200 Subject: [PATCH 27/42] TMP: Try removing deny-all-by-defautl for Serving --- .../authorization-policies/setup/deny-all-by-default.yaml | 7 ------- 1 file changed, 7 deletions(-)
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
index d56c77dadd..5e74d971f4 100644
--- a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
@@ -5,10 +5,3 @@ metadata:
 name: deny-all-by-default
 namespace: knative-eventing
 spec: { }
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: deny-all-by-default
- namespace: knative-serving
-spec: { }
From a0b48d5328b927530b384d7e57363ecef725ca4a Mon Sep 17 00:00:00 2001
From: Martin Gencur Date: Fri, 30 Jun 2023 14:49:09 +0200 Subject: [PATCH 28/42] Remove allow-traffic-to-istio-system as it breaks all traffic for Serving --- .../allow-traffic-to-istio-system.yaml | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
deleted file mode 100644
index a430f820e5..0000000000
--- a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-istio-system.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-traffic-to-istio-system
- namespace: istio-system
-spec:
- action: ALLOW
- rules:
- - from:
- - source:
- namespaces: ["knative-serving"]
From 65b4310b15899cef02beebc77cfa539ba55458d6 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 30 Jun 2023 15:02:11 +0200 Subject: [PATCH 29/42] Put back deny-all-by-default for serving --- .../authorization-policies/setup/deny-all-by-default.yaml | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
index 5e74d971f4..d56c77dadd 100644
--- a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml
@@ -5,3 +5,10 @@ metadata:
 name: deny-all-by-default
 namespace: knative-eventing
 spec: { }
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: deny-all-by-default
+ namespace: knative-serving
+spec: { }
From 21518a982ac679e1d54f6cecb77d59a3b7cdbec1 Mon Sep 17 00:00:00 2001
From: Martin Gencur Date: Mon, 3 Jul 2023 12:22:27 +0200 Subject: [PATCH 30/42] serving-tests-alt Workaround for OSSM-1397 --- hack/lib/mesh_resources/namespace.yaml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/hack/lib/mesh_resources/namespace.yaml b/hack/lib/mesh_resources/namespace.yaml
index ee63c7f633..8ad77a0d4b 100644
--- a/hack/lib/mesh_resources/namespace.yaml
+++ b/hack/lib/mesh_resources/namespace.yaml
@@ -19,6 +19,8 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: serving-tests-alt
+ labels:
+ maistra.io/member-of: istio-system # Workaround for OSSM-1397
 ---
 apiVersion: v1
 kind: Namespace
From 37ee464242c4ab1b7fe8e47602d662fd9b8e4845 Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Mon, 3 Jul 2023 15:19:32 +0200 Subject: [PATCH 31/42] Update authorization policies for istio-system --- hack/lib/mesh.bash | 15 +++++++++++++++ .../allow-to-istio-system.yaml | 12 ++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml
diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash
index 633f61454c..a8f0a053d6 100644
--- a/hack/lib/mesh.bash
+++ b/hack/lib/mesh.bash
@@ -121,6 +121,20 @@ function deploy_gateways {
 oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
 oc apply -f "${resources_dir}"/authorization-policies || return $?
+ cat <<-EOF | oc apply -f -
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-traffic-to-cluster-domain
+ namespace: istio-system
+spec:
+ action: ALLOW
+ rules:
+ - to:
+ - operation:
+ hosts: [ "*.${subdomain}" ]
+EOF
 oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
 oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
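Review bot: The inline allow-traffic-to-cluster-domain policy is selector-less in istio-system, so it attaches to every workload there, and its only condition is `hosts`, which Istio compares against the request's Host/:authority header — a value the caller chooses — so it grants access by requested hostname rather than by caller identity, and any istio-system workload receiving requests for other hosts is denied once this ALLOW exists. A `selector` for the gateway workload that actually serves `*.${subdomain}` would keep it from touching istiod and the rest of the namespace. Because this policy is created inline while the others live as files under authorization-policies, `undeploy_gateways` has to delete it by name (the next hunk does); a comment tying the two together, `# created inline because it depends on ${subdomain}; deleted by name in undeploy_gateways`, would keep them in sync. `subdomain` is defined outside the hunk.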
@@ -133,6 +147,7 @@ function undeploy_gateways {
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
 oc delete -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml --ignore-not-found || return $?
 done
+ oc delete authorizationpolicy allow-traffic-to-cluster-domain -n istio-system --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/authorization-policies --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/authorization-policies/setup --ignore-not-found || return $?
 oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml b/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml
new file mode 100644
index 0000000000..a430f820e5
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-traffic-to-istio-system
+ namespace: istio-system
+spec:
+ action: ALLOW
+ rules:
+ - from:
+ - source:
+ namespaces: ["knative-serving"]
From ef2b93720a97dbcabbb05f33608544d85ee20791 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Thu, 6 Jul 2023 08:54:28 +0200 Subject: [PATCH 32/42] Update mesh resources --- Makefile | 1 + hack/lib/mesh.bash | 27 +++-- .../allow-to-istio-system.yaml | 12 --- .../helm-chart-serverless-tests.yaml | 23 ++--- .../mesh_resources/peerauthentication.yaml | 98 ------------------- hack/lib/mesh_resources/smcp.yaml | 8 ++ test/extensione2erekt/main_test.go | 2 + 7 files changed, 36 insertions(+), 135 deletions(-) delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml delete mode 100644 hack/lib/mesh_resources/peerauthentication.yaml
diff --git a/Makefile b/Makefile
index 95baf74684..5b73f5e83e 100644
--- a/Makefile
+++ b/Makefile
@@ -25,6 +25,7 @@ install-serving:
 INSTALL_EVENTING="false" ./hack/install.sh
 install-serving-with-mesh:
+ FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh
 FULL_MESH=true SCALE_UP=4 INSTALL_SERVING=true INSTALL_EVENTING="false" ./hack/install.sh
 install-eventing:
diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash
index a8f0a053d6..a766353fdd 100644
--- a/hack/lib/mesh.bash
+++ b/hack/lib/mesh.bash
@@ -117,23 +117,22 @@ function deploy_gateways {
 oc apply -f "${resources_dir}"/namespace.yaml || return $?
 oc apply -f "${resources_dir}"/smmr.yaml || return $?
 oc apply -f "${resources_dir}"/gateway.yaml || return $?
- oc apply -f "${resources_dir}"/peerauthentication.yaml || return $?
 oc apply -f "${resources_dir}"/authorization-policies/setup || return $?
 oc apply -f "${resources_dir}"/authorization-policies || return $?
- cat <<-EOF | oc apply -f -
-apiVersion: security.istio.io/v1beta1
-kind: AuthorizationPolicy
-metadata:
- name: allow-traffic-to-cluster-domain
- namespace: istio-system
-spec:
- action: ALLOW
- rules:
- - to:
- - operation:
- hosts: [ "*.${subdomain}" ]
-EOF
+# cat <<-EOF | oc apply -f -
+#apiVersion: security.istio.io/v1beta1
+#kind: AuthorizationPolicy
+#metadata:
+# name: allow-traffic-to-cluster-domain
+# namespace: istio-system
+#spec:
+# action: ALLOW
+# rules:
+# - to:
+# - operation:
+# hosts: [ "*.${subdomain}" ]
+#EOF
 oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $?
 for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do
diff --git a/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml b/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml
deleted file mode 100644
index a430f820e5..0000000000
--- a/hack/lib/mesh_resources/authorization-policies/allow-to-istio-system.yaml
+++ /dev/null
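Review bot: This commit deletes hack/lib/mesh_resources/peerauthentication.yaml and drops its `oc apply`, but `undeploy_gateways` (untouched by this patch; see the previous patch's hunk) still runs `oc delete -f "${resources_dir}"/peerauthentication.yaml --ignore-not-found || return $?`, and `--ignore-not-found` covers missing objects, not a missing file, so as far as I can tell undeploy now returns early at that line and the deletes after it never run — that line should go as well. The heredoc turned into thirteen `#`-prefixed lines is dead code; since undeploy still removes allow-traffic-to-cluster-domain by name, either delete the block or replace it with a one-line `# allow-traffic-to-cluster-domain is no longer created (<reason>)`, placeholder for the reason. deploy_gateways continues outside the hunk.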
@@ -1,12 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-istio-system - namespace: istio-system -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: ["knative-serving"] diff --git a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml index 099271796d..96c108b67d 100644 --- a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml +++ b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml @@ -1339,14 +1339,15 @@ spec: - "/serverless-tests/*" methods: [ "POST" ] --- -# Source: knative-istio-authz-onboarding/templates/peer-authentication.yaml -# Enforce peer authentication to be mTLS in the namespace serverless-tests, so that we can define -# authorization policies based on client and server identities. -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: default - namespace: serverless-tests -spec: - mtls: - mode: STRICT +## WE PROBABLY DO NOT NEED THIS +## Source: knative-istio-authz-onboarding/templates/peer-authentication.yaml +## Enforce peer authentication to be mTLS in the namespace serverless-tests, so that we can define +## authorization policies based on client and server identities. +#apiVersion: security.istio.io/v1beta1 +#kind: PeerAuthentication +#metadata: +# name: default +# namespace: serverless-tests +#spec: +# mtls: +# mode: STRICT diff --git a/hack/lib/mesh_resources/peerauthentication.yaml b/hack/lib/mesh_resources/peerauthentication.yaml deleted file mode 100644 index 81b59ca46b..0000000000 --- a/hack/lib/mesh_resources/peerauthentication.yaml +++ /dev/null 
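Review bot: Commenting out the serverless-tests PeerAuthentication in helm-chart-serverless-tests.yaml under `## WE PROBABLY DO NOT NEED THIS` removes the guarantee the file's own comment describes — policies "based on client and server identities" only see a caller identity when the peer connection is mTLS, and without a namespace or mesh-wide STRICT setting sidecars fall back to PERMISSIVE and accept plaintext calls that carry no identity. If the `spec.security.dataPlane.mtls: true` added to smcp.yaml in this same commit is what now enforces STRICT mesh-wide, say so here instead of the guess, e.g. `# PeerAuthentication not needed: strict data-plane mTLS is enforced mesh-wide by smcp.yaml (security.dataPlane.mtls)`, and drop the dead block; if it is not, keep the resource. The policies that reference these identities start before this hunk.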
@@ -1,98 +0,0 @@
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: istio-system
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: knative-serving
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: knative-eventing
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e0
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e1
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e2
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e3
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: eventing-e2e4
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: tenant-1
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: tenant-2
-spec:
- mtls:
- mode: STRICT
----
-apiVersion: security.istio.io/v1beta1
-kind: PeerAuthentication
-metadata:
- name: default
- namespace: serving-tests
-spec:
- mtls:
- mode: STRICT
diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml
index ccfb138609..65bc192c6a 100644
--- a/hack/lib/mesh_resources/smcp.yaml
+++ b/hack/lib/mesh_resources/smcp.yaml
@@ -4,6 +4,13 @@ metadata: name: basic namespace: istio-system spec: + security: + dataPlane: + mtls: true + techPreview: + meshConfig: + defaultConfig: + terminationDrainDuration: 35s profiles: - default proxy: @@ -12,6 +19,7 @@ spec: inbound: excludedPorts: - 8444 + - 8022 accessLogging: file: name: /dev/stdout diff --git a/test/extensione2erekt/main_test.go b/test/extensione2erekt/main_test.go index 4838fd094e..8862e869f4 100644 --- a/test/extensione2erekt/main_test.go +++ b/test/extensione2erekt/main_test.go @@ -4,6 +4,7 @@ import ( "context" "os" "testing" + "time" "knative.dev/eventing/test/rekt/resources/channel_impl" "knative.dev/pkg/system" @@ -34,6 +35,7 @@ func defaultEnvironment(t *testing.T) (context.Context, environment.Environment) k8s.WithEventListener, // Enables KnativeService in the scenario. eventshub.WithKnativeServiceForwarder, + environment.WithPollTimings(5*time.Second, 4*time.Minute), environment.Managed(t), ) } From 09dc9831e0c941f1f444b2d5e6f5eb076add7d4b Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Tue, 18 Jul 2023 13:22:49 +0200 Subject: [PATCH 33/42] Run tests with less parallel --- test/serving.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/serving.bash b/test/serving.bash index d156784949..a1513737bb 100644 --- a/test/serving.bash +++ b/test/serving.bash @@ -83,7 +83,7 @@ function upstream_knative_serving_e2e_and_conformance_tests { mv ./test/e2e/autoscale_test.go ./test/e2e/autoscale_test.backup - SYSTEM_NAMESPACE="$SERVING_NAMESPACE" go_test_e2e -tags="e2e" -timeout=30m -parallel=$parallel \ + SYSTEM_NAMESPACE="$SERVING_NAMESPACE" go_test_e2e -tags="e2e" -timeout=30m -parallel=2 \ ./test/e2e ./test/conformance/api/... ./test/conformance/runtime/... \ ./test/e2e/domainmapping \ ./test/e2e/initcontainers \ From 15d8ce73047c478b832b4459a6fd4bd9120edb26 Mon Sep 17 00:00:00 2001 
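Review bot: The new `- 8022` entry under `proxy.networking.trafficControl.inbound.excludedPorts` carries no comment saying what listens on that port, and the existing `- 8444` has none either. Inbound ports excluded here bypass the sidecar entirely, so traffic to them is covered neither by the `security.dataPlane.mtls: true` setting added at the top of the same hunk nor by any AuthorizationPolicy; a one-line comment per port, e.g. `# 8022: <component/port purpose> — reached without the sidecar, so no mTLS/authz applies here`, keeps the exemption auditable. Presumably 8022 is a Knative queue-proxy port — confirm and document.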
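Review bot: `-parallel=2` hard-codes the value and leaves the `parallel=` computation earlier in the function (outside this hunk) dead. If the reduction is meant to be unconditional, remove that computation too; otherwise keep `-parallel=$parallel` and lower the variable under the condition that actually needs it. The function upstream_knative_serving_e2e_and_conformance_tests starts outside the hunk.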
From: Reto Lehmann Date: Tue, 18 Jul 2023 16:19:13 +0200 Subject: [PATCH 34/42] Disable IOR to fix `TestBYOCertificate` --- hack/lib/mesh_resources/smcp.yaml | 7 +++---- serving/metadata-webhook/pkg/defaults/ksvc_defaults.go | 2 +- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml index 65bc192c6a..ab33d1a6bb 100644 --- a/hack/lib/mesh_resources/smcp.yaml +++ b/hack/lib/mesh_resources/smcp.yaml @@ -7,10 +7,9 @@ spec: security: dataPlane: mtls: true - techPreview: - meshConfig: - defaultConfig: - terminationDrainDuration: 35s + gateways: + openshiftRoute: + enabled: false profiles: - default proxy: diff --git a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go index 52e34eb941..1cf4d27870 100644 --- a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go +++ b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go @@ -16,7 +16,7 @@ const ( holdApplicationUntilProxyStarts = `{ "holdApplicationUntilProxyStarts": true }` maistraProxyEnv = "sidecar.maistra.io/proxyEnv" - terminationDrainDuration = `{ "TERMINATION_DRAIN_DURATION_SECONDS": "20" }` + terminationDrainDuration = `{ "TERMINATION_DRAIN_DURATION_SECONDS": "45" }` ) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object From 6295576be4500dd92b8ba9a124a4f6e9f292a4dc Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Wed, 19 Jul 2023 07:58:33 +0200 Subject: [PATCH 35/42] Use `techPreview.meshConfig.defaultConfig.terminationDrainDuration` instead of env variable --- hack/lib/mesh_resources/smcp.yaml | 4 ++++ serving/metadata-webhook/pkg/defaults/ksvc_defaults.go | 4 ---- serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go | 3 --- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml index ab33d1a6bb..6fa4a14ffa 100644 --- a/hack/lib/mesh_resources/smcp.yaml 
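Review bot: Besides the `gateways.openshiftRoute.enabled: false` that the subject describes, the smcp.yaml hunk above also deletes the `techPreview.meshConfig.defaultConfig.terminationDrainDuration: 35s` block, and the ksvc_defaults.go hunk in the same commit raises `TERMINATION_DRAIN_DURATION_SECONDS` from 20 to 45; neither change is mentioned in the commit message. Dropping the mesh default while raising the per-pod env value changes drain behaviour for every injected workload, so the relation between the two numbers (and, presumably, the pod's terminationGracePeriodSeconds that the drain has to fit under) should be recorded, e.g. above the constant: `// 45s: keep below the revision's terminationGracePeriodSeconds; the SMCP no longer sets a mesh-wide drain duration`. The const block in ksvc_defaults.go starts outside the hunk.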
+++ b/hack/lib/mesh_resources/smcp.yaml @@ -12,6 +12,10 @@ spec: enabled: false profiles: - default + techPreview: + meshConfig: + defaultConfig: + terminationDrainDuration: 35s proxy: networking: trafficControl: diff --git a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go index 1cf4d27870..e61197b29d 100644 --- a/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go +++ b/serving/metadata-webhook/pkg/defaults/ksvc_defaults.go @@ -14,9 +14,6 @@ const ( sidecarrewriteAppHTTPProbers = "sidecar.istio.io/rewriteAppHTTPProbers" proxyIstioConfig = "proxy.istio.io/config" holdApplicationUntilProxyStarts = `{ "holdApplicationUntilProxyStarts": true }` - - maistraProxyEnv = "sidecar.maistra.io/proxyEnv" - terminationDrainDuration = `{ "TERMINATION_DRAIN_DURATION_SECONDS": "45" }` ) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object @@ -46,7 +43,6 @@ func (r *TargetKService) SetDefaults(ctx context.Context) { r.Spec.Template.Annotations[sidecarInject] = "true" r.Spec.Template.Annotations[sidecarrewriteAppHTTPProbers] = "true" - r.Spec.Template.Annotations[maistraProxyEnv] = terminationDrainDuration r.Spec.Template.Annotations[proxyIstioConfig] = holdApplicationUntilProxyStarts } diff --git a/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go b/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go index e858294376..e78c311775 100644 --- a/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go +++ b/serving/metadata-webhook/pkg/defaults/ksvc_defaults_test.go @@ -33,7 +33,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { proxyIstioConfig: holdApplicationUntilProxyStarts, sidecarInject: "true", sidecarrewriteAppHTTPProbers: "true", - maistraProxyEnv: terminationDrainDuration, }, }, }, 
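Review bot: With `r.Spec.Template.Annotations[maistraProxyEnv] = terminationDrainDuration` removed, SetDefaults no longer sets a per-revision drain duration and the value now comes only from `techPreview.meshConfig.defaultConfig.terminationDrainDuration` in smcp.yaml. The webhook only adds annotations, so revisions created under the previous webhook presumably keep their `sidecar.maistra.io/proxyEnv` annotation and continue to override the mesh default until they are redeployed — worth stating in the commit message or in a comment at the top of SetDefaults, e.g. `// Drain duration is configured mesh-wide in the SMCP; no per-pod proxyEnv override is added here.` SetDefaults starts outside the hunk.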
@@ -57,7 +56,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { Annotations: map[string]string{ sidecarInject: "false", sidecarrewriteAppHTTPProbers: "false", - maistraProxyEnv: `{ "TERMINATION_DRAIN_DURATION_SECONDS": "5" }`, }, }, }, @@ -80,7 +78,6 @@ func TestTargetKServiceDefaulting(t *testing.T) { proxyIstioConfig: holdApplicationUntilProxyStarts, sidecarInject: "true", sidecarrewriteAppHTTPProbers: "true", - maistraProxyEnv: terminationDrainDuration, }, }, }, From 70e6ce3bb0be3a88ebee4ca1c6cef8d32e39e901 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Wed, 19 Jul 2023 08:46:27 +0200 Subject: [PATCH 36/42] Reduce parallelism only on mesh tests --- test/serving.bash | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/test/serving.bash b/test/serving.bash index a1513737bb..093df2533c 100644 --- a/test/serving.bash +++ b/test/serving.bash @@ -81,9 +81,15 @@ function upstream_knative_serving_e2e_and_conformance_tests { parallel=2 fi + if [[ $FULL_MESH == "true" ]]; then + # reconfiguring istio-proxies is flaky on too much parallelism, + # random pods will fail to start with `PostStartHook failed` + parallel=8 + fi + mv ./test/e2e/autoscale_test.go ./test/e2e/autoscale_test.backup - SYSTEM_NAMESPACE="$SERVING_NAMESPACE" go_test_e2e -tags="e2e" -timeout=30m -parallel=2 \ + SYSTEM_NAMESPACE="$SERVING_NAMESPACE" go_test_e2e -tags="e2e" -timeout=30m -parallel=$parallel \ ./test/e2e ./test/conformance/api/... ./test/conformance/runtime/... \ ./test/e2e/domainmapping \ ./test/e2e/initcontainers \ From 310f1848b535f1dddb47d919dff652745a8ce3f3 Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Wed, 19 Jul 2023 10:22:21 +0200 Subject: [PATCH 37/42] Use annotation to omit IOR OCP route creation --- hack/generate/csv.sh | 3 ++- hack/lib/mesh_resources/smcp.yaml | 3 --- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/hack/generate/csv.sh b/hack/generate/csv.sh index af90ff371b..62d913ff04 100755 --- a/hack/generate/csv.sh 
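Review bot: The new `if [[ $FULL_MESH == "true" ]]` block assigns `parallel=8` unconditionally, so it also overrides the `parallel=2` set by the preceding conditional (whose condition lies outside the hunk) — a run that is both mesh-enabled and subject to that earlier reduction ends up with more parallelism, not less. If the intent is a ceiling, write `if [[ $FULL_MESH == "true" && $parallel -gt 8 ]]; then parallel=8; fi`, or place the mesh branch before the other one. The comment names the symptom (`PostStartHook failed`) but not why 8 is the chosen bound; a pointer to the measurement or tracking issue would help the next person who tunes it. The function upstream_knative_serving_e2e_and_conformance_tests starts outside the hunk.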
+++ b/hack/generate/csv.sh @@ -76,7 +76,8 @@ function default_knative_ingress_images() { export KNATIVE_KOURIER_GATEWAY=${KNATIVE_KOURIER_GATEWAY:-"quay.io/maistra-dev/proxyv2-ubi8:$(metadata.get dependencies.maistra)"} knative_istio="$(metadata.get dependencies.net_istio)" - export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"${registry}/net-istio-controller:${knative_istio}"} +# export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"${registry}/net-istio-controller:${knative_istio}"} + export KNATIVE_ISTIO_CONTROLLER="quay.io/rlehmann/net-istio:maistra-fix" export KNATIVE_ISTIO_WEBHOOK=${KNATIVE_ISTIO_WEBHOOK:-"${registry}/net-istio-webhook:${knative_istio}"} } diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml index 6fa4a14ffa..26026a4cef 100644 --- a/hack/lib/mesh_resources/smcp.yaml +++ b/hack/lib/mesh_resources/smcp.yaml @@ -7,9 +7,6 @@ spec: security: dataPlane: mtls: true - gateways: - openshiftRoute: - enabled: false profiles: - default techPreview: From 85f9b571cc1fb645ca6a3251ae1c9bb83cb84cef Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Thu, 20 Jul 2023 14:50:25 +0200 Subject: [PATCH 38/42] Use specific labels for Knative gateways to omit conflict (SRVCOM-2356) --- hack/lib/mesh_resources/gateway.yaml | 4 ++-- hack/lib/mesh_resources/smcp.yaml | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/hack/lib/mesh_resources/gateway.yaml b/hack/lib/mesh_resources/gateway.yaml index 1d4696046d..0c10b61ed8 100644 --- a/hack/lib/mesh_resources/gateway.yaml +++ b/hack/lib/mesh_resources/gateway.yaml @@ -5,7 +5,7 @@ metadata: namespace: knative-serving spec: selector: - istio: ingressgateway + knative: ingressgateway servers: - port: number: 443 @@ -24,7 +24,7 @@ metadata: namespace: knative-serving spec: selector: - istio: ingressgateway + knative: ingressgateway servers: - port: number: 8081 
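Review bot: `export KNATIVE_ISTIO_CONTROLLER="quay.io/rlehmann/net-istio:maistra-fix"` pins the CSV's net-istio controller image to a personal quay.io account with a mutable tag and no digest, and removes the `${KNATIVE_ISTIO_CONTROLLER:-...}` override that every other image in this function still honours. Anything generated from this script now pulls an image whose content can change outside the project's build pipeline and that cannot be redirected from the environment. If a temporary fork is unavoidable, keep the override form, `export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"quay.io/rlehmann/net-istio:maistra-fix"}`, reference the image by digest, and mark it with `# TODO(<tracking issue>): revert to ${registry}/net-istio-controller once the fix lands upstream` rather than leaving the original line commented out. The function default_knative_ingress_images starts outside the hunk.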
diff --git a/hack/lib/mesh_resources/smcp.yaml b/hack/lib/mesh_resources/smcp.yaml index 26026a4cef..e16104f408 100644 --- a/hack/lib/mesh_resources/smcp.yaml +++ b/hack/lib/mesh_resources/smcp.yaml @@ -13,6 +13,12 @@ spec: meshConfig: defaultConfig: terminationDrainDuration: 35s + gateways: + ingress: + service: + metadata: + labels: + knative: ingressgateway proxy: networking: trafficControl: From 183c353e38684668aa696d783755a9ccb637513a Mon Sep 17 00:00:00 2001 
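Review bot: The `knative: ingressgateway` label is added under `gateways.ingress.service.metadata.labels`, i.e. on the ingress gateway Service, while the two Gateway resources in gateway.yaml (previous hunks of this commit) now use `knative: ingressgateway` in `spec.selector`, which in Istio matches the gateway workload's pod labels rather than Service labels. Unless the SMCP operator propagates these service labels onto the gateway pods, the Gateways would select nothing; confirm against the operator's behaviour, and if it does not, put the label on the gateway deployment/pod template instead. A comment next to the label, e.g. `# selected by the Knative Gateways in gateway.yaml (spec.selector)`, would make the coupling between the two files visible.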
From: Reto Lehmann Date: Thu, 20 Jul 2023 15:00:44 +0200 Subject: [PATCH 39/42] Use updated resources from openshift-knative/knative-istio-authz-chart --- .../authorization-policies/README.md | 12 + .../allow-serving-tests-to-activator.yaml | 18 - .../allow-tenant-x-to-activator.yaml | 36 - .../allow-traffic-to-serving-tests.yaml | 12 - .../allow-traffic-to-tenant-x.yaml | 24 - .../helm-chart-serverless-tests.yaml | 1353 ----------------- .../helm-serving-tests.yaml | 543 +++++++ .../authorization-policies/helm-tenant-1.yaml | 543 +++++++ .../authorization-policies/helm-tenant-2.yaml | 543 +++++++ .../serverless-tests.yaml | 543 +++++++ ...t.yaml => common-deny-all-by-default.yaml} | 0 ...-mt-channel-based-broker-to-channels.yaml} | 0 ...venting-allow-probe-kafka-controller.yaml} | 0 ...> serving-allow-traffic-to-activator.yaml} | 0 ... serving-allow-traffic-to-autoscaler.yaml} | 0 15 files changed, 2184 insertions(+), 1443 deletions(-) create mode 100644 hack/lib/mesh_resources/authorization-policies/README.md delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml delete mode 100644 hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml delete mode 100644 hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml create mode 100644 hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml create mode 100644 hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml create mode 100644 hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml create mode 100644 hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml rename hack/lib/mesh_resources/authorization-policies/setup/{deny-all-by-default.yaml => common-deny-all-by-default.yaml} 
(100%) rename hack/lib/mesh_resources/authorization-policies/setup/{allow-mt-channel-based-broker-to-channels.yaml => eventing-allow-mt-channel-based-broker-to-channels.yaml} (100%) rename hack/lib/mesh_resources/authorization-policies/setup/{allow-probe-kafka-controller.yaml => eventing-allow-probe-kafka-controller.yaml} (100%) rename hack/lib/mesh_resources/authorization-policies/setup/{allow-traffic-to-activator.yaml => serving-allow-traffic-to-activator.yaml} (100%) rename hack/lib/mesh_resources/authorization-policies/setup/{allow-traffic-to-autoscaler.yaml => serving-allow-traffic-to-autoscaler.yaml} (100%) diff --git a/hack/lib/mesh_resources/authorization-policies/README.md b/hack/lib/mesh_resources/authorization-policies/README.md new file mode 100644 index 0000000000..e6b776790a --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/README.md @@ -0,0 +1,12 @@ +The resources in this folder are based on https://github.com/openshift-knative/knative-istio-authz-chart. +`setup` can be copied 1:1, the other ones are generated using the helm generator: + +```bash +helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-1" --set "namespaces={tenant-1}" > helm-tenant-1.yaml + +helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=tenant-2" --set "namespaces={tenant-2}" > helm-tenant-2.yaml + +helm template oci://quay.io/pierdipi/knative-istio-authz-onboarding --version 0.1.0 --set "name=serving-tests" --set "namespaces={serving-tests}" > helm-serving-tests.yaml +``` + + diff --git a/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml deleted file mode 100644 index 2deede1395..0000000000 --- a/hack/lib/mesh_resources/authorization-policies/allow-serving-tests-to-activator.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serving-tests-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "serving-tests" ] - to: - - operation: - hosts: [ "*.serving-tests.svc.cluster.local", "*.serving-tests", "*.serving-tests.svc" ] diff --git a/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml deleted file mode 100644 index e7d9d6dfd1..0000000000 --- a/hack/lib/mesh_resources/authorization-policies/allow-tenant-x-to-activator.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-tenant-1-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "tenant-1" ] - to: - - operation: - hosts: [ "*.tenant-1.svc.cluster.local" ] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-tenant-2-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: [ "tenant-2" ] - to: - - operation: - hosts: [ "*.tenant-2.svc.cluster.local" ] diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml deleted file mode 100644 index c62987c9f0..0000000000 --- a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-serving-tests.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-serving-tests - namespace: serving-tests -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: ["serving-tests", "knative-serving", "istio-system"] diff --git a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml b/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml deleted file mode 100644 index 37ba49a576..0000000000 --- a/hack/lib/mesh_resources/authorization-policies/allow-traffic-to-tenant-x.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-tenant-1 - namespace: tenant-1 -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: ["tenant-1", "knative-serving", "istio-system"] ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-traffic-to-tenant-2 - namespace: tenant-2 -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: ["tenant-2", "knative-serving", "istio-system"] diff --git a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml deleted file mode 100644 index 96c108b67d..0000000000 --- a/hack/lib/mesh_resources/authorization-policies/helm-chart-serverless-tests.yaml +++ /dev/null 
@@ -1,1353 +0,0 @@ ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml -# Allow imc-dispatcher to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow imc-dispatcher to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow imc-dispatcher to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow imc-dispatcher to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow imc-dispatcher to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow imc-dispatcher to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-imc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-broker-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-ekb - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-channel-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-ekc - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow kafka-sink-receiver to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-eks - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-eventing-receiver.yaml ---- -# Allow broker-ingress to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-broker-ingress - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml -# Allow activator to receive requests from pingsource-mt-adapter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-pingsource-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml ---- -# Allow activator to receive requests from imc-dispatcher in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/imc-dispatcher" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml ---- -# Allow activator to receive requests from mt-broker-filter in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-broker-filter-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/mt-broker-filter" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml ---- -# Allow activator to receive requests from knative-kafka-source-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-eks-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml ---- -# Allow activator to receive requests from knative-kafka-broker-data-plane in knative-eventing. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekb-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-eventing-sender-to-knative-serving-receiver.yaml ---- -# Allow activator to receive requests from knative-kafka-channel-data-plane in knative-eventing. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-ekc-to-activator - namespace: knative-serving -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "activator" - rules: - - from: - - source: - namespaces: [ "knative-eventing" ] - principals: [ "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" ] - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-knative-to-ns.yaml -# Allow namespace serverless-tests to receive requests from Knative system components. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-from-knative - namespace: serverless-tests -spec: - action: ALLOW - rules: - - from: - - source: - namespaces: - - "serverless-tests" - - "knative-eventing" - - "knative-serving" - - "istio-system" ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-activator.yaml -# Activator is the component handling requests for services that scaled to 0, see -# https://github.com/knative/serving/blob/main/docs/scaling/SYSTEM.md#scaling-to-zero for more details. -# -# Allow Knative activator to receive requests from serverless-tests. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-to-activator - namespace: knative-serving -spec: - selector: - matchLabels: - app: activator - action: ALLOW - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-imc-channel.yaml -# Allow Knative InMemoryChannel to receive requests from serverless-tests. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-imc-channel - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "imc-dispatcher" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker-reply.yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-broker-reply - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-broker.yaml -# Allow Knative Broker for Apache Kafka to receive requests from serverless-tests. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-broker - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-broker-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-channel.yaml -# Allow Knative Channel for Apache Kafka to receive requests from serverless-tests. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-channel - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-channel-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - hosts: - - "*.serverless-tests.svc.cluster.local" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-kafka-sink.yaml -# Allow Knative Sink for Apache Kafka to receive requests from serverless-tests. -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-kafka-sink - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "kafka-sink-receiver" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker-reply.yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-mt-channel-based-broker-reply - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: - - "knative-eventing" - principals: - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -# Source: knative-istio-authz-onboarding/templates/allow-ns-to-mt-channel-based-broker.yaml -# Allow Knative Broker with class MTChannelBasedBroker to receive requests from serverless-tests. 
-apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: allow-serverless-tests-mt-channel-based-broker - namespace: knative-eventing -spec: - action: ALLOW - selector: - matchLabels: - app.kubernetes.io/component: "broker-ingress" - rules: - - from: - - source: - namespaces: - - "serverless-tests" - to: - - operation: - paths: - - "/serverless-tests/*" - methods: [ "POST" ] ---- -## WE PROBABLY DO NOT NEED THIS -## Source: knative-istio-authz-onboarding/templates/peer-authentication.yaml -## Enforce peer authentication to be mTLS in the namespace serverless-tests, so that we can define -## authorization policies based on client and server identities. -#apiVersion: security.istio.io/v1beta1 -#kind: PeerAuthentication -#metadata: -# name: default -# namespace: serverless-tests -#spec: -# mtls: -# mode: STRICT diff --git a/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml new file mode 100644 index 0000000000..6ffc881cbd --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml 
@@ -0,0 +1,543 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace serving-tests to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: serving-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serving-tests" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in serving-tests. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in serving-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serving-tests-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in serving-tests + - from: + - source: + namespaces: + - "serving-tests" + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serving-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - 
"cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serving-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serving-tests" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in serving-tests +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "serving-tests" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml b/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml new file mode 100644 index 0000000000..248cfbb74b --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml 
@@ -0,0 +1,543 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace tenant-1 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: tenant-1 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "tenant-1" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-1. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - 
"/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - 
"/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + 
paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - 
operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: 
+ - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in tenant-1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-1-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in tenant-1 + - from: + - source: + namespaces: + - "tenant-1" + to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-1.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + 
to: + - operation: + paths: + - "/tenant-1/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-1" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in tenant-1 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "tenant-1" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml b/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml new file mode 100644 index 0000000000..1378121c40 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml 
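Review bot: The second rule of `allow-from-knative-and-istio` (namespace tenant-1) admits the whole `knative-eventing` namespace with only a `Kn-Namespace` header condition, whereas `allow-tenant-1-to-activator` further restricts the same callers to six explicit service-account `principals`. The header is supplied by the caller, so that rule by itself lets any workload running in `knative-eventing` reach any workload in tenant-1 by sending `Kn-Namespace: tenant-1`; the principal list is what actually ties the traffic to the multi-tenant eventing components. Unless the namespace-wide grant is deliberate, add the same `principals:` list (the six `cluster.local/ns/knative-eventing/sa/...` identities already used in the activator policy) under that `source:`, or add a comment stating why it has to stay broader. The same rule appears in `allow-from-knative-and-istio` in helm-tenant-2.yaml and in the serverless-tests.yaml policy that starts later in this patch. Since these files are rendered from the knative-istio-authz-onboarding chart (see the `# Source:` lines), the chart version and values used should be recorded somewhere alongside them so the policies are regenerated rather than hand-edited.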
@@ -0,0 +1,543 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace tenant-2 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: tenant-2 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "tenant-2" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-2. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - 
"/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - 
"/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + 
paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - 
operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: 
+ - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in tenant-2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-tenant-2-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in tenant-2 + - from: + - source: + namespaces: + - "tenant-2" + to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.tenant-2.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + 
to: + - operation: + paths: + - "/tenant-2/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "tenant-2" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in tenant-2 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "tenant-2" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml new file mode 100644 index 0000000000..eeb35ad946 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml 
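Review bot: `allow-wait-for-drain` in namespace tenant-2 is an ALLOW rule with no `selector` and no `from`, so it permits requests to port `8022` of every workload in the namespace from any source; the rule places no constraint on source identity or namespace. The leading comment explains that kubernetes calls the PreStopHook on that port, and that call carries no mesh identity, so a `from` clause cannot express it — the policy should say so, e.g. `# No 'from': the kubelet PreStop call has no mesh identity, so any source may reach port 8022 in this namespace.` If only the pods that expose the drain port need this exception, narrowing it with a `selector` on their labels would presumably keep the remaining workloads covered only by the more specific ALLOW policies. The identical rule appears in helm-tenant-1.yaml and in the serving-tests policy at the start of this chunk.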
@@ -0,0 +1,543 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace serverless-tests to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: serverless-tests +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "serverless-tests" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in serverless-tests. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - 
"serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in serverless-tests. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-serverless-tests-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in serverless-tests + - from: + - source: + namespaces: + - "serverless-tests" + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + - operation: + hosts: + - "*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - 
"*.serverless-tests.svc.cluster.local" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/serverless-tests/*" + methods: [ "POST" ] + when: + - key: request.headers[Kn-Namespace] + values: + - "serverless-tests" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in serverless-tests +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "serverless-tests" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml b/hack/lib/mesh_resources/authorization-policies/setup/common-deny-all-by-default.yaml similarity index 100% rename from hack/lib/mesh_resources/authorization-policies/setup/deny-all-by-default.yaml rename to hack/lib/mesh_resources/authorization-policies/setup/common-deny-all-by-default.yaml 
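Review bot: The `allow-wait-for-drain` policy at the end of this hunk has a `to.operation.ports: ["8022"]` rule with no `from` clause, no `selector` and no `paths`/`methods`, so once `common-deny-all-by-default` applies this is the single rule that lets every mesh workload in any namespace reach port 8022 of every pod in serverless-tests, not only the kubelet named in the comment. The kubelet's PreStop call carries no mesh identity, so a `from` restriction is not available, but the rule can still be narrowed to the queue-proxy drain endpoint's path and method, and the comment should say that the open source side is deliberate, e.g. `# No 'from': the kubelet PreStop call has no mesh identity; keep the rule scoped to port 8022 and the drain path only`. The same policy appears in the tenant-2 hunk above. Separately, the `when: request.headers[Kn-Namespace]` conditions are evaluated on a caller-supplied header, so they only partition traffic by tenant; the `namespaces`/`principals` clauses derived from the mTLS identity remain the actual authorization boundary and should stay as tight as they are here.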
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-mt-channel-based-broker-to-channels.yaml
similarity index 100%
rename from hack/lib/mesh_resources/authorization-policies/setup/allow-mt-channel-based-broker-to-channels.yaml
rename to hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-mt-channel-based-broker-to-channels.yaml
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml b/hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-probe-kafka-controller.yaml
similarity index 100%
rename from hack/lib/mesh_resources/authorization-policies/setup/allow-probe-kafka-controller.yaml
rename to hack/lib/mesh_resources/authorization-policies/setup/eventing-allow-probe-kafka-controller.yaml
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-activator.yaml
similarity index 100%
rename from hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-activator.yaml
rename to hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-activator.yaml
diff --git a/hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml b/hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-autoscaler.yaml
similarity index 100%
rename from hack/lib/mesh_resources/authorization-policies/setup/allow-traffic-to-autoscaler.yaml
rename to hack/lib/mesh_resources/authorization-policies/setup/serving-allow-traffic-to-autoscaler.yaml
From 3b4317f02a523488e9b0f8e455f009284e3e5560 Mon Sep 17 00:00:00 2001
From: Reto Lehmann Date: Fri, 21 Jul 2023 13:33:57 +0200 Subject: [PATCH 40/42] Cleanup --- hack/generate/csv.sh | 3 +-- hack/lib/mesh.bash | 14 -------------- 2 files changed, 1 insertion(+), 16 deletions(-) diff --git a/hack/generate/csv.sh b/hack/generate/csv.sh index 62d913ff04..af90ff371b 100755 --- a/hack/generate/csv.sh +++ b/hack/generate/csv.sh @@ -76,8 +76,7 @@ function default_knative_ingress_images() { export KNATIVE_KOURIER_GATEWAY=${KNATIVE_KOURIER_GATEWAY:-"quay.io/maistra-dev/proxyv2-ubi8:$(metadata.get dependencies.maistra)"} knative_istio="$(metadata.get dependencies.net_istio)" -# export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"${registry}/net-istio-controller:${knative_istio}"} - export KNATIVE_ISTIO_CONTROLLER="quay.io/rlehmann/net-istio:maistra-fix" + export KNATIVE_ISTIO_CONTROLLER=${KNATIVE_ISTIO_CONTROLLER:-"${registry}/net-istio-controller:${knative_istio}"} export KNATIVE_ISTIO_WEBHOOK=${KNATIVE_ISTIO_WEBHOOK:-"${registry}/net-istio-webhook:${knative_istio}"} } diff --git a/hack/lib/mesh.bash b/hack/lib/mesh.bash index a766353fdd..8285d4f6f8 100644 --- a/hack/lib/mesh.bash +++ b/hack/lib/mesh.bash @@ -120,20 +120,6 @@ function deploy_gateways { oc apply -f "${resources_dir}"/authorization-policies/setup || return $? oc apply -f "${resources_dir}"/authorization-policies || return $? -# cat <<-EOF | oc apply -f - -#apiVersion: security.istio.io/v1beta1 -#kind: AuthorizationPolicy -#metadata: -# name: allow-traffic-to-cluster-domain -# namespace: istio-system -#spec: -# action: ALLOW -# rules: -# - to: -# - operation: -# hosts: [ "*.${subdomain}" ] -#EOF - oc apply -n "${EVENTING_NAMESPACE}" -f "${resources_dir}"/kafka-service-entry.yaml || return $? for ns in serverless-tests eventing-e2e0 eventing-e2e1 eventing-e2e2 eventing-e2e3 eventing-e2e4; do oc apply -n "$ns" -f "${resources_dir}"/kafka-service-entry.yaml || return $? From c1ca95902c5b057484a058529203778f948f3ed3 Mon Sep 17 00:00:00 2001 
From: Pierangelo Di Pilato Date: Mon, 24 Jul 2023 12:27:46 +0200 Subject: [PATCH 41/42] Skip Long Response message test for now Signed-off-by: Pierangelo Di Pilato --- Makefile | 2 +- test/eventinge2erekt/channelbasedbroker_ksvc_test.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 5b73f5e83e..a2f1352302 100644 --- a/Makefile +++ b/Makefile @@ -123,7 +123,7 @@ test-e2e-with-kafka: # Run E2E tests from the current repo for serving+eventing+mesh test-e2e-with-mesh-testonly: - FULL_MESH=true ./test/e2e-tests.sh + FULL_MESH=true TEST_KNATIVE_KAFKA=true ./test/e2e-tests.sh test-e2e-with-mesh: FULL_MESH="true" UNINSTALL_MESH="false" ./hack/mesh.sh diff --git a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go index 93385067a7..b102cbca82 100644 --- a/test/eventinge2erekt/channelbasedbroker_ksvc_test.go +++ b/test/eventinge2erekt/channelbasedbroker_ksvc_test.go @@ -27,6 +27,7 @@ func TestChannelBasedBrokerToKsvc(t *testing.T) { // Test specifically Broker Filter. func TestBrokerDeliverLongResponseMessage(t *testing.T) { + t.Skip("Broken in FULL_MESH https://github.com/openshift-knative/serverless-operator/pull/2171#issuecomment-1647569195") t.Parallel() ctx, env := global.Environment( From 0abebad3633862031e257cc875f9345c30fd708b Mon Sep 17 00:00:00 2001 From: Reto Lehmann Date: Tue, 25 Jul 2023 08:17:56 +0200 Subject: [PATCH 42/42] Add all domain names to allowed hosts list --- ...-tests.yaml => helm-serverless-tests.yaml} | 366 +++++++++--------- .../helm-serving-tests.yaml | 6 +- .../authorization-policies/helm-tenant-1.yaml | 6 +- .../authorization-policies/helm-tenant-2.yaml | 6 +- 4 files changed, 200 insertions(+), 184 deletions(-) rename hack/lib/mesh_resources/authorization-policies/{serverless-tests.yaml => helm-serverless-tests.yaml} (56%) 
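Review bot: The added `t.Skip` in TestBrokerDeliverLongResponseMessage is unconditional, while its message says the test is broken only under FULL_MESH, so the test also stops running in the non-mesh E2E jobs and the regression coverage there is lost. If the `FULL_MESH` variable that the Makefile sets is visible to the test process, gate the skip on it: `if os.Getenv("FULL_MESH") == "true" { t.Skip("Broken in FULL_MESH https://github.com/openshift-knative/serverless-operator/pull/2171#issuecomment-1647569195") }` (needs `os` imported); if the test package already has a mesh-detection helper, prefer that over reading the environment directly. The body of TestBrokerDeliverLongResponseMessage continues outside the hunk.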
diff --git a/hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-serverless-tests.yaml
similarity index 56%
rename from hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml
rename to hack/lib/mesh_resources/authorization-policies/helm-serverless-tests.yaml
index eeb35ad946..d36ba8de35 100644
--- a/hack/lib/mesh_resources/authorization-policies/serverless-tests.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/helm-serverless-tests.yaml
@@ -23,7 +23,7 @@ spec:
 when:
 - key: request.headers[Kn-Namespace]
 values:
- - "serverless-tests"
+ - "serverless-tests"
 ---
 # Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml
 # Allow activator to receive requests from workloads and resources in serverless-tests.
@@ -42,38 +42,42 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests" + - "*.serverless-tests.svc" + - "*.serverless-tests.svc.cluster.local" # Allow to receive requests from eventing sources, subscriptions and triggers in serverless-tests. - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests" + - "*.serverless-tests.svc" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml apiVersion: security.istio.io/v1beta1 
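Review bot: The activator policy now accepts the short `*.serverless-tests` and `*.serverless-tests.svc` host forms in both of its rules, but the eventing receiver policies later in this file (the hunks at @@ -150, @@ -229, @@ -308 and @@ -387) are re-indented only and still list just `*.serverless-tests.svc.cluster.local`, so a sender that addresses a channel or broker by its short service name is still denied there; if that asymmetry is intended, a comment on those rules such as `# Only the FQDN form is accepted here; eventing senders always use it` would save the next reader the comparison. Worth keeping in mind when widening these lists: Istio matches `hosts` against the Host/authority header the caller supplies, so the mTLS-derived `from.source.namespaces` clause remains the actual authorization boundary and the host entries only narrow it by namespace suffix. The whitespace-only re-indentation (also the hunks at @@ -23 and @@ -118) makes the functional change hard to spot and could be split into its own commit.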
@@ -92,16 +96,16 @@ spec: namespaces: - "knative-eventing" principals: - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml apiVersion: security.istio.io/v1beta1 @@ -118,20 +122,20 @@ spec: - from: - source: namespaces: - - "knative-eventing" + - "knative-eventing" principals: - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml # Allow imc-dispatcher to receive requests from workloads and resources in serverless-tests. 
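Review bot: The `allow-serverless-tests-kafka-broker-reply` policy at the top of this hunk switches the allowed principal to `cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane`, but unlike the neighbouring policies it carries no comment saying which component is the sender, so the next reader cannot tell whether the previous channel-data-plane principal was wrong or whether both identities are needed. Suggest adding above its `apiVersion` line: `# Allow kafka-broker-receiver to receive reply events sent by the Kafka broker data plane on behalf of serverless-tests.` The second hunk here (@@ -118) is indentation-only.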
@@ -150,66 +154,66 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml --- 
@@ -229,66 +233,66 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml --- 
@@ -308,66 +312,66 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml --- 
@@ -387,66 +391,66 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml --- 
@@ -466,66 +470,66 @@ spec: - from: - source: namespaces: - - "serverless-tests" + - "serverless-tests" to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: hosts: - - "*.serverless-tests.svc.cluster.local" + - "*.serverless-tests.svc.cluster.local" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" - from: - source: namespaces: [ "knative-eventing" ] principals: - - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" - - - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" - - - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" - - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" - + - 
"cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: - operation: paths: - - "/serverless-tests/*" + - "/serverless-tests/*" methods: [ "POST" ] when: - key: request.headers[Kn-Namespace] values: - - "serverless-tests" + - "serverless-tests" --- # Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml # Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in serverless-tests diff --git a/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml b/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml index 6ffc881cbd..0c529e7d52 100644 --- a/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml +++ b/hack/lib/mesh_resources/authorization-policies/helm-serving-tests.yaml @@ -46,6 +46,8 @@ spec: to: - operation: hosts: + - "*.serving-tests" + - "*.serving-tests.svc" - "*.serving-tests.svc.cluster.local" # Allow to receive requests from eventing sources, subscriptions and triggers in serving-tests. @@ -68,6 +70,8 @@ spec: to: - operation: hosts: + - "*.serving-tests" + - "*.serving-tests.svc" - "*.serving-tests.svc.cluster.local" methods: [ "POST" ] when: @@ -92,7 +96,7 @@ spec: namespaces: - "knative-eventing" principals: - - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" to: - operation: paths: diff --git a/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml b/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml index 248cfbb74b..b39f95aaf5 100644 
--- a/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/helm-tenant-1.yaml
@@ -46,6 +46,8 @@ spec:
 to:
 - operation:
 hosts:
+ - "*.tenant-1"
+ - "*.tenant-1.svc"
 - "*.tenant-1.svc.cluster.local"

 # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-1.
@@ -68,6 +70,8 @@ spec:
 to:
 - operation:
 hosts:
+ - "*.tenant-1"
+ - "*.tenant-1.svc"
 - "*.tenant-1.svc.cluster.local"
 methods: [ "POST" ]
 when:
@@ -92,7 +96,7 @@ spec:
 namespaces:
 - "knative-eventing"
 principals:
- - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane"
+ - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane"
 to:
 - operation:
 paths:
diff --git a/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml b/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml
index 1378121c40..3d875e404c 100644
--- a/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml
+++ b/hack/lib/mesh_resources/authorization-policies/helm-tenant-2.yaml
@@ -46,6 +46,8 @@ spec:
 to:
 - operation:
 hosts:
+ - "*.tenant-2"
+ - "*.tenant-2.svc"
 - "*.tenant-2.svc.cluster.local"

 # Allow to receive requests from eventing sources, subscriptions and triggers in tenant-2.
@@ -68,6 +70,8 @@ spec:
 to:
 - operation:
 hosts:
+ - "*.tenant-2"
+ - "*.tenant-2.svc"
 - "*.tenant-2.svc.cluster.local"
 methods: [ "POST" ]
 when:
@@ -92,7 +96,7 @@ spec:
 namespaces:
 - "knative-eventing"
 principals:
- - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane"
+ - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane"
 to:
 - operation:
 paths:
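Review bot: The `@@ -92,7 +96,7 @@` hunk in helm-tenant-1.yaml replaces the `knative-kafka-channel-data-plane` principal with `knative-kafka-broker-data-plane` instead of adding it, so any Kafka channel dispatcher still running under the old service account loses POST access to the paths in this rule; the same substitution appears in helm-tenant-2.yaml and in helm-serving-tests.yaml above. If the channel data plane is now served by the broker data-plane account this is correct, but nothing on the page records that, so a comment next to the principal such as `# Kafka channel dispatch runs under the broker data-plane SA; no separate channel SA` would keep a later reader from re-adding the old entry, and if both accounts still exist both principals should be listed. The new `*.tenant-1` and `*.tenant-1.svc` host entries only add short-name forms of the same namespace suffix, so they do not widen the rule beyond the tenant namespace. The `helm-` prefix suggests these files are rendered output, so the template should carry the same change or the next render will revert it.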