waypoint bypass detection and authz skip #971
Conversation
istio-testing
added
the
size/L
| @@ -147,6 +148,9 @@ pub struct Endpoint { | |||
|
|
|||
| /// The port mapping. | |||
| pub port: HashMap<u16, u16>, | |||
|
|
|||
| #[serde(skip_serializing)] | |||
| pub identity: Identity, | |||
There was a problem hiding this comment.
Copying this to Endpoint saves us a lot of Workload lookups.
|
I think we want the following if is_mesh_traffic {
if has_waypoint {
if from_waypoint {
allow();
} else if src_can_skip_waypoint { #skip waypoint API TBD
check_rbac();
} else {
deny("must go through waypoint")
}
} else {
check_rbac();
}
} else {
check_permissive();
} I've included a hypothetical future 'skip-waypoint' API which I think will be useful, particularly to enable something like ingress which may systematically skip waypoints but for which we have not done design work. I think the above (or the original) make it clear that authz is delegated to the waypoint when one is used by a workload. This lines up conceptually with how the APIs and compositional patterns are defined so I think this is overall good and better than the 'defaultAllow' alternatives. Its also pretty similar to the code that was there before so its not that disruptive. |
stevenctl
force-pushed
the
waypoint-check
branch
5 times, most recently
from
b1b00de
to
f512910
Compare
stevenctl
force-pushed
the
waypoint-check
branch
from
f512910
to
713e00a
Compare
istio-testing
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@stevenctl this is obsolete now, right? |
An alternative to istio/istio#50475.
We had a similar check in the past. One key difference in this version is that
has_waypointandfrom_waypointchecks both the destination workload and all it's services for waypoint attachment.