waypoint bypass detection and authz skip #971
@@ -147,6 +148,9 @@ pub struct Endpoint { | |||
|
|||
/// The port mapping. | |||
pub port: HashMap<u16, u16>, | |||
|
|||
#[serde(skip_serializing)] | |||
pub identity: Identity, |
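Review bot: the new `identity` field on `Endpoint` has no doc comment, while the neighbouring `port` field carries `/// The port mapping.`. Add one that states where the value comes from and why `#[serde(skip_serializing)]` is applied, since a field that is silently absent from serialized output is easy to misread when comparing a dump against in-memory state. If `Endpoint` also derives `Deserialize`, note that `skip_serializing` does not affect deserialization, so the field would still be expected on input unless a default is provided.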
Copying this to Endpoint saves us a lot of Workload lookups.
I think we want the following:

```rust
if is_mesh_traffic {
    if has_waypoint {
        if from_waypoint {
            allow();
        } else if src_can_skip_waypoint { // skip waypoint API TBD
            check_rbac();
        } else {
            deny("must go through waypoint");
        }
    } else {
        check_rbac();
    }
} else {
    check_permissive();
}
```

I've included a hypothetical future 'skip-waypoint' API which I think will be useful, particularly to enable something like ingress which may systematically skip waypoints but for which we have not done design work. I think the above (or the original) make it clear that authz is delegated to the waypoint when one is used by a workload. This lines up conceptually with how the APIs and compositional patterns are defined so I think this is overall good and better than the 'defaultAllow' alternatives. It's also pretty similar to the code that was there before so it's not that disruptive.
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stevenctl this is obsolete now, right?
An alternative to istio/istio#50475.
We had a similar check in the past. One key difference in this version is that `has_waypoint` and `from_waypoint` check both the destination workload and all its services for waypoint attachment.
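
The decision order proposed in the review comment, combined with the description's point that waypoint attachment is looked up on both the destination workload and its services, as an added example that is not ztunnel's code. `Decision`, `Dest`, `decide` and the identity strings are hypothetical; treating a missing peer identity as non-mesh traffic and an identity match as "from waypoint" are assumptions.

```rust
// Added example: hypothetical types, not ztunnel's own code.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,           // authz is delegated to the waypoint
    CheckRbac,       // enforce the destination's own policies
    CheckPermissive, // not mesh traffic
    Deny(&'static str),
}

/// Waypoint attachment for a destination (constructed model).
pub struct Dest {
    pub workload_waypoint: Option<&'static str>, // waypoint identity on the workload
    pub service_waypoints: Vec<&'static str>,    // waypoint identities on its services
}

impl Dest {
    /// Every waypoint attached to the workload or to any of its services.
    fn waypoints(&self) -> impl Iterator<Item = &'static str> + '_ {
        self.workload_waypoint.iter().copied().chain(self.service_waypoints.iter().copied())
    }
}

/// `src` is the verified peer identity; None is assumed to mean non-mesh traffic.
pub fn decide(dest: &Dest, src: Option<&str>, src_can_skip_waypoint: bool) -> Decision {
    let Some(src) = src else { return Decision::CheckPermissive };
    let has_waypoint = dest.waypoints().next().is_some();
    // Assumption: "from waypoint" means the peer identity matches an attached waypoint.
    let from_waypoint = dest.waypoints().any(|w| w == src);
    if !has_waypoint {
        Decision::CheckRbac
    } else if from_waypoint {
        Decision::Allow
    } else if src_can_skip_waypoint {
        Decision::CheckRbac // skip-waypoint API is TBD on the page
    } else {
        Decision::Deny("must go through waypoint")
    }
}

fn main() {
    // Constructed sample: the waypoint is attached only through a service.
    let dest = Dest { workload_waypoint: None, service_waypoints: vec!["ns/waypoint"] };
    for (src, skip) in [(Some("ns/waypoint"), false), (Some("ns/client"), false), (None, false)] {
        println!("{:?} skip={} -> {:?}", src, skip, decide(&dest, src, skip));
    }
}
```

A destination whose waypoint is attached only through a service is the case a workload-only lookup would miss: direct traffic to it would fall through to the plain RBAC branch instead of being denied.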