Add API details GEP-3779 - E/W Authorization #3891
Conversation
k8s-ci-robot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: LiorLieberman The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
LiorLieberman
changed the title
LiorLieberman
force-pushed
the
gep-3779-apis
branch
from
2aada9b to
a410c68
Compare
| @@ -246,10 +246,261 @@ Cilium has the concept of CiliumIdentity. Pods are assigned identities derived f | |||
| More on https://docs.cilium.io/en/stable/internals/security-identities/ & https://docs.cilium.io/en/stable/security/network/identity/ | |||
|
|
|||
|
|
|||
|
|
|||
| ## API | |||
There was a problem hiding this comment.
I recommend moving this above the state of the world section.
geps/gep-3779/index.md
Outdated
| * **Sources:** The source identities to which the rule applies. A request’s identity must match one of the listed sources. Supported source kinds are: | ||
| * **SPIFFE ID** | ||
| * **Kubernetes ServiceAccount** | ||
| * **Kubernetes Namespace** | ||
| * **Attributes:** Conditions on the target workload, at the time of writing this, only port is supported. If no attributes are specified, the rule applies to all traffic toward the target. |
There was a problem hiding this comment.
The formatting is not working as intended - see https://deploy-preview-3891--kubernetes-sigs-gateway-api.netlify.app/geps/gep-3779/.
geps/gep-3779/index.md
Outdated
| * A request is allowed if: | ||
| * It matches at least one rule in any ALLOW policy targeting the workload **and** | ||
| * It is not explicitly denied by any DENY policy. |
There was a problem hiding this comment.
Same comment as above re: list formatting
| // TCPRules defines the list of matching criteria. A request is considered to | ||
| // match the policy if it matches any of the rules. | ||
| // +optional | ||
| TCPRules []AuthorizationTCPRule `json:"tcpRules,omitempty"` |
There was a problem hiding this comment.
This is a list of lists of lists, does each layer need to have its own distinct list? The exponential nature of this pattern can get pretty awful. We're currently missing max lengths for each of these, but let's just assume that we say 16 across the board. That means that we could end up needing support 4096 distinct sources in just one policy.
There was a problem hiding this comment.
Some ideas to potentially simplify this to 256 by removing one of the layers of lists:
Before
tcpRules:
- authorizationSources:
- identities: [foo]
- namespaces: [bar]After v1
tcpRules:
- authorizationSource:
- identity: foo
- namespace: barAfter v2
tcpRules:
- authorizationSource:
identities: [foo]
namespaces: [bar] |
|
||
| ##### **Experimental Pattern** | ||
|
|
||
| To mitigate some of the concerns, `LabelSelector` support in policy attachment is designated as an **experimental pattern**. |
There was a problem hiding this comment.
For the record, I really hate the combination of label selectors and policy attachment because we'd be combining 2 topics that are already quite complicated. With that said, this has been a widely requested feature, and testing it out in a relatively controlled way seems ~ok to me. We need to be ready to pivot to another approach if this doesn't work and/or ends up being too complicated.
| // While the exact workload identifier structure is implementation-specific, | ||
| // implementations are encouraged to follow the convention of | ||
| // `spiffe://<trust_domain>/ns/<namespace>/sa/<serviceaccount>` | ||
| // when representing Kubernetes workload identities. |
There was a problem hiding this comment.
Why would someone use this matcher to refer to Kubernetes identities when the serviceAccounts list is below? Is this intended primarily for cross-cluster use cases?
There was a problem hiding this comment.
I think cross-cluster or external workloads are reasonable examples which might apply.
It's niche at the moment, but I have seen users express desire to be able to assert policy at a sub-serviceAccount granularity. This seems to leave the door open for an implementation to support that use case.
|
|
||
| // Namespaces specifies a list of Kubernetes Namespaces that are matched | ||
| // by this rule. A request originating from any pod within one of these | ||
| // namespaces will match the rule, regardless of its specific Service Account. |
There was a problem hiding this comment.
So this is basically just another way of saying "match all ServiceAccounts in these namespaces"? Given the proposed format of ServiceAccounts is ns/name above, would ns/* be a reasonable alternative way to express this instead of having a separate field in the API?
There was a problem hiding this comment.
Thats valid. Happy to remove and support ns/* if we are fine with supporting "". I am worried we are opening a door for more use of "" or any regex in value fields here though.
|
|
||
| The `targetRef` of the policy specifies the workload(s) to which the policy applies. Two options are available for `targetRef`: | ||
|
|
||
| #### **Option 1: Targeting a Service** |
There was a problem hiding this comment.
I seem to remember "ServiceAccount" being raised as a potential option at a previous KubeCon when this topic came up. I think it ended up being deemed impractical/poor UX, but could be good to cover it here for completeness.
|
|
||
| // Action specifies the action to take when a request matches the rules. | ||
| // +kubebuilder:validation:Required | ||
| Action AuthorizationPolicyAction `json:"action"` |
There was a problem hiding this comment.
can you also define the UX for DENY_BY_DEFAULT policies and how a users can add allow rules to override deny_by_default posture.
Use Case (Assuming we have ns wide policy support as well) - User has created a deny all policy for the namespace, now workload owners add Allow policies for the workloads.
geps/gep-3779/index.md
Outdated
| type AuthorizationPolicySpec struct { | ||
| // TargetRef identifies the resource this policy is attached to. | ||
| // +kubebuilder:validation:Required | ||
| TargetRefs gatewayv1.PolicyTargetReferenceWithLabelSelectors `json:"targetRefs"` |
There was a problem hiding this comment.
how can we target the entire namespace? ns-wide authz policies are very common for meshes.
And with ns-wide policy we need to think about the clear separation between Gateway and mesh. This could be a valid scenario that Gateway and mesh workload are in the same namespace and user just wants to apply policy on namespace affecting only mesh workloads.
There was a problem hiding this comment.
added more section about this. PTAL!
| // for policies implemented within Gateway API. It is currently not intended for general-purpose | ||
| // use outside of Gateway API resources. | ||
| // +kubebuilder:validation:XValidation:rule="!(has(self.selector)) || (self.kind == 'Pod' && (self.group == '' || self.group == 'core'))",message="Selector may only be set when targeting Pods." | ||
| type PolicyTargetReferenceWithLabelSelectors struct { |
There was a problem hiding this comment.
will this "PolicyTargetReferenceWithLabelSelectors" ever be applicable for Gateways?
Gateways can be in-cluster and defined via K8s workload (Gateway may have a pod with some labels). If someone uses the pod labels for the gateway, do we select that Gateway with these semantics?
There was a problem hiding this comment.
I think that's a reasonable question that is one of the reasons that we haven't done label selecctors for pods before.
There was a problem hiding this comment.
Tricky, a gateway implemented by a pod in k8s is both a workload unto itself, and also a proxy for 0 or more other "entities". In some cases it might be handy to be able to express that certain identities can talk to a gateway (and by extension, may be allowed to talk to entities that gateway proxies for) independent of expressing policy against all the disparate entities which that gateway is a proxy for.
There was a problem hiding this comment.
This is also probably a complexity to worry about in the Service reference option as well. If you have a gateway selected by a service and attach policy to that service, what does it mean?
There was a problem hiding this comment.
I would say YES. With the option to exclude it if necessary (using the right label selector combination ,e.g with NotIn operator). Though as Ian pointed out there are cases where it will be useful to be able to distribute the policies to the gateway (which is also a workload in this case).
There was a problem hiding this comment.
added sections about it, PTAL!
| ##### **Enhanced Discoverability with `gwctl`** | ||
|
|
||
| A key challenge with `LabelSelector` is the loss of discoverability. It’s easier to see which policies target a `Service` but difficult to determine which policies might affect a specific pod. | ||
|
|
||
| To address this, **investment in tooling is required.** Specifically, the `gwctl` CLI tool should be enhanced to provide insights such as: | ||
|
|
||
| ```sh | ||
| TODO: complete gwctl commands | ||
| ``` | ||
|
|
||
| Without dedicated tooling, the `LabelSelector` approach could significantly degrade the user experience and observability. |
There was a problem hiding this comment.
This section is critical for making label selectors actually be understandable. As it stands, they are the very definition of spooky action at a distance - if you don't know to go and look for an AuthorizationPolicy, then requests will randomly fail or succeed based on things outside your control.
| * **No API Extension Required:** Works with the current PolicyAttachment model in Gateway API without modification. | ||
| * **Simplicity:** Intuitive for users familiar with Kubernetes networking concepts. | ||
|
|
||
| **Downsides and Open Questions:** |
There was a problem hiding this comment.
Does "addressing" of the traffic matter in the service binding case? For instance, if Prometheus sends directly to a pod should service-attached policy still apply? Perhaps this is just a twist of the topic about how pods "belong" to services.
There was a problem hiding this comment.
added some more clarifications above. the TL;DR is that I think there is no consistent/good way for a the (dst) component that enforces authorization to know what service was dialed, mainly with sidecar-based meshes.
So if we were to go with Service, the answer to you question would probably be yes, cause we will use the workload selector from the service. But this brings other complications that I described above
|
|
||
|
|
||
| // AuthorizationSource specifies the source of a request. | ||
| // Only one of its fields may be set. |
There was a problem hiding this comment.
Is the only one restriction necessary? I can envision an ask for:
from:
serviceaccounts
- monitoring/prometheus
- ingress/my-gw
namespaces
- valid-clientsPer Rob's other comment, allowing serviceaccount: [valid-clients/*] might be a way to express it.
There was a problem hiding this comment.
Its tricky, for example, in istio all of the attributes are ANDed together. We can say it will be ORed, but I don't see a reason to do so. We could support [valid-clients/*] if we need to, or in this case, just ask to have another rule for namespaces: valid-clients.
LiorLieberman
force-pushed
the
gep-3779-apis
branch
from
12b8a42 to
776e35c
Compare
| // AuthorizationSource specifies the source of a request. | ||
| // Only one of its fields may be set. | ||
| // +kubebuilder:validation:XValidation:rule="(size(self.identities) > 0 ? 1 : 0) + (size(self.serviceAccounts) > 0 ? 1 : 0) + (size(self.namespaces) > 0 ? 1 : 0) == 1",message="Exactly one of identities, serviceAccounts, or namespaces must be specified." | ||
| type AuthorizationSource struct { |
There was a problem hiding this comment.
i could be wrong, but i thought a Type string field is used for oneof fields.
for example -
gateway-api/apis/v1/httproute_types.go
Line 534 in 3842b4c
| // A request matches if its attributes are present in this list. | ||
| // | ||
| // +optional | ||
| Attributes []AuthorizationTCPAttributes `json:"attributes,omitempty"` |
There was a problem hiding this comment.
QQ: Should we rename this to DestinationAttributes to be clear that these are destination's attributes?
| * The presence of any authorization policy causes the system to default to **deny-by-default** for matching workloads. | ||
| * Another bullet to re-clarify the one above - the default behavior when no policies select a target workload is to allow all traffic. However, **as soon as at least one `AuthorizationPolicy` targets a workload, the model becomes implicitly deny-if-not-allowed**. | ||
|
|
There was a problem hiding this comment.
i'm a bit confused by this. Perhaps an example here might help me understand this better.
doesn't this contradict the statement from ALLOW policy above - If no ALLOW policy exists for a workload, traffic is permitted by default, unless any DENY policy applies. ?
There was a problem hiding this comment.
ok, i understood this now. but would help if there's an example.
| Kind Kind `json:"kind"` | ||
|
|
||
| // Selector is the label selector of target objects of the specified kind. | ||
| Selector *metav1.LabelSelector `json:"selector"` |
There was a problem hiding this comment.
should we add a Section Name here too? for example - port can be a section name . When specified, the policy would apply to the pod port specifically. This would be useful for this AuthZ Policy or some other future auth or "workload" policy.
While this is not my main point, the case for supporting this in AuthZPolicy is that it would allow the authz policy to be evaluated only for traffic destined to this port. As opposed to the current proposal, where the whole policy is evaluated for all traffic (perhaps implementations will optimize this behavior) which is going to wasteful.
There was a problem hiding this comment.
I perceive Port as an attribute of the request in this case, rather than the target. Our targets are workloads and not Workload*Port.
As an example, assuming we support that, what would it mean to have allow policy thats targeting workload foo on port 8080.
- If port is an attribute of the request - all requests to this workload in other ports are going to be denied (see the semantics above, if there is ANY allow policy, we deny anything thats not specifically allowed)
- However, with port being an attribute of the target - do we still do that? if yes, how?
|
/cc @kflynn @mikemorris |
Add API details for GEP-3779.
/kind gep
Related #3779
Does this PR introduce a user-facing change?: