33This resource allows users to define the authorization policy between
44applications and clients.
55
6- There are two high level concepts, ` TrafficRole ` and ` TrafficRoleBinding ` . A
7- ` TrafficRole ` describes a resource that will be receiving requests and what
8- traffic can be issued to that resource. As an example, a ` TrafficRole ` could be
9- configured to reference a pod and only allow ` GET ` requests to a specific
10- endpoint on that service.
11-
12- The ` TrafficRoleBinding ` associates a client's identity with a ` TrafficRole ` .
13- This client can then issue requests to the configured resource using the allowed
14- paths and methods. The design of Kubernetes RBAC has been heavily borrowed from.
15-
16- TrafficRoles are designed to work in an additive fashion and all traffic is
17- denied by default. See [ tradeoffs] ( #policy-tradeoffs ) for more details on that
18- decision.
19-
206## Specification
217
22- ### TrafficRole
23-
24- A ` TrafficRole ` contains a list of rules that have: resources, methods and
25- paths. These work in concert to define what an authorized client can request.
26-
27- Resources reference Kubernetes objects. These can be anything such as
28- deployments, services and pods. The resource concretely defines the resource
29- that will be serving the traffic itself either as a group (ex. deployment) or a
30- pod itself.
31-
32- The full list of resources that can be referenced is:
33-
34- * pods
35- * replicationscontrollers
36- * services
37- * daemonsets
38- * deployments
39- * replicasets
40- * statefulets
41- * jobs
42-
43- Methods describe the HTTP method that is allowed for the referenced resource.
44- This is limited to existing HTTP methods. It is possible to use ` * ` to allow any
45- value instead of enumerating them all.
46-
47- Paths describe the HTTP path that a referenced resource serves. The path is a
48- regex and is anchored (` ^ ` ) to the start of the URI. See [ use cases]
49- (#policy-use-cases) for some examples about how these can be generated
50- automatically without user interaction.
51-
52- Bringing everything together, an example specification:
8+ ### HTTPService
539
5410``` yaml
55- kind : TrafficRole
11+ kind : HTTPService
5612apiVersion : v1beta1
5713metadata :
58- name : path-specific
14+ name : foo
5915 namespace : default
60- rules :
61- - resources :
62- - name : foo
63- kind : Deployment
16+ resources :
17+ # v1.ObjectReference
18+ - kind : Service
19+ name : foo
20+ routes :
21+ - name : admin
6422 methods :
6523 - GET
66- paths :
67- - ' /authors/\d+'
24+ pathRegex : " /admin/.*"
25+ - name : default
26+ methods : ["*"]
27+ pathRegex : " .*"
6828` ` `
6929
70- This specification can be used to grant access to the ` foo` deployment for `GET`
71- requests to paths like `/authors/1234`. An accompanying `TrafficRoleBinding`
72- would allow authorized clients to request this path.
73-
74- Note that `namespace` is *not* part of the resource references. The resources
75- must be within the same namespace that a `TrafficRole` resides in. See
76- [tradeoffs](#policy-tradeoffs) for a discussion on why this is.
77-
78- While it is convenient to be extremely specific, most policies will be a little
79- bit more general. The following `TrafficRole` can be used to grant access to the
80- ` foo` service and by association the endpoints that service selects. Any method
81- and path would be accessible.
30+ ### gRPCService
8231
8332` ` ` yaml
84- kind: TrafficRole
33+ kind : gRPCService
8534apiVersion : v1beta1
8635metadata :
87- name: service-specific
36+ name : foo
8837 namespace : default
89- rules:
90- - resources:
91- - name: foo
92- kind: Service
93- methods: ["*"]
94- paths: ["*"]
38+ resources :
39+ - kind : Service
40+ name : foo
41+ package : foo.v1
42+ service : SearchService
43+ rpc :
44+ - name : Search
9545` ` `
9646
97- As roles are additive, policies that can allow all traffic are helpful for
98- testing environments or super users. To grant access to anything in a namespace,
99- ` *` can be used in combination with `kind`. The other keys are optional in this
100- example.
47+ ### TCPService
10148
10249` ` ` yaml
103- kind: TrafficRole
50+ kind : TCPService
10451apiVersion : v1beta1
10552metadata :
106- name: service-specific
53+ name : foo
10754 namespace : default
108- rules:
109- - resources:
110- - name: "*"
111- kind: Pod
112- methods: ["*"]
113- paths: ["*"]
55+ resources :
56+ - kind : Service
57+ name : foo
11458` ` `
11559
116- # ## TrafficRoleBinding
117-
118- A `TrafficRoleBinding` grants the permissions defined in a `TrafficRole` to a
119- specified identity. It holds a list of subjects (service accounts, deployments)
120- and a reference to the role being granted.
121-
122- The following binding grants the `path-specific` role to pods contained within
123- the deployment `bar` in the `default` namespace. Assuming the `path-specific`
124- definition from above, these pods will be authorized to issue `GET` requests to
125- the `foo` deployment with paths matching the `/authors/\d+` regex.
60+ ### TrafficRole
12661
12762` ` ` yaml
128- kind: TrafficRoleBinding
63+ kind : TrafficRole
12964apiVersion : v1beta1
13065metadata :
131- name: account -specific
66+ name : path -specific
13267 namespace : default
68+ resource :
69+ name : foo
70+ kind : Deployment
13371subjects :
134- - kind: Deployment
135- name: bar
136- namespace: default
137- roleRef:
138- kind: TrafficRole
139- name: path-specific
72+ - kind : HTTPService
73+ name : admin
14074` ` `
14175
142- Note : this specification defines that policy is *always* enforced on the
143- *server* side of a connection. It is up to implementations to decide whether
144- they would also like to enforce this policy on the *client* side of the
145- connection as well.
146-
147- Bindings reference subjects that can be defined based on identity. This allows
148- for references to be more than just groups of pods. In this example, a binding
149- is against a service account.
76+ ### TrafficRoleBinding
15077
15178` ` ` yaml
15279kind : TrafficRoleBinding
@@ -156,131 +83,42 @@ metadata:
15683 namespace : default
15784subjects :
15885- kind : ServiceAccount
159- name: foo-account
86+ name : bar
16087 namespace : default
16188roleRef :
16289 kind : TrafficRole
16390 name : path-specific
16491` ` `
16592
166- Implementations and cluster administrators can provide some default policy as
167- [ClusterTrafficRole](#clustertrafficrole). These can be bound to specific
168- namespaces and will only be valid for that specific namespace. In this example,
169- a `ClusterTrafficRole` that grants access to `/health` is bound only inside the
170- ` default` namespace for the pod `foobar`.
171-
172- ` ` ` yaml
173- kind: TrafficRoleBinding
174- apiVersion: v1beta1
175- metadata:
176- name: health-check
177- namespace: default
178- subjects:
179- - kind: Pod
180- name: foobar
181- roleRef:
182- kind: ClusterTrafficRole
183- name: health-check
184- ` ` `
185-
186- # ## ClusterTrafficRole
187-
188- Roles can be defined cluster-wide with `ClusterTrafficRole`. These roles can
189- grant access to applications in specific namespaces or across all namespaces and
190- are particularly useful for providing sane default policy.
191-
192- The following `ClusterTrafficRole` can be used to grant access to `/health`
193- endpoints.
194-
195- ` ` ` yaml
196- kind: ClusterTrafficRole
197- apiVersion: v1beta1
198- metadata:
199- name: health-check
200- rules:
201- - resources:
202- - name: "*"
203- kind: Pod
204- methods:
205- - GET
206- paths:
207- - '/health'
208- ` ` `
209-
210- A `ClusterTrafficRole` can also be used as a default allow policy.
211-
212- ` ` ` yaml
213- kind: ClusterTrafficRole
214- apiVersion: v1beta1
215- metadata:
216- name: default-allow
217- rules:
218- - resources:
219- - name: "*"
220- kind: Pod
221- methods: ["*"]
222- paths: ["*"]
223- ` ` `
224-
225- # ## ClusterTrafficRoleBinding
226-
227- The following `ClusterTrafficRoleBinding` will grant access every node in the
228- cluster to request the `/health` endpoint served by pods in any namespace.
229-
230- ` ` ` yaml
231- kind: ClusterTrafficRoleBinding
232- apiVersion: v1beta1
233- metadata:
234- name: default-allow
235- subjects:
236- - name: *
237- kind: Node
238- roleRef:
239- kind: ClusterTrafficRole
240- name: health-check
241- ` ` `
242-
243- To grant the pod `root` running in any namespace access to every pod serving any
244- endpoint in any namespace, it would be possible to do :
93+ Note: this specification defines that policy is *always* enforced on the
94+ *server* side of a connection. It is up to implementations to decide whether
95+ they would also like to enforce this policy on the *client* side of the
96+ connection as well.
24597
246- ` ` ` yaml
247- kind: ClusterTrafficRoleBinding
248- apiVersion: v1beta1
249- metadata:
250- name: default-allow
251- subjects:
252- - name: root
253- kind: Pod
254- roleRef:
255- kind: ClusterTrafficRole
256- name: default-allow
257- ` ` `
98+ ## Use Cases
25899
259- # # Workflow
100+ ## Admission Control
260101
261- # # Use Cases {#policy-use-cases}
102+ TODO ...
262103
263- # ## OpenAPI/Swagger
104+ ## RBAC
264105
265- Many REST applications provide OpenAPI definitions for their endpoints,
266- operations and authentication methods. Consuming these definitions and
267- generating policy automatically allows developers and organizations keep the
268- definition of their policy in a single location. A given specification can be
269- used to create `TrafficRole` and `TrafficRoleBinding` objects as part of a CI/CD
270- workflow.
106+ TODO ...
271107
272- TODO - specification mapping
108+ ## Example Implementation
273109
274110## Tradeoffs {#policy-tradeoffs}
275111
276112* Additive policy - policy that denies instead of only allows is valuable
277113 sometimes. Unfortunately, it makes it extremely difficult to reason about what
278114 is allowed or denied in a configuration.
115+
279116* It would be possible to support ` kind: Namespace`. This ends up having some
280117 special casing as to references and doesn't cover all cases. Instead, there
281118 has been a conscious decision to allow `*` kinds instead of supporting
282119 non-namespaced resources (for example, namespaces). This solves the same user
283120 goal and is slightly more flexible.
121+
284122* Namespaces are explicitly left out of the resource reference (`namespace:
285123 foobar`). This is because the reference could be used to point to a resource
286124 in a different namespace that a user might not have permissions to access or
@@ -291,16 +129,18 @@ TODO - specification mapping
291129
292130* Egress policy - while this specification allows for the possibility of
293131 defining egress configuration, this functionality is currently out of scope.
132+
294133* Non-HTTP traffic - this specification will need to be expanded to support
295134 traffic such as Kafka or MySQL.
296135
297136# # Open Questions
298137
299138* Why include namespace in the reference *and* role? Is there any reason a user
300139 would create a role in one namespace that references another?
140+
301141* Namespaces should *not* be possible to define on `TrafficRole` for resource
302142 references but are required for `ClusterTrafficRole`. Is it okay only allow
303143 this key in `ClusterTrafficRole` references?
144+
304145* I'm not sure `kind: pod` and `name: *` is the best solution for generic allow
305146 policies. Is there a better way to do it? `kind : *` feels wrong as well.
306-
0 commit comments