From f375f9aacb077ec2e35ff1348df41ffe42a10cc8 Mon Sep 17 00:00:00 2001 From: Nicholas Jackson Date: Wed, 8 May 2019 17:29:53 +0100 Subject: [PATCH 1/4] Rename HTTPRoutes HTTPRoute --- traffic-specs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/traffic-specs.md b/traffic-specs.md index 5e347a8..145e962 100644 --- a/traffic-specs.md +++ b/traffic-specs.md @@ -12,14 +12,14 @@ to define the traffic in a protocol specific fashion. ## Specification -### HTTPRoutes +### HTTPRoute This resource is used to describe HTTP/1 and HTTP/2 traffic. It enumerates the routes that can be served by an application. ```yaml apiVersion: specs.smi-spec.io/v1alpha1 -kind: HTTPRoutes +kind: HTTPRoute metadata: name: the-routes matches: @@ -51,7 +51,7 @@ an HTTP request. This is where `filters` come in: ```yaml apiVersion: v1beta1 -kind: HTTPRoutes +kind: HTTPRoute metadata: name: the-routes namespace: default From 8f6a88e32e0690254ce5c88ee58cad888e4d6718 Mon Sep 17 00:00:00 2001 From: Nicholas Jackson Date: Wed, 8 May 2019 20:07:09 +0100 Subject: [PATCH 2/4] Rename HTTPRoutes something more sane --- traffic-specs.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/traffic-specs.md b/traffic-specs.md index 145e962..d7c240a 100644 --- a/traffic-specs.md +++ b/traffic-specs.md @@ -12,14 +12,14 @@ to define the traffic in a protocol specific fashion. ## Specification -### HTTPRoute +### HTTPRouteGroup This resource is used to describe HTTP/1 and HTTP/2 traffic. It enumerates the routes that can be served by an application. ```yaml apiVersion: specs.smi-spec.io/v1alpha1 -kind: HTTPRoute +kind: HTTPRouteGroup metadata: name: the-routes matches: @@ -51,7 +51,7 @@ an HTTP request. This is where `filters` come in: ```yaml apiVersion: v1beta1 -kind: HTTPRoute +kind: HTTPRouteGroup metadata: name: the-routes namespace: default 
@@ -94,7 +94,7 @@ automatically generate the list of routes from code. ## Out of scope * gRPC - there should be a gRPC specific traffic spec. As part of the first - version, this has been left out as HTTPRoutes can be used in the interim. + version, this has been left out as HTTPRouteGroup can be used in the interim. * Arbitrary header filtering - there should be a way to filter based on headers. This has been left out for now, but the specification should be expanded to From 0f1ccc5420311734dacc789d6b31adcc947a224e Mon Sep 17 00:00:00 2001 From: Nicholas Jackson Date: Wed, 8 May 2019 20:09:51 +0100 Subject: [PATCH 3/4] update comments for IdentityBinding and ClusterBinding --- traffic-access-control.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/traffic-access-control.md b/traffic-access-control.md index f57ce31..6131a8b 100644 --- a/traffic-access-control.md +++ b/traffic-access-control.md @@ -78,7 +78,9 @@ connection as well. A `IdentityBinding` grants access for a specific identity to the rules in a TrafficTarget. It holds a list of subjects (service accounts for now) and a -reference to the traffic target defining what has been granted. +reference to the traffic target defining what has been granted. The TrafficTarget +which is referenced in targetRef should always be in the same namespace +as the IdentityBinding. ```yaml kind: IdentityBinding @@ -154,7 +156,8 @@ protected label. A `ClusterIdentityBinding` grants access for a specific identity, originating in a specific namespace, to a ClusterTrafficTarget associated with pods in any -namespace. +namespace. The ClusterTrafficTarget referenced by targetRef should always be in +the same namespace as the ClusterIdentityBinding. ```yaml kind: ClusterIdentityBinding From aaef7d5eed85428228a763c5249f3a094278b5ba Mon Sep 17 00:00:00 2001 
From: Nicholas Jackson Date: Thu, 9 May 2019 18:12:23 +0100 Subject: [PATCH 4/4] Added namespace to allow selection from CRD --- traffic-access-control.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/traffic-access-control.md b/traffic-access-control.md index 6131a8b..176e530 100644 --- a/traffic-access-control.md +++ b/traffic-access-control.md @@ -22,7 +22,7 @@ as an expression with `matchExpressions`. Rules are [traffic specs](traffic-specs.md) that define what traffic for specific protocols would look like. The kind can be different depending on what -traffic a target is serving. In the following examples, `HTTPRoutes` is used for +traffic a target is serving. In the following examples, `HTTPRouteGroup` is used for applications serving HTTP based traffic. To understand how this all fits together, first define the routes for some @@ -30,7 +30,7 @@ traffic. ```yaml apiVersion: v1beta1 -kind: HTTPRoutes +kind: HTTPRouteGroup metadata: name: the-routes matches: @@ -58,8 +58,9 @@ selector: app: foo port: 8080 rules: -- kind: HTTPRoutes +- kind: HTTPRouteGroup name: the-routes + namespace: default matches: - metrics ``` @@ -78,9 +79,7 @@ connection as well. A `IdentityBinding` grants access for a specific identity to the rules in a TrafficTarget. It holds a list of subjects (service accounts for now) and a -reference to the traffic target defining what has been granted. The TrafficTarget -which is referenced in targetRef should always be in the same namespace -as the IdentityBinding. +reference to the traffic target defining what has been granted. ```yaml kind: IdentityBinding @@ -95,6 +94,7 @@ subjects: targetRef: kind: TrafficTarget name: path-specific + namespace: default ``` This example grants the ability to access the `/metrics` route to any client 
@@ -115,9 +115,10 @@ metadata: subjects: - kind: Group name: system:unauthenticated -roleRef: +targetRef: kind: TrafficTarget name: path-specific + namespace: default ``` This example allows any unauthenticated client access to the rules defined in @@ -156,8 +157,7 @@ protected label. A `ClusterIdentityBinding` grants access for a specific identity, originating in a specific namespace, to a ClusterTrafficTarget associated with pods in any -namespace. The ClusterTrafficTarget referenced by targetRef should always be in -the same namespace as the ClusterIdentityBinding. +namespace. ```yaml kind: ClusterIdentityBinding @@ -172,6 +172,7 @@ subjects: targetRef: kind: ClusterTrafficTarget name: metrics-scrape + namespace: default ``` Continuing with the Prometheus example from above, it is possible to have a
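Review bot: In traffic-specs.md, hunk @@ -51,7 +51,7 @@ (patches 1/4 and 2/4), the filters example keeps `apiVersion: v1beta1` directly above the renamed `kind`, while the first example in hunk @@ -12,14 +12,14 @@ declares `apiVersion: specs.smi-spec.io/v1alpha1` for the same kind. Since the `kind` line is being edited anyway, align the two examples on one group and version so a copied manifest matches the documented resource.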
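Review bot: Both sentences added in patch 3/4 (hunks @@ -78,7 +78,9 @@ and @@ -154,7 +156,8 @@ of traffic-access-control.md) are deleted again by patch 4/4, so the series should either drop 3/4 or keep the constraint. If the constraint stays, "should always" leaves it unclear whether a cross-namespace `targetRef` is invalid or merely discouraged; say "must" if it is a requirement.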
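Review bot: The `HTTPRoutes` to `HTTPRouteGroup` edits in hunks @@ -22,7 +22,7 @@ and @@ -30,7 +30,7 @@ of patch 4/4 belong to the rename, not to "Added namespace to allow selection from CRD"; move them into 2/4 so traffic-access-control.md is not left on the old kind between patches. Likewise 2/4 rewrites every line that 1/4 touched, so 1/4 can be squashed into it and the intermediate `HTTPRoute` name never appears in history.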
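Review bot: The new `namespace: default` key under `rules` in hunk @@ -58,8 +58,9 @@ of patch 4/4 appears only in the YAML; no prose in the patch explains it. Document whether the field is required, what applies when it is omitted, and whether a TrafficTarget may reference an HTTPRouteGroup from a namespace other than its own.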
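Review bot: After hunk @@ -78,9 +79,7 @@ of patch 4/4 the document no longer says whether an IdentityBinding may reference a TrafficTarget in another namespace: the same-namespace sentence is removed and `targetRef` gains `namespace: default` (hunk @@ -95,6 +94,7 @@) with no replacement rule. For an access-control resource this has to be explicit; add a sentence stating whether a cross-namespace `targetRef` is allowed and, if it is, who is expected to be authorised to create such a binding.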
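Review bot: The `roleRef:` to `targetRef:` correction in hunk @@ -115,9 +115,10 @@ of patch 4/4 is a fix to the example that is independent of the namespace change and is not mentioned in the commit subject. Put it in its own commit or name it in the message; this is the manifest that binds `system:unauthenticated`, so its history is worth keeping easy to follow.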
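Review bot: In hunk @@ -172,6 +172,7 @@ of patch 4/4, `namespace: default` is added to a `targetRef` of kind `ClusterTrafficTarget`, while the surrounding text describes that kind as "associated with pods in any namespace". State what a namespace on this reference selects, or leave the field out of the cluster-level example if the kind is not namespaced.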