From 894612ad68207376bececa477ee4312f0cda4d22 Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Thu, 13 Aug 2020 10:36:57 +0300 Subject: [PATCH 1/8] Add TCP/UDP port matching to specs/v1alpha4 Signed-off-by: stefanprodan --- apis/traffic-specs/traffic-specs-WD.md | 48 +++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/apis/traffic-specs/traffic-specs-WD.md b/apis/traffic-specs/traffic-specs-WD.md index b6d79d7..3ed6a91 100644 --- a/apis/traffic-specs/traffic-specs-WD.md +++ b/apis/traffic-specs/traffic-specs-WD.md @@ -137,14 +137,54 @@ to any path and all HTTP methods. ### TCPRoute -This resource is used to describe L4 TCP traffic. It is a simple route which configures -an application to receive raw non protocol specific traffic. +This resource is used to describe L4 TCP traffic for a list of ports. ```yaml kind: TCPRoute metadata: - name: tcp-route -spec: {} + name: the-routes +spec: + matches: + ports: + - 3306 + - 6446 +``` + +When matching ports are not specified, the TCP route will match all the ports of a Kubernetes service: + +```yaml +kind: TCPRoute +metadata: + name: the-routes +spec: + matches: + ports: [] +``` + +### UDPRoute + +This resource is used to describe L4 UDP traffic for a list of ports. + +```yaml +kind: UDPRoute +metadata: + name: the-routes +spec: + matches: + ports: + - 989 + - 990 +``` + +When matching ports are not specified, the UDP route will match all the ports of a Kubernetes service: + +```yaml +kind: UDPRoute +metadata: + name: the-routes +spec: + matches: + ports: [] ``` ## Automatic Generation From 8008055c7f469a8acd5cf38fe78f24ebc93d8559 Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Thu, 13 Aug 2020 10:38:40 +0300 Subject: [PATCH 2/8] Add TCP/UDP routes to access/v1alpha3 Replace 'destination.port' with TCP/UDPRoute 'matches.ports' Signed-off-by: stefanprodan --- apis/traffic-access/traffic-access-WD.md | 79 ++++++++++++++++++++++-- 1 file changed, 73 insertions(+), 6 deletions(-) 
diff --git a/apis/traffic-access/traffic-access-WD.md b/apis/traffic-access/traffic-access-WD.md index 5f42ab9..67d2721 100644 --- a/apis/traffic-access/traffic-access-WD.md +++ b/apis/traffic-access/traffic-access-WD.md @@ -4,7 +4,7 @@ **API Version:** v1alpha3-WD -**Compatible With:** specs.smi-spec.io/v1alpha3 +**Compatible With:** specs.smi-spec.io/v1alpha4 This set of resources allows users to define access control policy for their applications. It is the authorization side of the picture. Authentication should @@ -40,6 +40,14 @@ To understand how this all fits together, first define the routes for some traffic. ```yaml +kind: TCPRoute +metadata: + name: the-routes +spec: + matches: + ports: + - 8080 +--- kind: HTTPRouteGroup metadata: name: the-routes @@ -69,8 +77,9 @@ spec: kind: ServiceAccount name: service-a namespace: default - port: 8080 rules: + - kind: TCPRoute + name: the-routes - kind: HTTPRouteGroup name: the-routes matches: @@ -85,8 +94,8 @@ This example selects all the pods which have the `service-a` `ServiceAccount`. Traffic destined on a path `/metrics` is allowed. The `matches` field is optional and if omitted, a rule is valid for all the matches in a traffic spec (a OR relationship). It is possible for a service to expose multiple ports, -the `port` field allows the user to specify specifically which port traffic -should be allowed on. `port` is an optional element, if not specified, traffic +the TCPRoute/UDPRoute `matches.ports` field allows the user to specify specifically which port traffic +should be allowed on. The `matches.ports` is an optional element, if not specified, traffic will be allowed to all ports on the destination service. Allowing destination traffic should only be possible with permission of the 
@@ -103,13 +112,21 @@ Source identities which are allowed to connect to the destination is defined in the sources list. Only pods which have a `ServiceAccount` which is named in the sources list are allowed to connect to the destination. -## Example Implementation +## Example implementation for L7 The following implementation shows four services api, website, payment and prometheus. It shows how it is possible to write fine grained TrafficTargets which allow access to be controlled by route and source. ```yaml +kind: TCPRoute +metadata: + name: api-service-port +spec: + matches: + ports: + - 8080 +--- kind: HTTPRouteGroup metadata: name: api-service-routes @@ -132,6 +149,8 @@ spec: name: api-service namespace: default rules: + - kind: TCPRoute + name: api-service-port - kind: HTTPRouteGroup name: api-service-routes matches: @@ -150,8 +169,9 @@ spec: kind: ServiceAccount name: api-service namespace: default - port: 8080 rules: + - kind: TCPRoute + name: api-service-port - kind: HTTPRouteGroup name: api-service-routes matches: 
@@ -173,6 +193,53 @@ The previous example would allow the following HTTP traffic: | payments-service | api-service | /api | * | | prometheus | api-service | /metrics | GET | +## Example implementation for L4 + +The following implementation how to define TrafficTargets for allowing TCP and UDP +traffic to specific ports. + +```yaml +kind: TCPRoute +metadata: + name: tcp-ports +spec: + matches: + ports: + - 8301 + - 8302 + - 8300 +--- +kind: UDPRoute +metadata: + name: udp-ports +spec: + matches: + ports: + - 8301 + - 8302 +--- +kind: TrafficTarget +metadata: + name: protocal-specific +spec: + destination: + kind: ServiceAccount + name: server + namespace: default + rules: + - kind: TCPRoute + name: tcp-ports + - kind: UDPRoute + name: udp-ports + sources: + - kind: ServiceAccount + name: client + namespace: default +``` + +Note that the above configuration will allow TCP and UDP traffic to both `8301` and `8302` ports, +but will block UDP traffic to `8300`. + ## Tradeoffs * Additive policy - policy that denies instead of only allows is valuable From c8bc04ba6bd99bdc002f9c614cbbbc2a1e7a773d Mon Sep 17 00:00:00 2001 From: stefanprodan Date: Thu, 13 Aug 2020 10:55:24 +0300 Subject: [PATCH 3/8] Fix formatting Signed-off-by: stefanprodan --- apis/traffic-access/traffic-access-WD.md | 13 +++++++------ apis/traffic-specs/traffic-specs-WD.md | 6 ++++-- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/apis/traffic-access/traffic-access-WD.md b/apis/traffic-access/traffic-access-WD.md index 67d2721..99aa6e2 100644 --- a/apis/traffic-access/traffic-access-WD.md +++ b/apis/traffic-access/traffic-access-WD.md 
@@ -94,8 +94,9 @@ This example selects all the pods which have the `service-a` `ServiceAccount`. Traffic destined on a path `/metrics` is allowed. The `matches` field is optional and if omitted, a rule is valid for all the matches in a traffic spec (a OR relationship). It is possible for a service to expose multiple ports, -the TCPRoute/UDPRoute `matches.ports` field allows the user to specify specifically which port traffic -should be allowed on. The `matches.ports` is an optional element, if not specified, traffic +the TCPRoute/UDPRoute `matches.ports` field allows the user to specify +specifically which port traffic should be allowed on. +The `matches.ports` is an optional element, if not specified, traffic will be allowed to all ports on the destination service. Allowing destination traffic should only be possible with permission of the @@ -195,8 +196,8 @@ The previous example would allow the following HTTP traffic: ## Example implementation for L4 -The following implementation how to define TrafficTargets for allowing TCP and UDP -traffic to specific ports. +The following implementation shows how to define TrafficTargets for +allowing TCP and UDP traffic to specific ports. ```yaml kind: TCPRoute @@ -237,8 +238,8 @@ spec: namespace: default ``` -Note that the above configuration will allow TCP and UDP traffic to both `8301` and `8302` ports, -but will block UDP traffic to `8300`. +Note that the above configuration will allow TCP and UDP traffic to +both `8301` and `8302` ports, but will block UDP traffic to `8300`. ## Tradeoffs diff --git a/apis/traffic-specs/traffic-specs-WD.md b/apis/traffic-specs/traffic-specs-WD.md index 3ed6a91..ee56692 100644 --- a/apis/traffic-specs/traffic-specs-WD.md +++ b/apis/traffic-specs/traffic-specs-WD.md 
@@ -150,7 +150,8 @@ spec: - 6446 ``` -When matching ports are not specified, the TCP route will match all the ports of a Kubernetes service: +When matching ports are not specified, +the TCP route will match all the ports of a Kubernetes service: ```yaml kind: TCPRoute @@ -176,7 +177,8 @@ spec: - 990 ``` -When matching ports are not specified, the UDP route will match all the ports of a Kubernetes service: +When matching ports are not specified, +the UDP route will match all the ports of a Kubernetes service: ```yaml kind: UDPRoute From 5ea7e93b29d4580ea615d0508d28a6ae0094a19a Mon Sep 17 00:00:00 2001 From: Patrice Krakow Date: Tue, 29 Sep 2020 21:55:41 +0200 Subject: [PATCH 4/8] Align the structure of the 4 APIs Signed-off-by: Patrice Krakow --- apis/traffic-access/traffic-access-WD.md | 6 +++--- apis/traffic-metrics/traffic-metrics-WD.md | 6 +++--- apis/traffic-specs/traffic-specs-WD.md | 2 +- apis/traffic-split/traffic-split-WD.md | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/apis/traffic-access/traffic-access-WD.md b/apis/traffic-access/traffic-access-WD.md index 5f42ab9..23923fd 100644 --- a/apis/traffic-access/traffic-access-WD.md +++ b/apis/traffic-access/traffic-access-WD.md @@ -4,7 +4,9 @@ **API Version:** v1alpha3-WD -**Compatible With:** specs.smi-spec.io/v1alpha3 +**Compatible with:** specs.smi-spec.io/v1alpha4-WD + +## Specification This set of resources allows users to define access control policy for their applications. It is the authorization side of the picture. Authentication should @@ -13,8 +15,6 @@ already be handled by the underlying implementation and surfaced through a subje Access control in this specification is additive, all traffic is denied by default. See [tradeoffs](#tradeoffs) for a longer discussion about why. -## Specification - ### TrafficTarget A `TrafficTarget` associates a set of traffic definitions (rules) with a 
diff --git a/apis/traffic-metrics/traffic-metrics-WD.md b/apis/traffic-metrics/traffic-metrics-WD.md index ff41e39..fb5754e 100644 --- a/apis/traffic-metrics/traffic-metrics-WD.md +++ b/apis/traffic-metrics/traffic-metrics-WD.md @@ -4,7 +4,7 @@ **API Version:** v1alpha2-WD -## Specfication +## Specification This specification describes a resource that provides a common integration point for tools that can benefit by consuming metrics related to HTTP traffic. @@ -51,7 +51,7 @@ are two main ways to query the API for metrics: * A sub-resource allows querying for all the edges associated with a specific resource. -## Specification +### TrafficMetrics The core resource is `TrafficMetrics`. It references a `resource`, has an `edge` and surfaces latency percentiles and request volume. @@ -441,7 +441,7 @@ targets pods with an Envoy sidecar and periodically requests rules and force integrations to query those directly. This feels like it increases the bar for metrics stores to change their internal configuration around to support this specification. There is also not a multi-tenant story - for Prometheus series visibility that maps across Kuberenetes RBAC. From the + for Prometheus series visibility that maps across Kubernetes RBAC. From the other side, consumers of these metrics will have to do discovery of Prometheus' location in the cluster and do some kind of queries to surface the data that they need. diff --git a/apis/traffic-specs/traffic-specs-WD.md b/apis/traffic-specs/traffic-specs-WD.md index b6d79d7..b3cf3f3 100644 --- a/apis/traffic-specs/traffic-specs-WD.md +++ b/apis/traffic-specs/traffic-specs-WD.md @@ -2,7 +2,7 @@ **API Group:** specs.smi-spec.io -**Version:** v1alpha4-WD +**API Version:** v1alpha4-WD ## Specification diff --git a/apis/traffic-split/traffic-split-WD.md b/apis/traffic-split/traffic-split-WD.md index c6dfe86..afaf373 100644 --- a/apis/traffic-split/traffic-split-WD.md +++ b/apis/traffic-split/traffic-split-WD.md 
@@ -4,7 +4,7 @@ **API Version:** v1alpha4-WD -**Compatible with:** specs.smi-spec.io/v1alpha3 +**Compatible with:** specs.smi-spec.io/v1alpha4-WD ## Specification From 8378df7c6479569ce4f2a5ecd2178e9f74efbd59 Mon Sep 17 00:00:00 2001 From: kevinpollet Date: Wed, 21 Oct 2020 11:18:15 +0200 Subject: [PATCH 5/8] Rename maesh to traefik mesh in readme Signed-off-by: kevinpollet --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d86b56f..274a0fc 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ The following documents are available: * **Flagger:** progressive delivery operator ([flagger.app](https://flagger.app)) * **Istio\*:** connect, secure, control, observe ([servicemeshinterface/smi-adapter-istio](https://github.com/servicemeshinterface/smi-adapter-istio)) * **Linkerd:** ultralight service mesh ([linkerd.io](https://linkerd.io)) -* **Maesh:** simpler service mesh ([mae.sh](https://mae.sh)) +* **Traefik Mesh:** simpler service mesh ([traefik.io/traefik-mesh](https://traefik.io/traefik-mesh)) * **Meshery:** the service mesh management plane ([layer5.io/meshery](https://layer5.io/meshery)) * **Rio:** application deployment engine ([rio.io](https://rio.io)) * **Service Mesh Hub:** unified dashboard ([solo.io/products/service-mesh-hub](https://solo.io/products/service-mesh-hub)) From 6004c3045942a5cf9ddbd91fb493984115cd47b4 Mon Sep 17 00:00:00 2001 From: Michelle Noorali Date: Thu, 22 Oct 2020 14:39:34 -0400 Subject: [PATCH 6/8] Add Michael Hausenblas as maintainer Signed-off-by: Michelle Noorali --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 2751227..4ee1b86 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1 +1 @@ -* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine +* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine @mhausenblas From e3b3c9958485a246864b5b1cb1fa3054e4d2018d Mon Sep 17 00:00:00 2001 From: Michelle Noorali Date: Thu, 22 Oct 2020 18:41:51 -0400 Subject: [PATCH 7/8] Add Tarun Pothulapati as maintainer Signed-off-by: Michelle Noorali --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 4ee1b86..77537ad 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine @mhausenblas +* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine @mhausenblas @pothulapati From 70f301a00e2e80bb1d4040b4566b0289812eddcb Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Wed, 2 Dec 2020 11:44:25 +0200 Subject: [PATCH 8/8] Update setup-node GH action Signed-off-by: Stefan Prodan --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 36ff41f..9b0bccb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -13,7 +13,9 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Setup Node.js - uses: actions/setup-node@v1.1.0 + uses: actions/setup-node@v2-beta + with: + node-version: '12.x' - name: Run lint run: | make lint
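Review bot: The wildcard semantics in the new TCPRoute/UDPRoute sections of patch 1/8 (hunk @@ -137,14 +137,54 @@) conflate two cases: the prose says "When matching ports are not specified, the TCP route will match all the ports of a Kubernetes service", but the example that follows specifies `ports: []`, an explicitly empty list. State whether an omitted `matches`, an omitted `ports`, and `ports: []` are all treated as match-all; an all-ports route is the broadest grant a TrafficTarget can reference, so implementations need to agree on exactly which spellings produce it. The removed sentence "It is a simple route which configures an application to receive raw non protocol specific traffic" was also the only statement that TCPRoute carries no protocol-level matching; consider keeping a version of it.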
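Review bot: The combination rule for mixed-kind rules is undefined after `port: 8080` is dropped from the TrafficTarget in patch 2/8 (hunk @@ -69,8 +77,9 @@). The prose at @@ -85 says a rule is valid for all the matches in a traffic spec "(a OR relationship)", so listing `- kind: TCPRoute` / `name: the-routes` beside `- kind: HTTPRouteGroup` / `name: the-routes` reads as "allow any TCP traffic to 8080 OR allow GET /metrics", which would make the path restriction ineffective. If the intent is that the TCPRoute scopes the port and the HTTPRouteGroup scopes the path (the AND that `port: 8080` expressed), say so explicitly in the paragraph at @@ -85, and state how an HTTPRouteGroup rule with no accompanying TCPRoute should be treated (all ports, as the text implies, or rejected).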
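Review bot: The resource name in the new L4 example of patch 2/8 (hunk @@ -173,6 +193,53 @@) is misspelled: `name: protocal-specific` should be `protocol-specific`; readers copy these manifests, so the typo propagates. In the same hunk, "The following implementation how to define TrafficTargets" is missing its verb, and at @@ -85 "The `matches.ports` is an optional element" reads better as "`matches.ports` is optional"; patch 3/8 fixes the first sentence but not the resource name or the second phrase.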
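Review bot: Patch 4/8 does not apply on top of patches 2/8 and 3/8 as ordered: its traffic-access hunk is based on `index 5f42ab9..23923fd` and rewrites the same "**Compatible With:**" line that patch 2/8 already changed (5f42ab9..67d2721, then 67d2721..99aa6e2 in 3/8), and its traffic-specs hunk is based on b6d79d7, the pre-1/8 blob. Rebase 4/8 onto 3/8 so the series applies with `git am` in order, and pick one spelling of the label ("Compatible With" in 2/8 versus "Compatible with" in 4/8 and in the traffic-split file).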
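Review bot: Pointing "**Compatible with:**" at `specs.smi-spec.io/v1alpha4-WD` in the traffic-split hunk of patch 4/8 (and the matching traffic-access hunk) binds a versioned API document to a working-draft identifier that will change when the specs API is published as v1alpha4; if the WD suffix is intentional for drafts, add these lines to whatever release checklist bumps versions so they are not left pointing at a draft after publication.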
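Review bot: The README list in patch 5/8 (hunk @@ -32,7 +32,7 @@) is alphabetical, and the renamed `* **Traefik Mesh:** simpler service mesh` entry now sits between Linkerd and Meshery; move it to the "T" position after Service Mesh Hub to keep the ordering. Also confirm that `https://traefik.io/traefik-mesh` is the stable landing page, since the old `mae.sh` reference is dropped rather than kept alongside it.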
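Review bot: Patches 6/8 and 7/8 each append one handle to the same single `*` line in CODEOWNERS; squash them into one commit, since they are consecutive edits of one line with parallel subjects. Separately, a `*` owner line means every listed account is requested for review on, and can approve, every file in the repository; if some of the new maintainers own a single API directory, per-path owner lines would express that more narrowly.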
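Review bot: `uses: actions/setup-node@v2-beta` in patch 8/8 (hunk @@ -13,7 +13,9 @@) pins the workflow to a floating pre-release tag; a tag can be moved to new code at any time, so the lint job runs whatever that tag points to on a given day. Pin to a released major tag or, better, to a full commit SHA with the version in a trailing comment, and apply the same to `actions/checkout@v2` in the context lines. The added `node-version: '12.x'` is reasonable for a lint job but should be revisited as Node 12 ages out of support.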