Replies: 9 comments
-
Great question! TLDR, we're following Kubernetes guidance on this one. I used to have a good explanation of why they did that, but my google-fu is failing me this morning. The use case you're mentioning is super important and there's a discussion in the spec about how to do that (at least for metrics). You'd add a allow all policy to your cluster either at install time by default or when the access control was enabled. By doing this as configuration, instead of as part of the spec is that it is explicit, auditable and easy to debug. In addition to that, here's my reasons for wanting it to be only additive:
|
Beta Was this translation helpful? Give feedback.
-
@grampelberg - thanks for the explanation. I took a look at the metrics spec but couldnt find it. Maybe its hidden somewhere and i missed it.
I had some follow up questions
|
Beta Was this translation helpful? Give feedback.
-
Yup, mesh creation. The install of the mesh would add a Traffic Control Policy that is permissive. When a user decides that they'd lock things down, they'd slowly make the initial policy less and less permissive while adding more specific configuration.
You could do it that way I guess. I was just thinking of optionally installing the original permissive policy. For folks who want it locked down from the beginning, during mesh installation they could just skip the permissive policy. |
Beta Was this translation helpful? Give feedback.
-
@grampelberg Is there a permissive policy available in SMI or is this just an idea at this moment? |
Beta Was this translation helpful? Give feedback.
-
We could probably make it easier, but this works for now:
|
Beta Was this translation helpful? Give feedback.
-
@grampelberg - one concern i had was the following - since we are deny all to begin with and need a policy such as the above to become allow-all, keeping up with the addition of new services and service accounts would be challenging. It will require a lot of sidecar proxy configuration just for one service addition. Wouldnt this become a perf problem then? |
Beta Was this translation helpful? Give feedback.
-
You'll get performance issues pretty much no matter which way you go on this one, though that'll be primarily RSS related performance issues and not inline latency. That said, I think we could change that spec around a little to make the permissive policies less specific. |
Beta Was this translation helpful? Give feedback.
-
Isnt the above proposal pretty generic already for the permissive policy? What did you have in mind? |
Beta Was this translation helpful? Give feedback.
-
@aanandr I was thinking we could do some wildcards like k8s RBAC does. |
Beta Was this translation helpful? Give feedback.
-
The Traffic Access Control spec (https://github.com/servicemeshinterface/smi-spec/blob/master/traffic-access-control.md#tradeoffs) talks about all traffic being denied by default. I would like to know why. The spec says due to the additive nature but its still not clear to me.
Customers usually want to see what the interactions between various microservices look like before deciding what access control policies to create. We could always allow all traffic to begin with and then later plumb a policy that says a certain service S1 can accept traffic only from S2 and S3 and still achieve restricted access. We dont even need deny policies. In some ways this is how K8S Network Policies work - before you apply the policy all Pods can talk to each other and K8S policies then define ingress and egress allow rules for a Pod.
Beta Was this translation helpful? Give feedback.
All reactions