Define access control #16
Conversation
|
@nicholasjackson couple updates to talk through:
Outstanding issues with this current proposal:
There's a couple different ways this all can come together and I'm looking forward to some brainstorming tomorrow morning! |
|
@grampelberg posting this here rather than sending a direct email but here are some thoughts and explanation on Envoy topology. Sorry if this is a little rough, I am multi-tasking while eating dinner. Envoy defines listeners, these generally have two uses:
In terms of object mapping Envoy to This is not 100% exact but it would be pretty easy to map an HTTPService to Envoy configuration objects kind: HTTPService // Envoy Listener
apiVersion: v1beta1
metadata:
name: foo
namespace: default
resources:
# v1.ObjectReference
- kind: Service
name: foo //Envoy cluster
routes:
- name: admin // Envoy route
methods: // Envoy route match
- GET
pathRegex: "/admin/.*" // Envoy route match
- name: default // Envoy route
methods: ["*"]
pathRegex: ".*"With this logical model you could move service to route, it might also make sense to reason about HTTPService, etc as HTTPListener, gRPCListener, TCPListener. Listener or whatever the term is would be a higher level object, not owned by policy but the configuration for the data plane which is yet to be defined. It would be accessed from a TrafficRole like so: kind: TrafficRole
apiVersion: v1beta1
metadata:
name: path-specific
namespace: default
resource:
name: foo
kind: Deployment
subjects:
- kind: HTTPListener
name: admin
routes:
- admin
- defaultThe tradeoff with this approach is that Role would not be able to sub filter a route, i.e. limit a route to a particular subpath or method. This would be achieved by adding an explicitly named route on the higher level listener. The example below defines an Envoy HTTP based public listener, this will be the mTLS ingress to the data plane, generally, this points to a local service. {
"@type": "type.googleapis.com/envoy.api.v2.Listener",
"name": "public_listener:${POD_IP}:20000",
"address": {
"socketAddress": {
"address": "${POD_IP}",
"portValue": 20000
}
},
"filterChains": [
{
"filters": [
{
"name": "envoy.http_connection_manager",
"config": {
"stat_prefix": "ingress_http",
"route_config": {
"name": "local_route",
"virtual_hosts": [
{
"name": "backend",
"domains": ["*"],
"routes": [
{
"match": {
"prefix": "/"
},
"route": {
"cluster": "local_app"
}
}
]
}
]
},
"http_filters": [
{
"name": "envoy.router",
"config": {}
}
]
}
}
]
}
]
}Example cluster definition for a local app (data plane ingress) {
"@type": "type.googleapis.com/envoy.api.v2.Cluster",
"name": "local_app",
"connect_timeout": "5s",
"http2_protocol_options": {},
"hosts": [
{
"socket_address": {
"address": "127.0.0.1",
"port_value": 9090
}
}
]
}Example cluster definition using endpoint discovery service (typically remote service catalog) {
"@type": "type.googleapis.com/envoy.api.v2.Cluster",
"name": "service:emojify-cache",
"type": "EDS",
"http2_protocol_options": {},
"eds_cluster_config": {
"eds_config": {
"ads": {}
}
},
"connect_timeout": "5s" // connection to endpoint not request, request timeout is on route
} |
|
Alright, new update:
|
|
@nicholasjackson I think I covered everything we chatted about this morning. Let's cover in the call tomorrow. |
|
@grampelberg Awesome, I think this is looking pretty good to merge. I think there is one addition I need for my implementation but let's get this merged I can raise a PR separately for this. |
|
@nicholasjackson there's definitely some more things I want to add as well. I'm into the merge and iterate idea. Let's make sure everyone's happy with the renaming and then merge later today. I'm interested in what else you'll need =) |
grampelberg
force-pushed
the
grampelberg/policy
branch
from
ac5ffdd to
b9d385d
Compare
|
Reached consensus on merging this out of band. |
Supersedes #13.