Update naming and definition for access control

[grampelberg]

Access Control

• Change TrafficRole to TrafficTarget. This is to hopefully clear up that this is authorization and for the target of traffic, not the mutual connection between client and server.
• Move aware from resources to pod selectors. This is to allow a little bit more flexible policy (fit into the canary use case) and make the target definition a little bit more clear. Pods being selected is now explicit instead of the implicit relationship through higher order resources such as deployments.
• Change specs to matches. This feels like a slightly better word and is 1:1 with the new definition in HTTPRoutes.
• Change TrafficRoleBinding to IdentityBinding. This makes it explicit that the binding is an identity and not something else.
• Call out the use of groups a little bit more. This is the best way to do allow all policies and disable identity for some endpoints (via system:unauthenticated).
• Show an example of using matchExpressions to show a TrafficTarget that works for everything (or as close as possible).

Traffic Spec

• Change routes to matches so that the interface can be general across protocols.
• Add filters to allow for matching things other than a URI. This is currently useful for filtering the Host header FQDN/port combination.

[grampelberg]

@slack do these new names and structures make the access control side of this a little more obvious?

@aanandr check out the IdentityBinding section, in particular system:unauthenticated. Does that work for your mesh external use case?

@nicholasjackson this all fits together a little bit better, there were some ugly edge cases that I tripped over earlier today. WDYT?

[grampelberg]

@stefanprodan check out how HTTPRoutes and TrafficTargets work together. The idea is to have a new object that works with HTTPRoutes to apply other types of policy across those routes (retries, timeouts and rate limits). Check out #19 to track the thinking there. Definitely needs some more thought first =)

[slack]

@grampelberg I think this is a lot better.

I was thinking through the typical "client/server" mental model over the weekend, I think that's the thing that makes this hilariously slippery!

The statement "clients have access to services" in SMI becomes "IdentityBindings have permission to TrafficTargets". Would changing IdentityBinding to TrafficSource or TrafficSourceBinding help the mental model?

Otherwise, this is a great improvement over Role-bits. LGTM.

[grampelberg]

I thought about TrafficSource and had a good reason for not going down that route. @olix0r you wouldn't happen to remember would you? I think it didn't work when thinking about other policies like rate limits and retries.

[nicholasjackson]

LGTM

[aanandr]

What does this mean? The target is a service. What does it mean to say that target resides in multiple namespaces?

[grampelberg]

Think global allow policies, there would be multiple things serving traffic and they'd live in multiple namespaces.

[aanandr]

Thanks, that makes sense

[aanandr]

A few questions here

1. How will we handle access definition to multiple such services? Would we create a separate ClusterTrafficTarget spec for each or is the matchexpression rich in terms of accepting lists/wildcards?
2. What is the namespace parameter under "rules" for? So far rules were generic and didnt have any namespace associated with them

[aanandr]

Does such a group (similar to the system one used in this example) have to be created upfront? Would like to understand this a bit more

[aanandr]

Would this be done by playing with the "matches" param a bit and providing an "access all" kind of option in HttpRoutes?

[aanandr]

1. I would like to understand how all this will be used by customers to define access policies for their service mesh. From my understanding it looks like the moment a Policy is defined and applied all communication between all services (both originating from within the cluster and from outside) and destined to the selected service (e.g. "foo" used here) will be blocked except for the ones allowed per the policy. This is a good design but i am also wondering how customers will handle situations where there are many services wanting to talk to a single service. We have a mechanism for talking "TO" multiple services. Do we need one for requests originating "FROM" multiple services and going to a single service?

2. If i want to restrict traffic originating from a Pod/Service and going to an endpoint outside the cluster how do i do that? For e.g., i may want the Pod to be able to access only specific endpoints in my network and residing outside the cluster. I think this has been called out as out of scope below - maybe the solution is something else but bringing up the point here because we are discussing access policies. Would we use Network Policies?

[aanandr]

Ingress Policy kind of touches upon the point i raised earlier

[aanandr]

Wouldnt retries and rate limiting also fall under traffic mgmt/routing?

[aanandr]

This will be very useful, for e.g. tying identity to cloud resident identity providers/services like AAD. But for now K8S service accounts is a good start.

[aanandr]

Cool. I think groups here are addressing the earlier comment i had for not enforcing mTLS for a service for all communication that it terminates