Skip to content
This repository has been archived by the owner on Oct 20, 2023. It is now read-only.

New Resource: IdentityBinding #248

Merged
merged 4 commits into from
May 4, 2022
Merged

New Resource: IdentityBinding #248

merged 4 commits into from
May 4, 2022

Conversation

keithmattix
Copy link
Contributor

@keithmattix keithmattix commented Mar 13, 2022
edited
Loading

This PR adds a new TrafficAccess resource: IdentityBinding. Note that a new release with this change would advance TrafficAccess to v1alpha4 and modify TrafficTarget to accept a(n) (optional) group along with a kind for source and destination resouces.

@keithmattix keithmattix force-pushed the feature/identitybinding branch 2 times, most recently from 78d3639 to 0f2fd35 Compare March 14, 2022 01:34
@keithmattix
New Resource: IdentityBinding
c70e90d 
Signed-off-by: Keith Mattix II <[email protected]>
@keithmattix keithmattix force-pushed the feature/identitybinding branch from 0f2fd35 to c70e90d Compare March 14, 2022 01:43
mikemorris
mikemorris reviewed Mar 17, 2022
View reviewed changes
apis/traffic-access/v1alpha4/traffic-access.md Outdated Show resolved Hide resolved
apis/traffic-access/v1alpha4/traffic-access.md Outdated Show resolved Hide resolved
apis/traffic-access/v1alpha4/traffic-access.md
Comment on lines +349 to +352
- Other types of policy - having policy around retries, timeouts and rate limits
would be great. This specific object only manages access control. As policy
for these examples would be HTTP specific, there needs to be a HTTP specific
policy object created.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A resource like https://gateway-api.sigs.k8s.io/v1alpha2/references/policy-attachment/ might be a reasonable way of handling this in the future?

apis/traffic-access/v1alpha4/traffic-access.md
Comment on lines +344 to +347
- Ingress policy - assuming clients present the correct identity, this *should*
work for some kind of ingress. Unfortunately, it does not cover many of the
common use cases (filtering by hostname) and will need to be expanded to cover
this use case.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This might be a relevant case to consider proposing TrafficTarget at some point in the future (maybe with a different name to better reflect its authorization purpose?) as an extension to the Kubernetes Gateway API, which I believe intends to support some forms of authentication, but AFAIK doesn't yet have any way of representing those (JWT identity is probably something that would be desirable to add at that point).

apis/traffic-access/v1alpha4/traffic-access.md Outdated Show resolved Hide resolved
@keithmattix
Make serviceAccount and podLabelSelector mutually exclusive
2340800 
Also add some clarification around security model

Signed-off-by: Keith Mattix II <[email protected]>
@keithmattix keithmattix force-pushed the feature/identitybinding branch from 33d7527 to 2340800 Compare March 25, 2022 17:42
@keithmattix keithmattix requested review from stefanprodan and removed request for stefanprodan March 25, 2022 17:42
nicholasjackson
nicholasjackson previously approved these changes Mar 26, 2022
View reviewed changes
Copy link
Collaborator

@nicholasjackson nicholasjackson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great Keith

stefanprodan
stefanprodan previously approved these changes Mar 28, 2022
View reviewed changes
Copy link
Contributor

@stefanprodan stefanprodan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @keithmattix 🏅

@keithmattix
Limit to 1 podLabelSelector
4314b5f 
Multiple podLabelSelectors doesn't seem necessary and the semantics
around such configuration are confusing. If the need arises for
multiple selectors, we can reconsider, but let's keep it simple
for now

Signed-off-by: Keith Mattix II <[email protected]>
@keithmattix keithmattix force-pushed the feature/identitybinding branch from 6ef1d7e to 4314b5f Compare March 30, 2022 15:59
@keithmattix keithmattix mentioned this pull request Apr 5, 2022
Merged
bridgetkromhout
bridgetkromhout approved these changes May 4, 2022
View reviewed changes
Copy link
Member

@bridgetkromhout bridgetkromhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@keithmattix keithmattix merged commit 87904c8 into servicemeshinterface:main May 4, 2022
@keithmattix keithmattix deleted the feature/identitybinding branch May 4, 2022 19:02
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@mikemorris mikemorris mikemorris left review comments

@bridgetkromhout bridgetkromhout bridgetkromhout approved these changes

@nicholasjackson nicholasjackson nicholasjackson approved these changes

@stefanprodan stefanprodan stefanprodan left review comments

@grampelberg grampelberg Awaiting requested review from grampelberg grampelberg is a code owner

@lachie83 lachie83 Awaiting requested review from lachie83 lachie83 is a code owner

@leecalcote leecalcote Awaiting requested review from leecalcote leecalcote is a code owner

@slack slack Awaiting requested review from slack slack is a code owner

@ilevine ilevine Awaiting requested review from ilevine ilevine is a code owner

@mhausenblas mhausenblas Awaiting requested review from mhausenblas mhausenblas is a code owner

@Pothulapati Pothulapati Awaiting requested review from Pothulapati Pothulapati is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@keithmattix @nicholasjackson @mikemorris @bridgetkromhout @stefanprodan