Add authorization policy v1beta1 #918
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: yangminzhu If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
443eb7f
to
6b4bab2
Compare
|
Link to istio/istio#12394 for tracking |
There was a problem hiding this comment.
Not commenting on the content - but timing. We are 2 weeks before the 1.2 freeze, and I'm not sure this
API will be implemented and has all the required testing ( perf, stability, etc ) in the remaining time.
At the same time, the existing alpha1 is still not fully automated (AFAIK) and probably has code mauve gaps.
Would it make sense to delay this for 1.3 - and focus on code mauve ?
Even if it may be possible to finish implementation in the remaining 6 working days until freeze - I'm worried it will be rushed and not ready for prod.
If the plan is to have alpha-quality implementation for this - it would be better to focus the remaining time
on testing the stuff prod users use and not confuse users.
|
@costinm |
|
Great, but please hold it until we cut the branch, to avoid confusion. And
to allow people to focus on tests for 1.2 instead of getting distracted, we
have large gaps in auth testing (sds, automating, scale)
…On Fri, May 10, 2019, 17:07 Yangmin Zhu ***@***.***> wrote:
@costinm <https://github.com/costinm>
This is targeted for 1.3 so no rush for 1.2.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#918 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAAUR2Q4KENM5BV2DQYYYALPUYE2PANCNFSM4HLEZVXQ>
.
|
25a45f3
to
9d3b0a5
Compare
e62b8fc
to
e740981
Compare
|
Just to double check, are we waiting for 1.2 release before we check in this PR? |
|
I think we can update the API now, given that the design has been approved? |
43fe5bf
to
459578c
Compare
|
@liminw @pitlv2109 PTAL, thanks. |
There was a problem hiding this comment.
Thanks for the changes.
In the PR description, add reference to the design doc https://docs.google.com/document/d/1diwa9oYVwmLtarXb-kfWPq-Ul3O2Ic3b8Y21Z3R8DzQ.
security/v1beta1/authorization.proto
Outdated
|
|
||
| // $hide_from_docs | ||
| // WorkloadSelector specifies the scope where the authorization policy should be applied to. | ||
| message WorkloadSelector { |
There was a problem hiding this comment.
can you use this opportunity to move the workloadSelector from sidecar and use the same one? I do not want to duplicate the workload selector again. Second, you have a different field in workload selector than what sidecar has, which is not a good UX.
|
+1
…On Thu, Aug 8, 2019 at 8:15 AM Shriram Rajagopalan ***@***.***> wrote:
***@***.**** requested changes on this pull request.
Please reconcile with the workload selector in sidecar/envoyfilters. We
cannot have yet another implementation of workload selector with different
semantics (matchLabels, etc.)..
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#918?email_source=notifications&email_token=AAAUR2TPRUQU7ZHHOQPIAT3QDQ2CRA5CNFSM4HLEZVX2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBAEDUA#pullrequestreview-272646608>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAUR2RG2TATGLR7MU2KMELQDQ2CRANCNFSM4HLEZVXQ>
.
|
|
And preferably use one of the protos and syntax for selector that already
exists - either the one in Sidecar or Envoyfilters.
…On Thu, Aug 8, 2019 at 8:16 AM Costin Manolache ***@***.***> wrote:
+1
On Thu, Aug 8, 2019 at 8:15 AM Shriram Rajagopalan <
***@***.***> wrote:
> ***@***.**** requested changes on this pull request.
>
> Please reconcile with the workload selector in sidecar/envoyfilters. We
> cannot have yet another implementation of workload selector with different
> semantics (matchLabels, etc.)..
>
> —
> You are receiving this because you were assigned.
> Reply to this email directly, view it on GitHub
> <#918?email_source=notifications&email_token=AAAUR2TPRUQU7ZHHOQPIAT3QDQ2CRA5CNFSM4HLEZVX2YY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOCBAEDUA#pullrequestreview-272646608>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/AAAUR2RG2TATGLR7MU2KMELQDQ2CRANCNFSM4HLEZVXQ>
> .
>
|
|
Add @louiscryan @smawson @costinm @rshriram Agree that we should have a single "selector" syntax. Based on Istio Config Model, the following is the only approved "selector" format. Shall we reconcile the existing APIs to move to the agreed syntax? |
|
@rshriram @costinm @liminw I changed to use the WorkloadSelector in Sidecar. We could move the As for Gateway, I would prefer not to change it in this PR. The syntax will change and all code and yaml need to update, and this should be done in a separate PR. |
|
In existing code, there are two different selector definitions. In sidecar In Gateway, Both are different from the agreed on selector definition in Istio config model doc. Either picking one of the definitions above, or following the recommendation in Istio config model, we need a standard selector definition, and use it for all APIs consistently. |
|
/test api-presubmit |
|
Within this PR's scope, I think we have 3 options:
@rshriram @costinm @louiscryan @smawson @liminw I can do any of the above in this PR, could you let me know which one you prefer? Thank you. |
|
I care less about naming. We need consistency. So, if this new "selector" is the answer, then lets go for it. You can change the EnvoyFilter's workloadSelector to this new Selector thing immediately as it has not been released yet. For the gateway, you have a problem. Sidecars would need some deprecation model.. |
This PR adds the authorization v1beta1 API.
Design doc: https://docs.google.com/document/d/1diwa9oYVwmLtarXb-kfWPq-Ul3O2Ic3b8Y21Z3R8DzQ.
istio/istio#12394