Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disallow empty AuthPolicies #1034

Merged
merged 1 commit into from
Nov 27, 2024
Merged

Conversation

guicassolato
Copy link
Contributor

@guicassolato guicassolato commented Nov 19, 2024

Verification steps

make local-setup
kubectl -n kuadrant-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta1
kind: Kuadrant
metadata:
  name: kuadrant
spec: {}
EOF

Must all return: The AuthPolicy "gateway-auth" is invalid: spec: Invalid value: "object": At least one spec.rules must be defined

kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
EOF
kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  rules: {}
EOF
kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  rules:
    authentication: {}
EOF

Must return: The AuthPolicy "gateway-auth" is invalid: spec: Invalid value: "object": At least one spec.defaults.rules must be defined

kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  defaults: {}
EOF

Must return: The AuthPolicy "gateway-auth" is invalid: spec: Invalid value: "object": At least one spec.overrides.rules must be defined

kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  overrides: {}
EOF

Must all succeed:

kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  rules:
    authentication:
      no-auth:
        anonymous: {}
EOF
kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  rules:
    authorization:
      denyAll:
        opa:
          rego: allow = false
EOF
kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  defaults:
    rules:
      authorization:
        denyAll:
          opa:
            rego: allow = false
EOF
kubectl apply -n gateway-system -f -<<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: gateway-auth
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway
  overrides:
    rules:
      authorization:
        denyAll:
          opa:
            rego: allow = false
EOF

Copy link

codecov bot commented Nov 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.77%. Comparing base (cc1b41f) to head (3c86f02).
Report is 55 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1034      +/-   ##
==========================================
+ Coverage   76.15%   83.77%   +7.62%     
==========================================
  Files         111       81      -30     
  Lines        8986     6694    -2292     
==========================================
- Hits         6843     5608    -1235     
+ Misses       1852      868     -984     
+ Partials      291      218      -73     
Flag Coverage Δ
bare-k8s-integration 15.70% <ø> (+4.82%) ⬆️
controllers-integration 76.29% <ø> (+17.43%) ⬆️
envoygateway-integration 40.72% <ø> (+8.21%) ⬆️
gatewayapi-integration 16.08% <ø> (+2.64%) ⬆️
istio-integration 43.65% <ø> (+9.32%) ⬆️
unit 18.12% <ø> (-7.24%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
api/v1beta1 (u) 90.00% <100.00%> (-2.19%) ⬇️
api/v1beta2 (u) ∅ <ø> (∅)
pkg/common (u) ∅ <ø> (∅)
pkg/istio (u) 62.06% <ø> (+15.03%) ⬆️
pkg/log (u) 93.18% <ø> (ø)
pkg/reconcilers (u) 24.67% <ø> (∅)
pkg/rlptools (u) ∅ <ø> (∅)
controllers (i) 86.66% <90.18%> (+2.24%) ⬆️
Files with missing lines Coverage Δ
api/v1/authpolicy_types.go 86.55% <ø> (ø)

... and 38 files with indirect coverage changes

@guicassolato guicassolato force-pushed the empty-authpolicy-not-allowed branch 2 times, most recently from 50bb948 to 8f19232 Compare November 19, 2024 16:02
@maleck13
Copy link
Collaborator

@guicassolato what is the priority of this in your mind? Is it a must for v1?

@guicassolato guicassolato force-pushed the empty-authpolicy-not-allowed branch 2 times, most recently from 2784176 to 821e9cd Compare November 26, 2024 11:35
@guicassolato guicassolato marked this pull request as ready for review November 26, 2024 11:53
@guicassolato guicassolato marked this pull request as draft November 26, 2024 12:02
@guicassolato
Copy link
Contributor Author

@guicassolato what is the priority of this in your mind? Is it a must for v1?

I think I replied about this on Slack, but for the record...

This is mainly for consistency with the RateLimitPolicy.

Until then, an AuthPolicy without any rules is reported as not in the path to any existing routes and indeed not enforced. This is not very helpful, especially in face of the defaults otherwise implemented by Authorino for the AuthConfig CRs, where an empty spec falls back to anonymous access.

For Kuadrant, we want policies to be more explicit and contain at least one rule.

@guicassolato guicassolato force-pushed the empty-authpolicy-not-allowed branch 3 times, most recently from 65b39dd to 9e0430b Compare November 26, 2024 14:52
Signed-off-by: Guilherme Cassolato <guicassolato@gmail.com>
@guicassolato guicassolato force-pushed the empty-authpolicy-not-allowed branch from 9e0430b to 3c86f02 Compare November 26, 2024 15:10
@guicassolato guicassolato marked this pull request as ready for review November 26, 2024 16:28
@maleck13
Copy link
Collaborator

Verified. Changes look good. Shame the validation has to be so complex takes a while when reading it but it is what we have to work with.

/lgtm

@guicassolato guicassolato merged commit 877a742 into main Nov 27, 2024
34 checks passed
@guicassolato guicassolato deleted the empty-authpolicy-not-allowed branch November 27, 2024 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

2 participants