public/policy-generator
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

emojivoto is working.

Browse Source 
But... need to do major rework

only a single networkauthentication may be set
the required authenticationRefs in the authorization policy are anded
together so we should use a separate authorization policy for each
communication link
This commit is contained in:
Erik Brakkee 2025-01-25 12:44:01 +01:00
parent 56398027b7
commit cd4023f5ce
3 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
cmd/policygen/linkerd_generator.go
View File

@ -3,9 +3,12 @@ package main
import ( import (
"fmt" "fmt"
"io" "io"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"os" "os"
"slices" "slices"
"strconv" "strconv"
"strings"
) )
type LinkerdPolicyGenerator struct { type LinkerdPolicyGenerator struct {
@ -104,7 +107,7 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
// linkerd rules // linkerd rules
// 1. an authpolicy may contain only one meshtlsauthentication rule // 1. an authpolicy may contain only one meshtlsauthentication rule
// 2. an authpolicy may contain only one service account . // 2. an authpolicy may contain only one service account .
// 3. an authpolicy may contain more than one networkauthentication // 3. an authpolicy may contain only one networkauthentication
// //
// Should generate here a methtlsautheorization for every port // Should generate here a methtlsautheorization for every port
// and pass in a list of service accounts instead of a list of apps. // and pass in a list of service accounts instead of a list of apps.
@ -136,13 +139,24 @@ func (g *LinkerdPolicyGenerator) GenerateCommunicationRule(
return nil return nil
} }
func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []string { func (g *LinkerdPolicyGenerator) serviceAccounts(peers []*ApplicationPeer) []v1.ServiceAccount {
serviceAccounts := []string{} serviceAccounts := []v1.ServiceAccount{}
for _, peer := range peers { for _, peer := range peers {
serviceAccounts = append(serviceAccounts, peer.Application.ServiceAccounts...) for _, sa := range peer.Application.ServiceAccounts {
serviceAccounts = append(serviceAccounts, v1.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: sa,
Namespace: peer.Application.Namespace.Name,
},
})
}
} }
slices.Sort(serviceAccounts) slices.SortFunc(serviceAccounts, func(s1 v1.ServiceAccount, s2 v1.ServiceAccount) int {
return slices.Compact(serviceAccounts) return strings.Compare(s1.Namespace+"/"+s1.Name, s2.Namespace+"/"+s2.Name)
})
return slices.CompactFunc(serviceAccounts, func(s1, s2 v1.ServiceAccount) bool {
return s1.Namespace == s2.Namespace && s1.Name == s2.Name
})
} }
func (g *LinkerdPolicyGenerator) Finalize(writer io.Writer) error { func (g *LinkerdPolicyGenerator) Finalize(writer io.Writer) error {

5
cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
View File

@ -2,12 +2,13 @@
apiVersion: policy.linkerd.io/v1alpha1 apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication kind: MeshTLSAuthentication
metadata: metadata:
name: {{ .app.Name }}-{{.port}} name: {{ .app.Name }}-p{{.port}}
namespace: {{ .app.Namespace.Name }} namespace: {{ .app.Namespace.Name }}
spec: spec:
identityRefs: identityRefs:
{{- range $sa := .serviceAccounts }} {{- range $sa := .serviceAccounts }}
- kind: ServiceAccount - kind: ServiceAccount
name: {{ $sa }} name: {{ $sa.Name }}
namespace: {{ $sa.Namespace }}
{{- end }} {{- end }}

2
cmd/policygen/templates/linkerd/application/server.yaml
View File

@ -1,7 +1,7 @@
{{- range $port := .Ports }} {{- range $port := .Ports }}
{{- if or (eq $port.Protocol "TCP") (not $port.Protocol) }} {{- if or (eq $port.Protocol "TCP") (not $port.Protocol) }}
--- ---
apiVersion: policy.linkerd.io/v1beta1 apiVersion: policy.linkerd.io/v1beta3
kind: Server kind: Server
metadata: metadata:
name: {{ $.Name }}-p{{ $port.Port }} name: {{ $.Name }}-p{{ $port.Port }}