feat: auth policy enforced condition #411
Codecov Report

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #411      +/-   ##
==========================================
- Coverage   66.18%   65.59%   -0.60%
==========================================
  Files          38       38
  Lines        3901     3991      +90
==========================================
+ Hits         2582     2618      +36
- Misses       1131     1179      +48
- Partials      188      194       +6
```
Verification steps work as expected 🎉 After the last step, I've added:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: gw-auth
  namespace: istio-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: istio-ingressgateway
  rules:
    authorization:
      allow-all:
        opa:
          rego: "allow = true"
EOF
```

Then:

```sh
kubectl get authpolicy -A -o wide
kubectl get authpolicy gw-auth -n istio-system -o yaml | yq '.status'
```

```yaml
conditions:
- lastTransitionTime: "2024-02-13T13:23:05Z"
  message: AuthPolicy has been accepted
  reason: Accepted
  status: "True"
  type: Accepted
- lastTransitionTime: "2024-02-13T13:23:05Z"
  message: AuthPolicy is overridden by [{"Namespace":"default","Name":"auth0"}]
  reason: Overridden
  status: "False"
  type: Enforced
observedGeneration: 1
```

```sh
kubectl delete authpolicy auth0
```

```sh
kubectl get authpolicy -A -o wide
kubectl get authpolicy gw-auth -n istio-system -o yaml | yq '.status'
```

```yaml
conditions:
- lastTransitionTime: "2024-02-13T13:23:05Z"
  message: AuthPolicy has been accepted
  reason: Accepted
  status: "True"
  type: Accepted
- lastTransitionTime: "2024-02-13T13:26:34Z"
  message: AuthPolicy has been successfully enforced
  reason: Enforced
  status: "True"
  type: Enforced
observedGeneration: 1
```
// +kubebuilder:printcolumn:name="Accepted",type=string,JSONPath=`.status.conditions[?(@.type=="Accepted")].status`,description="RateLimitPolicy Accepted",priority=2 | ||
// +kubebuilder:printcolumn:name="Enforced",type=string,JSONPath=`.status.conditions[?(@.type=="Enforced")].status`,description="RateLimitPolicy Enforced",priority=2 |
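Review bot: with priority=2 on both printcolumn markers, the Accepted and Enforced columns are printed only under `-o wide`, so a plain `kubectl get` still hides a policy that is accepted but not enforced; consider priority=0 for the Enforced column at least. The Enforced JSONPath also selects only `.status`, so an overridden policy shows a bare False; a further column on `.reason` of the same condition would surface Overridden without a `-o yaml` round trip.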
Though the title says "auth policy", it's good to have this here as well, for completeness 👍
@@ -22,6 +22,7 @@ import ( | |||
"os" | |||
"runtime" | |||
|
|||
"github.com/kuadrant/kuadrant-operator/pkg/common" |
nitpick: I fail to see the logic behind how we group these dependencies. Maybe in another PR we can work on this and give them some order people can reason about. E.g. Kuadrant-controlled packages always grouped together, or layered based on proximity to the Golang std lib.
Yeah, grouping is inconsistent in a few places. I think the main reason, at least for me, for this inconsistency is that these are frequently auto-added by an IDE, which ignores the groups that have already been logically broken up previously. Goland IDE seems to always auto-add a dependency to the first group list after the Golang std libs 🤔
FYI, I had opened a PR to add the openshift goimports to keep module grouping consistent: #415. Backed it out as we seem to already use `goimports` in CI tests, but maybe we could look into it more.
+1
Created #426 to track this
Nice job!
I've tested it again after the last refactoring and it's still working perfectly fine.
Description
Part of #290 Kuadrant/architecture#38
Closes: #349
Add `Enforced` condition type to AuthPolicy.
Verification
Functionality is generally already tested with the integration tests added.
To verify manually instead:
Setup
make local-setup
`Accepted` - `True`
`Enforced` - `False`
`Accepted` - `True`
`Enforced` - `True`
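
The two states shown in the review comment above (Accepted but Overridden, then Enforced) can be checked mechanically, since an accepted AuthPolicy is not necessarily the one in effect. The Go program below is an added example, not code from this PR or from kuadrant-operator: it reads output shaped like `kubectl get authpolicy -A -o json`; the sample JSON, the `pending` policy and the helper name `notEnforced` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample shaped like `kubectl get authpolicy -A -o json`, trimmed to
// the fields read below. "pending" is a made-up policy with no Enforced condition.
const sample = `{"items":[
 {"metadata":{"namespace":"istio-system","name":"gw-auth"},"status":{"conditions":[
  {"type":"Accepted","status":"True","reason":"Accepted"},
  {"type":"Enforced","status":"False","reason":"Overridden",
   "message":"AuthPolicy is overridden by [{\"Namespace\":\"default\",\"Name\":\"auth0\"}]"}]}},
 {"metadata":{"namespace":"default","name":"auth0"},"status":{"conditions":[
  {"type":"Accepted","status":"True"},{"type":"Enforced","status":"True","reason":"Enforced"}]}},
 {"metadata":{"namespace":"default","name":"pending"},"status":{"conditions":[{"type":"Accepted","status":"True"}]}}]}`

type policy struct {
	Metadata struct{ Namespace, Name string }
	Status   struct {
		Conditions []struct{ Type, Status, Reason, Message string }
	}
}

// notEnforced returns "namespace/name: reason (message)" per policy whose Enforced
// condition is not "True"; a missing condition counts as not enforced (fail closed).
func notEnforced(listJSON []byte) ([]string, error) {
	var list struct{ Items []policy }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, p := range list.Items {
		enforced, why := false, "no Enforced condition reported"
		for _, c := range p.Status.Conditions {
			if c.Type == "Enforced" {
				enforced, why = c.Status == "True", c.Reason+" ("+c.Message+")"
			}
		}
		if !enforced {
			out = append(out, p.Metadata.Namespace+"/"+p.Metadata.Name+": "+why)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(notEnforced([]byte(sample)))
}
```
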