From 460b6ec560094733f00266a1bdd67c730de7789c Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Fri, 10 Nov 2023 13:32:19 -0800 Subject: [PATCH] Add IamAuthPolicy doc --- docs/reference/iam-auth-policy.md | 211 ++++++++++++++++++++++++++++++ 1 file changed, 211 insertions(+) create mode 100644 docs/reference/iam-auth-policy.md diff --git a/docs/reference/iam-auth-policy.md b/docs/reference/iam-auth-policy.md new file mode 100644 index 00000000..7f0e8ea1 --- /dev/null +++ b/docs/reference/iam-auth-policy.md @@ -0,0 +1,211 @@ +# IAMAuthPolicy API Reference + +## Introduction + +VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a specified principal has access to a group of services or specific service (AuthZ). +By attaching Kubernetes IAMAuthPolicy CRD to the k8s gateway or k8s route, you could apply auth policy to corresponding VPC Lattice service network or VPC Lattice service that you want to control access. +Please check [VPC Lattice auth policy documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) for more details. + +[This article](https://aws.amazon.com/blogs/containers/implement-aws-iam-authentication-with-amazon-vpc-lattice-and-amazon-eks/) is also a good reference to understand how VPC Lattice auth policy works in the kubernetes. + +## API Specification + +

IAMAuthPolicy

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ metadata
+ + + Kubernetes meta/v1.ObjectMeta + + +
+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec
+ + + IAMAuthPolicySpec + + +
+
+
+ + + + + + + + + +
+ policy
+ + string + +
+

IAM auth policy content. It is a JSON string that uses the same syntax as AWS IAM policies. Please check the VPC Lattice documentation to get the common elements in an auth policy

+
+ targetRef
+ + sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + +
+

TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached.

+

This field is following the guidelines of Kubernetes Gateway API policy attachment.

+
+
+ status
+ + + IAMAuthPolicyStatus + + +
+

Status defines the current state of IAMAuthPolicy.

+
+

IAMAuthPolicySpec

+

+ (Appears on:IAMAuthPolicy) +

+
+

IAMAuthPolicySpec defines the desired state of IAMAuthPolicy. + When the controller handles IAMAuthPolicy creation, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to AWS_IAM and attach this policy. + When the controller handles IAMAuthPolicy deletion, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to NONE and detach this policy. +

+
+ + + + + + + + + + + + + + + + + +
FieldDescription
+ policy
+ + string + +
+

IAM auth policy content. It is a JSON string that uses the same syntax as AWS IAM policies. Please check the VPC Lattice documentation to get the common elements in an auth policy

+
+ targetRef
+ + sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + +
+

TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached.

+

This field is following the guidelines of Kubernetes Gateway API policy attachment.

+
+

IAMAuthPolicyStatus

+

+ (Appears on:IAMAuthPolicy) +

+
+

IAMAuthPolicyStatus defines the observed state of IAMAuthPolicy.

+
+ + + + + + + + + + + + + +
FieldDescription
+ conditions
+ + + []Kubernetes meta/v1.Condition + + +
+ (Optional) +

Conditions describe the current conditions of the IAMAuthPolicy.

+

Implementations should prefer to express Policy conditions + using the PolicyConditionType and PolicyConditionReason + constants so that operators and tools can converge on a common + vocabulary to describe IAMAuthPolicy state. +

+

Known condition types are:

+
    +
  • “Accepted”
  • +
  • “Ready”
  • +
+
+ + +## IAMAauthPolicy Example + +```yaml +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: IAMAuthPolicy +metadata: + name: test-iam-auth-policy +spec: + targetRef: + group: "gateway.networking.k8s.io" + kind: HTTPRoute + name: my-route + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "vpc-lattice-svcs:Invoke", + "Resource": "*", + "Condition": { + "StringEquals": { + "vpc-lattice-svcs:RequestHeader/header1": "value1" + } + } + } + ] + } +``` + +If you create the above IAMAuthPolicy in the k8s cluster, the `my-route` (and it's corresponding VPC Lattice service) will be attached with the given IAM auth policy. Only HTTP traffic with header `header1:value1` will be allowed to access the my-route(and it's corresponding VPC Lattice service). Please check the [VPC Lattice documentation]("https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-common-elements) to get the detail on how lattice auth policy work. + + +
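Review bot: the IAMAuthPolicySpec description states that deleting an IAMAuthPolicy sets the target's auth_type back to NONE, but the document never spells out the consequence: removing the policy does not fall back to deny, it switches IAM authorization off for that VPC Lattice service or service network entirely. A sentence in the Introduction or beside the example saying that deletion re-opens the target to unauthenticated traffic would help operators treat policy removal as a privileged change rather than a routine cleanup. Related, the example grants `"Principal": "*"` gated only by a `vpc-lattice-svcs:RequestHeader/header1` match; because a request header is set by the caller, the text should say this condition selects traffic, it does not authenticate anyone, and that production policies should restrict Principal to known IAM identities. Smaller fixes in the same hunk: the heading `## IAMAauthPolicy Example` has a typo (should be `IAMAuthPolicy`), `it's corresponding` should read `its corresponding` in both places, and the final link `[VPC Lattice documentation]("https://docs.aws.amazon.com/...` carries a stray double quote inside the parentheses, so it will not render as a markdown link.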