From 0a9a758f154a9d5efda7697d753e9dae87af11c1 Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Fri, 10 Nov 2023 13:32:19 -0800 Subject: [PATCH 1/3] Add IamAuthPolicy doc --- docs/reference/iam-auth-policy.md | 212 ++++++++++++++++++++++++++++++ 1 file changed, 212 insertions(+) create mode 100644 docs/reference/iam-auth-policy.md diff --git a/docs/reference/iam-auth-policy.md b/docs/reference/iam-auth-policy.md new file mode 100644 index 00000000..4eb8d933 --- /dev/null +++ b/docs/reference/iam-auth-policy.md @@ -0,0 +1,212 @@ +# IAMAuthPolicy API Reference + +## Introduction + +VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a specified principal has access to a group of services or specific service (AuthZ). +By attaching Kubernetes IAMAuthPolicy CRD to the k8s gateway or k8s route, you could apply auth policy to corresponding VPC Lattice service network or VPC Lattice service that you want to control access. +Please check [VPC Lattice auth policy documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) for more details. + +[This article](https://aws.amazon.com/blogs/containers/implement-aws-iam-authentication-with-amazon-vpc-lattice-and-amazon-eks/) is also a good reference on how to set up VPC Lattice auth policy in the kubernetes. + +## API Specification + +

IAMAuthPolicy

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+ metadata
+ + + Kubernetes meta/v1.ObjectMeta + + +
+ Refer to the Kubernetes API documentation for the fields of the + metadata field. +
+ spec
+ + + IAMAuthPolicySpec + + +
+
+
+ + + + + + + + + +
+ policy
+ + string + +
+

IAM auth policy content. It is a JSON string that uses the same syntax as AWS IAM policies. Please check the VPC Lattice documentation to get the common elements in an auth policy

+
+ targetRef
+ + sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + +
+

TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached.

+

This field is following the guidelines of Kubernetes Gateway API policy attachment.

+
+
+ status
+ + + IAMAuthPolicyStatus + + +
+

Status defines the current state of IAMAuthPolicy.

+
+

IAMAuthPolicySpec

+

+ (Appears on:IAMAuthPolicy) +

+
+

IAMAuthPolicySpec defines the desired state of IAMAuthPolicy. + When the controller handles IAMAuthPolicy creation, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to AWS_IAM and attach this policy. + When the controller handles IAMAuthPolicy deletion, if the targetRef k8s and VPC Lattice resource exists, the controller will change the auth_type of that VPC Lattice resource to NONE and detach this policy. +

+
+ + + + + + + + + + + + + + + + + +
FieldDescription
+ policy
+ + string + +
+

IAM auth policy content. It is a JSON string that uses the same syntax as AWS IAM policies. Please check the VPC Lattice documentation to get the common elements in an auth policy

+
+ targetRef
+ + sigs.k8s.io/gateway-api/apis/v1alpha2.PolicyTargetReference + +
+

TargetRef points to the Kubernetes Gateway, HTTPRoute, or GRPCRoute resource that will have this policy attached.

+

This field is following the guidelines of Kubernetes Gateway API policy attachment.

+
+

IAMAuthPolicyStatus

+

+ (Appears on:IAMAuthPolicy) +

+
+

IAMAuthPolicyStatus defines the observed state of IAMAuthPolicy.

+
+ + + + + + + + + + + + + +
FieldDescription
+ conditions
+ + + []Kubernetes meta/v1.Condition + + +
+ (Optional) +

Conditions describe the current conditions of the IAMAuthPolicy.

+

Implementations should prefer to express Policy conditions + using the PolicyConditionType and PolicyConditionReason + constants so that operators and tools can converge on a common + vocabulary to describe IAMAuthPolicy state. +

+

Known condition types are:

+
    +
  • “Accepted”
  • +
  • “Ready”
  • +
+
+ + +## IAMAauthPolicy Example + +```yaml +apiVersion: application-networking.k8s.aws/v1alpha1 +kind: IAMAuthPolicy +metadata: + name: test-iam-auth-policy +spec: + targetRef: + group: "gateway.networking.k8s.io" + kind: HTTPRoute + name: my-route + policy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": "*", + "Action": "vpc-lattice-svcs:Invoke", + "Resource": "*", + "Condition": { + "StringEquals": { + "vpc-lattice-svcs:RequestHeader/header1": "value1" + } + } + } + ] + } +``` + +If you create the above IAMAuthPolicy in the k8s cluster, the `my-route` (and it's corresponding VPC Lattice service) will be attached with the given IAM auth policy. +Only HTTP traffic with header `header1:value1` will be allowed to access the `my-route`. Please check the [VPC Lattice documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-common-elements) to get more detail on how lattice auth policy work. + + + From be4f32e1189f850e67b1256ac66a60e70b00e34b Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Fri, 10 Nov 2023 17:03:37 -0800 Subject: [PATCH 2/3] Add IAMAuthPolicy doc --- docs/reference/iam-auth-policy.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/reference/iam-auth-policy.md b/docs/reference/iam-auth-policy.md index 4eb8d933..e28e8897 100644 --- a/docs/reference/iam-auth-policy.md +++ b/docs/reference/iam-auth-policy.md 
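Review bot: the sample policy under `## IAMAauthPolicy Example` uses `"Principal": "*"` together with only a `vpc-lattice-svcs:RequestHeader/header1` condition, so the header value is the sole gate and no caller identity is verified; either restrict the example to a named principal (a placeholder role ARN is enough) or state plainly in the sentence after the block that this policy admits any unauthenticated request that carries `header1:value1`. Two smaller points in the same hunk: the heading has a typo (`IAMAauthPolicy` should be `IAMAuthPolicy`), and "it's corresponding VPC Lattice service" should read "its corresponding VPC Lattice service". In the `IAMAuthPolicySpec` description, the deletion behaviour ("change the auth_type of that VPC Lattice resource to NONE and detach this policy") deserves an explicit warning next to the creation behaviour: deleting the CRD disables auth on the Lattice resource entirely rather than leaving it locked down, which readers using this policy for access control will want to know before they remove it.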
@@ -6,6 +6,8 @@ VPC Lattice auth policies are IAM policy documents that you attach to service ne By attaching Kubernetes IAMAuthPolicy CRD to the k8s gateway or k8s route, you could apply auth policy to corresponding VPC Lattice service network or VPC Lattice service that you want to control access. Please check [VPC Lattice auth policy documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) for more details. +Notice that the IAMAuthPolicy can only do authorization for traffic that go through gateway or HTTPRoute/GRPCRoute. The authorization will not take effect if the client directly send traffic to the k8s service DNS. + [This article](https://aws.amazon.com/blogs/containers/implement-aws-iam-authentication-with-amazon-vpc-lattice-and-amazon-eks/) is also a good reference on how to set up VPC Lattice auth policy in the kubernetes. ## API Specification @@ -207,6 +209,3 @@ spec: If you create the above IAMAuthPolicy in the k8s cluster, the `my-route` (and it's corresponding VPC Lattice service) will be attached with the given IAM auth policy. Only HTTP traffic with header `header1:value1` will be allowed to access the `my-route`. Please check the [VPC Lattice documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-common-elements) to get more detail on how lattice auth policy work. - - - From b3727cbd9a03db5904096b8087e2a248346d2287 Mon Sep 17 00:00:00 2001 From: Zijun Wang Date: Tue, 14 Nov 2023 09:41:23 -0800 Subject: [PATCH 3/3] Address PR comments --- docs/reference/iam-auth-policy.md | 44 ++++--------------------------- 1 file changed, 5 insertions(+), 39 deletions(-) diff --git a/docs/reference/iam-auth-policy.md b/docs/reference/iam-auth-policy.md index e28e8897..b819008c 100644 --- a/docs/reference/iam-auth-policy.md +++ b/docs/reference/iam-auth-policy.md 
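Review bot: the added sentence in the first hunk ("Notice that the IAMAuthPolicy can only do authorization for traffic that go through gateway or HTTPRoute/GRPCRoute...") has subject/verb agreement errors and buries a security-relevant limitation in the middle of the introduction; suggest: "Note that IAMAuthPolicy only authorizes traffic that enters through the Gateway or an HTTPRoute/GRPCRoute. It has no effect on clients that send traffic directly to the Kubernetes Service DNS name." Since that path bypasses the policy entirely, consider setting it off as a caveat (for example a bold **Note:** line) so readers relying on the policy for access control do not assume in-cluster traffic is covered. The second hunk only removes trailing blank lines at the end of the file and needs no change.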
@@ -2,9 +2,10 @@ ## Introduction -VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a specified principal has access to a group of services or specific service (AuthZ). -By attaching Kubernetes IAMAuthPolicy CRD to the k8s gateway or k8s route, you could apply auth policy to corresponding VPC Lattice service network or VPC Lattice service that you want to control access. -Please check [VPC Lattice auth policy documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) for more details. +VPC Lattice auth policies are IAM policy documents that you attach to service networks or services to control whether a specified principal has access to a group of services or specific service (AuthZ). +IAMAuthPolicy implements Direct Policy Attachment of Gateway API's [GEP-713: Metaresources and Policy Attachment](https://gateway-api.sigs.k8s.io/geps/gep-713). +Policy can be attached to [Gateway, HTTPRoute, GRPCRoute Kinds](#application-networking.k8s.aws/v1alpha1.IAMAuthPolicySpec). Gateway policy attaches to Lattice Service Network and HTTP/GRPCRoute to Lattice Service. +Please see [Control access to services using auth policies](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html) for more details about Lattice Auth Policies. Notice that the IAMAuthPolicy can only do authorization for traffic that go through gateway or HTTPRoute/GRPCRoute. The authorization will not take effect if the client directly send traffic to the k8s service DNS. 
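Review bot: the rewritten introduction is an improvement (the GEP-713 link and the mapping of Gateway to Lattice Service Network and HTTPRoute/GRPCRoute to Lattice Service answer the obvious first question), but the first `+` line keeps a trailing space after "(AuthZ)." and the unchanged context line "Notice that the IAMAuthPolicy can only do authorization for traffic that go through..." still has the grammar problems ("traffic that goes", "the client directly sends"); worth fixing while this paragraph is being touched. Also, the in-page anchor `#application-networking.k8s.aws/v1alpha1.IAMAuthPolicySpec` only resolves if the generated reference keeps that exact id, so verify it against the rendered page before merging.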
@@ -173,39 +174,4 @@ Notice that the IAMAuthPolicy can only do authorization for traffic that go thro - - - -## IAMAauthPolicy Example - -```yaml -apiVersion: application-networking.k8s.aws/v1alpha1 -kind: IAMAuthPolicy -metadata: - name: test-iam-auth-policy -spec: - targetRef: - group: "gateway.networking.k8s.io" - kind: HTTPRoute - name: my-route - policy: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": "*", - "Action": "vpc-lattice-svcs:Invoke", - "Resource": "*", - "Condition": { - "StringEquals": { - "vpc-lattice-svcs:RequestHeader/header1": "value1" - } - } - } - ] - } -``` - -If you create the above IAMAuthPolicy in the k8s cluster, the `my-route` (and it's corresponding VPC Lattice service) will be attached with the given IAM auth policy. -Only HTTP traffic with header `header1:value1` will be allowed to access the `my-route`. Please check the [VPC Lattice documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/auth-policies.html#auth-policies-common-elements) to get more detail on how lattice auth policy work. + \ No newline at end of file
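Review bot: this hunk deletes the whole `## IAMAauthPolicy Example` section (the YAML manifest and the two explanatory sentences) and leaves the reference page with no illustration of how `targetRef` and `policy` fit together; if the example was moved elsewhere in response to review, add a link to its new location in the introduction, otherwise keep a minimal example here. The file also now ends without a trailing newline (`\ No newline at end of file`), which the earlier commits avoided; add one back.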