Expand tests to account for audit access policy #12847

Merged
merged 1 commit into from
Jul 26, 2024

@alpeb (Member) commented Jul 16, 2024

Followup to #12846, branched off alpeb/policy-audit-impl

This fixes the policy controller unit and integration tests by accounting for the new Audit default policy and the new accessPolicy field in Server.

New integration tests added:

  • e2e_audit.rs exercising first the audit policy in Server, and then at the namespace level
  • in admit_server.rs a new test checks invalid accessPolicy values are rejected.
  • in inbound_api.rs server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.

@alpeb alpeb requested a review from a team as a code owner July 16, 2024 13:30
@alpeb alpeb marked this pull request as draft July 16, 2024 13:30
@alpeb alpeb marked this pull request as ready for review July 16, 2024 13:46
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch 3 times, most recently from bff10a5 to a9caff0 Compare July 23, 2024 18:49
alpeb added a commit that referenced this pull request Jul 23, 2024
Followup to #12845

This expands the policy controller index in the following ways:

- Adds the new Audit variant to the DefaultPolicy enum
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and an allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit

Also, the admission controller ensures the new accessPolicy field contains a valid value.

Required test changes are addressed in #12847. Also note you'll need the proxy changes at linkerd/linkerd2-proxy#3068 to make this work.

Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
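
An added example, not part of the pull request or of Linkerd's code: a simplified Rust model of the behaviour the commit message above describes (admission check on accessPolicy, synthesized default authorizations, and appending them to a Server's explicit ones). All type, field and function names and the authorization names are hypothetical, and the accepted strings "deny" and "audit" are an assumption.

```rust
// Simplified model; every type, field and function name here is hypothetical.
#[derive(Debug, Clone, Copy, PartialEq)]
enum DefaultPolicy { Allow { authenticated_only: bool }, Deny, Audit }

#[derive(Debug, Clone, PartialEq)]
struct Authz {
    name: String,
    networks: Vec<&'static str>, // CIDRs the client may connect from
    authenticated: bool,         // true = client must present an identity
}

// Admission-style check: unknown accessPolicy strings are rejected.
// Assumes "deny" and "audit" are the accepted values.
fn parse_access_policy(raw: &str) -> Result<DefaultPolicy, String> {
    match raw {
        "deny" => Ok(DefaultPolicy::Deny),
        "audit" => Ok(DefaultPolicy::Audit),
        other => Err(format!("invalid accessPolicy {:?}", other)),
    }
}

// Authorizations synthesized for a default policy. Audit yields an
// unauthenticated, allow-all entry; Deny yields none.
fn default_authzs(policy: DefaultPolicy) -> Vec<Authz> {
    let synth = |name: &str, authenticated| Authz {
        name: name.to_string(),
        networks: vec!["0.0.0.0/0", "::/0"],
        authenticated,
    };
    match policy {
        DefaultPolicy::Allow { authenticated_only } => vec![synth("default:allow", authenticated_only)],
        DefaultPolicy::Audit => vec![synth("audit", false)],
        DefaultPolicy::Deny => vec![],
    }
}

// Explicit authorizations first, then the defaults for Allow or Audit.
fn client_authzs(explicit: &[Authz], policy: DefaultPolicy) -> Vec<Authz> {
    let mut out = explicit.to_vec();
    out.extend(default_authzs(policy));
    out
}

fn main() {
    let policy = parse_access_policy("audit").expect("valid value");
    println!("{:#?}", client_authzs(&[], policy));
}
```

In this model a Server set to audit always ends with an entry that matches any client on any network, so explicit authorizations on it no longer restrict who can connect.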
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from a9caff0 to a0ded8a Compare July 23, 2024 18:58
@alpeb alpeb force-pushed the alpeb/policy-audit-tests branch from 17eb633 to 5670f17 Compare July 23, 2024 19:31
alpeb added a commit that referenced this pull request Jul 24, 2024
The filter for the changed-files job in the integration.yml workflow
wasn't taking into account Rust files. So changes that touched only the
policy controller weren't triggering the policy controller integration
tests, as seen in #12847
alpeb added a commit that referenced this pull request Jul 25, 2024
alpeb added a commit that referenced this pull request Jul 25, 2024
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from a0ded8a to 5ff8d95 Compare July 25, 2024 11:38
@alpeb alpeb force-pushed the alpeb/policy-audit-tests branch from 5670f17 to b196083 Compare July 25, 2024 11:41
alpeb added a commit that referenced this pull request Jul 26, 2024
@alpeb alpeb force-pushed the alpeb/policy-audit-impl branch from 5ff8d95 to 9ad80a5 Compare July 26, 2024 16:26
@alpeb alpeb force-pushed the alpeb/policy-audit-tests branch from b196083 to aa8f607 Compare July 26, 2024 16:28
@alpeb alpeb merged commit e5e1b1e into alpeb/policy-audit-impl Jul 26, 2024
44 checks passed
@alpeb alpeb deleted the alpeb/policy-audit-tests branch July 26, 2024 18:11