
[TT-3677] Security Policies not implemented

Open FredyR4zox opened this issue 4 years ago • 6 comments

Hello

When applying a Security Policy through CRDs, the following error is displayed in the tyk-operator pod logs:

{"level":"info","ts":1630596023.564985,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"tyk/jwt-policy"}
{"level":"info","ts":1630596023.5653167,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1630596023.5653343,"logger":"controllers.SecurityPolicy","msg":"Creating  policy"}
{"level":"error","ts":1630596023.5653653,"logger":"controllers.SecurityPolicy","msg":"Failed to create policy","error":"TODO: This feature is not implemented yet","stacktrace":"github.com/TykTechnologies/tyk-operator/controllers.(*SecurityPolicyReconciler).Reconcile.func1\n\t/workspace/controllers/securitypolicy_controller.go:89\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.mutate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:341\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.CreateOrUpdate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:213\ngithub.com/TykTechnologies/tyk-operator/controllers.(*SecurityPolicyReconciler).Reconcile\n\t/workspace/controllers/securitypolicy_controller.go:72\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:298\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214"}
{"level":"error","ts":1630596023.5654993,"logger":"controller-runtime.manager.controller.securitypolicy","msg":"Reconciler error","reconciler group":"tyk.tyk.io","reconciler kind":"SecurityPolicy","name":"jwt-policy","namespace":"tyk","error":"TODO: This feature is not implemented yet","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:214"}

https://github.com/TykTechnologies/tyk-operator/blob/master/pkg/client/gateway/security_policy.go

In the comments it says that the gateway does not provide an API for security policies. So, how is it supposed to insert Security Policies in the gateway through the operator?

This leads to an error when trying to contact routes: error: "failed to create key: policy not found: "dHlrL2p3dC1wb2xpY3k""

This means that these examples do not work:
https://github.com/TykTechnologies/tyk-operator/blob/master/config/samples/jwt-auth/example1.yaml
https://github.com/TykTechnologies/tyk-operator/blob/master/config/samples/jwt-auth/example2.yaml

Thank you

FredyR4zox avatar Sep 02 '21 15:09 FredyR4zox

Hi, thanks for raising.

Security policy resources are currently only available when using Tyk with a dashboard (paid license).

You can get round this with headless (open source) by mounting the policy object as a volume into the gateway container.

We are currently awaiting the core gateway team to expose a security policy API for the gateway. Once this occurs, we can then look to implementing security policy resources for community users also.

asoorm avatar Sep 02 '21 15:09 asoorm
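
The ID in the "policy not found" error above is the unpadded base64 of `tyk/jwt-policy`, the namespace/name from the operator log. The following sketch is an added example, not tyk-operator or gateway code: it reproduces that ID, renders a file-based policy keyed by it, and checks a policies file for missing IDs. The policy field values, the API ID `constructed-api-id`, and the helper names are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// policyID: unpadded base64 of "namespace/name". The URL-safe alphabet is an
// assumption; the ID on this page has no characters that distinguish it.
func policyID(namespace, name string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(namespace + "/" + name))
}

// decodePolicyID turns an ID from a gateway error back into "namespace/name".
func decodePolicyID(id string) (string, error) {
	b, err := base64.RawURLEncoding.DecodeString(id)
	return string(b), err
}

// policiesFile renders a constructed sample policy keyed by its policy ID.
func policiesFile(namespace, name, apiID string) ([]byte, error) {
	p := map[string]any{
		"active": true, "rate": 100, "per": 1, "quota_max": -1,
		"access_rights": map[string]any{
			apiID: map[string]any{"api_id": apiID, "versions": []string{"Default"}},
		},
	}
	return json.MarshalIndent(map[string]any{policyID(namespace, name): p}, "", "  ")
}

// missingPolicies reports which wanted IDs are absent from a policies file.
func missingPolicies(file []byte, wanted ...string) (missing []string, err error) {
	var loaded map[string]json.RawMessage
	if err = json.Unmarshal(file, &loaded); err != nil {
		return nil, err
	}
	for _, id := range wanted {
		if _, ok := loaded[id]; !ok {
			missing = append(missing, id)
		}
	}
	return missing, nil
}

func main() {
	file, _ := policiesFile("tyk", "jwt-policy", "constructed-api-id")
	fmt.Println(string(file))
}
```

The output is meant to be mounted (for example from a ConfigMap) at the path named by the gateway's `policies.policy_record_name` setting, with `policies.policy_source` set to `file`; running `missingPolicies` against the mounted file before rollout catches an ID mismatch before key creation fails.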

Hi @asoorm,

Thank you for your response. I will mount a file with the policy then. Seems the best thing to do (and only).

Thank you

FredyR4zox avatar Sep 02 '21 15:09 FredyR4zox

Feel free to reopen this feature request. This is the PR in the gateway that needs to be tracked. I've just nudged the gateway team to see if they can prioritise it.

https://github.com/TykTechnologies/tyk/pull/3302

asoorm avatar Sep 02 '21 16:09 asoorm

The pull request was merged. The course of action now is to implement the client and disable it until we have docker images with releases containing the PR.

gernest avatar Sep 21 '21 11:09 gernest

Looks like you guys are close to implementing this, right? Any ETA? Thanks a lot!

Also, it's not clear to me what this in the readme means:

You can get round this by mounting the policy object as a volume into the gateway container.

brahama avatar Apr 24 '22 02:04 brahama

Hi @brahama, we're looking to implement security policies in the next release. At the moment, you can get more information about the policies file here: https://tyk.io/docs/getting-started/create-security-policy/

caroltyk avatar May 06 '22 15:05 caroltyk

Hi @FredyR4zox and @brahama, SecurityPolicies are now supported in Tyk OSS. It will be available in the next release. Thank you for raising this feature request!

buraksekili avatar Jan 09 '23 07:01 buraksekili