Support "allow only from/to" policies
Based on discussions, it seems that we can't currently support a (useful?) construct that allows only specific to/from (e.g., "allow ssh only to workload X"). As it could be thought of as combining allow and deny in the same policy, it could potentially be implemented as a combination of "privileged allow" with "normal deny", but this opens up the possibility of normal users removing the deny rule. Perhaps we need another type level for "allow-only", sitting below the deny and above the allow in each priority level?
@zivnevo commented:
Actually, we can currently support this use case with just privileged deny policies - simply use K8s set-based requirements (a.k.a. matchExpressions) for defining the label selectors. Suppose your workload X is distinguishable from all other workloads by having the unique value X for the workloadName label key (or any other attribute that is not under user control). The following policy should work:
```yaml
apiVersion: clusterlink/v1alpha1
kind: PrivilegedConnectivityPolicy
metadata:
  name: deny-ssh-to-all-but-x
spec:
  action: deny
  from:
  - workloadSelector:
      labelSelector: {}
  to:
  - workloadSelector:
      matchExpressions:
      - { key: workloadName, operator: NotIn, values: [X] }
  connectionAttrs:
  - protocol: TCP
    port: 22
```
Now, this uses double negation (deny + NotIn), which some people find confusing. Based on the usefulness of the "allow only" construct, we can decide whether or not to add a new policy type.
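The double negation in the policy above, worked through as an added example (not ClusterLink code and not part of the original comment): a simplified Python model of Kubernetes set-based selector matching that shows which SSH connections the deny policy matches. The `denied` helper, the reduced policy dictionary and the sample workloads are assumptions made for illustration.

```python
# Added illustration: simplified model of Kubernetes set-based selector
# matching. This is not ClusterLink's policy engine.

def expr_matches(labels, expr):
    """Evaluate one matchExpressions requirement against a label map."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        # Kubernetes semantics: a workload lacking the key also matches NotIn.
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator: {op}")

def selector_matches(labels, selector):
    """An empty selector matches everything; all requirements are ANDed."""
    wanted = selector.get("matchLabels", {})
    if any(labels.get(k) != v for k, v in wanted.items()):
        return False
    return all(expr_matches(labels, e) for e in selector.get("matchExpressions", []))

# The deny-ssh-to-all-but-x policy, reduced to the fields this model needs.
DENY_SSH = {
    "from": {},  # empty selector: any source workload
    "to": {"matchExpressions": [
        {"key": "workloadName", "operator": "NotIn", "values": ["X"]}]},
    "attrs": [("TCP", 22)],
}

def denied(policy, src, dst, protocol, port):
    """True when the privileged deny policy matches the connection."""
    return (selector_matches(src, policy["from"])
            and selector_matches(dst, policy["to"])
            and (protocol, port) in policy["attrs"])

# Constructed sample workloads, given as label maps.
CLIENT = {"workloadName": "client"}
X = {"workloadName": "X"}
Y = {"workloadName": "Y"}
UNLABELED = {}  # no workloadName key at all: still matched by NotIn
RELABELED = {"workloadName": "X", "app": "Y"}  # Y carrying X's label value
```

The `RELABELED` case is why the selector key has to be an attribute that is not under user control: any workload carrying `workloadName: X` falls outside the deny. A connection this policy does not match is only left undenied by it; whether it is finally allowed depends on the other policies in effect.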