kmesh
Enhance authz
What would you like to be added:
- Currently we support only source IP and port in the authorization policy. More dimensions should be supported:
```go
// Generated protobuf Go struct for the authorization policy Match.
// StringMatch and Address are generated message types defined alongside it.
type Match struct {
	state         protoimpl.MessageState
	sizeCache     protoimpl.SizeCache
	unknownFields protoimpl.UnknownFields

	Namespaces          []*StringMatch `protobuf:"bytes,1,rep,name=namespaces,proto3" json:"namespaces,omitempty"`
	NotNamespaces       []*StringMatch `protobuf:"bytes,2,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"`
	Principals          []*StringMatch `protobuf:"bytes,3,rep,name=principals,proto3" json:"principals,omitempty"`
	NotPrincipals       []*StringMatch `protobuf:"bytes,4,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"`
	SourceIps           []*Address     `protobuf:"bytes,5,rep,name=source_ips,json=sourceIps,proto3" json:"source_ips,omitempty"`
	NotSourceIps        []*Address     `protobuf:"bytes,6,rep,name=not_source_ips,json=notSourceIps,proto3" json:"not_source_ips,omitempty"`
	DestinationIps      []*Address     `protobuf:"bytes,7,rep,name=destination_ips,json=destinationIps,proto3" json:"destination_ips,omitempty"`
	NotDestinationIps   []*Address     `protobuf:"bytes,8,rep,name=not_destination_ips,json=notDestinationIps,proto3" json:"not_destination_ips,omitempty"`
	DestinationPorts    []uint32       `protobuf:"varint,9,rep,packed,name=destination_ports,json=destinationPorts,proto3" json:"destination_ports,omitempty"`
	NotDestinationPorts []uint32       `protobuf:"varint,10,rep,packed,name=not_destination_ports,json=notDestinationPorts,proto3" json:"not_destination_ports,omitempty"`
}
```
- Currently authz runs asynchronously in userspace, while the reset is done at the XDP hook point, so until authz has run successfully we may miss some packets and incorrectly let them through to the server instances.
- The client may become aware of the connection RST only after a long time (~1 minute).
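To make the semantics of the richer `Match` above concrete, here is an added example (not kmesh's own code) that evaluates such a policy against a connection in Go. `StringMatch`, `Address`, `Conn` and the `hit`/`dimension` helpers are simplified stand-ins with assumed shapes, and the example assumes the usual mesh convention: entries within one field are ORed, `Not*` fields exclude, and all fields are ANDed.

```go
package main

import (
	"net/netip"
	"strings"
)
// Simplified stand-ins for the generated StringMatch and Address types
// (assumed shapes for this example, not kmesh's generated code).
type StringMatch struct{ Exact, Prefix, Suffix string }
type Address = netip.Prefix // a CIDR such as 10.0.0.0/8
// Match mirrors the generated struct above minus the protobuf plumbing; Conn is
// the per-connection context a policy is evaluated against (both assumed shapes).
type Match struct {
	Namespaces, NotNamespaces             []StringMatch
	Principals, NotPrincipals             []StringMatch
	SourceIps, NotSourceIps               []Address
	DestinationIps, NotDestinationIps     []Address
	DestinationPorts, NotDestinationPorts []uint32
}
type Conn struct {
	SrcNamespace, SrcPrincipal string
	SrcIP, DstIP               netip.Addr
	DstPort                    uint32
}
func (s StringMatch) hit(v string) bool {
	return (s.Exact != "" && v == s.Exact) || (s.Prefix != "" && strings.HasPrefix(v, s.Prefix)) ||
		(s.Suffix != "" && strings.HasSuffix(v, s.Suffix))
}
func portHit(p, v uint32) bool { return p == v }
func anyHit[T, V any](list []T, v V, hit func(T, V) bool) bool {
	for _, t := range list {
		if hit(t, v) {
			return true
		}
	}
	return false
}

// dimension evaluates one positive/negative field pair: an empty positive list means
// "any value", a non-empty one needs at least one hit, and any hit in the negative
// list rejects. Matches then ANDs every dimension together.
func dimension[T, V any](pos, neg []T, v V, hit func(T, V) bool) bool {
	return (len(pos) == 0 || anyHit(pos, v, hit)) && !anyHit(neg, v, hit)
}

func (m *Match) Matches(c Conn) bool {
	return dimension(m.Namespaces, m.NotNamespaces, c.SrcNamespace, StringMatch.hit) &&
		dimension(m.Principals, m.NotPrincipals, c.SrcPrincipal, StringMatch.hit) &&
		dimension(m.SourceIps, m.NotSourceIps, c.SrcIP, Address.Contains) &&
		dimension(m.DestinationIps, m.NotDestinationIps, c.DstIP, Address.Contains) &&
		dimension(m.DestinationPorts, m.NotDestinationPorts, c.DstPort, portHit)
}
```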
Why is this needed:
/assign @supercharge-xsy @tacslon