forked from openservicemesh/osm
-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathrbac.go
89 lines (74 loc) · 3.52 KB
/
rbac.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
package lds
import (
xds_listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
xds_rbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
xds_network_rbac "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
"github.com/envoyproxy/go-control-plane/pkg/wellknown"
"google.golang.org/protobuf/types/known/anypb"
"github.com/openservicemesh/osm/pkg/envoy/rbac"
"github.com/openservicemesh/osm/pkg/errcode"
"github.com/openservicemesh/osm/pkg/identity"
"github.com/openservicemesh/osm/pkg/trafficpolicy"
)
// buildRBACFilter builds an RBAC filter based on SMI TrafficTarget policies.
// The returned RBAC filter has policies that gives downstream principals full access to the local service.
func (lb *listenerBuilder) buildRBACFilter() (*xds_listener.Filter, error) {
networkRBACPolicy, err := lb.buildInboundRBACPolicies()
if err != nil {
log.Error().Err(err).Msgf("Error building inbound RBAC policies for principal %q", lb.serviceIdentity)
return nil, err
}
marshalledNetworkRBACPolicy, err := anypb.New(networkRBACPolicy)
if err != nil {
log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrMarshallingXDSResource)).
Msgf("Error marshalling RBAC policy: %v", networkRBACPolicy)
return nil, err
}
rbacFilter := &xds_listener.Filter{
Name: wellknown.RoleBasedAccessControl,
ConfigType: &xds_listener.Filter_TypedConfig{TypedConfig: marshalledNetworkRBACPolicy},
}
return rbacFilter, nil
}
// buildInboundRBACPolicies builds the RBAC policies based on allowed principals
func (lb *listenerBuilder) buildInboundRBACPolicies() (*xds_network_rbac.RBAC, error) {
proxyIdentity := identity.ServiceIdentity(lb.serviceIdentity.String())
trafficTargets, err := lb.meshCatalog.ListInboundTrafficTargetsWithRoutes(lb.serviceIdentity)
if err != nil {
log.Error().Err(err).Str(errcode.Kind, errcode.GetErrCodeWithMetric(errcode.ErrGettingInboundTrafficTargets)).
Msgf("Error listing allowed inbound traffic targets for proxy identity %s", proxyIdentity)
return nil, err
}
rbacPolicies := make(map[string]*xds_rbac.Policy)
// Build an RBAC policies based on SMI TrafficTarget policies
for _, targetPolicy := range trafficTargets {
rbacPolicies[targetPolicy.Name] = buildRBACPolicyFromTrafficTarget(targetPolicy, lb.trustDomain)
}
log.Debug().Msgf("RBAC policy for proxy with identity %s: %+v", proxyIdentity, rbacPolicies)
// Create an inbound RBAC policy that denies a request by default, unless a policy explicitly allows it
networkRBACPolicy := &xds_network_rbac.RBAC{
StatPrefix: "network-", // will be displayed as network-rbac.<path>
Rules: &xds_rbac.RBAC{
Action: xds_rbac.RBAC_ALLOW, // Allows the request if and only if there is a policy that matches the request
Policies: rbacPolicies,
},
}
return networkRBACPolicy, nil
}
// buildRBACPolicyFromTrafficTarget creates an XDS RBAC policy from the given traffic target policy
func buildRBACPolicyFromTrafficTarget(trafficTarget trafficpolicy.TrafficTargetWithRoutes, trustDomain string) *xds_rbac.Policy {
pb := &rbac.PolicyBuilder{}
// Create the list of identities for this policy
for _, downstreamIdentity := range trafficTarget.Sources {
pb.AddIdentity(downstreamIdentity)
}
// Create the list of permissions for this policy
for _, tcpRouteMatch := range trafficTarget.TCPRouteMatches {
// Matching ports have an OR relationship
for _, port := range tcpRouteMatch.Ports {
pb.AddAllowedDestinationPort(port)
}
}
pb.SetTrustDomain(trustDomain)
return pb.Build()
}