
[SKIP-1076] AuthorizationSettings for circumventing default blocked actuator #219

Merged Jun 7, 2023 (13 commits)

Conversation

anderssonw (Contributor) commented May 16, 2023

Adds a new AuthorizationSettings field in the application spec for controlling actuator blocking.

It is possible to allow Actuator completely by passing `spec.authorizationSettings.allowAll: true`, and to allow certain endpoints using `spec.authorizationSettings.allowList: ["health", "etc"]`.

According to the Istio documentation, ALLOW rules are checked after DENY rules, making these trump the earlier DENY rules.

As of now, the tests are not able to spawn the default DENY rule after removing the `allowAll: true` flag. This is odd, however, as this seems to be working just fine when applying the test resources to a local cluster. This seems to be a kuttl issue, see kudobuilder/kuttl#471.
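Istio evaluates authorization policies in the order CUSTOM, DENY, ALLOW, and a matching DENY is final: an ALLOW policy placed beside a DENY rule that covers `/actuator/*` cannot re-open `/actuator/health`, whereas listing the allowed paths under `notPaths` in the DENY rule can. A second caveat worth checking in a cluster: once any ALLOW policy selects a workload, requests that match no ALLOW policy are rejected as well. The Python below is an added example, not code from this PR or from Skiperator; it models that evaluation order on the request path only. The `/actuator` default-deny paths and the `policies_*` helper names are assumptions made for the illustration.

```python
"""Model of how Istio evaluates AuthorizationPolicy objects for one request.

Added example, not code from this PR or from Skiperator. The policy dicts
mirror the istio.io AuthorizationPolicy shape (spec.action, spec.rules[].to[]
.operation.paths / notPaths) but the matcher is simplified: only the request
path is checked, CUSTOM actions are ignored, and ACTUATOR_PATHS below is an
assumed stand-in for whatever default-deny rule the operator generates.
"""


def path_matches(pattern: str, path: str) -> bool:
    """Istio path patterns: exact, prefix ('/foo*'), suffix ('*/bar') or '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path


def operation_matches(op: dict, path: str) -> bool:
    """paths: the request must match one of them; notPaths: it must match none."""
    paths = op.get("paths", [])
    if paths and not any(path_matches(p, path) for p in paths):
        return False
    return not any(path_matches(p, path) for p in op.get("notPaths", []))


def policy_matches(policy: dict, path: str) -> bool:
    """A policy matches if any rule matches; a rule with no 'to' matches everything."""
    for rule in policy["spec"].get("rules", []):
        targets = rule.get("to", [])
        if not targets or any(operation_matches(t.get("operation", {}), path) for t in targets):
            return True
    return False


def evaluate(policies: list, path: str) -> str:
    """Istio order: any matching DENY wins; then, if ALLOW policies exist, the
    request must match one of them; with no ALLOW policies it passes."""
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, path) for p in denies):
        return "deny"
    if allows and not any(policy_matches(p, path) for p in allows):
        return "deny"
    return "allow"


def make_policy(action: str, paths: list, not_paths=()) -> dict:
    """Build a one-rule policy in the AuthorizationPolicy shape."""
    operation = {"paths": list(paths)}
    if not_paths:
        operation["notPaths"] = list(not_paths)
    return {"spec": {"action": action, "rules": [{"to": [{"operation": operation}]}]}}


# Assumed default-deny paths for Spring Boot actuator endpoints.
ACTUATOR_PATHS = ["/actuator", "/actuator/*"]


def policies_allow_over_deny(allow_list: list) -> list:
    """Keep the default DENY and add a separate ALLOW for the allow-list."""
    return [make_policy("DENY", ACTUATOR_PATHS), make_policy("ALLOW", allow_list)]


def policies_with_not_paths(allow_list: list) -> list:
    """Carve the allow-list out of the DENY rule itself via notPaths."""
    return [make_policy("DENY", ACTUATOR_PATHS, not_paths=allow_list)]


def policies_allow_all() -> list:
    """allowAll: no DENY policy is emitted at all."""
    return []


if __name__ == "__main__":
    scenarios = [
        ("ALLOW beside DENY", policies_allow_over_deny(["/actuator/health"])),
        ("notPaths in DENY", policies_with_not_paths(["/actuator/health"])),
        ("allowAll", policies_allow_all()),
    ]
    for name, pols in scenarios:
        print(name)
        for req in ["/actuator/health", "/actuator/env", "/api/orders"]:
            print(f"  {req:18} -> {evaluate(pols, req)}")
```

Running the block shows the first scenario denying `/actuator/health` and, because an ALLOW policy now exists, `/api/orders` too; the `notPaths` variant admits `/actuator/health`, still blocks `/actuator/env` and leaves unrelated paths untouched.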

@anderssonw anderssonw marked this pull request as ready for review May 16, 2023 13:17
@anderssonw anderssonw requested a review from a team as a code owner May 16, 2023 13:17
omaen (Contributor) commented May 16, 2023

Great work @anderssonw! I was just about to hit "Approve" when it hit me that adding a field to the skiperator spec that covers actuator endpoints might be a bit too specific 🤔 If we later find out that another framework should also have some sane defaults for blocked endpoints, it would be easier to have a more generic approach to this.

I should have thought about this earlier, so I'm keen on hearing your opinion on this. Is it possible to rename the spec field to `spec.authorizationSettings` perhaps, and use the full path in `spec.authorizationSettings.allowList: ["actuator/health", "actuator/etc"]`? We might have to rename the existing default deny rule to have a more generic name as well. That way we can use the same logic for blocking and allowing other paths.

anderssonw (Contributor, Author) commented

Great input, generalising the specification should be a goal in general, IMO. I will peep this next week :)

@anderssonw anderssonw changed the title [SKIP-1076] ActuatorSettings for circumventing default blocked actuator [SKIP-1076] AuthorizationSettings for circumventing default blocked actuator May 22, 2023
Review comments (resolved) on: README.md, api/v1alpha1/application.go
anderssonw (Contributor, Author) commented

Should be good now @omaen :)

omaen left a review comment

@anderssonw anderssonw added this pull request to the merge queue Jun 7, 2023
Merged via the queue into main with commit 185c190 Jun 7, 2023
@anderssonw anderssonw deleted the actuator-circumvention branch June 7, 2023 08:04