Add support for AuthorizationPolicy in our Waypoint implementation. To do this, we will likely leverage a NetworkFilters plugin that calls Istio's own control plane code as a library.
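// BuildRBACForService gives three lists of filters:
// tcpRBAC - only used in tcp chains (using this on an HTTP chain could cause improper DENY)
// httpRBAC - only used in http chains
// httpNetworkFilters - includes a common network-filter between TCP and HTTP
// that passes id from metadata to filter state (see ProxyProtocolTLVAuthorityNetworkFilter)
//
// All three results are nil when getAuthzBuilder returns nil (it filters out
// every policy for this gateway/service pair): no RBAC filter is emitted and
// the chain is left unenforced, so callers must not read an empty result as
// "denied".
func BuildRBACForService(
	authzPolicies []*authcr.AuthorizationPolicy,
	gw *gwapi.Gateway,
	svc *waypointquery.Service,
) (
	tcpRBAC []NetworkFilter,
	httpRBAC []HTTPFilter,
	httpNetworkFilters []NetworkFilter,
) {
	authzBuilder := getAuthzBuilder(authzPolicies, gw.Name, gw.Namespace, RootNamespace, svc)
	if authzBuilder == nil {
		return nil, nil, nil
	}

	// Both RBAC filter sets are placed relative to the AuthZ stage with the
	// same predicate; presumably this orders them after the identity has been
	// written to filter state — confirm against the filters package.
	const stage = filters.FilterStage_AuthZStage
	const predicate = filters.FilterStage_After

	// The TCP chain carries the identity-propagating filter ahead of the RBAC
	// filters, which read the principal from filter state (UseFilterState in
	// getAuthzBuilder) rather than from connection metadata.
	tcpRBAC = append(tcpRBAC, ProxyProtocolTLVAuthorityNetworkFilter)
	tcpRBAC = append(tcpRBAC, CustomNetworkFilters(authzBuilder.BuildTCP(), stage, predicate)...)
	httpRBAC = CustomHTTPFilters(authzBuilder.BuildHTTP(), stage, predicate)

	// ProxyProtocolTLVAuthorityNetworkFilter is a single NetworkFilter (it is
	// appended as one element above), so it is appended here as well instead
	// of being assigned directly to the []NetworkFilter result.
	// maybe just added by Sandwich plugin
	httpNetworkFilters = append(httpNetworkFilters, ProxyProtocolTLVAuthorityNetworkFilter)
	return tcpRBAC, httpRBAC, httpNetworkFilters
}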
// getAuthzBuilder constructs the istio builder.
// It can be nil if it filters out all the policies.
// This relies heavily on Istio code so that we can get similar behavior:
// https://github.com/istio/istio/blob/master/pilot/pkg/model/policyattachment.go
//
// The CRD policies are translated into Istio's internal model, grouped by
// namespace, and then narrowed with a WorkloadPolicyMatcher that describes
// this waypoint (gateway-name label, gateway namespace, fronted service) so
// that only policies attached to it reach the builder.
func getAuthzBuilder(
	policies []*authcr.AuthorizationPolicy,
	gatewayName, gatewayNamespace string,
	rootNamespace string,
	svc *waypointquery.Service,
) *builder.Builder {
	byNamespace := make(map[string][]model.AuthorizationPolicy, len(policies))
	for _, p := range policies {
		// Single-value assertion: an unexpected Spec type panics rather than
		// silently dropping the policy, which would also drop any DENY rule
		// it carries.
		spec := crdclient.TranslateObject(p, gvk.AuthorizationPolicy, "").Spec.(*authpb.AuthorizationPolicy)
		byNamespace[p.Namespace] = append(byNamespace[p.Namespace], model.AuthorizationPolicy{
			Name:        p.Name,
			Namespace:   p.Namespace,
			Annotations: map[string]string{},
			Spec:        spec,
		})
	}
	istioPolicies := model.AuthorizationPolicies{
		NamespaceToPolicies: byNamespace,
		RootNamespace:       rootNamespace,
	}

	matcher := model.WorkloadPolicyMatcher{
		IsWaypoint: true,
		Services: []model.ServiceInfoForPolicyMatcher{{
			Name:      svc.GetName(),
			Namespace: svc.GetNamespace(),
			Registry:  provider.Kubernetes,
		}},
		WorkloadNamespace: gatewayNamespace,
		WorkloadLabels: map[string]string{
			label.IoK8sNetworkingGatewayGatewayName.Name: gatewayName,
		},
	}
	matched := istioPolicies.ListAuthorizationPolicies(matcher)

	// NOTE(review): the trust domain is hard-coded to "cluster.local". If the
	// mesh is configured with a different trust domain, principal-based rules
	// will not match the presented identities — confirm against mesh config.
	trustBundle := trustdomain.NewBundle("cluster.local", nil)
	return builder.New(trustBundle, nil, matched, builder.Option{
		IsCustomBuilder: false,
		UseFilterState:  true,
	})
}