Add OPA feature example #480
Merged: edwarnicke merged 2 commits into networkservicemesh:main from denis-tingaikin:add-opa-example, Mar 8, 2021
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
generateName: ns- |
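Review bot: `generateName: ns-` means this manifest only works with `kubectl create`; `kubectl apply -f` rejects an object that has no `metadata.name`, so a one-line comment in the file saying "create, do not apply" would save the next reader a confusing error. The README step that consumes it (`kubectl create -f ../namespace.yaml`, then `${NAMESPACE:10}` to strip the `namespace/` prefix) depends on both the `create` verb and the exact `namespace/ns-xxxxx created` output line, which is worth stating there as well.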
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,137 @@ | ||
# Feature OPA | ||
|
||
|
||
Let's consider a current simplified version of NSM authorization. | ||
|
||
![NSM Authorize Scheme](./scheme.png "NSM Authorize Scheme") | ||
|
||
*Note: This scheme simplified many of the complex things that happen in every client and endpoint for simplicity. To understand it in deep consider looking at the source code of applications.* | ||
|
||
Each application in the path of NSM request doesn't trust anybody. Each endpoint doesn't trust the client and on each incoming request the endpoint validates tokens in the path and if they invalid then the endpoint returns an error. | ||
Each client also doesn't trust the endpoint and checks tokens on the response. | ||
|
||
Authorization checks enabled by default in NSM. | ||
For example, all [use-cases](../../use-cases) are using valid token chains by default. | ||
|
||
The example below will do token from step1 from the scheme as invalid. | ||
Expected that Endpoint(in this case NSMgr) will fail the Request from the client on step 4. | ||
|
||
## Run | ||
|
||
1. Create test namespace: | ||
```bash | ||
NAMESPACE=($(kubectl create -f ../namespace.yaml)[0]) | ||
NAMESPACE=${NAMESPACE:10} | ||
``` | ||
|
||
2. Register namespace in `spire` server: | ||
```bash | ||
kubectl exec -n spire spire-server-0 -- \ | ||
/opt/spire/bin/spire-server entry create \ | ||
-spiffeID spiffe://example.org/ns/${NAMESPACE}/sa/default \ | ||
-parentID spiffe://example.org/ns/spire/sa/spire-agent \ | ||
-selector k8s:ns:${NAMESPACE} \ | ||
-selector k8s:sa:default | ||
``` | ||
|
||
3. Select node to deploy NSC and NSE: | ||
```bash | ||
NODE=($(kubectl get nodes -o go-template='{{range .items}}{{ if not .spec.taints }}{{index .metadata.labels "kubernetes.io/hostname"}} {{end}}{{end}}')[0]) | ||
``` | ||
|
||
4. Create customization file: | ||
```bash | ||
cat > kustomization.yaml <<EOF | ||
--- | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
|
||
namespace: ${NAMESPACE} | ||
|
||
bases: | ||
- ../../../apps/nsc-kernel | ||
- ../../../apps/nse-kernel | ||
|
||
patchesStrategicMerge: | ||
- patch-nsc.yaml | ||
- patch-nse.yaml | ||
EOF | ||
``` | ||
|
||
5. **Create NSC patch that making any generated token invalid:** | ||
```bash | ||
cat > patch-nsc.yaml <<EOF | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: nsc | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: nsc | ||
env: | ||
- name: NSM_MAX_TOKEN_LIFETIME | ||
value: -1m | ||
- name: NSM_NETWORK_SERVICES | ||
value: kernel://icmp-responder/nsm-1 | ||
nodeSelector: | ||
kubernetes.io/hostname: ${NODE} | ||
EOF | ||
``` | ||
|
||
6. Create NSE patch: | ||
```bash | ||
cat > patch-nse.yaml <<EOF | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: nse | ||
spec: | ||
template: | ||
spec: | ||
containers: | ||
- name: nse | ||
env: | ||
- name: NSE_CIDR_PREFIX | ||
value: 172.16.1.100/31 | ||
nodeSelector: | ||
kubernetes.io/hostname: ${NODE} | ||
EOF | ||
``` | ||
|
||
7. Deploy NSC and NSE: | ||
```bash | ||
kubectl apply -k . | ||
``` | ||
|
||
8. Wait for applications ready: | ||
```bash | ||
kubectl wait --for=condition=ready --timeout=1m pod -l app=nsc -n ${NAMESPACE} | ||
``` | ||
```bash | ||
kubectl wait --for=condition=ready --timeout=1m pod -l app=nse -n ${NAMESPACE} | ||
``` | ||
|
||
9. Find nsc and nse pods by labels: | ||
```bash | ||
NSC=$(kubectl get pods -l app=nsc -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') | ||
``` | ||
```bash | ||
NSE=$(kubectl get pods -l app=nse -n ${NAMESPACE} --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') | ||
``` | ||
|
||
10. Check that NSC is not privileged and it cannot connect to NSE. | ||
|
||
```bash | ||
kubectl logs ${NSC} -n ${NAMESPACE} | grep "PermissionDenied desc = no sufficient privileges" | ||
``` | ||
|
||
## Cleanup | ||
|
||
Delete ns: | ||
```bash | ||
kubectl delete ns ${NAMESPACE} | ||
``` |