Open randmonkey opened 4 days ago
Can be also reproduced by adding a unit test in internal/dataplane/kongstate/kongstate_test.go
:
func TestIsRemotePluginReferenceAllowed(t *testing.T) {
var (
serviceTypeMeta = metav1.TypeMeta{
Kind: "Service",
}
)
testCases := []struct {
name string
referrer client.Object
pluginNamespace string
pluginName string
referenceGrants []*gatewayapi.ReferenceGrant
shouldAllow bool
}{
{
name: "have reference grant",
referrer: &corev1.Service{
TypeMeta: serviceTypeMeta,
ObjectMeta: metav1.ObjectMeta{
Namespace: "foo",
Name: "service-foo",
},
},
pluginNamespace: "bar",
pluginName: "plugin-bar",
referenceGrants: []*gatewayapi.ReferenceGrant{
{
ObjectMeta: metav1.ObjectMeta{
Namespace: "bar", // same namespace as plugin; will fail the test. If we change it to `foo` that is the same as the service, it will pass.
Name: "grant-1",
},
Spec: gatewayapi.ReferenceGrantSpec{
From: []gatewayapi.ReferenceGrantFrom{
{
Kind: gatewayapi.Kind("Service"),
Namespace: "foo",
},
},
To: []gatewayapi.ReferenceGrantTo{
{
Group: gatewayapi.Group(kongv1.GroupVersion.Group),
Kind: gatewayapi.Kind("KongPlugin"),
},
},
},
},
},
shouldAllow: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
s, err := store.NewFakeStore(store.FakeObjects{
ReferenceGrants: tc.referenceGrants,
})
require.NoError(t, err)
err = isRemotePluginReferenceAllowed(s, pluginReference{
Referer: tc.referrer,
Namespace: tc.pluginNamespace,
Name: tc.pluginName,
})
if tc.shouldAllow {
require.NoError(t, err)
} else {
require.Error(t, err)
}
})
}
}
More cases about consumer:
If we change the To
part of created ReferenceGrant
in integration test case to TestPluginCrossNamespaceReference
to the following:
// Totally irrelevant to KongPlugin CRD
Group: gatewayapi.Group("konghq.com"),
Kind: gatewayapi.Kind("Kong"),
The test case still passes while there is no ReferenceGrant
grants reference from KongConsumer
to KongPlugin
.
While if there is no ReferneceGrant
about the Kongconsumer
, the access to ingress returns 401
(Is this expected? @rainest )
Is there an existing issue for this?
Current Behavior
In the original specification, if a service A in namespace
ns
refers to plugin B inns2
, there should be aReferenceGrant
inns2
to allow reference from namespacens1
and group/kind of A to group/kind (and maybe name) of B: https://gateway-api.sigs.k8s.io/api-types/referencegrant/. Actually, if we create aReferenceGrant
in namespacens1
and allow reference fromns1
and group/kind of A to group/kind of B, the reference check inisRemotePluginReferenceAllowed
passes. While we create it inns2
, the check fails.Expected Behavior
The reference permission check should pass when the
ReferenceGrant
is created in the namespace of the plugin.Steps To Reproduce
Kong Ingress Controller version
Kubernetes version
Anything else?
No response