Kuadrant / architecture

Architecture Documents

Single merged policy #4

Closed alexsnaps closed 7 months ago

guicassolato commented 1 year ago

I'd like to propose an exercise to put this to proof.

First, of course, we'd need to agree on the exact set of use cases to cover. IMO, the following one seems "real" enough. At the same time, it's simple (with only 2 Gateways, 2 HTTPRoutes, not too many matching rules) and yet possibly intricate enough.

Exercise

Given the following initial network resources:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-1
  namespace: gwns
spec:
  gatewayClassName: internal
  listeners:
    - name: http                   # name, port and protocol are required listener fields
      port: 80
      protocol: HTTP
      hostname: "*.acme.internal"  # quoted: a bare leading "*" is a YAML alias and fails to parse
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: gateway-2
  namespace: gwns
spec:
  gatewayClassName: internet
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      hostname: "*.acme.com"
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: toys
  namespace: toys
spec:
  parentRefs:
    - kind: Gateway
      namespace: gwns
      name: gateway-1
    - kind: Gateway
      namespace: gwns
      name: gateway-2
  hostnames:
    - toys.acme.com
    - toys.acme.internal
  rules:
    # no "matches": defaults to a "/" PathPrefix match, i.e. all traffic for the hostnames above
    - backendRefs:
        - kind: Service
          name: toys
    - matches:
        - headers:
            - name: X-Env
              value: canary
      backendRefs:
        - kind: Service
          name: toys-canary
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: telemetry
  namespace: telemetry
spec:
  parentRefs:
    - kind: Gateway
      namespace: gwns
      name: gateway-1
  hostnames:
    - "*.telemetry.acme.internal"
  rules:
    - matches:          # two entries in "matches" are OR'ed: GET or POST
        - method: GET
        - method: POST
      backendRefs:
        - kind: Service
          name: telemetry

What is the set of policies (RLP and KAP), plus any required changes to the network resources, needed to implement the following use cases?

  1. RLP override 500 rps on all routes matching *.acme.com.
  2. RLP default 100 rps on POST requests to all routes matching *.acme.com.
  3. KAP override IP deny-list on all requests to *.acme.com.
  4. KAP default X.509 certificate authentication on all requests to *.acme.internal.
  5. RLP default 150 rps on all requests to toys.acme.(com|internal).
  6. RLP default 50 rps on all requests to toys.acme.(com|internal) containing X-Env: canary request header.
  7. RLP override unlimited rps on all requests to toys.acme.internal/admin/*.
  8. KAP override API key authentication on all requests to toys.acme.com.
  9. KAP override DELETE requests forbidden at toys.acme.com.
  10. KAP override all requests forbidden at toys.acme.com/admin/*.
  11. KAP override JSON pattern-matching authorisation to check path param {org_name} matches value stored in API key or X.509 cert on all requests to toys.acme.(com|internal)/[^admin/]orgs/{org_name}/*.
  12. KAP override K8s SAR authorisation on all requests to toys.acme.internal/admin/*.
  13. KAP default OIDC/JWT authentication on all endpoints matching *.telemetry.acme.internal.
  14. KAP override additional API key authentication to all requests to foo.telemetry.acme.internal.
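The following is an added example, not code from the issue or from the Kuadrant project. It models the default/override precedence that Gateway API policy attachment (GEP-713) prescribes for a single-valued setting attached at the Gateway and HTTPRoute levels, and applies it to use cases 1, 4, 5 and 13 from the exercise above. The `Policy` type, the `effective` function and the `"rps"`/`"authn"` setting names are assumptions of this model; it deliberately does not address how several conditional limits (use cases 2, 6, 7) combine, which is the part the exercise leaves open.

```python
"""Effective-policy resolution under Gateway API policy attachment (GEP-713).

Added example (not from the Kuadrant/architecture issue). Assumption: each
policy sets one value for one setting ("rps" or "authn") and is attached as a
"default" or an "override" to a Gateway or an HTTPRoute.
"""
from dataclasses import dataclass

# GEP-713 precedence: an override at a higher (less specific) level wins over
# everything below it; a default at a lower (more specific) level wins over
# defaults above it; any override beats any default.
LEVELS = {"Gateway": 0, "HTTPRoute": 1}


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str      # targetRef kind: "Gateway" or "HTTPRoute"
    target: str    # name of the targeted resource
    mode: str      # "default" or "override"
    setting: str   # e.g. "rps", "authn"
    value: object


def effective(policies, setting, gateway, route):
    """Return (value, policy_name) for `setting` on requests reaching `route`
    through `gateway`, or (None, None) when no attached policy sets it."""
    applicable = [
        p for p in policies
        if p.setting == setting and (
            (p.kind == "Gateway" and p.target == gateway)
            or (p.kind == "HTTPRoute" and p.target == route)
        )
    ]
    overrides = [p for p in applicable if p.mode == "override"]
    if overrides:
        # Among overrides, the one highest in the hierarchy (Gateway) wins.
        winner = min(overrides, key=lambda p: LEVELS[p.kind])
        return winner.value, winner.name
    defaults = [p for p in applicable if p.mode == "default"]
    if defaults:
        # Among defaults, the most specific one (HTTPRoute) wins.
        winner = max(defaults, key=lambda p: LEVELS[p.kind])
        return winner.value, winner.name
    return None, None


# Constructed policies mirroring use cases 1, 4, 5 and 13 of the exercise.
POLICIES = [
    Policy("uc1-rlp-override-500", "Gateway", "gateway-2", "override", "rps", 500),
    Policy("uc4-kap-default-x509", "Gateway", "gateway-1", "default", "authn", "x509"),
    Policy("uc5-rlp-default-150", "HTTPRoute", "toys", "default", "rps", 150),
    Policy("uc13-kap-default-oidc", "HTTPRoute", "telemetry", "default", "authn", "oidc"),
]


def resolve_exercise():
    """Effective values for the gateway/route combinations in the exercise."""
    return {
        "toys via gateway-2 rps": effective(POLICIES, "rps", "gateway-2", "toys"),
        "toys via gateway-1 rps": effective(POLICIES, "rps", "gateway-1", "toys"),
        "toys via gateway-1 authn": effective(POLICIES, "authn", "gateway-1", "toys"),
        "telemetry via gateway-1 authn": effective(POLICIES, "authn", "gateway-1", "telemetry"),
    }


if __name__ == "__main__":
    for label, (value, source) in resolve_exercise().items():
        print(f"{label}: {value} (from {source})")
```

Running it shows the two directions of precedence side by side: the gateway-level override of use case 1 wins over the route-level default of use case 5 for toys.acme.com, while the route-level default of use case 13 wins over the gateway-level default of use case 4 for the telemetry route.
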

alexsnaps commented 7 months ago

superseded by https://github.com/Kuadrant/architecture/pull/58