This expands the policy controller index in the following ways:
- Adds the new Audit variant to the DefaultPolicy enum.
- Expands the function that synthesizes the authorizations for a given default policy (DefaultPolicy::default_authzs) so that it also creates an Unauthenticated client auth and an allow-all NetworkMatch for the new Audit default policy.
- Now that a Server can have a default policy different than Deny, when generating InboundServer authorizations (PolicyIndex::client_authzs) make sure to append the default authorizations when DefaultPolicy is Allow or Audit.
Also, the admission controller ensures the new accessPolicy field contains a valid value.
Tests
New integration tests added:
- e2e_audit.rs, exercising first the audit policy in Server, and then at the namespace level.
- In admit_server.rs, a new test checks invalid accessPolicy values are rejected.
- In inbound_api.rs, server_with_audit_policy verifies the synthesized audit authorization is returned for a Server with accessPolicy=audit.
[!NOTE]
Please check linkerd/website#1805 for how this is supposed to work from the user's perspective.
Followup to #12845
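
A simplified model of the indexing behaviour described above, added here as an illustration; it is not the policy controller's code. The type shapes, the `authenticated_only` field, the authorization names and the `admits_anyone` helper are assumptions made for the example. It shows that, in this model, appending the synthesized Audit authorization leaves a Server admitting unauthenticated clients from any network even when its explicit authorizations are restrictive.

```rust
use std::collections::BTreeMap;

// Simplified stand-ins for the index types; shapes and names are assumptions.
#[derive(Clone, Copy, Debug, PartialEq)]
enum DefaultPolicy { Allow { authenticated_only: bool }, Deny, Audit }
#[derive(Clone, Debug, PartialEq)]
enum ClientAuthentication { Unauthenticated, TlsAuthenticated }
#[derive(Clone, Debug, PartialEq)]
struct ClientAuthorization { networks: Vec<&'static str>, authentication: ClientAuthentication }
type Authzs = BTreeMap<String, ClientAuthorization>;
const ALL_NETWORKS: [&str; 2] = ["0.0.0.0/0", "::/0"];

/// Authorizations synthesized for a default policy (authorization names are constructed).
fn default_authzs(policy: DefaultPolicy) -> Authzs {
    use ClientAuthentication::*;
    let (name, authentication) = match policy {
        DefaultPolicy::Deny => return Authzs::new(),
        // Audit: unauthenticated client auth plus an allow-all network match.
        DefaultPolicy::Audit => ("default:audit", Unauthenticated),
        DefaultPolicy::Allow { authenticated_only: true } => ("default:authenticated", TlsAuthenticated),
        DefaultPolicy::Allow { authenticated_only: false } => ("default:unauthenticated", Unauthenticated),
    };
    let authz = ClientAuthorization { networks: ALL_NETWORKS.to_vec(), authentication };
    Authzs::from([(name.to_string(), authz)])
}

/// Explicit authorizations, plus the defaults when the policy is Allow or Audit.
fn client_authzs(explicit: &Authzs, policy: DefaultPolicy) -> Authzs {
    let mut authzs = explicit.clone();
    if matches!(policy, DefaultPolicy::Allow { .. } | DefaultPolicy::Audit) { authzs.extend(default_authzs(policy)); }
    authzs
}

/// True when some authorization admits an unauthenticated client from any network.
fn admits_anyone(authzs: &Authzs) -> bool {
    authzs.values().any(|a| a.authentication == ClientAuthentication::Unauthenticated
        && ALL_NETWORKS.iter().all(|n| a.networks.contains(n)))
}

/// Constructed sample: one explicit TLS-only authorization for a single subnet.
fn sample_explicit() -> Authzs {
    let authz = ClientAuthorization { networks: vec!["10.0.0.0/8"], authentication: ClientAuthentication::TlsAuthenticated };
    Authzs::from([("web-clients".to_string(), authz)])
}

fn main() {
    for p in [DefaultPolicy::Deny, DefaultPolicy::Audit] {
        println!("{:?}: admits anyone = {}", p, admits_anyone(&client_authzs(&sample_explicit(), p)));
    }
}
```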