Skip to content

Add additional fields for ServiceRole, issue: #11516 (#11712) #12299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 13, 2019
Merged

Add additional fields for ServiceRole, issue: #11516 (#11712) #12299

merged 1 commit into from
Mar 13, 2019

Conversation

pitlv2109
Copy link
Member

@pitlv2109 pitlv2109 commented Mar 6, 2019
edited
Loading

Similar to #11712 from the authz-v2 feature branch. This is to merge some changes from authz-v2 to master.

Support notPaths, notMethods, ports, notPorts, hosts, notHosts in ServiceRole (+ unit testing and refactoring).
PR for #11516.

@pitlv2109 pitlv2109 requested a review from liminw March 6, 2019 18:22
golangcibot
golangcibot reviewed Mar 6, 2019
View reviewed changes
@pitlv2109 pitlv2109 force-pushed the servicerole-fields branch from fe51daf to 23ec18a Compare March 6, 2019 18:35
@pitlv2109
Copy link
Member Author

/test istio-pilot-e2e-envoyv2-v1alpha3

yangminzhu
yangminzhu reviewed Mar 6, 2019
View reviewed changes
Copy link
Contributor

@yangminzhu yangminzhu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on previous review in #11712, looks good for the changes to rbac.

Could you copy the original PR description to this PR as well.

/lgtm

@pitlv2109 pitlv2109 force-pushed the servicerole-fields branch from 23ec18a to b69f5bc Compare March 6, 2019 21:43
@pitlv2109
Copy link
Member Author

@yangminzhu
New changes were pushed. Thanks!

@pitlv2109
Copy link
Member Author

/test istio_auth_sds_e2e

@pitlv2109
Copy link
Member Author

/cc @rshriram @costinm
Can you take a look at this PR to see if anything else is needed for this to be merged into master? Thanks!

@pitlv2109 pitlv2109 added this to the 1.2 milestone Mar 7, 2019
@andraxylia
Copy link
Contributor

What does this PR do?

@pitlv2109
Copy link
Member Author

@andraxylia
As described above, this PR adds notPaths, notMethods, ports, notPorts, hosts, notHosts in ServiceRole.

Originally PR and discussion here: #11712
Feature request: #11516

@yangminzhu yangminzhu mentioned this pull request Mar 11, 2019
Closed
21 tasks
@pitlv2109
Copy link
Member Author

/cc @diemtvu
Just realized you're also a Pilot owner :D. Please take a look at this PR. We have multiple PRs from authz-v2 that are waiting for this one to be merged.

@istio-testing istio-testing requested a review from diemtvu March 11, 2019 21:49
diemtvu
diemtvu reviewed Mar 13, 2019
View reviewed changes
Copy link
Contributor

@diemtvu diemtvu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just few nits
/lgtm

pilot/pkg/networking/plugin/authz/rbac.go
@@ -555,6 +558,26 @@ func convertRbacRulesToFilterConfig(service *serviceMetadata, option rbacOption)
return &http_config.RBAC{Rules: rbac}
}

// appendRule appends a |rule| to |rules| if |rule| is not nil.
func appendRule(rules *policyproto.Permission_AndRules, rule *policyproto.Permission) {
if rule == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nit] Reverse the condition and put the append inside the if is more readable.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I will make the change in the next PR.

pilot/pkg/networking/plugin/authz/rbac.go

// appendNotRule appends a |notRule| to AndRules of |rules| if |notRule| is not nil.
func appendNotRule(rules *policyproto.Permission_AndRules, notRule *policyproto.Permission) {
if notRule == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here

@istio-testing
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: diemtvu, pitlv2109, yangminzhu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@istio-testing istio-testing merged commit a9fe655 into istio:master Mar 13, 2019
@istio-testing
Copy link
Collaborator

@pitlv2109: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
prow/istio-integ-k8s-tests.sh b69f5bc link /test istio-integ-k8s-tests
prow/e2e-simpleTests-cni.sh b69f5bc link /test e2e-simpleTests-cni
prow/istio-pilot-multicluster-e2e.sh b69f5bc link /test istio-pilot-multicluster-e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@pitlv2109 pitlv2109 deleted the servicerole-fields branch March 13, 2019 17:08
@yangminzhu
Copy link
Contributor

For #12394

@rlenglet rlenglet modified the milestones: 1.4, 1.3 Jul 9, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vadimeisenbergibm vadimeisenbergibm Awaiting requested review from vadimeisenbergibm

@liminw liminw Awaiting requested review from liminw

@costinm costinm Awaiting requested review from costinm

@rshriram rshriram Awaiting requested review from rshriram

@ymesika ymesika Awaiting requested review from ymesika

@andraxylia andraxylia Awaiting requested review from andraxylia

@hzxuzhonghu hzxuzhonghu Awaiting requested review from hzxuzhonghu

3 more reviewers

@yangminzhu yangminzhu yangminzhu left review comments

@diemtvu diemtvu diemtvu left review comments

@golangcibot golangcibot golangcibot left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@yangminzhu yangminzhu

@diemtvu diemtvu

Labels
area/security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@pitlv2109 @andraxylia @istio-testing @yangminzhu @diemtvu @golangcibot @rlenglet @googlebot