istio
574 строки · 18.7 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package ambient16import (18"fmt"19"net/netip"20"strconv"21"strings"22metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"24"istio.io/api/security/v1beta1"26securityclient "istio.io/client-go/pkg/apis/security/v1beta1"27"istio.io/istio/pilot/pkg/model"28"istio.io/istio/pkg/config/schema/gvk"29"istio.io/istio/pkg/config/schema/kind"30"istio.io/istio/pkg/log"31"istio.io/istio/pkg/util/sets"32"istio.io/istio/pkg/workloadapi/security"33)34const (36staticStrictPolicyName = "istio_converted_static_strict" // use '_' character since those are illegal in k8s names37)38func (a *index) Policies(requested sets.Set[model.ConfigKey]) []model.WorkloadAuthorization {40// TODO: use many Gets instead of List?41cfgs := a.authorizationPolicies.List(metav1.NamespaceAll)42l := len(cfgs)43if len(requested) > 0 {44l = len(requested)45}46res := make([]model.WorkloadAuthorization, 0, l)47for _, cfg := range cfgs {48k := model.ConfigKey{49Kind: kind.AuthorizationPolicy,50Name: cfg.Authorization.Name,51Namespace: cfg.Authorization.Namespace,52}53if len(requested) > 0 && !requested.Contains(k) {55continue56}57res = append(res, cfg)58}59return res60}61// convertedSelectorPeerAuthentications returns a list of keys corresponding to one or both of:63// [static STRICT policy, port-level STRICT policy] based on the effective PeerAuthentication policy64func convertedSelectorPeerAuthentications(rootNamespace string, configs []*securityclient.PeerAuthentication) []string {65var meshCfg, namespaceCfg, workloadCfg *securityclient.PeerAuthentication66for _, cfg := range configs {67spec := &cfg.Spec68if spec.Selector == nil || len(spec.Selector.MatchLabels) == 0 {69// Namespace-level or mesh-level policy70if cfg.Namespace == rootNamespace {71if meshCfg == nil || cfg.CreationTimestamp.Before(&meshCfg.CreationTimestamp) {72log.Debugf("Switch selected mesh policy to %s.%s (%v)", cfg.Name, cfg.Namespace, cfg.CreationTimestamp)73meshCfg = cfg74}75} else {76if namespaceCfg == nil || cfg.CreationTimestamp.Before(&namespaceCfg.CreationTimestamp) {77log.Debugf("Switch selected namespace policy to %s.%s (%v)", cfg.Name, cfg.Namespace, cfg.CreationTimestamp)78namespaceCfg = cfg79}80}81} else if cfg.Namespace != rootNamespace {82if workloadCfg == nil || cfg.CreationTimestamp.Before(&workloadCfg.CreationTimestamp) {83log.Debugf("Switch selected workload policy to %s.%s (%v)", cfg.Name, cfg.Namespace, cfg.CreationTimestamp)84workloadCfg = cfg85}86}87}88// Whether it comes from a mesh-wide, namespace-wide, or workload-specific policy90// if the effective policy is STRICT, then reference our static STRICT policy91var isEffectiveStrictPolicy bool92// Only 1 per port workload policy can be effective at a time. In the case of a conflict93// the oldest policy wins.94var effectivePortLevelPolicyKey string95// Process in mesh, namespace, workload order to resolve inheritance (UNSET)97if meshCfg != nil {98if !isMtlsModeUnset(meshCfg.Spec.Mtls) {99isEffectiveStrictPolicy = isMtlsModeStrict(meshCfg.Spec.Mtls)100}101}102if namespaceCfg != nil {104if !isMtlsModeUnset(namespaceCfg.Spec.Mtls) {105isEffectiveStrictPolicy = isMtlsModeStrict(namespaceCfg.Spec.Mtls)106}107}108if workloadCfg == nil {110return effectivePeerAuthenticationKeys(rootNamespace, isEffectiveStrictPolicy, "")111}112workloadSpec := &workloadCfg.Spec114// Regardless of if we have port-level overrides, if the workload policy is STRICT, then we need to reference our static STRICT policy116if isMtlsModeStrict(workloadSpec.Mtls) {117isEffectiveStrictPolicy = true118}119// Regardless of if we have port-level overrides, if the workload policy is PERMISSIVE or DISABLE, then we shouldn't send our static STRICT policy121if isMtlsModePermissive(workloadSpec.Mtls) || isMtlsModeDisable(workloadSpec.Mtls) {122isEffectiveStrictPolicy = false123}124if workloadSpec.PortLevelMtls != nil {126switch workloadSpec.GetMtls().GetMode() {127case v1beta1.PeerAuthentication_MutualTLS_STRICT:128foundPermissive := false129for _, portMtls := range workloadSpec.PortLevelMtls {130if isMtlsModePermissive(portMtls) || isMtlsModeDisable(portMtls) {131foundPermissive = true132break133}134}135if foundPermissive {137// If we found a non-strict policy, we need to reference this workload policy to see the port level exceptions138effectivePortLevelPolicyKey = workloadCfg.Namespace + "/" + model.GetAmbientPolicyConfigName(model.ConfigKey{139Name: workloadCfg.Name,140Kind: kind.PeerAuthentication,141Namespace: workloadCfg.Namespace,142})143isEffectiveStrictPolicy = false // don't send our static STRICT policy since the converted form of this policy will include the default STRICT mode144}145case v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE, v1beta1.PeerAuthentication_MutualTLS_DISABLE:146foundStrict := false147for _, portMtls := range workloadSpec.PortLevelMtls {148if isMtlsModeStrict(portMtls) {149foundStrict = true150break151}152}153// There's a STRICT port mode, so we need to reference this policy in the workload155if foundStrict {156effectivePortLevelPolicyKey = workloadCfg.Namespace + "/" + model.GetAmbientPolicyConfigName(model.ConfigKey{157Name: workloadCfg.Name,158Kind: kind.PeerAuthentication,159Namespace: workloadCfg.Namespace,160})161}162default: // Unset163if isEffectiveStrictPolicy {164// Strict mesh or namespace policy165foundPermissive := false166for _, portMtls := range workloadSpec.PortLevelMtls {167if isMtlsModePermissive(portMtls) {168foundPermissive = true169break170}171}172if foundPermissive {174// If we found a non-strict policy, we need to reference this workload policy to see the port level exceptions175effectivePortLevelPolicyKey = workloadCfg.Namespace + "/" + model.GetAmbientPolicyConfigName(model.ConfigKey{176Name: workloadCfg.Name,177Kind: kind.PeerAuthentication,178Namespace: workloadCfg.Namespace,179})180}181} else {182// Permissive mesh or namespace policy183isEffectiveStrictPolicy = false // any ports that aren't specified will be PERMISSIVE so this workload isn't effectively under a STRICT policy184foundStrict := false185for _, portMtls := range workloadSpec.PortLevelMtls {186if isMtlsModeStrict(portMtls) {187foundStrict = true188continue189}190}191// There's a STRICT port mode, so we need to reference this policy in the workload193if foundStrict {194effectivePortLevelPolicyKey = workloadCfg.Namespace + "/" + model.GetAmbientPolicyConfigName(model.ConfigKey{195Name: workloadCfg.Name,196Kind: kind.PeerAuthentication,197Namespace: workloadCfg.Namespace,198})199}200}201}202}203return effectivePeerAuthenticationKeys(rootNamespace, isEffectiveStrictPolicy, effectivePortLevelPolicyKey)205}206func effectivePeerAuthenticationKeys(rootNamespace string, isEffectiveStringPolicy bool, effectiveWorkloadPolicyKey string) []string {208res := sets.New[string]()209if isEffectiveStringPolicy {211res.Insert(fmt.Sprintf("%s/%s", rootNamespace, staticStrictPolicyName))212}213if effectiveWorkloadPolicyKey != "" {215res.Insert(effectiveWorkloadPolicyKey)216}217return sets.SortedList(res)219}220// convertPeerAuthentication converts a PeerAuthentication to an L4 authorization policy (i.e. security.Authorization) iff222// 1. the PeerAuthentication has a workload selector223// 2. The PeerAuthentication is NOT in the root namespace224// 3. There is a portLevelMtls policy (technically implied by 1)225// 4. If the top-level mode is PERMISSIVE or DISABLE, there is at least one portLevelMtls policy with mode STRICT226//227// STRICT policies that don't have portLevelMtls will be228// handled when the Workload xDS resource is pushed (a static STRICT-equivalent policy will always be pushed)229func convertPeerAuthentication(rootNamespace string, cfg *securityclient.PeerAuthentication) *security.Authorization {230pa := &cfg.Spec231mode := pa.GetMtls().GetMode()233scope := security.Scope_WORKLOAD_SELECTOR235// violates case #1, #2, or #3236if cfg.Namespace == rootNamespace || pa.Selector == nil || len(pa.PortLevelMtls) == 0 {237log.Debugf("skipping PeerAuthentication %s/%s for ambient since it isn't a workload policy with port level mTLS", cfg.Namespace, cfg.Name)238return nil239}240action := security.Action_DENY242var rules []*security.Rules243if mode == v1beta1.PeerAuthentication_MutualTLS_STRICT {245rules = append(rules, &security.Rules{246Matches: []*security.Match{247{248NotPrincipals: []*security.StringMatch{249{250MatchType: &security.StringMatch_Presence{},251},252},253},254},255})256}257// If we have a strict policy and all of the ports are strict, it's effectively a strict policy259// so we can exit early and have the WorkloadRbac xDS server push its static strict policy.260// Note that this doesn't actually attach the policy to any workload; it just makes it available261// to ztunnel in case a workload needs it.262foundNonStrictPortmTLS := false263for port, mtls := range pa.PortLevelMtls {264switch portMtlsMode := mtls.GetMode(); {265case portMtlsMode == v1beta1.PeerAuthentication_MutualTLS_STRICT:266rules = append(rules, &security.Rules{267Matches: []*security.Match{268{269NotPrincipals: []*security.StringMatch{270{271MatchType: &security.StringMatch_Presence{},272},273},274DestinationPorts: []uint32{port},275},276},277})278case portMtlsMode == v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE:279// Check top-level mode280if mode == v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE || mode == v1beta1.PeerAuthentication_MutualTLS_DISABLE {281// we don't care; log and continue282log.Debugf("skipping port %s/%s for PeerAuthentication %s/%s for ambient since the parent mTLS mode is %s",283port, portMtlsMode, cfg.Namespace, cfg.Name, mode)284continue285}286foundNonStrictPortmTLS = true287// If the top level policy is STRICT, we need to add a rule for the port that exempts it from the deny policy289rules = append(rules, &security.Rules{290Matches: []*security.Match{291{292NotDestinationPorts: []uint32{port}, // if the incoming connection does not match this port, deny (notice there's no principals requirement)293},294},295})296case portMtlsMode == v1beta1.PeerAuthentication_MutualTLS_DISABLE:297// Check top-level mode298if mode == v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE || mode == v1beta1.PeerAuthentication_MutualTLS_DISABLE {299// we don't care; log and continue300log.Debugf("skipping port %s/%s for PeerAuthentication %s/%s for ambient since the parent mTLS mode is %s",301port, portMtlsMode, cfg.Namespace, cfg.Name, mode)302continue303}304foundNonStrictPortmTLS = true305// If the top level policy is STRICT, we need to add a rule for the port that exempts it from the deny policy307rules = append(rules, &security.Rules{308Matches: []*security.Match{309{310NotDestinationPorts: []uint32{port}, // if the incoming connection does not match this port, deny (notice there's no principals requirement)311},312},313})314default:315log.Debugf("skipping port %s for PeerAuthentication %s/%s for ambient since it is %s", port, cfg.Namespace, cfg.Name, portMtlsMode)316continue317}318}319// If the top level TLS mode is STRICT and all of the port level mTLS modes are STRICT, this is just a strict policy and we'll exit early321if mode == v1beta1.PeerAuthentication_MutualTLS_STRICT && !foundNonStrictPortmTLS {322return nil323}324if len(rules) == 0 {326// we never added any rules; return327return nil328}329opol := &security.Authorization{331Name: model.GetAmbientPolicyConfigName(model.ConfigKey{332Name: cfg.Name,333Kind: kind.PeerAuthentication,334Namespace: cfg.Namespace,335}),336Namespace: cfg.Namespace,337Scope: scope,338Action: action,339Groups: []*security.Group{{Rules: rules}},340}341return opol343}344func convertAuthorizationPolicy(rootns string, obj *securityclient.AuthorizationPolicy) *security.Authorization {346pol := &obj.Spec347polTargetRef := pol.GetTargetRef()349if polTargetRef != nil &&350polTargetRef.Group == gvk.KubernetesGateway.Group &&351polTargetRef.Kind == gvk.KubernetesGateway.Kind {352// we have a policy targeting a gateway, do not configure a WDS authorization353return nil354}355scope := security.Scope_WORKLOAD_SELECTOR357if pol.GetSelector() == nil {358scope = security.Scope_NAMESPACE359// TODO: TDA360if rootns == obj.Namespace {361scope = security.Scope_GLOBAL // TODO: global workload?362}363}364action := security.Action_ALLOW365switch pol.Action {366case v1beta1.AuthorizationPolicy_ALLOW:367case v1beta1.AuthorizationPolicy_DENY:368action = security.Action_DENY369default:370return nil371}372opol := &security.Authorization{373Name: obj.Name,374Namespace: obj.Namespace,375Scope: scope,376Action: action,377Groups: nil,378}379for _, rule := range pol.Rules {381rules := handleRule(action, rule)382if rules != nil {383rg := &security.Group{384Rules: rules,385}386opol.Groups = append(opol.Groups, rg)387}388}389return opol391}392func anyNonEmpty[T any](arr ...[]T) bool {394for _, a := range arr {395if len(a) > 0 {396return true397}398}399return false400}401func handleRule(action security.Action, rule *v1beta1.Rule) []*security.Rules {403toMatches := []*security.Match{}404for _, to := range rule.To {405op := to.Operation406if action == security.Action_ALLOW && anyNonEmpty(op.Hosts, op.NotHosts, op.Methods, op.NotMethods, op.Paths, op.NotPaths) {407// L7 policies never match for ALLOW408// For DENY they will always match, so it is more restrictive409return nil410}411match := &security.Match{412DestinationPorts: stringToPort(op.Ports),413NotDestinationPorts: stringToPort(op.NotPorts),414}415toMatches = append(toMatches, match)416}417fromMatches := []*security.Match{}418for _, from := range rule.From {419op := from.Source420if action == security.Action_ALLOW && anyNonEmpty(op.RemoteIpBlocks, op.NotRemoteIpBlocks, op.RequestPrincipals, op.NotRequestPrincipals) {421// L7 policies never match for ALLOW422// For DENY they will always match, so it is more restrictive423return nil424}425match := &security.Match{426SourceIps: stringToIP(op.IpBlocks),427NotSourceIps: stringToIP(op.NotIpBlocks),428Namespaces: stringToMatch(op.Namespaces),429NotNamespaces: stringToMatch(op.NotNamespaces),430Principals: stringToMatch(op.Principals),431NotPrincipals: stringToMatch(op.NotPrincipals),432}433fromMatches = append(fromMatches, match)434}435rules := []*security.Rules{}437if len(toMatches) > 0 {438rules = append(rules, &security.Rules{Matches: toMatches})439}440if len(fromMatches) > 0 {441rules = append(rules, &security.Rules{Matches: fromMatches})442}443for _, when := range rule.When {444l4 := l4WhenAttributes.Contains(when.Key)445if action == security.Action_ALLOW && !l4 {446// L7 policies never match for ALLOW447// For DENY they will always match, so it is more restrictive448return nil449}450positiveMatch := &security.Match{451Namespaces: whenMatch("source.namespace", when, false, stringToMatch),452Principals: whenMatch("source.principal", when, false, stringToMatch),453SourceIps: whenMatch("source.ip", when, false, stringToIP),454DestinationPorts: whenMatch("destination.port", when, false, stringToPort),455DestinationIps: whenMatch("destination.ip", when, false, stringToIP),456NotNamespaces: whenMatch("source.namespace", when, true, stringToMatch),458NotPrincipals: whenMatch("source.principal", when, true, stringToMatch),459NotSourceIps: whenMatch("source.ip", when, true, stringToIP),460NotDestinationPorts: whenMatch("destination.port", when, true, stringToPort),461NotDestinationIps: whenMatch("destination.ip", when, true, stringToIP),462}463rules = append(rules, &security.Rules{Matches: []*security.Match{positiveMatch}})464}465return rules466}467var l4WhenAttributes = sets.New(469"source.ip",470"source.namespace",471"source.principal",472"destination.ip",473"destination.port",474)475func whenMatch[T any](s string, when *v1beta1.Condition, invert bool, f func(v []string) []T) []T {477if when.Key != s {478return nil479}480if invert {481return f(when.NotValues)482}483return f(when.Values)484}485func stringToMatch(rules []string) []*security.StringMatch {487res := make([]*security.StringMatch, 0, len(rules))488for _, v := range rules {489var sm *security.StringMatch490switch {491case v == "*":492sm = &security.StringMatch{MatchType: &security.StringMatch_Presence{}}493case strings.HasPrefix(v, "*"):494sm = &security.StringMatch{MatchType: &security.StringMatch_Suffix{495Suffix: strings.TrimPrefix(v, "*"),496}}497case strings.HasSuffix(v, "*"):498sm = &security.StringMatch{MatchType: &security.StringMatch_Prefix{499Prefix: strings.TrimSuffix(v, "*"),500}}501default:502sm = &security.StringMatch{MatchType: &security.StringMatch_Exact{503Exact: v,504}}505}506res = append(res, sm)507}508return res509}510func stringToPort(rules []string) []uint32 {512res := make([]uint32, 0, len(rules))513for _, m := range rules {514p, err := strconv.ParseUint(m, 10, 32)515if err != nil || p > 65535 {516continue517}518res = append(res, uint32(p))519}520return res521}522func stringToIP(rules []string) []*security.Address {524res := make([]*security.Address, 0, len(rules))525for _, m := range rules {526if len(m) == 0 {527continue528}529var (531ipAddr netip.Addr532maxCidrPrefix uint32533)534if strings.Contains(m, "/") {536ipp, err := netip.ParsePrefix(m)537if err != nil {538continue539}540ipAddr = ipp.Addr()541maxCidrPrefix = uint32(ipp.Bits())542} else {543ipa, err := netip.ParseAddr(m)544if err != nil {545continue546}547ipAddr = ipa549maxCidrPrefix = uint32(ipAddr.BitLen())550}551res = append(res, &security.Address{553Address: ipAddr.AsSlice(),554Length: maxCidrPrefix,555})556}557return res558}559func isMtlsModeUnset(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {561return mtls == nil || mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_UNSET562}563func isMtlsModeStrict(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {565return mtls != nil && mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_STRICT566}567func isMtlsModeDisable(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {569return mtls != nil && mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_DISABLE570}571func isMtlsModePermissive(mtls *v1beta1.PeerAuthentication_MutualTLS) bool {573return mtls != nil && mtls.Mode == v1beta1.PeerAuthentication_MutualTLS_PERMISSIVE574}575