
Applying v2alpha1 APIRule blocks in-cluster communication to the target #1632

Open
barchw opened this issue Jan 22, 2025 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Comments

@barchw
Contributor

barchw commented Jan 22, 2025

Description

Applying a v2alpha1 APIRule blocks in-cluster communication to the target, as an AP (AuthorizationPolicy) with action type ALLOW is applied in all cases. As the logic behind an AP blocks all traffic except for matches to the ALLOW AuthorizationPolicy, internal traffic is blocked unless it is allowed explicitly by a different AP of type ALLOW.

Expected result
Application of v2alpha1 APIRule to a workload should not block in-cluster traffic targeting the workload.

Actual result
Any traffic other than incoming from istio-ingressgateway and matching the APIRule restrictions is blocked.

Steps to reproduce

  1. APIGateway module installed

```bash
kubectl apply -f https://github.com/kyma-project/istio/releases/latest/download/istio-manager.yaml
kubectl apply -f https://github.com/kyma-project/istio/releases/latest/download/istio-default-cr.yaml

kubectl apply -f https://github.com/kyma-project/api-gateway/releases/latest/download/api-gateway-manager.yaml
kubectl apply -f https://github.com/kyma-project/api-gateway/releases/latest/download/apigateway-default-cr.yaml
```

  2. A target workload present (and Istio injected)

```bash
export NAMESPACE_NAME=sidecar-enabled
kubectl create ns ${NAMESPACE_NAME}
kubectl label namespace $NAMESPACE_NAME istio-injection=enabled --overwrite
kubectl -n ${NAMESPACE_NAME} apply -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
```

  3. An APIRule created, targeting the workload; the handler is irrelevant (can be e.g. noAuth)

```yaml
apiVersion: gateway.kyma-project.io/v2alpha1
kind: APIRule
metadata:
  name: "httpbin"
  namespace: sidecar-enabled
spec:
  gateway: "kyma-system/kyma-gateway"
  hosts:
    - "httpbin"
  service:
    name: httpbin
    port: 8000
  rules:
    - path: /anything/{**}
      methods: ["GET"]
      noAuth: true
```

  4. Internal traffic to the httpbin pod will be blocked

DoD [Developer & Reviewer]

  • Provide unit and integration tests.
  • Provide documentation.
  • Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
  • If you changed the resource limits, explain why it was needed.
  • Verify that your contributions don't decrease code coverage. If they do, explain why this is the case.
  • Add release notes.
@barchw barchw added the kind/bug Categorizes issue or PR as related to a bug. label Jan 22, 2025
@strekm strekm added this to the 2.10.3 milestone Jan 22, 2025
@mluk-sap
Contributor

mluk-sap commented Jan 23, 2025

We discussed it during the refinement:

  • let's add an AP that allows internal traffic except from the Ingress controller, like:

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-internal
  namespace: sidecar-enabled
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # every peer identity except the ingress gateway service account
        notPrincipals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
```

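The behaviour described in the issue (an ALLOW policy on a workload denies everything it does not match) and the effect of the proposed `allow-internal` policy can be checked without a cluster by modelling Istio's documented AuthorizationPolicy evaluation order: DENY policies first, then ALLOW policies, and if any ALLOW policy selects the workload, a request matching none of them is denied. The script below is an added example, not code from the api-gateway project or from Istio. Two things in it are assumptions, since the page does not show them: the APIRule-generated policy is modelled as "principal = ingress gateway service account, GET /anything/*", and the in-cluster caller is a constructed identity `cluster.local/ns/sidecar-enabled/sa/sleep`.

```python
"""Model of Istio AuthorizationPolicy evaluation for one workload (httpbin).

Added example, not code from kyma-project/api-gateway or Istio.
Assumptions (not from the issue): the APIRule-derived ALLOW policy is modelled
as "ingress gateway SA, GET /anything/*"; the in-cluster caller is a constructed
service account "sleep" in namespace sidecar-enabled.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Optional

INGRESS_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
SLEEP_SA = "cluster.local/ns/sidecar-enabled/sa/sleep"  # constructed caller identity


@dataclass
class Request:
    principal: Optional[str]  # None = no peer certificate (plaintext caller)
    method: str
    path: str


@dataclass
class Rule:
    principals: list = field(default_factory=list)      # source.principals
    not_principals: list = field(default_factory=list)  # source.notPrincipals
    methods: list = field(default_factory=list)         # to.operation.methods
    paths: list = field(default_factory=list)           # to.operation.paths

    def matches(self, req: Request) -> bool:
        # Fields are ANDed; an empty field matches anything.
        if self.principals and req.principal not in self.principals:
            return False
        # Negative match: a request with NO principal is not in the list, so it
        # still matches. This is the "ALLOW with negative matching" pitfall.
        if self.not_principals and req.principal in self.not_principals:
            return False
        if self.methods and req.method not in self.methods:
            return False
        # Istio "/prefix/*" is a prefix match; fnmatch's "*" spans "/" too.
        if self.paths and not any(fnmatch(req.path, p) for p in self.paths):
            return False
        return True


@dataclass
class Policy:
    name: str
    action: str  # "ALLOW" or "DENY"
    rules: list

    def matches(self, req: Request) -> bool:
        return any(r.matches(req) for r in self.rules)


def evaluate(policies: list, req: Request) -> str:
    """Decision for one request given the policies selecting this workload."""
    if any(p.action == "DENY" and p.matches(req) for p in policies):
        return "DENY"
    allows = [p for p in policies if p.action == "ALLOW"]
    if not allows:
        return "ALLOW"  # no ALLOW policy selects the workload: everything passes
    return "ALLOW" if any(p.matches(req) for p in allows) else "DENY"


# Modelled APIRule-generated policy (assumption, see module docstring).
APIRULE_ALLOW = Policy("httpbin-apirule", "ALLOW", [
    Rule(principals=[INGRESS_SA], methods=["GET"], paths=["/anything/*"]),
])

# The allow-internal policy proposed in the comment above.
ALLOW_INTERNAL = Policy("allow-internal", "ALLOW", [
    Rule(not_principals=[INGRESS_SA]),
])

# Constructed sample requests.
REQUESTS = {
    "gateway_get_anything": Request(INGRESS_SA, "GET", "/anything/foo"),
    "gateway_post_anything": Request(INGRESS_SA, "POST", "/anything/foo"),
    "internal_get_anything": Request(SLEEP_SA, "GET", "/anything/foo"),
    "internal_get_headers": Request(SLEEP_SA, "GET", "/headers"),
    "plaintext_get_headers": Request(None, "GET", "/headers"),
}


def decisions(policies: list) -> dict:
    return {name: evaluate(policies, req) for name, req in REQUESTS.items()}


def before_fix() -> dict:
    """Only the APIRule policy: all in-cluster traffic is denied."""
    return decisions([APIRULE_ALLOW])


def after_fix() -> dict:
    """APIRule policy plus allow-internal: in-cluster traffic passes again."""
    return decisions([APIRULE_ALLOW, ALLOW_INTERNAL])


if __name__ == "__main__":
    for label, result in (("before", before_fix()), ("after", after_fix())):
        for name, decision in result.items():
            print(f"{label:6} {name:24} {decision}")
```

Running it shows the bug (every request not from the gateway is denied when only the APIRule policy exists) and that `allow-internal` restores in-cluster access while still leaving gateway traffic governed by the APIRule policy. It also shows the caveat of the proposed fix: `notPrincipals` is a negative match, so a caller with no peer identity (plaintext under a PERMISSIVE PeerAuthentication) also matches and is allowed; Istio's security best practices recommend positive matching for ALLOW policies for this reason, so a STRICT mTLS mode or an explicit `principals`/`namespaces` list is worth considering alongside it.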