From 747a0bb413a4a2041ce0eb0bb9dc0562c20b0302 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Tue, 29 Aug 2023 13:08:13 +0200
Subject: [PATCH 1/9] Test: test-upgrade is alias for test-upgrade-with-mesh

This is to test https://issues.redhat.com/browse/SRVKS-1080 and to see if this still happens
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index c373b1c65b..18fedb1881 100644
--- a/Makefile
+++ b/Makefile
@@ -179,7 +179,7 @@ test-upstream-upgrade:
 TEST_KNATIVE_KAFKA=true TEST_KNATIVE_E2E=false TEST_KNATIVE_UPGRADE=true ./test/upstream-e2e-tests.sh
 
 # Alias.
-test-upgrade: test-upstream-upgrade
+test-upgrade: test-upgrade-with-mesh
 
 test-upgrade-with-mesh:
 FULL_MESH=true UNINSTALL_MESH=false ./hack/mesh.sh

From a6501ae6fe4beaccbd61b14da13fe65979544b83 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 30 Aug 2023 08:18:05 +0200
Subject: [PATCH 2/9] Use -n for head command

---
 hack/lib/tracing.bash | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hack/lib/tracing.bash b/hack/lib/tracing.bash
index 3ca30626f2..0fca33d293 100644
--- a/hack/lib/tracing.bash
+++ b/hack/lib/tracing.bash
@@ -14,8 +14,14 @@ function install_tracing {
 function dedicate_node_to_zipkin {
 logger.info "Placing zipkin taint on first worker node"
 local zipkin_node
+<<<<<<< HEAD
 if [[ -z "$(oc get node -l 'zipkin,node-role.kubernetes.io/worker')" ]]; then
 zipkin_node=$(oc get node -l 'node-role.kubernetes.io/worker' -ojsonpath='{.items[0].metadata.name}')
+=======
+ zipkin_node=$(oc get node -l 'zipkin,node-role.kubernetes.io/worker' -oname | head -n 1)
+ if [[ -z "$zipkin_node" ]]; then
+ zipkin_node=$(oc get node -l 'node-role.kubernetes.io/worker' -oname | head -n 1)
+>>>>>>> d3ddfd18d (Use -n for head command)
 # Add label for placing the Zipkin pod via nodeAffinity
 oc label node "$zipkin_node" zipkin=
 # Add taint to prevent pods other than Zipkin from scheduling there
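Review bot: The hack/lib/tracing.bash hunk adds unresolved merge-conflict markers as new lines — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> d3ddfd18d (Use -n for head command)` — and keeps both versions of the node lookup, so bash will most likely refuse to source the file with a syntax error and every function in it, not only dedicate_node_to_zipkin, becomes unavailable. The intended resolution appears to be the `=======` side: keep the two `-oname | head -n 1` assignments and the `if [[ -z "$zipkin_node" ]]; then` guard, and drop the three marker lines together with the two HEAD-side lines (the `if [[ -z "$(oc get node -l 'zipkin,...')" ]]; then` check and the `-ojsonpath` lookup). Also worth confirming: `-oname` yields `node/<name>`, and the unchanged `oc label node "$zipkin_node" zipkin=` then passes both a resource type and a type/name argument, which kubectl may reject; either keep the `-ojsonpath='{.items[0].metadata.name}'` form from HEAD or strip the `node/` prefix before use. Patch 3/9 in this series stops setting ZIPKIN_DEDICATED_NODE, so the function may no longer be exercised, but the file still has to parse. dedicate_node_to_zipkin continues past the hunk.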
From a198c37936c4388f610e407c69f6dc319a1aeeef Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 30 Aug 2023 09:16:43 +0200
Subject: [PATCH 3/9] Do not use dedicated node for zipkin

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 18fedb1881..62f93d58e8 100644
--- a/Makefile
+++ b/Makefile
@@ -183,7 +183,7 @@ test-upgrade: test-upgrade-with-mesh
 
 test-upgrade-with-mesh:
 FULL_MESH=true UNINSTALL_MESH=false ./hack/mesh.sh
- TRACING_BACKEND=zipkin ZIPKIN_DEDICATED_NODE=true ./hack/tracing.sh
+ TRACING_BACKEND=zipkin ./hack/tracing.sh
 UNINSTALL_STRIMZI=false ./hack/strimzi.sh
 FULL_MESH=true INSTALL_PREVIOUS_VERSION=true INSTALL_KAFKA=true TRACING_BACKEND=zipkin ENABLE_TRACING=true SCALE_UP=5 ./hack/install.sh
 FULL_MESH=true TEST_KNATIVE_KAFKA=true TEST_KNATIVE_E2E=false TEST_KNATIVE_UPGRADE=true ./test/upstream-e2e-tests.sh

From d0a2e879a18b72464ad76e4e1dbe54b5905a5ce7 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Wed, 30 Aug 2023 10:48:43 +0200
Subject: [PATCH 4/9] Enable Serving continual tests

---
 test/upgrade/upgrade_test.go | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/test/upgrade/upgrade_test.go b/test/upgrade/upgrade_test.go
index 3fae9a8264..e96779f934 100644
--- a/test/upgrade/upgrade_test.go
+++ b/test/upgrade/upgrade_test.go
@@ -417,11 +417,6 @@ func ChannelContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperati
 func ServingContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperation {
 ctx, _ := defaultEnvironment(testCtx.T)
 
- // https://issues.redhat.com/browse/SRVKS-1080
- if ic := environment.GetIstioConfig(ctx); ic.Enabled {
- return nil
- }
-
 return []pkgupgrade.BackgroundOperation{
 servingupgrade.ProbeTest(),
 servingupgrade.AutoscaleSustainingWithTBCTest(),

From 62e8638cd500a976b8cd82cab9745e7e49999a76 Mon Sep 17 00:00:00 2001
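Review bot: After the deletion, `ctx` from `ctx, _ := defaultEnvironment(testCtx.T)` is no longer read anywhere in ServingContinualTests, which is a compile error in Go (declared and not used), so this commit does not build on its own; patch 5/9 removes that line, and the two should be squashed so the series stays bisectable. Worth checking whether `environment` (used only in the removed `environment.GetIstioConfig(ctx)` call within this hunk) has other uses in test/upgrade/upgrade_test.go; if not, its import becomes unused as well. With the SRVKS-1080 guard gone the serving continual tests now also run when Istio is enabled, which appears to be the intent; a one-line comment such as `// Serving continual tests also run under mesh; see SRVKS-1080.` would keep the history the removed comment carried. The function body continues past the hunk.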
From: Martin Gencur
Date: Wed, 30 Aug 2023 12:24:55 +0200
Subject: [PATCH 5/9] Remove usage of ctx

---
 test/upgrade/upgrade_test.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/test/upgrade/upgrade_test.go b/test/upgrade/upgrade_test.go
index e96779f934..7ae11e0f48 100644
--- a/test/upgrade/upgrade_test.go
+++ b/test/upgrade/upgrade_test.go
@@ -415,8 +415,6 @@ func ChannelContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperati
 }
 
 func ServingContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperation {
- ctx, _ := defaultEnvironment(testCtx.T)
-
 return []pkgupgrade.BackgroundOperation{
 servingupgrade.ProbeTest(),
 servingupgrade.AutoscaleSustainingWithTBCTest(),

From 259d1ff5ff458a90f9ad4a22f11680abd66ed148 Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 1 Sep 2023 08:12:07 +0200
Subject: [PATCH 6/9] Generate auth policies for eventing-e2e0 .. eventing-e2e4

---
 Makefile | 2 +-
 .../helm/eventing-e2e0.yaml | 544 ++++++++++++++++++
 .../helm/eventing-e2e1.yaml | 544 ++++++++++++++++++
 .../helm/eventing-e2e2.yaml | 544 ++++++++++++++++++
 .../helm/eventing-e2e3.yaml | 544 ++++++++++++++++++
 .../helm/eventing-e2e4.yaml | 544 ++++++++++++++++++
 6 files changed, 2721 insertions(+), 1 deletion(-)
 create mode 100644 hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e0.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e1.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e2.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e3.yaml
 create mode 100644 hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e4.yaml

diff --git a/Makefile b/Makefile
index 62f93d58e8..cad770d65f 100644
--- a/Makefile
+++ b/Makefile
@@ -258,7 +258,7 @@ release-files:
 templates/images-rekt.yaml \
 test/images-rekt.yaml
 ./hack/generate/mesh-auth-policies.sh \
- tenant-1,tenant-2,serving-tests,serverless-tests
+ tenant-1,tenant-2,serving-tests,serverless-tests,eventing-e2e0,eventing-e2e1,eventing-e2e2,eventing-e2e3,eventing-e2e4
 
 # Generates all files that can be generated, includes release files, code generation
 # and updates vendoring.
diff --git a/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e0.yaml b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e0.yaml
new file mode 100644
index 0000000000..0630a09287
--- /dev/null
+++ b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e0.yaml
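Review bot: The `+` line hard-codes eventing-e2e0 through eventing-e2e4, while the test-upgrade-with-mesh target changed in patch 3/9 of this series runs install.sh with `SCALE_UP=5`; if those five namespaces are the scaled-up test namespaces, the count now lives in two places with nothing tying them together. A comment above the `./hack/generate/mesh-auth-policies.sh \` line, such as `# Keep the eventing-e2eN entries in sync with SCALE_UP in test-upgrade-with-mesh`, would make that coupling visible, or the namespace list could be a Makefile variable derived from the same number. The generated eventing-e2eN.yaml files this commit adds are the script's output and need no review beyond confirming they were produced by it.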
@@ -0,0 +1,544 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace eventing-e2e0 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: eventing-e2e0 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "eventing-e2e0" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in eventing-e2e0. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + paths: + - "/eventing-e2e0/*" + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + paths: + - "/eventing-e2e0/*" + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + paths: + - "/eventing-e2e0/*" + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + paths: + - "/eventing-e2e0/*" + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in eventing-e2e0. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e0-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in eventing-e2e0 + - from: + - source: + namespaces: + - "eventing-e2e0" + to: + - operation: + paths: + - "/eventing-e2e0/*" + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e0" + - "*.eventing-e2e0.svc" + - "*.eventing-e2e0.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + 
- "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e0/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e0" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in eventing-e2e0 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "eventing-e2e0" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e1.yaml b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e1.yaml new file mode 100644 index 0000000000..18ae4fdb57 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e1.yaml 
@@ -0,0 +1,544 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace eventing-e2e1 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: eventing-e2e1 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "eventing-e2e1" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in eventing-e2e1. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + paths: + - "/eventing-e2e1/*" + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + paths: + - "/eventing-e2e1/*" + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + paths: + - "/eventing-e2e1/*" + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + paths: + - "/eventing-e2e1/*" + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in eventing-e2e1. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e1-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in eventing-e2e1 + - from: + - source: + namespaces: + - "eventing-e2e1" + to: + - operation: + paths: + - "/eventing-e2e1/*" + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e1" + - "*.eventing-e2e1.svc" + - "*.eventing-e2e1.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + 
- "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e1/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e1" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in eventing-e2e1 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "eventing-e2e1" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e2.yaml b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e2.yaml new file mode 100644 index 0000000000..c443d6c09d --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e2.yaml 
@@ -0,0 +1,544 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace eventing-e2e2 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: eventing-e2e2 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "eventing-e2e2" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in eventing-e2e2. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + paths: + - "/eventing-e2e2/*" + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + paths: + - "/eventing-e2e2/*" + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + paths: + - "/eventing-e2e2/*" + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + paths: + - "/eventing-e2e2/*" + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in eventing-e2e2. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e2-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in eventing-e2e2 + - from: + - source: + namespaces: + - "eventing-e2e2" + to: + - operation: + paths: + - "/eventing-e2e2/*" + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e2" + - "*.eventing-e2e2.svc" + - "*.eventing-e2e2.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + 
- "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e2/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e2" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in eventing-e2e2 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "eventing-e2e2" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e3.yaml b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e3.yaml new file mode 100644 index 0000000000..9281205cc7 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e3.yaml 
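Review bot: The `allow-wait-for-drain` policy at the end of this hunk has neither a `selector` nor a `from` clause, so every workload in `eventing-e2e2` — not just Knative revision pods — accepts mesh-wide traffic on port 8022, which is broader than the "allow kubernetes to call the PreStopHook" comment suggests. Since the kubelet has no mesh identity a `from` restriction is not available, but the exposure should at least be stated where the policy is rendered, e.g. `# NOTE: no selector/from — any client in the mesh can reach port 8022 on any pod in this namespace; keep unrelated services off 8022.` The `# Source: knative-istio-authz-onboarding/templates/...` headers show these files are Helm output, so any narrowing (for example a selector on the revision label the chart already uses) belongs in the template, with the checked-in files regenerated; the same point applies to the sibling `eventing-e2e1`/`e2e3`/`e2e4` files in this commit.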
@@ -0,0 +1,544 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace eventing-e2e3 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: eventing-e2e3 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "eventing-e2e3" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in eventing-e2e3. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + paths: + - "/eventing-e2e3/*" + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + paths: + - "/eventing-e2e3/*" + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + paths: + - "/eventing-e2e3/*" + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + paths: + - "/eventing-e2e3/*" + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in eventing-e2e3. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e3-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in eventing-e2e3 + - from: + - source: + namespaces: + - "eventing-e2e3" + to: + - operation: + paths: + - "/eventing-e2e3/*" + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e3" + - "*.eventing-e2e3.svc" + - "*.eventing-e2e3.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + 
- "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e3/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e3" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in eventing-e2e3 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "eventing-e2e3" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" diff --git a/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e4.yaml b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e4.yaml new file mode 100644 index 0000000000..57a0355356 --- /dev/null +++ b/hack/lib/mesh_resources/authorization-policies/helm/eventing-e2e4.yaml 
@@ -0,0 +1,544 @@ +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-knative-to-ns.yaml +# Allow namespace eventing-e2e4 to receive requests from Knative system components, from istio-system and from all namespaces of the tenant. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-from-knative-and-istio + namespace: eventing-e2e4 +spec: + action: ALLOW + rules: + - from: + - source: + namespaces: + - "eventing-e2e4" + - "knative-serving" + - "istio-system" + + - from: + - source: + namespaces: + - "knative-eventing" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/common-allow-via-knative-serving.yaml +# Allow activator to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-activator + namespace: knative-serving +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "activator" + rules: + # Allow to receive requests for Knative services in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + + # Allow to receive requests from eventing sources, subscriptions and triggers in eventing-e2e4. 
+ - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-kafka-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-kafka-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-ns-to-mt-channel-based-broker-reply.yaml +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-mt-channel-based-broker-reply + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + - from: + - source: + namespaces: + - "knative-eventing" + principals: + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + to: + - 
operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +# Allow imc-dispatcher to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-imc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "imc-dispatcher" + rules: + # Allow to receive requests from event sources in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + paths: + - "/eventing-e2e4/*" + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-broker-receiver to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-ekb + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-broker-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + paths: + - "/eventing-e2e4/*" + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-channel-receiver to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-ekc + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-channel-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + paths: + - "/eventing-e2e4/*" + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - 
"cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow kafka-sink-receiver to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-eks + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "kafka-sink-receiver" + rules: + # Allow to receive requests from event sources in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + paths: + - "/eventing-e2e4/*" + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - 
"cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/eventing-allow-to-knative-eventing-receiver.yaml +--- +# Allow broker-ingress to receive requests from workloads and resources in eventing-e2e4. +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-eventing-e2e4-to-broker-ingress + namespace: knative-eventing +spec: + action: ALLOW + selector: + matchLabels: + app.kubernetes.io/component: "broker-ingress" + rules: + # Allow to receive requests from event sources in eventing-e2e4 + - from: + - source: + namespaces: + - "eventing-e2e4" + to: + - operation: + paths: + - "/eventing-e2e4/*" + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + - "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + hosts: + - "*.eventing-e2e4" + - "*.eventing-e2e4.svc" + - "*.eventing-e2e4.svc.cluster.local" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" + - from: + - source: + namespaces: [ "knative-eventing" ] + principals: + - "cluster.local/ns/knative-eventing/sa/pingsource-mt-adapter" + + 
- "cluster.local/ns/knative-eventing/sa/imc-dispatcher" + + - "cluster.local/ns/knative-eventing/sa/mt-broker-filter" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-source-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-broker-data-plane" + + - "cluster.local/ns/knative-eventing/sa/knative-kafka-channel-data-plane" + + to: + - operation: + paths: + - "/eventing-e2e4/*" + when: + - key: request.headers[Kn-Namespace] + values: + - "eventing-e2e4" +--- +# Source: knative-istio-authz-onboarding/templates/serving-allow-wait-for-drain.yaml +# Allow kubernetes to call the PreStopHook to wait for draining on port 8022 in eventing-e2e4 +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: "allow-wait-for-drain" + namespace: "eventing-e2e4" +spec: + action: ALLOW + rules: + - to: + - operation: + ports: + - "8022" From 39d21328afec2515a2b03102a273915ceb5fbf2b Mon Sep 17 00:00:00 2001 From: Martin Gencur Date: Fri, 1 Sep 2023 08:15:20 +0200 Subject: [PATCH 7/9] Fix after rebase --- hack/lib/tracing.bash | 6 ------ 1 file changed, 6 deletions(-) diff --git a/hack/lib/tracing.bash b/hack/lib/tracing.bash index 0fca33d293..3ca30626f2 100644 --- a/hack/lib/tracing.bash +++ b/hack/lib/tracing.bash 
@@ -14,14 +14,8 @@ function install_tracing {
 function dedicate_node_to_zipkin {
   logger.info "Placing zipkin taint on first worker node"
   local zipkin_node
-<<<<<<< HEAD
   if [[ -z "$(oc get node -l 'zipkin,node-role.kubernetes.io/worker')" ]]; then
     zipkin_node=$(oc get node -l 'node-role.kubernetes.io/worker' -ojsonpath='{.items[0].metadata.name}')
-=======
-  zipkin_node=$(oc get node -l 'zipkin,node-role.kubernetes.io/worker' -oname | head -n 1)
-  if [[ -z "$zipkin_node" ]]; then
-    zipkin_node=$(oc get node -l 'node-role.kubernetes.io/worker' -oname | head -n 1)
->>>>>>> d3ddfd18d (Use -n for head command)
     # Add label for placing the Zipkin pod via nodeAffinity
     oc label node "$zipkin_node" zipkin=
     # Add taint to prevent pods other than Zipkin from scheduling there
From 7e2c4a2bb8a20ae0f97eb0c150cff4c4301fb98c Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 1 Sep 2023 11:22:50 +0200
Subject: [PATCH 8/9] Run AutoscaleSustaining tests only without Mesh

---
 test/upgrade/upgrade_test.go | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/test/upgrade/upgrade_test.go b/test/upgrade/upgrade_test.go
index 7ae11e0f48..5cdb186c99 100644
--- a/test/upgrade/upgrade_test.go
+++ b/test/upgrade/upgrade_test.go
@@ -415,9 +415,19 @@ func ChannelContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperati
 }
 
 func ServingContinualTests(testCtx *test.Context) []pkgupgrade.BackgroundOperation {
-	return []pkgupgrade.BackgroundOperation{
+	tests := []pkgupgrade.BackgroundOperation{
 		servingupgrade.ProbeTest(),
-		servingupgrade.AutoscaleSustainingWithTBCTest(),
-		servingupgrade.AutoscaleSustainingTest(),
 	}
+
+	ctx, _ := defaultEnvironment(testCtx.T)
+
+	// Run AutoscaleSustaining tests only without Mesh to
+	// give them enough CPU/Mem for scaling on CI clusters.
+	if ic := environment.GetIstioConfig(ctx); !ic.Enabled {
+		tests = append(tests,
+			servingupgrade.AutoscaleSustainingWithTBCTest(),
+			servingupgrade.AutoscaleSustainingTest())
+	}
+
+	return tests
 }
From 0c679a2b048b9a0a985278c72b625af5fdf7720a Mon Sep 17 00:00:00 2001
From: Martin Gencur
Date: Fri, 1 Sep 2023 12:42:58 +0200
Subject: [PATCH 9/9] Bring back Makefile alias test-upgrade: test-upstream-upgrade

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index cad770d65f..55659ce287 100644
--- a/Makefile
+++ b/Makefile
@@ -179,7 +179,7 @@ test-upstream-upgrade:
 	TEST_KNATIVE_KAFKA=true TEST_KNATIVE_E2E=false TEST_KNATIVE_UPGRADE=true ./test/upstream-e2e-tests.sh
 
 # Alias.
-test-upgrade: test-upgrade-with-mesh
+test-upgrade: test-upstream-upgrade
 
 test-upgrade-with-mesh:
 	FULL_MESH=true UNINSTALL_MESH=false ./hack/mesh.sh
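Review bot: `ctx, _ := defaultEnvironment(testCtx.T)` discards the second return value with no explanation, and the gating decision `environment.GetIstioConfig(ctx); !ic.Enabled` is taken on that context regardless of what was dropped; if that value is an error or a cleanup function (not visible in the hunk), a failed environment setup is swallowed here and the mesh-only branch could be decided on an unusable context. Either handle it, e.g. `ctx, err := defaultEnvironment(testCtx.T)` followed by a fatal on non-nil error through the test's `T`, or state why it is safe to ignore with a comment such as `// defaultEnvironment's second return value is intentionally unused here: <reason>`. The skip also means a mesh-enabled run silently loses the AutoscaleSustaining coverage; logging that the two tests were left out when `ic.Enabled` is true would make the reduced scope visible in CI output. ServingContinualTests is entirely within the hunk.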