From 4a991f7d87bb6c57ff8d330b0e1e4df63c1b3523 Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Wed, 12 Jun 2024 11:51:58 +0200
Subject: [PATCH] Add default-authorization-mode feature flag

Signed-off-by: Pierangelo Di Pilato
---
 config/core/configmaps/features.yaml | 6 ++
 pkg/apis/feature/features.go | 59 +++++++++++++++----
 pkg/apis/feature/features_test.go | 1 +
 pkg/apis/feature/flag_names.go | 1 +
 .../feature/testdata/config-features.yaml | 1 +
 5 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/config/core/configmaps/features.yaml b/config/core/configmaps/features.yaml
index fe1ed2aa5f1..9dbec1753ef 100644
--- a/config/core/configmaps/features.yaml
+++ b/config/core/configmaps/features.yaml
@@ -56,6 +56,12 @@ data:
   # For more details: https://github.com/knative/eventing/issues/7174
   authentication-oidc: "disabled"
 
+  # ALPHA feature: The default-authorization-mode flag allows you to change the default
+  # authorization mode for resources that have no EventPolicy associated with them.
+  #
+  # This feature flag is only used when "authentication-oidc" is enabled.
+  default-authorization-mode: "allow-same-namespace"
+
   # ALPHA feature: The cross-namespace-event-links flag allows you to use cross-namespace referencing for Eventing.
   # For more details: https://github.com/knative/eventing/issues/7739
   cross-namespace-event-links: "disabled"
diff --git a/pkg/apis/feature/features.go b/pkg/apis/feature/features.go
index e01195bb5f6..982ca8c67e0 100644
--- a/pkg/apis/feature/features.go
+++ b/pkg/apis/feature/features.go
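Review bot: The new comment block for default-authorization-mode says the flag changes the default authorization mode but never lists the values it accepts, and the permissive setting deserves a warning, since per the constant docs in features.go `allow-all` admits every OIDC subject to a resource that has no EventPolicy. Suggest extending the comment with `# Accepted values: "allow-all", "deny-all", "allow-same-namespace" (default).` and a line such as `# "allow-all" lets any authenticated subject reach resources without an EventPolicy; prefer "deny-all" or the default where policies are incomplete.` The spellings are matched case-insensitively by NewFlagsConfigFromMap, so the lowercase form used here is the one to document.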
@@ -45,6 +45,24 @@ const (
 	// - Addressables should advertise both HTTP and HTTPS endpoints
 	// - Producers should prefer to send events to HTTPS endpoints, if available
 	Permissive Flag = "Permissive"
+
+	// AuthorizationAllowAll is a value for AuthorizationDefaultMode that indicates to allow all
+	// OIDC subjects by default.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationAllowAll Flag = "Allow-All"
+
+	// AuthorizationDenyAll is a value for AuthorizationDefaultMode that indicates to deny all
+	// OIDC subjects by default.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationDenyAll Flag = "Deny-All"
+
+	// AuthorizationAllowSameNamespace is a value for AuthorizationDefaultMode that indicates to allow
+	// OIDC subjects with the same namespace as a given resource.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationAllowSameNamespace Flag = "Allow-Same-Namespace"
 )
 
 // Flags is a map containing all the enabled/disabled flags for the experimental features.
@@ -53,15 +71,16 @@ type Flags map[string]Flag
 
 func newDefaults() Flags {
 	return map[string]Flag{
-		KReferenceGroup:     Disabled,
-		DeliveryRetryAfter:  Disabled,
-		DeliveryTimeout:     Enabled,
-		KReferenceMapping:   Disabled,
-		NewTriggerFilters:   Enabled,
-		TransportEncryption: Disabled,
-		OIDCAuthentication:  Disabled,
-		EvenTypeAutoCreate:  Disabled,
-		NewAPIServerFilters: Disabled,
+		KReferenceGroup:          Disabled,
+		DeliveryRetryAfter:       Disabled,
+		DeliveryTimeout:          Enabled,
+		KReferenceMapping:        Disabled,
+		NewTriggerFilters:        Enabled,
+		TransportEncryption:      Disabled,
+		OIDCAuthentication:       Disabled,
+		EvenTypeAutoCreate:       Disabled,
+		NewAPIServerFilters:      Disabled,
+		AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
 	}
 }
 
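Review bot: The doc comments on AuthorizationAllowAll, AuthorizationDenyAll and AuthorizationAllowSameNamespace give one precondition (no EventPolicy with a "to" referencing the resource) but omit the second one that the features.yaml comment in this same patch states: the mode is only consulted when authentication-oidc is enabled. Suggest adding to each constant `// It has no effect unless OIDCAuthentication is enabled.` so the Go API and the ConfigMap documentation make the same promise. The const block itself starts and ends outside the hunk.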
@@ -103,6 +122,18 @@ func (e Flags) IsCrossNamespaceEventLinks() bool {
 	return e != nil && e[CrossNamespaceEventLinks] == Enabled
 }
 
+func (e Flags) IsAuthorizationDefaultModeAllowAll() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationAllowAll
+}
+
+func (e Flags) IsAuthorizationDefaultModeDenyAll() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationDenyAll
+}
+
+func (e Flags) IsAuthorizationDefaultModeSameNamespace() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationAllowSameNamespace
+}
+
 func (e Flags) String() string {
 	return fmt.Sprintf("%+v", map[string]Flag(e))
 }
@@ -142,10 +173,16 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
 			flags[sanitizedKey] = Disabled
 		} else if strings.EqualFold(v, string(Enabled)) {
 			flags[sanitizedKey] = Enabled
-		} else if k == TransportEncryption && strings.EqualFold(v, string(Permissive)) {
+		} else if sanitizedKey == TransportEncryption && strings.EqualFold(v, string(Permissive)) {
 			flags[sanitizedKey] = Permissive
-		} else if k == TransportEncryption && strings.EqualFold(v, string(Strict)) {
+		} else if sanitizedKey == TransportEncryption && strings.EqualFold(v, string(Strict)) {
 			flags[sanitizedKey] = Strict
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationAllowAll)) {
+			flags[sanitizedKey] = AuthorizationAllowAll
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationDenyAll)) {
+			flags[sanitizedKey] = AuthorizationDenyAll
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationAllowSameNamespace)) {
+			flags[sanitizedKey] = AuthorizationAllowSameNamespace
 		} else if strings.Contains(k, NodeSelectorLabel) {
 			flags[sanitizedKey] = Flag(v)
 		} else {
diff --git a/pkg/apis/feature/features_test.go b/pkg/apis/feature/features_test.go
index 9b599e5049f..c03561cc616 100644
--- a/pkg/apis/feature/features_test.go
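Review bot: The three new exported predicates carry no doc comment, and none of them states the one property a caller of an authorization switch most needs: when the receiver is nil or the AuthorizationDefaultMode key is absent (any Flags not built through newDefaults), all three return false, so a caller that gates on `!IsAuthorizationDefaultModeDenyAll()` fails open. Suggest a comment on each in the style of `// IsAuthorizationDefaultModeDenyAll reports whether resources without an EventPolicy reject all OIDC subjects by default. It is false when the mode is unset, so a false result must not be read as "allow".` Documenting that the three are mutually exclusive and that exactly one is true for a map populated by newDefaults or NewFlagsConfigFromMap would also help callers pick the right check.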
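Review bot: The three new `sanitizedKey == AuthorizationDefaultMode` branches repeat the same shape, differing only in the constant, and the set of accepted values lives nowhere but in this chain; a small helper that maps a value onto its canonical constant reduces the chain to one branch and gives the accepted set a single home for the parser, the docs and future tests. The rewrite below keeps the case-insensitive match and still stores the canonical Flag rather than the raw string. A value outside the set still falls through to the trailing `else`, which is outside this hunk; if that branch rejects unknown values as it appears to for other flags, a typo in this security-relevant setting is caught at load time rather than silently ignored, which is worth pinning with a test. NewFlagsConfigFromMap starts and ends outside the hunk.

```go
// parseAuthorizationDefaultMode maps a config value onto its canonical
// AuthorizationDefaultMode constant. The match is case-insensitive, like the
// other flag values; ok is false for anything outside the accepted set.
func parseAuthorizationDefaultMode(v string) (mode Flag, ok bool) {
	for _, m := range []Flag{AuthorizationAllowAll, AuthorizationDenyAll, AuthorizationAllowSameNamespace} {
		if strings.EqualFold(v, string(m)) {
			return m, true
		}
	}
	return "", false
}

// … unchanged: Disabled/Enabled/TransportEncryption branches in NewFlagsConfigFromMap …
		} else if mode, ok := parseAuthorizationDefaultMode(v); sanitizedKey == AuthorizationDefaultMode && ok {
			flags[sanitizedKey] = mode
		} else if strings.Contains(k, NodeSelectorLabel) {
```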
+++ b/pkg/apis/feature/features_test.go
@@ -56,6 +56,7 @@ func TestGetFlags(t *testing.T) {
 	require.True(t, flags.IsAllowed("my-enabled-flag"))
 	require.True(t, flags.IsAllowed("my-allowed-flag"))
 	require.False(t, flags.IsAllowed("non-disabled-flag"))
+	require.True(t, flags.IsAuthorizationDefaultModeSameNamespace())
 
 	nodeSelector := flags.NodeSelector()
 	expectedNodeSelector := map[string]string{"testkey": "testvalue", "testkey1": "testvalue1", "testkey2": "testvalue2"}
diff --git a/pkg/apis/feature/flag_names.go b/pkg/apis/feature/flag_names.go
index cd937554c4b..99abc20769c 100644
--- a/pkg/apis/feature/flag_names.go
+++ b/pkg/apis/feature/flag_names.go
@@ -28,4 +28,5 @@ const (
 	NodeSelectorLabel        = "apiserversources-nodeselector-"
 	CrossNamespaceEventLinks = "cross-namespace-event-links"
 	NewAPIServerFilters      = "new-apiserversource-filters"
+	AuthorizationDefaultMode = "default-authorization-mode"
 )
diff --git a/pkg/apis/feature/testdata/config-features.yaml b/pkg/apis/feature/testdata/config-features.yaml
index 108b17851eb..6c3252ba429 100644
--- a/pkg/apis/feature/testdata/config-features.yaml
+++ b/pkg/apis/feature/testdata/config-features.yaml
@@ -25,6 +25,7 @@ data:
   my-enabled-flag: "enabled"
   my-disabled-flag: "disabled"
   my-allowed-flag: "allowed"
+  default-authorization-mode: allow-same-namespace
   apiserversources-nodeselector-testkey: testvalue
   apiserversources-nodeselector-testkey1: testvalue1
   apiserversources-nodeselector-testkey2: testvalue2
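Review bot: The single added assertion only confirms the value that testdata/config-features.yaml already sets, which is also the default from newDefaults, so it would pass even if parsing of the new flag were broken. Nothing exercises `allow-all` or `deny-all`, the case-insensitive match between the lowercase ConfigMap spelling and the mixed-case constants, the `k` to `sanitizedKey` fix for TransportEncryption, or how an unrecognised value is handled. A case-driven test over NewFlagsConfigFromMap such as `flags, err := NewFlagsConfigFromMap(map[string]string{AuthorizationDefaultMode: "deny-all"})` followed by `require.NoError(t, err)` and `require.True(t, flags.IsAuthorizationDefaultModeDenyAll())`, plus one input with a misspelled mode asserting whatever the parser's trailing branch does with it, would pin the behaviour of a flag that decides who may reach unprotected resources. TestGetFlags starts and ends outside the hunk.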