AuthPolicy CEL validation rules
- Invalid targetRef.group
- Invalid targetRef.kind
- Route selectors not supported when targeting a Gateway

Note: cannot set a validation rule for !has(spec.targetRef.namespace) || spec.targetRef.namespace == metadata.namespace, because Kubernetes does not allow accessing `metadata.namespace`. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation-rules
guicassolato committed Oct 20, 2023
1 parent a73ab1d commit 05916cd
Showing 4 changed files with 68 additions and 1 deletion.
9 changes: 9 additions & 0 deletions api/v1beta2/authpolicy_types.go
Expand Up @@ -115,8 +115,17 @@ type CallbackSpec struct {
CommonAuthRuleSpec `json:""`
}

// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.authentication) || !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.metadata) || !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.authorization) || !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.response) || !has(self.rules.response.success) || self.rules.response.success.headers.exists(x, has(self.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.response) || !has(self.rules.response.success) || self.rules.response.success.dynamicMetadata.exists(x, has(self.rules.response.success.dynamicMetadata[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.callbacks) || !self.rules.callbacks.exists(x, has(self.rules.callbacks[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"
type AuthPolicySpec struct {
// TargetRef identifies an API object to apply policy to.
// +kubebuilder:validation:XValidation:rule="self.group == 'gateway.networking.k8s.io'",message="Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'"
// +kubebuilder:validation:XValidation:rule="self.kind == 'HTTPRoute' || self.kind == 'Gateway'",message="Invalid targetRef.kind. The only supported values are 'HTTPRoute' and 'Gateway'"
TargetRef gatewayapiv1alpha2.PolicyTargetReference `json:"targetRef"`

// Top-level route selectors.
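Review bot: The two `response.success` XValidation markers (the fifth and sixth ones, for `headers` and `dynamicMetadata`) are inverted relative to the other five: they drop the `!` in front of `.exists(...)`, so a Gateway-targeted policy with a response block is accepted only when some entry *does* carry routeSelectors and rejected when none does, which is the opposite of what the message says. They also never guard `has(self.rules.response.success.headers)` (or `.dynamicMetadata`), so a success block that omits one of the two maps dereferences a missing field, and Kubernetes treats the resulting CEL error as a validation failure. The corrected headers marker is `// +kubebuilder:validation:XValidation:rule="self.targetRef.kind != 'Gateway' || !has(self.rules.response) || !has(self.rules.response.success) || !has(self.rules.response.success.headers) || !self.rules.response.success.headers.exists(x, has(self.rules.response.success.headers[x].routeSelectors))",message="route selectors not supported when targeting a Gateway"`, with the same shape for dynamicMetadata; both generated CRD manifests in this commit carry the same inverted rules and need regenerating after the fix. If `spec.rules` is itself optional (its declaration is below the hunk, inside AuthPolicySpec which continues past what is shown), every `has(self.rules.X)` guard should additionally be preceded by `!has(self.rules) ||` for the same reason.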
Expand Up @@ -41,7 +41,7 @@ metadata:
capabilities: Basic Install
categories: Integration & Delivery
containerImage: quay.io/kuadrant/kuadrant-operator:latest
createdAt: "2023-10-18T14:03:29Z"
createdAt: "2023-10-20T05:02:47Z"
operators.operatorframework.io/builder: operator-sdk-v1.28.1
operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
repository: https://github.com/Kuadrant/kuadrant-operator
29 changes: 29 additions & 0 deletions bundle/manifests/kuadrant.io_authpolicies.yaml
Expand Up @@ -4121,6 +4121,12 @@ spec:
- kind
- name
type: object
x-kubernetes-validations:
- message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'
rule: self.group == 'gateway.networking.k8s.io'
- message: Invalid targetRef.kind. The only supported values are 'HTTPRoute'
and 'Gateway'
rule: self.kind == 'HTTPRoute' || self.kind == 'Gateway'
when:
description: Overall conditions for the AuthPolicy to be enforced.
If omitted, the AuthPolicy will be enforced at all requests to the
Expand Down Expand Up @@ -4177,6 +4183,29 @@ spec:
required:
- targetRef
type: object
x-kubernetes-validations:
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.authentication)
|| !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.metadata)
|| !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.authorization)
|| !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.response)
|| !has(self.rules.response.success) || self.rules.response.success.headers.exists(x,
has(self.rules.response.success.headers[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.response)
|| !has(self.rules.response.success) || self.rules.response.success.dynamicMetadata.exists(x,
has(self.rules.response.success.dynamicMetadata[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.callbacks)
|| !self.rules.callbacks.exists(x, has(self.rules.callbacks[x].routeSelectors))
status:
properties:
conditions:
29 changes: 29 additions & 0 deletions config/crd/bases/kuadrant.io_authpolicies.yaml
Expand Up @@ -4120,6 +4120,12 @@ spec:
- kind
- name
type: object
x-kubernetes-validations:
- message: Invalid targetRef.group. The only supported value is 'gateway.networking.k8s.io'
rule: self.group == 'gateway.networking.k8s.io'
- message: Invalid targetRef.kind. The only supported values are 'HTTPRoute'
and 'Gateway'
rule: self.kind == 'HTTPRoute' || self.kind == 'Gateway'
when:
description: Overall conditions for the AuthPolicy to be enforced.
If omitted, the AuthPolicy will be enforced at all requests to the
Expand Down Expand Up @@ -4176,6 +4182,29 @@ spec:
required:
- targetRef
type: object
x-kubernetes-validations:
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.routeSelectors)
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.authentication)
|| !self.rules.authentication.exists(x, has(self.rules.authentication[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.metadata)
|| !self.rules.metadata.exists(x, has(self.rules.metadata[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.authorization)
|| !self.rules.authorization.exists(x, has(self.rules.authorization[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.response)
|| !has(self.rules.response.success) || self.rules.response.success.headers.exists(x,
has(self.rules.response.success.headers[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.response)
|| !has(self.rules.response.success) || self.rules.response.success.dynamicMetadata.exists(x,
has(self.rules.response.success.dynamicMetadata[x].routeSelectors))
- message: route selectors not supported when targeting a Gateway
rule: self.targetRef.kind != 'Gateway' || !has(self.rules.callbacks)
|| !self.rules.callbacks.exists(x, has(self.rules.callbacks[x].routeSelectors))
status:
properties:
conditions:
