
Reduce permissions of API gateway policy #3230

Merged: 1 commit merged into main from replace-api-gateway-policy, Dec 8, 2023

Conversation

roncodingenthusiast
Contributor

Changes proposed in this PR:

  • The reason api-gateway previously required service write on everything was that it would create intentions for any service that the gateway was configured to route to. This is no longer the case, as we only need service write on the api-gateway.
  • This PR suggests only giving service write on the API gateway.
  • This is the first step toward removing this completely and using templated policies.
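
As an added illustration, not the project's own policy text, the change described above written as Consul ACL rules: the broad rule the gateway carried before beside the rule scoped to its own service name. The gateway name `my-api-gateway` is a placeholder, and the read-only rules at the end are an assumption about what a gateway still needs for discovery, not something this PR states.

```hcl
# --- before: service write on everything ---
# service_prefix "" matches every service name. service:write on a
# destination is what lets a token create intentions for it, which is
# why the gateway needed this while it created intentions for every
# upstream it routed to.
service_prefix "" {
  policy = "write"
}

# --- after: service write only on the gateway itself ---
# The gateway registers itself, so write is scoped to its own name
# (placeholder value). It can no longer register or write intentions
# for arbitrary services.
service "my-api-gateway" {
  policy = "write"
}

# Assumed read-only rules, not from the PR: a gateway still has to
# discover the services it routes to and the nodes they run on.
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
```

A policy of this shape should be tested both by checking the gateway still routes traffic and by confirming the token can no longer register a service with a different name.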

@roncodingenthusiast roncodingenthusiast added the labels pr/no-backport (signals that a PR will not contain a backport) and pr/no-changelog (PR does not need a corresponding .changelog entry) on Nov 17, 2023
@roncodingenthusiast roncodingenthusiast force-pushed the replace-api-gateway-policy branch from 27d791c to 30ee813 on December 4, 2023 13:32
@roncodingenthusiast roncodingenthusiast marked this pull request as ready for review on December 4, 2023 18:57
Member

@nathancoleman nathancoleman left a comment


This LGTM. Have you had a chance to test it yet? If not, I can help out with that

Review comment on control-plane/api-gateway/cache/consul.go (outdated, resolved)
@nathancoleman
Member

I have confirmed that this works for native Consul API Gateway using the setup here, resulting in:

$ http http://34.148.240.250 -j
HTTP/1.1 200 OK
content-length: 255
content-type: text/plain; charset=utf-8
date: Thu, 07 Dec 2023 20:00:41 GMT
server: envoy
x-envoy-upstream-service-time: 5

{
    "body": "Hello World",
    "code": 200,
    "duration": "146.643µs",
    "end_time": "2023-12-07T20:00:41.767760",
    "ip_addresses": [
        "10.40.2.8"
    ],
    "name": "backend",
    "start_time": "2023-12-07T20:00:41.767613",
    "type": "HTTP",
    "uri": "/"
}

I have also confirmed that everything still works for legacy Consul API Gateway using the setup here, resulting in:

$ http http://104.196.141.50 -j
HTTP/1.1 200 OK
content-length: 256
content-type: text/plain; charset=utf-8
date: Thu, 07 Dec 2023 20:44:36 GMT
server: envoy
x-envoy-upstream-service-time: 10

{
    "body": "Hello World",
    "code": 200,
    "duration": "463.781µs",
    "end_time": "2023-12-07T20:44:36.868101",
    "ip_addresses": [
        "10.40.5.10"
    ],
    "name": "backend",
    "start_time": "2023-12-07T20:44:36.867637",
    "type": "HTTP",
    "uri": "/"
}

@roncodingenthusiast roncodingenthusiast merged commit 4dadb45 into main Dec 8, 2023
3 checks passed
@roncodingenthusiast roncodingenthusiast deleted the replace-api-gateway-policy branch December 8, 2023 13:31