Skip to content

Commit

Permalink
feat(authz): Authorino for Service Mesh
Browse files Browse the repository at this point in the history
This first iteration is to cover authentication needs for KServe

* Add templates to install Authorino
* Add templates to configure Service Mesh to use Authorino to delegate Authorization
* Add KServe-specific templates add ability to secure KServe Inference Services
* Add relevant fields to DSCInitialization resource
* Code for proper cleanup, in case of uninstalling

Most (if not all) of this code comes from pull request opendatahub-io#605. Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et. al.

Related opendatahub-io/kserve#128

Signed-off-by: Edgar Hernández <[email protected]>
  • Loading branch information
israel-hdez authored and bartoszmajsak committed Jan 23, 2024
1 parent 0e9c4ed commit b0754ae
Show file tree
Hide file tree
Showing 25 changed files with 628 additions and 43 deletions.
2 changes: 1 addition & 1 deletion apis/dscinitialization/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

49 changes: 49 additions & 0 deletions components/kserve/kserve.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ package kserve
import (
"context"
"fmt"
"path"
"path/filepath"
"strings"

Expand All @@ -19,6 +20,7 @@ import (
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/cluster"
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/deploy"
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature"
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh"
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/monitoring"
)

Expand Down Expand Up @@ -163,6 +165,12 @@ func (k *Kserve) ReconcileComponent(ctx context.Context, cli client.Client, resC
return err
}
}

if enabled {
if err := k.configureServiceMesh(cli, dscispec); err != nil {
return err
}
}
return nil
}

Expand Down Expand Up @@ -229,3 +237,44 @@ func checkDepedentOps(cli client.Client) *multierror.Error {
}
return multiErr
}

func (k *Kserve) configureServiceMesh(cli client.Client, dscispec *dsciv1.DSCInitializationSpec) error {
shouldConfigureServiceMesh, err := deploy.ShouldConfigureServiceMesh(cli, dscispec)
if err != nil {
return err
}

if shouldConfigureServiceMesh {
serviceMeshInitializer := feature.NewFeaturesInitializer(dscispec, k.defineServiceMeshFeatures(dscispec))

if err := serviceMeshInitializer.Prepare(); err != nil {
return err
}

if err := serviceMeshInitializer.Apply(); err != nil {
return err
}
}

return nil
}

func (k *Kserve) defineServiceMeshFeatures(dscispec *dsciv1.DSCInitializationSpec) feature.DefinedFeatures {
return func(s *feature.FeaturesInitializer) error {
kserve, err := feature.CreateFeature("configure-kserve-for-external-authz").
For(dscispec).
Manifests(
path.Join(feature.KServeDir),
).
WithData(servicemesh.ClusterDetails).
Load()

if err != nil {
return err
}

s.Features = append(s.Features, kserve)

return nil
}
}
5 changes: 2 additions & 3 deletions components/kserve/serverless_setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,14 +11,13 @@ import (

const (
knativeServingNamespace = "knative-serving"
templatesDir = "templates/serverless"
)

func (k *Kserve) configureServerlessFeatures(s *feature.FeaturesInitializer) error {
servingDeployment, err := feature.CreateFeature("serverless-serving-deployment").
For(s.DSCInitializationSpec).
Manifests(
path.Join(templatesDir, "serving-install"),
path.Join(feature.ServerlessDir, "serving-install"),
).
WithData(PopulateComponentSettings(k)).
PreConditions(
Expand Down Expand Up @@ -49,7 +48,7 @@ func (k *Kserve) configureServerlessFeatures(s *feature.FeaturesInitializer) err
).
WithResources(serverless.ServingCertificateResource).
Manifests(
path.Join(templatesDir, "serving-istio-gateways"),
path.Join(feature.ServerlessDir, "serving-istio-gateways"),
).
Load()
if err != nil {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,48 @@ spec:
user experience; e.g. it provides unified authentication giving
a Single Sign On experience.
properties:
auth:
description: Auth holds configuration of authentication and authorization
services used by Service Mesh in Opendatahub.
properties:
authorino:
description: Authorino holds configuration of Authorino service
used as external authorization provider.
properties:
audiences:
default:
- https://kubernetes.default.svc
description: Audiences is a list of the identifiers that
the resource server presented with the token identifies
as. Audience-aware token authenticators will verify
that the token was intended for at least one of the
audiences in this list. If no audiences are provided,
the audience will default to the audience of the Kubernetes
apiserver (kubernetes.default.svc).
items:
type: string
type: array
image:
default: quay.io/kuadrant/authorino:v0.16.0
description: Image allows to define a custom container
image to be used when deploying Authorino's instance.
type: string
label:
default: authorino/topic=odh
description: Label narrows amount of AuthConfigs to process
by Authorino service.
type: string
name:
default: authorino-mesh-authz-provider
description: Name specifies how external authorization
provider should be called.
type: string
type: object
namespace:
default: auth-provider
description: Namespace where it is deployed.
type: string
type: object
controlPlane:
description: ControlPlane holds configuration of Service Mesh
used by Opendatahub.
Expand Down
48 changes: 48 additions & 0 deletions config/rbac/role.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,30 @@ rules:
- statefulsets
verbs:
- '*'
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs/instantiate
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
Expand All @@ -128,6 +152,12 @@ rules:
- tokenreviews
verbs:
- create
- apiGroups:
- authorino.kuadrant.io
resources:
- authconfigs
verbs:
- '*'
- apiGroups:
- authorization.k8s.io
resources:
Expand Down Expand Up @@ -945,6 +975,12 @@ rules:
- deletecollection
- get
- patch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
verbs:
- '*'
- apiGroups:
- networking.istio.io
resources:
Expand Down Expand Up @@ -1025,6 +1061,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- operator.authorino.kuadrant.io
resources:
- authorinos
verbs:
- '*'
- apiGroups:
- operator.knative.dev
resources:
Expand Down Expand Up @@ -1165,6 +1207,12 @@ rules:
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- authorizationpolicies
verbs:
- '*'
- apiGroups:
- security.openshift.io
resources:
Expand Down
30 changes: 17 additions & 13 deletions controllers/datasciencecluster/kubebuilder_rbac.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,25 @@ package datasciencecluster
//+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters/finalizers,verbs=update;patch
//+kubebuilder:rbac:groups="datasciencecluster.opendatahub.io",resources=datascienceclusters,verbs=get;list;watch;create;update;patch;delete

/* Service Mesh prerequisite */
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch

/* Serverless prerequisite */
// +kubebuilder:rbac:groups="networking.istio.io",resources=gateways,verbs=*
// +kubebuilder:rbac:groups="operator.knative.dev",resources=knativeservings,verbs=*
// +kubebuilder:rbac:groups="config.openshift.io",resources=ingresses,verbs=get

/* Service Mesh Integration */
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmemberrolls,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers/finalizers,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch;delete
// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/finalizers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=*
// +kubebuilder:rbac:groups="networking.istio.io",resources=gateways,verbs=*
// +kubebuilder:rbac:groups="networking.istio.io",resources=envoyfilters,verbs=*
// +kubebuilder:rbac:groups="security.istio.io",resources=authorizationpolicies,verbs=*
// +kubebuilder:rbac:groups="authorino.kuadrant.io",resources=authconfigs,verbs=*
// +kubebuilder:rbac:groups="operator.authorino.kuadrant.io",resources=authorinos,verbs=*

/* This is for DSP */
//+kubebuilder:rbac:groups="datasciencepipelinesapplications.opendatahub.io",resources=datasciencepipelinesapplications/status,verbs=update;patch;get
//+kubebuilder:rbac:groups="datasciencepipelinesapplications.opendatahub.io",resources=datasciencepipelinesapplications/finalizers,verbs=update;patch
Expand Down Expand Up @@ -93,10 +104,6 @@ package datasciencecluster
// +kubebuilder:rbac:groups="networking.k8s.io",resources=networkpolicies,verbs=get;create;list;watch;delete;update;patch
// +kubebuilder:rbac:groups="networking.k8s.io",resources=ingresses,verbs=create;delete;list;update;watch;patch;get

// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/status,verbs=update;patch;delete
// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices/finalizers,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="networking.istio.io",resources=virtualservices,verbs=*

// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=servicemonitors,verbs=get;create;delete;update;watch;list;patch;deletecollection
// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=podmonitors,verbs=get;create;delete;update;watch;list;patch
// +kubebuilder:rbac:groups="monitoring.coreos.com",resources=prometheusrules,verbs=get;create;patch;delete;deletecollection
Expand Down Expand Up @@ -199,7 +206,6 @@ package datasciencecluster

// +kubebuilder:rbac:groups="cert-manager.io",resources=certificates;issuers,verbs=create;patch

// OpenVino still need buildconfig
// +kubebuilder:rbac:groups="build.openshift.io",resources=builds,verbs=create;patch;delete;list;watch
// +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs/instantiate,verbs=create;patch;delete;get;list;watch
// +kubebuilder:rbac:groups="build.openshift.io",resources=buildconfigs,verbs=list;watch;create;patch;delete
Expand Down Expand Up @@ -230,6 +236,9 @@ package datasciencecluster
// +kubebuilder:rbac:groups="*",resources=deployments,verbs=*
// +kubebuilder:rbac:groups="extensions",resources=deployments,verbs=*

// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="apps.openshift.io",resources=deploymentconfigs/instantiate,verbs=get;list;watch;create;update;patch;delete

// +kubebuilder:rbac:groups="apiextensions.k8s.io",resources=customresourcedefinitions,verbs=get;list;watch;create;patch;delete

// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;create;update;delete;patch
Expand All @@ -244,11 +253,6 @@ package datasciencecluster

// +kubebuilder:rbac:groups="*",resources=customresourcedefinitions,verbs=get;list;watch

// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshcontrolplanes,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmemberrolls,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers,verbs=create;get;list;patch;update;use;watch
// +kubebuilder:rbac:groups="maistra.io",resources=servicemeshmembers/finalizers,verbs=create;get;list;patch;update;use;watch

/* Only for RHODS */
// +kubebuilder:rbac:groups="user.openshift.io",resources=groups,verbs=get;create;list;watch;patch;delete
// +kubebuilder:rbac:groups="console.openshift.io",resources=consolelinks,verbs=create;get;patch;delete
47 changes: 43 additions & 4 deletions controllers/dscinitialization/servicemesh_setup.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@ import (
"github.com/opendatahub-io/opendatahub-operator/v2/pkg/feature/servicemesh"
)

const templatesDir = "templates/servicemesh"

func (r *DSCInitializationReconciler) configureServiceMesh(instance *dsciv1.DSCInitialization) error {
switch instance.Spec.ServiceMesh.ManagementState {
case operatorv1.Managed:
Expand Down Expand Up @@ -69,7 +67,7 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error {
smcpCreation, errSmcp := feature.CreateFeature("mesh-control-plane-creation").
For(s.DSCInitializationSpec).
Manifests(
path.Join(templatesDir, "base", "create-smcp.tmpl"),
path.Join(feature.ServiceMeshDir, "base", "create-smcp.tmpl"),
).
PreConditions(
servicemesh.EnsureServiceMeshOperatorInstalled,
Expand All @@ -91,7 +89,7 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error {
servicemesh.EnsureServiceMeshInstalled,
).
Manifests(
path.Join(templatesDir, "metrics-collection"),
path.Join(feature.ServiceMeshDir, "metrics-collection"),
).
Load()
if errMetrics != nil {
Expand All @@ -100,5 +98,46 @@ func configureServiceMeshFeatures(s *feature.FeaturesInitializer) error {
s.Features = append(s.Features, metricsCollection)
}

cfMaps, cfgMapErr := feature.CreateFeature("shared-config-maps").
For(s.DSCInitializationSpec).
WithResources(servicemesh.ConfigMaps).
Load()
if cfgMapErr != nil {
return cfgMapErr
}
s.Features = append(s.Features, cfMaps)

extAuthz, extAuthzErr := feature.CreateFeature("service-mesh-control-plane-setup-external-authorization").
For(s.DSCInitializationSpec).
Manifests(
path.Join(feature.AuthDir, "auth-smm.tmpl"),
path.Join(feature.AuthDir, "base"),
path.Join(feature.AuthDir, "mesh-authz-ext-provider.patch.tmpl"),
).
WithData(servicemesh.ClusterDetails).
PreConditions(
feature.EnsureCRDIsInstalled("authconfigs.authorino.kuadrant.io"),
servicemesh.EnsureServiceMeshInstalled,
feature.CreateNamespaceIfNotExists(serviceMeshSpec.Auth.Namespace),
).
PostConditions(
feature.WaitForPodsToBeReady(serviceMeshSpec.ControlPlane.Namespace),
feature.WaitForPodsToBeReady(serviceMeshSpec.Auth.Namespace),
func(f *feature.Feature) error {
// We do not have the control over deployment resource creation.
// It is created by Authorino operator using Authorino CR
//
// To make it part of Service Mesh we have to patch it with injection
// enabled instead, otherwise it will not have proxy pod injected.
return f.ApplyManifest(path.Join(feature.AuthDir, "deployment.injection.patch.tmpl"))
},
).
OnDelete(servicemesh.RemoveExtensionProvider).
Load()
if extAuthzErr != nil {
return extAuthzErr
}
s.Features = append(s.Features, extAuthz)

return nil
}
Loading

0 comments on commit b0754ae

Please sign in to comment.