diff --git a/pkg/core/resources/apis/donothingresource/api/v1alpha1/zz_generated.resource.go b/pkg/core/resources/apis/donothingresource/api/v1alpha1/zz_generated.resource.go
index 188603c4e79a..212ab5fd5128 100644
--- a/pkg/core/resources/apis/donothingresource/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/core/resources/apis/donothingresource/api/v1alpha1/zz_generated.resource.go
@@ -153,4 +153,5 @@ var DoNothingResourceResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "dnr",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/core/resources/apis/hostnamegenerator/api/v1alpha1/zz_generated.resource.go b/pkg/core/resources/apis/hostnamegenerator/api/v1alpha1/zz_generated.resource.go
index 047c6e32e06a..408802fbe73d 100644
--- a/pkg/core/resources/apis/hostnamegenerator/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/core/resources/apis/hostnamegenerator/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var HostnameGeneratorResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: true,
 IsReferenceableInTo: false,
 ShortName: "hg",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/core/resources/apis/meshexternalservice/api/v1alpha1/zz_generated.resource.go b/pkg/core/resources/apis/meshexternalservice/api/v1alpha1/zz_generated.resource.go
index 9a30fc24634a..709a81730645 100644
--- a/pkg/core/resources/apis/meshexternalservice/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/core/resources/apis/meshexternalservice/api/v1alpha1/zz_generated.resource.go
@@ -165,4 +165,5 @@ var MeshExternalServiceResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: true,
 IsReferenceableInTo: true,
 ShortName: "extsvc",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/core/resources/apis/meshmultizoneservice/api/v1alpha1/zz_generated.resource.go b/pkg/core/resources/apis/meshmultizoneservice/api/v1alpha1/zz_generated.resource.go
index b79eca98553b..3abf1903f938 100644
--- a/pkg/core/resources/apis/meshmultizoneservice/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/core/resources/apis/meshmultizoneservice/api/v1alpha1/zz_generated.resource.go
@@ -165,4 +165,5 @@ var MeshMultiZoneServiceResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: true,
 ShortName: "mzsvc",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/core/resources/apis/meshservice/api/v1alpha1/zz_generated.resource.go b/pkg/core/resources/apis/meshservice/api/v1alpha1/zz_generated.resource.go
index b80beca11d7c..0acc941e9872 100644
--- a/pkg/core/resources/apis/meshservice/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/core/resources/apis/meshservice/api/v1alpha1/zz_generated.resource.go
@@ -165,4 +165,5 @@ var MeshServiceResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: true,
 ShortName: "msvc",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/core/resources/model/resource.go b/pkg/core/resources/model/resource.go
index c2e152ea4dd8..cf3197d3389c 100644
--- a/pkg/core/resources/model/resource.go
+++ b/pkg/core/resources/model/resource.go
@@ -206,6 +206,9 @@ type ResourceTypeDescriptor struct {
 IsReferenceableInTo bool
 // ShortName a name that is used in kubectl or in the envoy configuration
 ShortName string
+ // InterpretFromEntriesAsRules if true, the entries in the spec.from field should be interpreted as rules.
+ // It's true for policies that allow only kind 'Mesh' in the spec.from.targetRef.
+ InterpretFromEntriesAsRules bool
 }

 func newObject(baseResource Resource) Resource {
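Review bot: The new InterpretFromEntriesAsRules doc comment says the spec.from entries "should be interpreted as rules" without saying by which component or under which condition; the inbound rules builder added in this commit consults the flag only for policies that have no spec.rules entries. Suggest `// InterpretFromEntriesAsRules, when true, lets the inbound rules builder treat spec.from entries as rules for policies that have no spec.rules.` as the first line, keeping the existing sentence about kind 'Mesh' as the second. Every generated descriptor in this diff sets the field to false explicitly, so it appears the generator template was updated as well, but that template is not part of the visible diff.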
@@ -732,10 +735,6 @@ type PolicyItem interface {
 GetDefault() interface{}
 }

-type RuleItem interface {
- GetDefault() interface{}
- }
-
 type TransformDefaultAfterMerge interface {
 Transform()
 }
diff --git a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromrules/01.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromrules/01.golden.yaml
index 7aadea1e0794..01b15addc187 100644
--- a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromrules/01.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromrules/01.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ :0: []
 Rules:
 :0:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromtorules/01.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromtorules/01.golden.yaml
index 1539a537bcda..c0d648757abf 100644
--- a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromtorules/01.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/fromtorules/01.golden.yaml
@@ -1,3 +1,24 @@
+InboundRules:
+ :0:
+ - conf:
+ - connectionTimeout: 33s
+ http:
+ requestTimeout: 33s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: mt-2
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: mt-1
+ type: MeshTimeout
+ RuleIndex: 0
 Rules:
 :0:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/01.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/01.golden.yaml
index 4768bd3f2eb3..e4f92efd97fb 100644
--- a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/01.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/01.golden.yaml
@@ -1,3 +1,4 @@
+InboundRules: null
 Rules:
 :0:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/02.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/02.golden.yaml
index d2939a02dccd..b7272599eebd 100644
--- a/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/02.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/egressmatchedpolicies/torules/02.golden.yaml
@@ -1,3 +1,4 @@
+InboundRules: null
 Rules:
 :0:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/01.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/01.golden.yaml
index 0e7ed8ccac34..3783c38d70b7 100644
--- a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/01.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/01.golden.yaml
@@ -1,3 +1,6 @@
+InboundRules:
+ 1.1.1.1:8080: []
+ 1.1.1.1:8081: []
 Rules:
 1.1.1.1:8080:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/02.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/02.golden.yaml
index 917ac3372809..203c0a52ed25 100644
--- a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/02.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/02.golden.yaml
@@ -1,3 +1,6 @@
+InboundRules:
+ 1.1.1.1:8080: []
+ 1.1.1.1:8081: []
 Rules:
 1.1.1.1:8080:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/multiple-policies-lexicog-order.golden.yaml b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/multiple-policies-lexicog-order.golden.yaml
index 611a1825fd84..b9ee18e9e732 100644
--- a/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/multiple-policies-lexicog-order.golden.yaml
+++ b/pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/multiple-policies-lexicog-order.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 1.1.1.1:8080: []
 Rules:
 1.1.1.1:8080:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/inbound/inboundrules.go b/pkg/plugins/policies/core/rules/inbound/inboundrules.go
new file mode 100644
index 000000000000..4b66b81b7895
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/inboundrules.go
@@ -0,0 +1,110 @@
+package inbound
+
+import (
+ core_model "github.com/kumahq/kuma/pkg/core/resources/model"
+ "github.com/kumahq/kuma/pkg/core/resources/registry"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/common"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/merge"
+)
+
+type Rule struct {
+ Conf interface{} `json:"conf"`
+ Origin []common.Origin `json:"origin"`
+}
+
+type RuleEntry interface {
+ common.BaseEntry
+}
+
+// ruleEntryAdapter is a helper struct that allows using any BaseEntry as RuleEntry. For example, this is needed to
+// provide backward compatibility for legacy FromEntries and use them as RuleEntries. Currently, RuleEntry and BaseEntry
+// are the same, so this adapter is not needed, but in the future RuleEntry is expected to have additional methods
+// like GetMatches() and GetTargetRef() that are not present in BaseEntry.
+type ruleEntryAdapter[T common.BaseEntry] struct {
+ BaseEntry T
+}
+
+func newRuleEntryAdapter[T common.BaseEntry](base T) *ruleEntryAdapter[T] {
+ return &ruleEntryAdapter[T]{BaseEntry: base}
+}
+
+func (r *ruleEntryAdapter[T]) GetDefault() interface{} {
+ return r.BaseEntry.GetDefault()
+}
+
+type PolicyWithRules interface {
+ core_model.Policy
+ GetRules() []RuleEntry
+}
+
+func BuildRules(policies core_model.ResourceList) ([]*Rule, error) {
+ entries, err := getEntries(policies)
+ if err != nil {
+ return []*Rule{}, err
+ }
+ return buildRules(entries)
+}
+
+func getEntries(resources core_model.ResourceList) ([]common.WithPolicyAttributes[RuleEntry], error) {
+ desc, err := registry.Global().DescriptorFor(resources.GetItemType())
+ if err != nil {
+ return nil, err
+ }
+
+ policies, ok := common.Cast[interface {
+ PolicyWithRules
+ core_model.PolicyWithFromList
+ }](resources.GetItems())
+ if !ok {
+ return nil, nil
+ }
+
+ entries := []common.WithPolicyAttributes[RuleEntry]{}
+
+ for i, policy := range policies {
+ switch {
+ case len(policy.GetRules()) > 0:
+ for j, rule := range policy.GetRules() {
+ entries = append(entries, common.WithPolicyAttributes[RuleEntry]{
+ Entry: rule,
+ Meta: resources.GetItems()[i].GetMeta(),
+ TopLevel: policy.GetTargetRef(),
+ RuleIndex: j,
+ })
+ }
+ case desc.InterpretFromEntriesAsRules && len(policy.GetFromList()) > 0:
+ for j, fromEntry := range policy.GetFromList() {
+ entries = append(entries, common.WithPolicyAttributes[RuleEntry]{
+ Entry: newRuleEntryAdapter(fromEntry),
+ Meta: resources.GetItems()[i].GetMeta(),
+ TopLevel: policy.GetTargetRef(),
+ RuleIndex: j,
+ })
+ }
+ }
+ }
+
+ return entries, nil
+}
+
+func buildRules[T interface {
+ common.PolicyAttributes
+ common.Entry[RuleEntry]
+}](list []T) ([]*Rule, error) {
+ if len(list) == 0 {
+ return []*Rule{}, nil
+ }
+
+ Sort(list)
+
+ merged, err := merge.Entries(list)
+ if err != nil {
+ return nil, err
+ }
+
+ ruleOrigin, _ := common.Origins(list, true)
+ return []*Rule{{
+ Conf: merged,
+ Origin: ruleOrigin,
+ }}, nil
+}
diff --git a/pkg/plugins/policies/core/rules/inbound/inboundrules_test.go b/pkg/plugins/policies/core/rules/inbound/inboundrules_test.go
new file mode 100644
index 000000000000..73b26052200c
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/inboundrules_test.go
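Review bot: getEntries casts every item to an anonymous interface that embeds both PolicyWithRules and core_model.PolicyWithFromList, so a policy type that implements GetRules but has no GetFromList would — assuming common.Cast requires the whole interface — fail the cast and silently produce no inbound rules through the `return nil, nil` branch. Consider casting to PolicyWithRules only and asserting the from-list interface per policy before the switch, `withFrom, hasFrom := policy.(core_model.PolicyWithFromList)`, with the second case becoming `case desc.InterpretFromEntriesAsRules && hasFrom && len(withFrom.GetFromList()) > 0:`. The silent nil result on a failed cast also deserves a comment saying that a list of policies without rules support intentionally yields no inbound rules. Two smaller points: BuildRules returns `[]*Rule{}, err` on a getEntries error while buildRules returns `nil, err` on a merge error, and the non-nil-error result should be nil in both places; and `ruleOrigin, _ := common.Origins(list, true)` discards a result without saying why, so a short comment such as `// only the origin list is needed for the single merged rule` would help.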
@@ -0,0 +1,48 @@
+package inbound_test
+
+import (
+ "strings"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+ "sigs.k8s.io/yaml"
+
+ core_model "github.com/kumahq/kuma/pkg/core/resources/model"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/inbound"
+ "github.com/kumahq/kuma/pkg/test"
+ "github.com/kumahq/kuma/pkg/test/matchers"
+ "github.com/kumahq/kuma/pkg/test/resources/file"
+)
+
+var _ = Describe("BuildInboundRules", func() {
+ buildResourceList := func(rs []core_model.Resource) core_model.ResourceList {
+ Expect(rs).ToNot(BeEmpty())
+ rl := rs[0].Descriptor().NewList()
+ for _, p := range rs {
+ if strings.HasPrefix(p.GetMeta().GetName(), "matched-for-rules-") {
+ _ = rl.AddItem(p)
+ }
+ }
+ return rl
+ }
+
+ DescribeTable("should build a rule-based view for policies",
+ func(inputFile string) {
+ // given
+ resources := file.ReadInputFile(inputFile)
+ resourceList := buildResourceList(resources)
+
+ // when
+ rules, err := inbound.BuildRules(resourceList)
+ Expect(err).ToNot(HaveOccurred())
+
+ // then
+ bytes, err := yaml.Marshal(struct {
+ Rules []*inbound.Rule `json:"rules"`
+ }{Rules: rules})
+ Expect(err).ToNot(HaveOccurred())
+ Expect(bytes).To(matchers.MatchGoldenYAML(strings.Replace(inputFile, ".input.", ".golden.", 1)))
+ },
+ test.EntriesForFolder("inboundrules"),
+ )
+})
diff --git a/pkg/plugins/policies/core/rules/inbound/sort.go b/pkg/plugins/policies/core/rules/inbound/sort.go
new file mode 100644
index 000000000000..c8f508ceea0f
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/sort.go
@@ -0,0 +1,15 @@
+package inbound
+
+import (
+ "slices"
+
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/common"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/sort"
+)
+
+func Sort[T common.PolicyAttributes](list []T) {
+ slices.SortStableFunc(list, sort.Compose(
+ sort.CompareByPolicyAttributes[T],
+ sort.CompareByDisplayName[T],
+ ))
+}
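Review bot: `_ = rl.AddItem(p)` in buildResourceList discards the error, so a fixture that cannot be added to the list is silently dropped and the golden comparison then runs against an incomplete input. Since the helper already uses Gomega, `Expect(rl.AddItem(p)).To(Succeed())` keeps the failure visible. The `matched-for-rules-` name filter is also undocumented; a one-line comment above the loop, `// only resources whose name starts with "matched-for-rules-" are fed to BuildRules`, tells a reader of the testdata why other resources in an input file are ignored.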
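Review bot: Sort in sort.go is exported but has no doc comment; add `// Sort orders list in place, stably, by policy attributes and then by display name.` above the declaration. The project package imported as `sort` shares its name with the standard library's sort; this file imports only `slices` from the standard library so nothing clashes, but an alias in the style the repository already uses (for example `core_model`) would make it obvious that `sort.Compose` is not a stdlib call.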
diff --git a/pkg/plugins/policies/core/rules/inbound/suite_test.go b/pkg/plugins/policies/core/rules/inbound/suite_test.go
new file mode 100644
index 000000000000..6722faddcfa9
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/suite_test.go
@@ -0,0 +1,11 @@
+package inbound_test
+
+import (
+ "testing"
+
+ "github.com/kumahq/kuma/pkg/test"
+)
+
+func TestRules(t *testing.T) {
+ test.RunSpecs(t, "Inbound Rules Suite")
+}
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.golden.yaml
new file mode 100644
index 000000000000..5eaf04189d62
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.golden.yaml
@@ -0,0 +1,21 @@
+rules:
+- conf:
+ - connectionTimeout: 1m41s
+ http:
+ requestTimeout: 12s
+ idleTimeout: 10s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-bbbbbb
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-aaaaaa
+ type: MeshTimeout
+ RuleIndex: 0
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.input.yaml
new file mode 100644
index 000000000000..f8262ad5d73b
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-from.input.yaml
@@ -0,0 +1,25 @@
+# it should handle policies with 'from' when InterpretFromEntriesAsRules is set to true
+type: MeshTimeout
+name: matched-for-rules-mt-aaaaaa
+mesh: mesh-1
+spec:
+ from:
+ - targetRef:
+ kind: Mesh
+ default:
+ idleTimeout: 10s
+ http:
+ requestTimeout: 12s
+---
+type: MeshTimeout
+name: matched-for-rules-mt-bbbbbb
+mesh: mesh-1
+spec:
+ from:
+ - targetRef:
+ kind: Mesh
+ default:
+ idleTimeout: 100s
+ connectionTimeout: 101s
+ http:
+ requestTimeout: 102s
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.golden.yaml
new file mode 100644
index 000000000000..60ffc763c7c8
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.golden.yaml
@@ -0,0 +1,28 @@
+rules:
+- conf:
+ - connectionTimeout: 1m41s
+ http:
+ requestTimeout: 3m22s
+ idleTimeout: 10s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-cccccc
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-bbbbbb
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-aaaaaa
+ type: MeshTimeout
+ RuleIndex: 0
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.input.yaml
new file mode 100644
index 000000000000..fc1496ce13a9
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-mixed.input.yaml
@@ -0,0 +1,29 @@
+# it should handle policies when some of them have 'rules', some have 'from' and InterpretFromEntriesAsRules is set to true
+type: MeshTimeout
+name: matched-for-rules-mt-aaaaaa
+mesh: mesh-1
+spec:
+ rules:
+ - default:
+ idleTimeout: 10s
+---
+type: MeshTimeout
+name: matched-for-rules-mt-bbbbbb
+mesh: mesh-1
+spec:
+ from:
+ - targetRef:
+ kind: Mesh
+ default:
+ idleTimeout: 100s
+ connectionTimeout: 101s
+---
+type: MeshTimeout
+name: matched-for-rules-mt-cccccc
+mesh: mesh-1
+spec:
+ rules:
+ - default:
+ idleTimeout: 200s
+ http:
+ requestTimeout: 202s
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.golden.yaml
new file mode 100644
index 000000000000..aa9bb4c2e6ea
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.golden.yaml
@@ -0,0 +1,32 @@
+rules:
+- conf:
+ - connectionTimeout: 1m51s
+ http:
+ requestTimeout: 3m29s
+ idleTimeout: 1m49s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ labels:
+ kuma.io/origin: global
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-aaa
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-bbb
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ labels:
+ kuma.io/origin: zone
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-ccc
+ type: MeshTimeout
+ RuleIndex: 0
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.input.yaml
new file mode 100644
index 000000000000..355e77275328
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-origin.input.yaml
@@ -0,0 +1,33 @@
+# should sort policies by origin
+type: MeshTimeout
+name: matched-for-rules-ccc
+mesh: mesh-1
+labels:
+ kuma.io/origin: zone
+spec:
+ rules:
+ - default:
+ connectionTimeout: 111s
+ idleTimeout: 109s
+---
+type: MeshTimeout
+name: matched-for-rules-bbb
+mesh: mesh-1
+spec:
+ rules:
+ - default:
+ connectionTimeout: 211s
+ http:
+ requestTimeout: 209s
+---
+type: MeshTimeout
+name: matched-for-rules-aaa
+mesh: mesh-1
+labels:
+ kuma.io/origin: global
+spec:
+ rules:
+ - default:
+ connectionTimeout: 11s
+ http:
+ requestTimeout: 12s
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.golden.yaml
new file mode 100644
index 000000000000..27df27ee2b5f
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.golden.yaml
@@ -0,0 +1,34 @@
+rules:
+- conf:
+ - connectionTimeout: 1m51s
+ http:
+ requestTimeout: 3m29s
+ idleTimeout: 1m49s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ labels:
+ kuma.io/policy-role: system
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-aaa
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ labels:
+ kuma.io/policy-role: producer
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-bbb
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ labels:
+ kuma.io/policy-role: consumer
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-ccc
+ type: MeshTimeout
+ RuleIndex: 0
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.input.yaml
new file mode 100644
index 000000000000..8524b98b3daa
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-order-by-role.input.yaml
@@ -0,0 +1,35 @@
+# should sort policies by role
+type: MeshTimeout
+name: matched-for-rules-ccc
+mesh: mesh-1
+labels:
+ kuma.io/policy-role: consumer
+spec:
+ rules:
+ - default:
+ connectionTimeout: 111s
+ idleTimeout: 109s
+---
+type: MeshTimeout
+name: matched-for-rules-bbb
+mesh: mesh-1
+labels:
+ kuma.io/policy-role: producer
+spec:
+ rules:
+ - default:
+ connectionTimeout: 211s
+ http:
+ requestTimeout: 209s
+---
+type: MeshTimeout
+name: matched-for-rules-aaa
+mesh: mesh-1
+labels:
+ kuma.io/policy-role: system
+spec:
+ rules:
+ - default:
+ connectionTimeout: 11s
+ http:
+ requestTimeout: 12s
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.golden.yaml
new file mode 100644
index 000000000000..5eaf04189d62
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.golden.yaml
@@ -0,0 +1,21 @@
+rules:
+- conf:
+ - connectionTimeout: 1m41s
+ http:
+ requestTimeout: 12s
+ idleTimeout: 10s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-bbbbbb
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: mesh-1
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: matched-for-rules-mt-aaaaaa
+ type: MeshTimeout
+ RuleIndex: 0
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.input.yaml
new file mode 100644
index 000000000000..a5ff2cba4da0
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-rules.input.yaml
@@ -0,0 +1,21 @@
+# it should build rules correctly when the resource list contains policies with rules
+type: MeshTimeout
+name: matched-for-rules-mt-aaaaaa
+mesh: mesh-1
+spec:
+ rules:
+ - default:
+ idleTimeout: 10s
+ http:
+ requestTimeout: 12s
+---
+type: MeshTimeout
+name: matched-for-rules-mt-bbbbbb
+mesh: mesh-1
+spec:
+ rules:
+ - default:
+ idleTimeout: 100s
+ connectionTimeout: 101s
+ http:
+ requestTimeout: 102s
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.golden.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.golden.yaml
new file mode 100644
index 000000000000..14ba58ba3154
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.golden.yaml
@@ -0,0 +1 @@
+rules: []
diff --git a/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.input.yaml b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.input.yaml
new file mode 100644
index 000000000000..6284ce40f372
--- /dev/null
+++ b/pkg/plugins/policies/core/rules/inbound/testdata/inboundrules/mt-to.input.yaml
@@ -0,0 +1,12 @@
+# it should return empty list when policies don't have neither 'rules' nor 'from'
+type: MeshTimeout
+name: matched-for-rules-mt-aaaaaa
+mesh: mesh-1
+spec:
+ to:
+ - targetRef:
+ kind: Mesh
+ default:
+ idleTimeout: 10s
+ http:
+ requestTimeout: 12s
diff --git a/pkg/plugins/policies/core/rules/rules.go b/pkg/plugins/policies/core/rules/rules.go
index 38cdca4ed699..252863c2dacb 100644
--- a/pkg/plugins/policies/core/rules/rules.go
+++ b/pkg/plugins/policies/core/rules/rules.go
@@ -16,6 +16,7 @@ import (
 mesh_proto "github.com/kumahq/kuma/api/mesh/v1alpha1"
 core_model "github.com/kumahq/kuma/pkg/core/resources/model"
 "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/common"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/inbound"
 "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/merge"
 "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/outbound"
 "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/subsetutils"
@@ -44,7 +45,11 @@ func (i InboundListener) String() string {
 }

 type FromRules struct {
+ // Rules is a map of InboundListener to a list of rules built by using 'spec.from' field.
+ // Deprecated: use InboundRules instead
 Rules map[InboundListener]Rules
+ // InboundRules is a map of InboundListener to a list of inbound rules built by using 'spec.rules' field.
+ InboundRules map[InboundListener][]*inbound.Rule
 }

 type ToRules struct {
@@ -182,7 +187,9 @@ func BuildFromRules(
 matchedPoliciesByInbound map[InboundListener]core_model.ResourceList,
 ) (FromRules, error) {
 rulesByInbound := map[InboundListener]Rules{}
- for inbound, policies := range matchedPoliciesByInbound {
+ rulesByInboundNew := map[InboundListener][]*inbound.Rule{}
+
+ for inb, policies := range matchedPoliciesByInbound {
 fromList := []PolicyItemWithMeta{}
 for _, p := range policies.GetItems() {
 policyWithFrom, ok := p.GetSpec().(core_model.PolicyWithFromList)
@@ -195,10 +202,17 @@ func BuildFromRules(
 if err != nil {
 return FromRules{}, err
 }
- rulesByInbound[inbound] = rules
+ rulesByInbound[inb] = rules
+
+ rulesNew, err := inbound.BuildRules(policies)
+ if err != nil {
+ return FromRules{}, err
+ }
+ rulesByInboundNew[inb] = rulesNew
 }
 return FromRules{
- Rules: rulesByInbound,
+ Rules: rulesByInbound,
+ InboundRules: rulesByInboundNew,
 }, nil
 }

diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/01.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/01.golden.yaml
index 532fc1d33731..2aa050349ed8 100644
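Review bot: The `// Deprecated: use InboundRules instead` line on FromRules.Rules sits in the same comment paragraph as the description, so go doc and staticcheck will not treat it as a deprecation marker; separate it with an empty comment line, `// Rules is a map of InboundListener to a list of rules built by using 'spec.from' field.`, `//`, `// Deprecated: use InboundRules instead.`. The InboundRules comment says the rules are built from 'spec.rules', but inbound.BuildRules in this commit also derives them from 'spec.from' when the descriptor's InterpretFromEntriesAsRules is set, so the comment should mention that second source to avoid misleading readers of the deprecated field.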
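Review bot: In the BuildFromRules hunks the names `rulesByInboundNew` and `rulesNew` describe the variables relative to the legacy map rather than by what they hold, which will read oddly once the deprecated Rules field is removed; `inboundRulesByListener := map[InboundListener][]*inbound.Rule{}` and `inboundRules, err := inbound.BuildRules(policies)` stay meaningful after that cleanup. The error from inbound.BuildRules is returned without the listener it failed for; the legacy path right above does the same, so if wrapping is added it should be done for both in one change to keep the function consistent. BuildFromRules starts before the first of these two hunks and its loop body is split across them.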
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/01.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/01.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/02.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/02.golden.yaml
index d73018d9f2a3..62f160579f38 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/02.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/02.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/03.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/03.golden.yaml
index 928f1b8540f4..4e35b12898eb 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/03.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/03.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/04.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/04.golden.yaml
index bc68f895ad65..0fae39d6b715 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/04.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/04.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/05.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/05.golden.yaml
index 7239dbd2397d..da38d5f18726 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/05.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/05.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/06.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/06.golden.yaml
index c4ed7762b3ae..4fa545867952 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/06.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/06.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/07.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/07.golden.yaml
index c30508d5c735..c3fc7e7b639e 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/07.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/07.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/meshtimeout.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/meshtimeout.golden.yaml
index 93bc983e243d..60fab1adb8d2 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/meshtimeout.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/meshtimeout.golden.yaml
@@ -1,3 +1,25 @@
+InboundRules:
+ 127.0.0.1:80:
+ - conf:
+ - connectionTimeout: 20s
+ http:
+ requestTimeout: 5s
+ idleTimeout: 20s
+ origin:
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: default
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: default
+ type: MeshTimeout
+ RuleIndex: 0
+ - Resource:
+ creationTime: "0001-01-01T00:00:00Z"
+ mesh: default
+ modificationTime: "0001-01-01T00:00:00Z"
+ name: override
+ type: MeshTimeout
+ RuleIndex: 0
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-mix-ms-and-mss.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-mix-ms-and-mss.golden.yaml
index 4aafbf8ec26a..6f8259a0ae1b 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-mix-ms-and-mss.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-mix-ms-and-mss.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides-faulty.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides-faulty.golden.yaml
index 6c4030220524..de018d887433 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides-faulty.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides-faulty.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides.golden.yaml
index ee29e2740d68..1fe2fcc268f6 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-overrides.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-single-shadow-deny.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-single-shadow-deny.golden.yaml
index 4f2b9a629cb7..13d8aa7e4f65 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-single-shadow-deny.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/mtp-single-shadow-deny.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/multiple-mtp.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/multiple-mtp.golden.yaml
index c81c8efc3685..829e508e1652 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/multiple-mtp.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/multiple-mtp.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/core/rules/testdata/rules/from/single-mtp-from-overiding-one-another.golden.yaml b/pkg/plugins/policies/core/rules/testdata/rules/from/single-mtp-from-overiding-one-another.golden.yaml
index 9e35f93d4b54..b742fbaede09 100644
--- a/pkg/plugins/policies/core/rules/testdata/rules/from/single-mtp-from-overiding-one-another.golden.yaml
+++ b/pkg/plugins/policies/core/rules/testdata/rules/from/single-mtp-from-overiding-one-another.golden.yaml
@@ -1,3 +1,5 @@
+InboundRules:
+ 127.0.0.1:80: []
 Rules:
 127.0.0.1:80:
 - BackendRefOriginIndex: {}
diff --git a/pkg/plugins/policies/donothingpolicy/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/donothingpolicy/api/v1alpha1/zz_generated.resource.go
index 3465bcbbe71a..b5ee5b92decb 100644
--- a/pkg/plugins/policies/donothingpolicy/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/donothingpolicy/api/v1alpha1/zz_generated.resource.go
@@ -153,4 +153,5 @@ var DoNothingPolicyResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "dnp",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshaccesslog/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshaccesslog/api/v1alpha1/zz_generated.resource.go
index ed662f39cac1..5c0187dea472 100644
--- a/pkg/plugins/policies/meshaccesslog/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshaccesslog/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshAccessLogResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mal",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshcircuitbreaker/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshcircuitbreaker/api/v1alpha1/zz_generated.resource.go
index 8f3da055ab0a..9ba0ff9e5ac4 100644
--- a/pkg/plugins/policies/meshcircuitbreaker/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshcircuitbreaker/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshCircuitBreakerResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mcb",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshfaultinjection/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshfaultinjection/api/v1alpha1/zz_generated.resource.go
index d8c144f8b8ba..14b40bfa3ec6 100644
--- a/pkg/plugins/policies/meshfaultinjection/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshfaultinjection/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshFaultInjectionResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mfi",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshhealthcheck/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshhealthcheck/api/v1alpha1/zz_generated.resource.go
index ae0e34751e2d..b806de95a1c0 100644
--- a/pkg/plugins/policies/meshhealthcheck/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshhealthcheck/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshHealthCheckResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mhc",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshhttproute/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshhttproute/api/v1alpha1/zz_generated.resource.go
index 97c559452562..8f227048d37d 100644
--- a/pkg/plugins/policies/meshhttproute/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshhttproute/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshHTTPRouteResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mhttpr",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/zz_generated.resource.go
index 5c69431e7692..fde97fc07996 100644
--- a/pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshloadbalancingstrategy/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshLoadBalancingStrategyResourceTypeDescriptor = model.ResourceTypeDescript
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mlbs",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshmetric/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshmetric/api/v1alpha1/zz_generated.resource.go
index 04b861b3b8ab..5cf54320cacf 100644
--- a/pkg/plugins/policies/meshmetric/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshmetric/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshMetricResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mm",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshpassthrough/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshpassthrough/api/v1alpha1/zz_generated.resource.go
index e0d23dd69827..45a03b7682aa 100644
--- a/pkg/plugins/policies/meshpassthrough/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshpassthrough/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshPassthroughResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mp",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshproxypatch/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshproxypatch/api/v1alpha1/zz_generated.resource.go
index c172a86c845e..4e173de6d013 100644
--- a/pkg/plugins/policies/meshproxypatch/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshproxypatch/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshProxyPatchResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mpp",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshratelimit/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshratelimit/api/v1alpha1/zz_generated.resource.go
index 9397c5cf7aad..c4703f4b11e9 100644
--- a/pkg/plugins/policies/meshratelimit/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshratelimit/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshRateLimitResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mrl",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshretry/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshretry/api/v1alpha1/zz_generated.resource.go
index 127e53dbc13f..fc0fecc30793 100644
--- a/pkg/plugins/policies/meshretry/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshretry/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshRetryResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mr",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshtcproute/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshtcproute/api/v1alpha1/zz_generated.resource.go
index 388a38979d23..2d05b35795d7 100644
--- a/pkg/plugins/policies/meshtcproute/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshtcproute/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshTCPRouteResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mtcpr",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshtimeout/api/v1alpha1/meshtimeout.go b/pkg/plugins/policies/meshtimeout/api/v1alpha1/meshtimeout.go
index 5c016878df00..fa60a50dbbd2 100644
--- a/pkg/plugins/policies/meshtimeout/api/v1alpha1/meshtimeout.go
+++ b/pkg/plugins/policies/meshtimeout/api/v1alpha1/meshtimeout.go
@@ -8,6 +8,7 @@ import (
 )
 // MeshTimeout allows users to configure timeouts for communication between services in mesh
+// +kuma:policy:interpret_from_entries_as_rules=true
 type MeshTimeout struct {
 // TargetRef is a reference to the resource the policy takes an effect on.
 // The resource could be either a real store object or virtual resource
diff --git a/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.helpers.go b/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.helpers.go
index 7a4a1a100218..dd3598bbfef6 100644
--- a/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.helpers.go
+++ b/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.helpers.go
@@ -7,6 +7,7 @@ package v1alpha1
 import (
 common_api "github.com/kumahq/kuma/api/common/v1alpha1"
 core_model "github.com/kumahq/kuma/pkg/core/resources/model"
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/inbound"
 "github.com/kumahq/kuma/pkg/util/pointer"
 )
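Review bot: The new marker on MeshTimeout relies on a precondition that is stated nowhere near it: interpreting spec.from entries as rules is presumably only sound because MeshTimeout's from.targetRef accepts kind Mesh alone, and that constraint lives in the policy's validator rather than next to this line. One sentence in the doc comment would tie the two together so the next person editing the allowed kinds sees the coupling, e.g. `// Entries in spec.from are interpreted as rules because from.targetRef accepts only kind Mesh; keep this marker in sync with the validator.`. The MeshTimeout struct continues outside the hunk.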
@@ -52,8 +53,8 @@ func (x *Rule) GetDefault() interface{} {
 return x.Default
 }
-func (x *MeshTimeout) GetRules() []core_model.RuleItem {
- var result []core_model.RuleItem
+func (x *MeshTimeout) GetRules() []inbound.RuleEntry {
+ var result []inbound.RuleEntry
 for i := range x.Rules {
 item := x.Rules[i]
 result = append(result, &item)
diff --git a/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.resource.go
index b943968d95be..629788a40d3d 100644
--- a/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshtimeout/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshTimeoutResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mt",
+ InterpretFromEntriesAsRules: true,
 }
diff --git a/pkg/plugins/policies/meshtls/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshtls/api/v1alpha1/zz_generated.resource.go
index bcc13890c886..efa9811b3859 100644
--- a/pkg/plugins/policies/meshtls/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshtls/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshTLSResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mtls",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshtrace/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshtrace/api/v1alpha1/zz_generated.resource.go
index d976c58d49a1..9deecc0acffe 100644
--- a/pkg/plugins/policies/meshtrace/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshtrace/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshTraceResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mtr",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/pkg/plugins/policies/meshtrafficpermission/api/v1alpha1/zz_generated.resource.go b/pkg/plugins/policies/meshtrafficpermission/api/v1alpha1/zz_generated.resource.go
index 371c317ee483..4611ca355fea 100644
--- a/pkg/plugins/policies/meshtrafficpermission/api/v1alpha1/zz_generated.resource.go
+++ b/pkg/plugins/policies/meshtrafficpermission/api/v1alpha1/zz_generated.resource.go
@@ -154,4 +154,5 @@ var MeshTrafficPermissionResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: false,
 IsReferenceableInTo: false,
 ShortName: "mtp",
+ InterpretFromEntriesAsRules: false,
 }
diff --git a/tools/policy-gen/generator/cmd/core_resource.go b/tools/policy-gen/generator/cmd/core_resource.go
index f4d20531dcb6..14a9dc075e34 100644
--- a/tools/policy-gen/generator/cmd/core_resource.go
+++ b/tools/policy-gen/generator/cmd/core_resource.go
@@ -224,5 +224,6 @@ var {{.Name}}ResourceTypeDescriptor = model.ResourceTypeDescriptor{
 AllowedOnSystemNamespaceOnly: {{.AllowedOnSystemNamespaceOnly}},
 IsReferenceableInTo: {{.IsReferenceableInTo}},
 ShortName: "{{.ShortName}}",
+ InterpretFromEntriesAsRules: {{.InterpretFromEntriesAsRules}},
 }
 `))
diff --git a/tools/policy-gen/generator/cmd/helpers.go b/tools/policy-gen/generator/cmd/helpers.go
index a86871ed85eb..6d2f92989d45 100644
--- a/tools/policy-gen/generator/cmd/helpers.go
+++ b/tools/policy-gen/generator/cmd/helpers.go
@@ -58,7 +58,8 @@ package {{.version}}
 import (
 common_api "github.com/kumahq/kuma/api/common/v1alpha1"
- core_model "github.com/kumahq/kuma/pkg/core/resources/model"
+ core_model "github.com/kumahq/kuma/pkg/core/resources/model"{{ if .generateRules }}
+ "github.com/kumahq/kuma/pkg/plugins/policies/core/rules/inbound"{{ end }}
 "github.com/kumahq/kuma/pkg/util/pointer"
 )
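Review bot: The `inbound` import in the helpers template is emitted only under `{{ if .generateRules }}`, while the `GetRules` template later in the same file (the `@@ -114` hunk on the next line) now references `inbound.RuleEntry`; the generated file compiles only if that function is wrapped in the same condition, and neither hunk shows that guard. A comment on the import line would make the coupling visible to whoever edits the template next, e.g. `"github.com/kumahq/kuma/pkg/plugins/policies/core/rules/inbound" // used only by GetRules, emitted under the same generateRules guard{{ end }}`, and a generator test that renders a policy with `generateRules` false would catch a mismatch. If some outputs referenced `core_model` only from `GetRules`, the still-unconditional `core_model` import would now produce an unused-import error; that cannot be determined from the hunk.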
@@ -114,8 +115,8 @@ func (x *Rule) GetDefault() interface{} {
 return x.Default
 }
-func (x *{{.name}}) GetRules() []core_model.RuleItem {
- var result []core_model.RuleItem
+func (x *{{.name}}) GetRules() []inbound.RuleEntry {
+ var result []inbound.RuleEntry
 for i := range x.Rules {
 item := x.Rules[i]
 result = append(result, &item)
diff --git a/tools/policy-gen/generator/pkg/parse/policyconfig.go b/tools/policy-gen/generator/pkg/parse/policyconfig.go
index a09f04a64191..6ff48b58e093 100644
--- a/tools/policy-gen/generator/pkg/parse/policyconfig.go
+++ b/tools/policy-gen/generator/pkg/parse/policyconfig.go
@@ -45,6 +45,7 @@ type PolicyConfig struct {
 AllowedOnSystemNamespaceOnly bool
 IsReferenceableInTo bool
 KubebuilderMarkers []string
+ InterpretFromEntriesAsRules bool
 }
 func Policy(path string) (PolicyConfig, error) {
@@ -166,6 +167,9 @@ func newPolicyConfig(pkg, name string, markers map[string]string, fields map[str
 if v, ok := parseBool(markers, "kuma:policy:is_referenceable_in_to"); ok {
 res.IsReferenceableInTo = v
 }
+ if v, ok := parseBool(markers, "kuma:policy:interpret_from_entries_as_rules"); ok {
+ res.InterpretFromEntriesAsRules = v
+ }
 if v, ok := markers["kuma:policy:kds_flags"]; ok {
 res.KDSFlags = v
 } else if res.HasTo {
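Review bot: `newPolicyConfig` copies the `kuma:policy:interpret_from_entries_as_rules` marker straight into `InterpretFromEntriesAsRules` without checking the precondition the flag depends on, namely that the policy's from.targetRef admits only kind Mesh; a policy that sets the marker while accepting narrower kinds would have its from-entries treated as rules with no error from the generator. `fields` is in scope here, so if the allowed targetRef kinds can be derived from it, returning an error on the mismatch would be the stronger fix; at minimum the contract should be written on the new field in the `PolicyConfig` hunk above, `// InterpretFromEntriesAsRules mirrors the interpret_from_entries_as_rules marker; only valid when from.targetRef accepts kind Mesh exclusively, which the generator does not verify.`. The `newPolicyConfig` body begins and ends outside the hunk.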