8000 Support policies in VS routes and VSR subroutes · nginx/kubernetes-ingress@ffbc0d7 · GitHub

Commit ffbc0d7

committed
Support policies in VS routes and VSR subroutes
1 parent d5174ab commit ffbc0d7

19 files changed

+614
-94
lines changed

deployments/common/vs-definition.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -398,6 +398,17 @@ spec:
398398
type: integer
399399
path:
400400
type: string
401+
policies:
402+
type: array
403+
items:
404+
description: PolicyReference references a policy by name and
405+
an optional namespace.
406+
type: object
407+
properties:
408+
name:
409+
type: string
410+
namespace:
411+
type: string
401412
route:
402413 type: string
403414
splits:
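Review bot: the new `items` schema under `policies` declares `name` and `namespace` but carries no `required` list, so a reference such as `- namespace: foo` with no `name` passes CRD validation and can only be rejected later by the controller. Adding `required: [name]` alongside `properties` (and `minLength: 1` on `name` for the empty-string case) lets the API server refuse it at admission, which is where a dangling policy reference on an access-control path should fail.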

deployments/common/vsr-definition.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -383,6 +383,17 @@ spec:
383383
type: integer
384384
path:
385385
type: string
386+
policies:
387+
type: array
388+
items:
389+
description: PolicyReference references a policy by name and
390+
an optional namespace.
391+
type: object
392+
properties:
393+
name:
394+
type: string
395+
namespace:
396+
type: string
386397
route:
387398
type: string
388399
splits:
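Review bot: this block is identical to the one added to `deployments/common/vs-definition.yaml`, and both are repeated under `deployments/helm-chart/crds/`, so four copies now have to move together; if the Helm CRDs are regenerated from the common definitions by a script, say so in the commit message, otherwise a sync check would avoid the schemas drifting apart. The `required: [name]` remark on the VirtualServer schema applies here as well.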

deployments/helm-chart/crds/virtualserver.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -398,6 +398,17 @@ spec:
398398
type: integer
399399
path:
400400
type: string
401+
policies:
402+
type: array
403+
items:
404+
description: PolicyReference references a policy by name and
405+
an optional namespace.
406+
type: object
407+
properties:
408+
name:
409+
type: string
410+
namespace:
411+
type: string
401412
route:
402413
type: string
403414
splits:

deployments/helm-chart/crds/virtualserverroute.yaml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -385,6 +385,17 @@ spec:
385385
type: integer
386386
path:
387387
type: string
388+
policies:
389+
type: array
390+
items:
391+
description: PolicyReference references a policy by name and
392+
an optional namespace.
393+
type: object
394+
properties:
395+
name:
396+
type: string
397+
namespace:
398+
type: string
388399
route:
389400
type: string
390401
splits:

docs-web/configuration/policy-resource.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Policy Resource
22

3-
The Policy resource allows you to configure features like authentication, rate-limiting, and WAF, which you can add to your [VirtualServer resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/). In the initial release, we are introducing support for access control based on the client IP address.
3+
The Policy resource allows you to configure features like authentication, rate-limiting, and WAF, which you can add to your [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/). In the initial release, we are introducing support for access control based on the client IP address.
44

55
The resource is implemented as a [Custom Resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/).
66

2323

2424
## Prerequisites
2525

26-
Policies work together with [VirtualServer resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/), which you need to create separately.
26+
Policies work together with [VirtualServer and VirtualServerRoute resources](/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/), which you need to create separately.
2727

2828
## Policy Specification
2929

@@ -94,7 +94,7 @@ accessControl:
9494

9595
#### AccessControl Merging Behavior
9696

97-
A VirtualServer can reference multiple access control policies. For example, here we reference two policies, each with configured allow lists:
97+
A VirtualServer/VirtualServerRoute can reference multiple access control policies. For example, here we reference two policies, each with configured allow lists:
9898
```yaml
9999
policies:
100100
- name: allow-policy-one
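Review bot: the sentence now says a VirtualServerRoute can reference policies, but this merging section still only describes several policies referenced at the same level; it should also state how a policy referenced in `spec` combines with one referenced in a route or subroute, because in that case the route-level list replaces the spec-level list of the same type instead of merging with it (the override semantics this commit documents in `virtualserver-and-virtualserverroute-resources.md`). A reader who puts a deny list in `spec` and an allow list on a route will otherwise expect both to apply.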

docs-web/configuration/virtualserver-and-virtualserverroute-resources.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -217,6 +217,10 @@ The route defines rules for matching client requests to actions like passing a r
217217
- The path of the route. NGINX will match it against the URI of a request. Possible values are: a prefix (\ ``/``\ , ``/path``\ ), an exact match (\ ``=/exact/match``\ ), a case insensitive regular expression (\ ``~*^/Bar.*\\.jpg``\ ) or a case sensitive regular expression (\ ``~^/foo.*\\.jpg``\ ). In the case of a prefix (must start with ``/``\ ) or an exact match (must start with ``=``\ ), the path must not include any whitespace characters, ``{``\ , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all routes of the VirtualServer. Check the `location <https://nginx.org/en/docs/http/ngx_http_core_module.html#location>`_ directive for more information.
218218
- ``string``
219219
- Yes
220+
* - ``policies``
221+
- A list of policies. The policies override the policies of the same type defined in the ``spec`` of the VirtualServer. The overriding is done by NGINX: the route policies are configured in the ``location`` context, which overrides the spec policies of the same type defined in the ``server`` context.
222+
- `[]policy <#virtualserver-policy>`_
223+
- No
220224
* - ``action``
221225
- The default action to perform for a request.
222226
- `action <#action>`_
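Review bot: "override" should spell out what happens to the overridden lists: a route that references any access control policy gets its own `allow`/`deny` directives in the `location` block and none of the spec-level ones, so the spec-level allow/deny lists are not combined with the route's but dropped for that path. Also please confirm the `#virtualserver-policy` anchor exists in this document; the neighbouring cells link to short anchors such as `#action`.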
@@ -346,6 +350,10 @@ action:
346350
- The path of the subroute. NGINX will match it against the URI of a request. Possible values are: a prefix (\ ``/``\ , ``/path``\ ), an exact match (\ ``=/exact/match``\ ), a case insensitive regular expression (\ ``~*^/Bar.*\\.jpg``\ ) or a case sensitive regular expression (\ ``~^/foo.*\\.jpg``\ ). In the case of a prefix, the path must start with the same path as the path of the route of the VirtualServer that references this resource. In the case of an exact or regex match, the path must be the same as the path of the route of the VirtualServer that references this resource. In the case of a prefix or an exact match, the path must not include any whitespace characters, ``{``\ , ``}`` or ``;``. In the case of the regex matches, all double quotes ``"`` must be escaped and the match can't end in an unescaped backslash ``\``. The path must be unique among the paths of all subroutes of the VirtualServerRoute.
347351
- ``string``
348352
- Yes
353+
* - ``policies``
354+
- A list of policies. The policies override *all* policies defined in the route of the VirtualServer that references this resource. This is done by the Ingress Controller: the route policies of the VirtualServer will not be present in the generated configuration. The policies also override the policies of the same type defined in the ``spec`` of the VirtualServer. This overriding is done by NGINX: the subroute policies are configured in the ``location`` context, which overrides the spec policies of the same type defined in the ``server`` context.
355+
- `[]policy <#virtualserver-policy>`_
356+
- No
349357
* - ``action``
350358
- The default action to perform for a request.
351359
- `action <#action>`_
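Review bot: the security consequence deserves its own sentence. Since subroute policies override all route policies of the referencing VirtualServer and also the spec policies of the same type, there is no level at which the VirtualServer owner can set an access control policy that a VirtualServerRoute cannot replace. Where the VirtualServerRoute is maintained by a different team than the VirtualServer, that is a trust decision the doc should state plainly, e.g. "access control on a subroute fully replaces the VirtualServer's access control for that path; do not rely on VirtualServer policies to restrict delegated subroutes."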

docs-web/troubleshooting.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -108,7 +108,7 @@ Events:
108108
```
109109
Note that in the events section, we have a `Normal` event with the `AddedOrUpdated` reason, which informs us that the policy was successfully accepted.
110110

111-
However, the fact that a policy was accepted doesn't guarantee that the NGINX configuration was successfully applied. To confirm that, check the events of the VirtualServer resources that reference that policy.
111+
However, the fact that a policy was accepted doesn't guarantee that the NGINX configuration was successfully applied. To confirm that, check the events of the VirtualServer and VirtualServerRoute resources that reference that policy.
112112

113113
### Checking the Events of the ConfigMap Resource
114114

internal/configs/version2/http.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,9 @@ type Location struct {
9393
ErrorPages []ErrorPage
9494
ProxySSLName string
9595
InternalProxyPass string
96+
Allow []string
97+
Deny []string
98+
PoliciesErrorReturn *Return
9699
}
97100

98101
// ReturnLocation defines a location for returning a fixed response.
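Review bot: the three new `Location` fields are undocumented, and `PoliciesErrorReturn` in particular needs a comment stating when the controller sets it and that the resulting `return` short-circuits the location, since a reader cannot tell from the struct whether an unresolvable policy reference fails open or closed. `Allow` and `Deny` are plain string slices rendered straight into `allow`/`deny` directives, so the comment should also say where the values are validated as IP/CIDR literals before reaching the template.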

internal/configs/version2/nginx-plus.virtualserver.tmpl

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -164,6 +164,24 @@ server {
164164
{{ $snippet }}
165165
{{ end }}
166166

167+
{{ with $l.PoliciesErrorReturn }}
168+
return {{ .Code }};
169+
{{ end }}
170+
171+
{{ range $allow := $l.Allow }}
172+
allow {{ $allow }};
173+
{{ end }}
174+
{{ if gt (len $l.Allow) 0 }}
175+
deny all;
176+
{{ end }}
177+
178+
{{ range $deny := $l.Deny }}
179+
deny {{ $deny }};
180+
{{ end }}
181+
{{ if gt (len $l.Deny) 0 }}
182+
allow all;
183+
{{ end }}
184+
167185
{{ range $e := $l.ErrorPages }}
168186
error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}";
169187
{{ end }}
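Review bot: two points on the access block. First, if both `$l.Allow` and `$l.Deny` are ever non-empty, the rendered sequence is `allow a; deny all; deny d; allow all;`, and because NGINX's access module applies the first matching rule, everything after `deny all;` is unreachable and the deny list silently has no effect; if the controller guarantees that at most one of the two is populated, a template comment stating that invariant would save the next reader from checking. Second, when `PoliciesErrorReturn` is set the `allow`/`deny` lines are still emitted after the `return`; that is harmless because `return` runs in the rewrite phase before the access phase, but putting the access block in an `{{ else }}` branch of the `with` would make the intent explicit.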

internal/configs/version2/nginx.virtualserver.tmpl

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,6 +133,24 @@ server {
133133
{{ $snippet }}
134134
{{ end }}
135135

136+
{{ with $l.PoliciesErrorReturn }}
137+
return {{ .Code }};
138+
{{ end }}
139+
140+
{{ range $allow := $l.Allow }}
141+
allow {{ $allow }};
142+
{{ end }}
143+
{{ if gt (len $l.Allow) 0 }}
144+
deny all;
145+
{{ end }}
146+
147+
{{ range $deny := $l.Deny }}
148+
deny {{ $deny }};
149+
{{ end }}
150+
{{ if gt (len $l.Deny) 0 }}
151+
allow all;
152+
{{ end }}
153+
136154
{{ range $e := $l.ErrorPages }}
137155
error_page {{ $e.Codes }} {{ if ne 0 $e.ResponseCode }}={{ $e.ResponseCode }}{{ end }} "{{ $e.Name }}";
138156
{{ end }}
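Review bot: this is the same 18-line block as in `nginx-plus.virtualserver.tmpl`, which is consistent with how the two templates already mirror each other, but the remarks on that copy apply here too: both must change together, and the unreachable-directive case when `Allow` and `Deny` are both set exists in this template as well.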
