
Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance module | Traffic governance: zero-trust module implementation #3182

Merged: 4 commits merged on Aug 16, 2023

Conversation

@xinlunanxinlunan commented Jul 21, 2023

Describe what this PR does / why we need it

With the development of cloud-native technologies, network boundaries are gradually disappearing, and the concept of zero trust therefore prevails. The most important functions of zero trust are certificate management and request authentication. As a generic, cloud-native traffic governance component, Sentinel 2.0 will support zero-trust capabilities for certificate management and request authentication:

  • Obtain the certificate from the external data source and use it to configure HTTPS when the web service is enabled.

  • Obtain authentication rules from the external data source and permit or block each request based on those rules.

Does this pull request fix one issue?

Resolves #3166

Describe how you did it

  1. Add a sentinel-security-core module for:
    • Certificate and authentication rule management
    • Authentication rules include ALLOW rules, DENY rules, and JWT rules, which are the same as those in Istio
    • The authenticator will be placed in the core and used to determine whether the request should be allowed or blocked.

The specific rules are:

  • (1) If a JWT rule matches the request, the request is checked against it; if the result is a rejection, the request is rejected.
  • (2) If any DENY policy matches the request, the request is denied.
  • (3) If the workload has no ALLOW policy, the request is allowed.
  • (4) If any ALLOW policy matches the request, the request is allowed.

Istio authentication rules: https://istio.io/latest/docs/reference/config/security/authorization-policy/

  2. Extension module: we will temporarily use Istio as the external data source:
    • Send a CSR with a k8s token to Istio to get a certificate.
    • Authentication rules can be obtained by subscribing to Istio's xDS in batches.
  3. Adapter module: add Sentinel certificates and authentication rules to the existing application framework adaptation modules, and support microservice zero trust.

Describe how to verify it

  1. Modify the corresponding namespace and podName in file sentinel-extension/sentinel-datasource-xds/src/test/java/com/alibaba/csp/sentinel/datasource/xds/util/TestUtil.java.

  2. Change the token in file sentinel-extension/sentinel-datasource-xds/src/test/resources/token; the token path in istio-proxy is:

     cat /var/run/secrets/tokens/istio-token

  3. Change the root-cert.pem in file sentinel-extension/sentinel-datasource-xds/src/test/resources/root-cert.pem; the root-cert.pem path in istio-proxy is:

     cat /var/run/secrets/istio/root-cert.pem

  4. Modify istiod.istio-system.svc in local /etc/hosts.

  5. Go test.

Special notes for reviews
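The evaluation order in the description above, as an added worked example in runnable Python (this is not code from the PR, from Sentinel, or from Istio). It applies the four steps listed there and also carries the final step the linked Istio reference specifies after them: deny the request when no ALLOW policy matched. The Request dicts, the Policy and JwtRule dataclasses, the HS256 shared-key JWT check (Istio validates tokens against the issuer's JWKS instead) and all sample data are assumptions of this example, not part of the PR.

```python
# Added example: Istio-style ordered authorization (JWT rule, DENY, "no ALLOW
# policies", ALLOW, final deny). Types, HS256 shared-key check and sample data
# are constructed for this example; they are not Sentinel's or Istio's code.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class JwtRule:
    issuer: str   # tokens whose "iss" equals this must verify under key
    key: bytes    # HS256 shared secret (assumption for the example)


@dataclass
class Policy:
    action: str                                        # "ALLOW" or "DENY"
    paths: Set[str] = field(default_factory=set)       # empty = any path
    methods: Set[str] = field(default_factory=set)     # empty = any method
    principals: Set[str] = field(default_factory=set)  # JWT "sub"; empty = any

    def matches(self, req: Dict[str, str], principal: Optional[str]) -> bool:
        return ((not self.paths or req["path"] in self.paths)
                and (not self.methods or req["method"] in self.methods)
                and (not self.principals or principal in self.principals))


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_jwt(token: str, rules: List[JwtRule]) -> Optional[dict]:
    """Return the claims if the token is HS256 from a configured issuer with a
    valid MAC; malformed tokens, other algorithms, unknown issuers and bad
    MACs all return None."""
    try:
        h, p, sig = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig_bytes = _b64url_decode(sig)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # refuse "none" and anything unconfigured
        return None
    for rule in rules:
        if rule.issuer == claims.get("iss"):
            mac = hmac.new(rule.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
            return claims if hmac.compare_digest(mac, sig_bytes) else None
    return None  # issuer not covered by any JWT rule


def make_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT for the constructed sample data."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(mac)}"


def authorize(req: Dict[str, str], jwt_rules: List[JwtRule],
              policies: List[Policy]) -> Tuple[bool, str]:
    """Ordered evaluation; the second element says which step decided."""
    principal = None
    if req.get("token") and jwt_rules:           # (1) a presented token must validate
        claims = verify_jwt(req["token"], jwt_rules)
        if claims is None:
            return False, "jwt rejected"
        principal = claims.get("sub")
    for pol in policies:                          # (2) any matching DENY wins
        if pol.action == "DENY" and pol.matches(req, principal):
            return False, "deny policy matched"
    allows = [p for p in policies if p.action == "ALLOW"]
    if not allows:                                # (3) workload has no ALLOW policy
        return True, "no allow policies"
    for pol in allows:                            # (4) any matching ALLOW
        if pol.matches(req, principal):
            return True, "allow policy matched"
    return False, "no allow policy matched"       # (5) Istio's final default deny


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    rules = [JwtRule("https://issuer.example", key)]
    policies = [Policy("DENY", paths={"/admin"}),
                Policy("ALLOW", paths={"/api"}, principals={"alice"})]
    token = make_token({"iss": "https://issuer.example", "sub": "alice"}, key)
    for req in ({"path": "/api", "method": "GET", "token": token},
                {"path": "/admin", "method": "GET", "token": token},
                {"path": "/api", "method": "GET"}):
        print(req["path"], authorize(req, rules, policies))
```

The third sample request carries no token, so it has no principal; it reaches step (4), matches no ALLOW policy and falls through to the final deny. That is the case a practitioner should test explicitly when porting these semantics: a workload with at least one ALLOW policy is closed by default, while a workload with none is open by default.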

@CLAassistant commented Jul 21, 2023

CLA assistant check: all committers have signed the CLA.

@sczyh30 sczyh30 added to-review To review kind/feature Category issues or prs related to feature request. size/XXL Indicate a PR that changes 1000+ lines. area/traffic-governance Issues or PRs related to traffic governance labels Jul 25, 2023
@sczyh30 sczyh30 changed the title from "[RFC] Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance module | Traffic governance: zero-trust module skeleton design and implementation" to "Add fundamental building blocks for zero-trust (certificate manager, authentication) as part of traffic governance module | Traffic governance: zero-trust module implementation" Aug 16, 2023
@sczyh30 sczyh30 added this to the v2.0.0 milestone Aug 16, 2023
@sczyh30 (Member) left a review comment:

LGTM

@sczyh30 (Member) commented Aug 16, 2023

For committers: please use "create a merge commit" mode for this.

@LearningGp (Collaborator) left a review comment:

LGTM

@sczyh30 sczyh30 merged commit d00798f into alibaba:master Aug 16, 2023
4 checks passed
@sczyh30 sczyh30 removed the to-review To review label Aug 16, 2023