Gate

cmd/guard-service/auth.go

@@ -18,3 +18,4 @@ package main
 
 // Uncomment when running in a development environment out side of the cluster
 // import _ "k8s.io/client-go/plugin/pkg/client/auth"
+// import _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"

cmd/guard-service/main.go

@@ -40,7 +40,6 @@ const (
 
 type config struct {
 	GuardServiceLogLevel string `split_words:"true" required:"false"`
-	GuardServicePort     string `split_words:"true" required:"false"`
 	GuardServiceInterval string `split_words:"true" required:"false"`
 }
 
@@ -65,19 +64,29 @@ func (l *learner) baseHandler(query url.Values) (record *serviceRecord, err erro
 	ns := utils.Sanitize(nsSlice[0])
 
 	if strings.HasPrefix(sid, "ns-") {
-		log.Infof("baseHandler illegal sid")
 		sid = ""
 		err = fmt.Errorf("illegal sid %s", sid)
 		return
 	}
 
+	if len(sid) < 1 {
+		err = fmt.Errorf("wrong sid %s", sidSlice[0])
+		return
+	}
+
+	if len(ns) < 1 {
+		err = fmt.Errorf("wrong ns %s", nsSlice[0])
+		return
+	}
+
 	// extract and sanitize cmFlag
 	var cmFlag bool
 	if len(cmFlagSlice) > 0 {
 		cmFlag = (cmFlagSlice[0] == "true")
 	}
 
 	// get session record, create one if does not exist
+	log.Debugf("** baseHandler ** ns %s, sid %s, cmFlag %t", ns, sid, cmFlag)
 	record = l.services.get(ns, sid, cmFlag)
 	if record == nil {
 		// should never happen
@@ -132,8 +141,6 @@ func (l *learner) processPile(w http.ResponseWriter, req *http.Request) {
 }
 
 func (l *learner) mainEventLoop(quit chan string) {
-	log.Infof("l.pileLearnTicker %v", l.pileLearnTicker)
-
 	for {
 		select {
 		case <-l.pileLearnTicker.Ch():
@@ -166,13 +173,10 @@ func preMain(minimumInterval time.Duration) (*learner, *http.ServeMux, string, c
 	mux.HandleFunc("/pile", l.processPile)
 
 	target := ":8888"
-	if env.GuardServicePort != "" {
-		target = fmt.Sprintf(":%s", env.GuardServicePort)
-	}
 
 	quit := make(chan string)
 
-	log.Infof("Starting guard-learner on %s", target)
+	log.Infof("Starting guard-service on %s", target)
 	return l, mux, target, quit
 }
 
@@ -185,6 +189,6 @@ func main() {
 	go l.mainEventLoop(quit)
 
 	err := http.ListenAndServe(target, mux)
-	log.Infof("Failed to start %v", err)
+	log.Infof("Using target: %s - Failed to start %v", target, err)
 	quit <- "ListenAndServe failed"
 }

cmd/guard-service/main_test.go

@@ -233,15 +233,6 @@ func TestFetchConfigHandler_main(t *testing.T) {
 	if target != ":8888" {
 		t.Errorf("handler returned wrong default target code: got %s want %s", target, ":8888")
 	}
-
-	os.Setenv("GUARD_SERVICE_PORT", "9999")
-	_, _, target, _ = preMain(utils.MinimumInterval)
-
-	if target != ":9999" {
-		t.Errorf("handler returned wrong default target code: got %s want %s", target, ":9999")
-	}
-
-	os.Unsetenv("GUARD_SERVICE_PORT")
 }
 
 func TestFetchConfigHandler_POST(t *testing.T) {

cmd/queue/main.go

@@ -0,0 +1,35 @@
+/*
+Copyright 2018 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"os"
+
+	_ "knative.dev/security-guard/pkg/guard-gate"
+	"knative.dev/security-guard/pkg/qpoption"
+	"knative.dev/serving/pkg/queue/sharedmain"
+)
+
+func main() {
+	qOpt := qpoption.NewGateQPOption()
+	defer qOpt.Shutdown()
+
+	if sharedmain.Main(qOpt.Setup) != nil {
+		qOpt.Shutdown()
+		os.Exit(1)
+	}
+}

config/deploy-guard-service.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guard-service
+  labels:
+    app: guard-service
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: guard-service
+  template:
+    metadata:
+      labels:
+        app: guard-service
+    spec:
+      serviceAccountName: guard-service-account
+      imagePullSecrets:
+      - name: all-icr-io
+      containers:
+      - name: guard-service
+        image: ko://knative.dev/security-guard/cmd/guard-service
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8888
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: guard-service
+spec:
+  selector:
+    app: guard-service
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8888

config/deploy-queue-proxy.yaml

@@ -0,0 +1,27 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: config-deployment
+  namespace: knative-serving
+  labels:
+    app.kubernetes.io/name: knative-serving
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/version: devel
+data:
+  # This overrides the configmap produced by knative serving
+  # It is useful for demonstration purposes or when using an unchanged configmap
+  queue-sidecar-image: ko://knative.dev/security-guard/cmd/queue

deploy/serviceAccount.yaml → config/serviceAccount.yaml

@@ -1,7 +1,7 @@
-kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
 metadata:
-  name: guardian-cluster-role
+  name: guardian-service
   labels:
     rbac.authorization.k8s.io/guardian: 'true'
 rules:
@@ -22,17 +22,15 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: guard-service-account
-  namespace: knative-guard
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: guardian-admin
 subjects:
   - kind: ServiceAccount
     name: guard-service-account
-    namespace: knative-guard
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: guardian-cluster-role
+  name: guardian-service

hack/setup-guard-service.sh

@@ -0,0 +1,6 @@
+kubectl apply -f config/gateAccount.yaml
+kubectl apply -f config/serviceAccount.yaml
+kubectl apply -f config/guardiansCrd.yaml
+
+./hack/update-guard-service.sh
+

hack/update-guard-service.sh

@@ -0,0 +1,2 @@
+export KO_DOCKER_REPO=us.icr.io/knat
+ko apply -Rf ./config/deploy-guard-service.yaml

pkg/guard-gate/client.go

@@ -32,7 +32,7 @@ type httpClientInterface interface {
 }
 
 type httpClient struct {
-	client *http.Client
+	client http.Client
 }
 
 func (hc *httpClient) Do(req *http.Request) (*http.Response, error) {
@@ -73,19 +73,17 @@ func (srv *gateClient) reportPile() {
 	}
 	defer srv.clearPile()
 
-	pi.Log.Infof("Reporting a pile with pileCount %d records to guard-service", srv.pile.Count)
-
 	postBody, marshalErr := json.Marshal(srv.pile)
 
 	if marshalErr != nil {
 		// should never happen
-		pi.Log.Warnf("Error during marshal: %v", marshalErr)
+		pi.Log.Infof("Error during marshal: %v", marshalErr)
 		return
 	}
 	reqBody := bytes.NewBuffer(postBody)
 	req, err := http.NewRequest(http.MethodPost, srv.guardServiceUrl+"/pile", reqBody)
 	if err != nil {
-		pi.Log.Warnf("Http.NewRequest error %v", err)
+		pi.Log.Infof("Http.NewRequest error %v", err)
 		return
 	}
 	query := req.URL.Query()
@@ -95,10 +93,11 @@ func (srv *gateClient) reportPile() {
 		query.Add("cm", "true")
 	}
 	req.URL.RawQuery = query.Encode()
+	pi.Log.Infof("Reporting a pile with pileCount %d records to guard-service", srv.pile.Count)
 
 	res, postErr := srv.httpClient.Do(req)
 	if postErr != nil {
-		pi.Log.Warnf("httpClient.Do error %v", postErr)
+		pi.Log.Infof("httpClient.Do error %v", postErr)
 		return
 	}
 	if res.Body != nil {
@@ -135,7 +134,7 @@ func (srv *gateClient) loadGuardian() *spec.GuardianSpec {
 func (srv *gateClient) loadGuardianFromService() *spec.GuardianSpec {
 	req, err := http.NewRequest(http.MethodGet, srv.guardServiceUrl+"/config", nil)
 	if err != nil {
-		pi.Log.Warnf("loadGuardianFromService Http.NewRequest error %v", err)
+		pi.Log.Infof("loadGuardianFromService Http.NewRequest error %v", err)
 		return nil
 	}
 	query := req.URL.Query()
@@ -148,7 +147,7 @@ func (srv *gateClient) loadGuardianFromService() *spec.GuardianSpec {
 
 	res, err := srv.httpClient.Do(req)
 	if err != nil {
-		pi.Log.Warnf("loadGuardianFromService httpClient.Do error %v", err)
+		pi.Log.Infof("loadGuardianFromService httpClient.Do error %v", err)
 		return nil
 	}