Istio AuthorizationPolicy with Wildcard - authorization

Does AuthorizationPolicy not support any wildcard pattern on paths?
I have the following endpoints:
/my-service/docs/active (GET)
/my-service/docs/<id>/activate/<bool> (PUT)
The first one will get all active docs, and the second will activate/deactivate the specific doc.
I've tried to set it on the AuthorizationPolicy and it seems to ignore this policy due to the wildcard.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service-private
  namespace: default
spec:
  action: DENY
  selector:
    matchLabels:
      app: my-service
  rules:
  - from:
    - source:
        notNamespaces: [ "default" ]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/my-service/docs/active"]
    - operation:
        methods: ["PUT"]
        paths: ["/my-service/docs/*/activate/*"]
Any different solution here except updating all my endpoints?
10x

As I mentioned in the comments, according to the Istio documentation:
Rule
Rule matches requests from a list of sources that perform a list of
operations subject to a list of conditions. A match occurs when at
least one source, operation and condition matches the request. An
empty rule is always matched.
Any string field in the rule supports Exact, Prefix, Suffix and
Presence match:
Exact match: “abc” will match on value “abc”.
Prefix match: “abc*” will match on value “abc” and “abcd”.
Suffix match: “*abc” will match on value “abc” and “xabc”.
Presence match: “*” will match when value is not empty.
So AuthorizationPolicy does support wildcards, but I think the issue is with the */activate/* path, because paths can use a wildcard only at the start, at the end or as the whole string; a double wildcard just doesn't work.
There are related open GitHub issues about that:
https://github.com/istio/istio/issues/16585
https://github.com/istio/istio/issues/25021
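As an added example (not part of the original answer), the following Python re-implements the four documented match modes and evaluates the asker's DENY rule against constructed sample requests; it also flags any path pattern with an interior `*`, which Istio treats as a literal character, so the rule never matches and the request is not denied.

```python
"""Istio AuthorizationPolicy string matching (added example).

Istio supports only Exact ("abc"), Prefix ("abc*"), Suffix ("*abc") and
Presence ("*"); any other "*" is a literal character, so a DENY rule whose
pattern never matches silently fails open for that path.
"""

def istio_match(pattern: str, value: str) -> bool:
    """Match one string field the way an AuthorizationPolicy does."""
    if pattern == "*":                     # presence: any non-empty value
        return value != ""
    if pattern.startswith("*"):            # suffix match on the remainder
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):              # prefix match on the remainder
        return value.startswith(pattern[:-1])
    return value == pattern                # exact match

# The asker's DENY rule: sources outside "default" hitting these operations.
DENY_RULE = {
    "notNamespaces": ["default"],
    "operations": [
        {"methods": ["GET"], "paths": ["/my-service/docs/active"]},
        {"methods": ["PUT"], "paths": ["/my-service/docs/*/activate/*"]},
    ],
}

def is_denied(source_ns: str, method: str, path: str, rule=DENY_RULE) -> bool:
    """True when the source condition and at least one operation match."""
    if source_ns in rule["notNamespaces"]:
        return False
    return any(any(istio_match(m, method) for m in op["methods"])
               and any(istio_match(p, path) for p in op["paths"])
               for op in rule["operations"])

def interior_wildcards(rule=DENY_RULE) -> list:
    """Path patterns with a '*' that Istio will treat as a literal character."""
    flagged = []
    for p in (p for op in rule["operations"] for p in op["paths"] if p != "*"):
        core = p[1:] if p.startswith("*") else p[:-1] if p.endswith("*") else p
        if "*" in core:
            flagged.append(p)
    return flagged

if __name__ == "__main__":
    for ns, m, p in [("other", "GET", "/my-service/docs/active"),
                     ("other", "PUT", "/my-service/docs/42/activate/true")]:
        print(ns, m, p, "->", "DENIED" if is_denied(ns, m, p) else "allowed")
    print("patterns with a literal '*':", interior_wildcards())
```

Running it shows the GET on /my-service/docs/active denied for a non-default namespace while the PUT on /my-service/docs/42/activate/true is allowed, because the second pattern is a prefix match on the literal string "/my-service/docs/*/activate/".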

Related

Flux2 Image Reflector Controller not able to find a match on my image tags

I'm working with Flux2. I'm new to Flux and I'm trying to set up the Image Reflector controller to find the last image tag in my image registry, but I'm getting an error on my image policy: 'unable to determine latest version from provided list'.
In my registry I have the following tags:
16
rc-9.20.7975.18473
Flux is reporting that it's connecting to my image registry and says 'successful scan, found 2 tags'. Based on my image policy below I was expecting only 1 tag to match.
Here is my Image Policy:
apiVersion: image.toolkit.fluxcd.io/v1beta1
kind: ImagePolicy
metadata:
  name: xxxxxxxx
spec:
  imageRepositoryRef:
    name: xxxxxxxx
  filterTags:
    pattern: '^rc-(?P<ts>.*)'
    extract: '$ts'
  policy:
    semver:
      range: '^9.20.x.x'
I would like it to update on new 'rc' images. Any thoughts on why the Image Reflector is saying it found 2 tags when '16' isn't a match for the filter pattern? What should I change in my Image Policy to determine the latest version? Thx!
Your range is not correct. It should be '>=9.20.0.0'. For more details check https://fluxcd.io/flux/components/image/imagepolicies/

Traefik - apply middleware to router except a specific path

I use an IP whitelist middleware to restrict access to my web application to some IPs only, and it works.
But I want to unprotect a specific path to make it public (the path is /api/transaction).
For now, I have (in my docker-compose.yml):
varnish:
  labels:
    - "traefik.http.routers.api_varnish.rule=Host(`api.local`, `api`)"
    - "traefik.http.routers.api_varnish.tls=true"
    - "traefik.http.routers.api_varnish.middlewares=https-redirect#file"
    - "traefik.http.routers.api_varnish.middlewares=https-whitelist#file"
    - "traefik.http.services.api_varnish.loadbalancer.server.port=80"
This part works, then I added:
    # Open middleware for payment IPN calls
    - "traefik.http.routers.api_varnish_transaction.rule=(Host(`api.local`, `api`) && PathPrefix(`/api/transaction`))"
    - "traefik.http.routers.api_varnish_transaction.tls=true"
    - "traefik.http.routers.api_varnish_transaction.priority=2"
    - "traefik.http.routers.api_varnish_transaction.middlewares=https-redirect#file"
I duplicated the lines, but I didn't apply the middleware https-whitelist#file to the new host.
It doesn't work, and I can't find the correct syntax or be sure whether I can do it at all; the documentation is pretty poor.
Any idea?
Have 2 routers, 1 for /api/transaction and another one for /*, and give the first router a higher priority (set a higher number), e.g.
# ...
labels:
  - traefik.http.routers.router_1.priority=2
Now requests to /api/transaction will only hit router_1.
https://doc.traefik.io/traefik/routing/routers/#priority

How to validate or filter a wildcard in path for http endpoints in Serverless and AWS API gateway before the process triggs the lambda function?

I have the following http path devices/{sn} in a Serverless-AWS API Gateway API. The wildcard sn is a 15-character [A-Z0-9] pattern.
In the API today any string that is not recognized as a valid path is redirected to this endpoint. Ex: devices/test goes to devices/{sn}, devices/bla goes to devices/{sn}, and so on. All those strings will query the database and return null because there is no such sn in the table. I could create a validation process inside the lambda to avoid the unnecessary database query, but I want to save lambda resources and I would like to validate before calling the lambda.
This is what I have today for this endpoint:
- http:
    path: devices/{sn}
    method: GET
    private: false
    cors: true
    authorizer: ${file(env.yml):${self:provider.stage}.authorizer}
    request:
      parameters:
        paths:
          sn: true
How can I set up this validation or filter in serverless.yml?
In fact it should be a very straightforward functionality of AWS/Serverless.
Let's say we have the following scenario: myPath/{id}. In this case id is an integer (a pk in a table). If I type myPath/blabla it will trigger the lambda. The system will spend resources. It should have a kind of previous validation: trigger the endpoint only if the {id} === integer.
Your issue is very similar to this issue
According to the post and from my experience, no, I don't think you can perform validation at the API Gateway level.

kubernetes operator, how to hide property value in describe

I am writing a k8s operator. In my CR file, I want to get a password and store it in a secret.
Everything works fine except this password gets printed on the screen when I describe my object with kubectl describe myKind myObject. Is there any way to hide a particular property from spec, or at least show *** instead of the actual value? Just like a secret, which shows bytes and not the actual value.
I added the line // +kubebuilder:validation:Format=password before my property. This adds format: password in the CRD file, but when I describe myObject it still prints all Spec values on the console.
Edit: So putting more light on this:
my **_types.go snippet is:
    // DB username
    DbUser string `json:"dbUser,required"`
    // DB password
    // +kubebuilder:validation:Format=password
    DbPassword string `json:"dbPassword,required"`
so I am making a k8s secret out of dbUser and dbPassword.
I have another option: to ask users to create a secret as a prerequisite, but I am not happy with that approach.
Thanks in advance.
You should NOT store passwords / tokens etc. in plain text in the CR. It will be visible to anyone with permissions to read the CR (no matter if k describe shows it or not).
I would recommend changing the CRD spec so users can reference their secret by name. Users will need to create a secret of type opaque then create a CR that looks something like this:
apiVersion: "grp/v1"
kind: "mykind"
metadata:
  name: "my-kind-cr"
  namespace: "default"
spec:
  secretName: mysecret
where the secret would look like this:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: default
type: Opaque
stringData:
  dbPassword: "my password"

Serverless Framework - S3 upload lambda trigger

I'd like to trigger different lambdas on the same bucket according to the folder where the file is uploaded. Basically, when the user uploads a file to "user/some_id/bills" I want to trigger lambda 1; when the user uploads a file to "user/some_id/docs" I want to trigger lambda 2.
I tried the configuration below but it did not work...
insertUploadBill:
  handler: resources/insertUploadBill.main
  events:
    - s3:
        bucket: ${self:custom.settings.BUCKET}
        event: s3:ObjectCreated:*
        rules:
          - prefix: user/*/bills/
insertUploadDocs:
  handler: resources/insertUploadDoc.main
  events:
    - s3:
        bucket: ${self:custom.settings.BUCKET}
        event: s3:ObjectCreated:*
        rules:
          - prefix: user/*/docs/
If you look at the docs
https://docs.aws.amazon.com/AmazonS3/latest/dev/NotificationHowTo.html#notification-how-to-filtering
wildcard characters in rules (prefix / suffix) cannot be used.
So either you can change the S3 object key to match something like this:
user/images/[user-id]
Or you can make a separate lambda to be invoked on all the s3:ObjectCreated:* events and then use this lambda to match the key and invoke your current lambdas, resources/insertUploadBill.main and resources/insertUploadDoc.main.
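The second option in the answer, as an added example that is not part of the original thread: a single Python dispatcher that receives every ObjectCreated event, URL-decodes the key (S3 encodes it in the notification payload) and matches it against anchored patterns for the asker's two folders. The route table, target names and sample event are constructed; the actual invocation of the existing functions (for example via boto3) is left out so the block runs offline.

```python
"""Key-based dispatcher for S3 ObjectCreated events (added example).

S3 notification prefix/suffix filters cannot contain wildcards, so a single
Lambda receives every s3:ObjectCreated:* event and routes on the object key.
Routes, target names and the sample event below are all constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Anchored patterns: the user-id segment is exactly one path component, and
# a key that matches no route is returned as None rather than guessed at.
ROUTES = [
    (re.compile(r"^user/[^/]+/bills/.+$"), "insertUploadBill"),
    (re.compile(r"^user/[^/]+/docs/.+$"), "insertUploadDoc"),
]

def route_key(key: str) -> Optional[str]:
    """Return the target handler name for an object key, or None."""
    for pattern, target in ROUTES:
        if pattern.match(key):
            return target
    return None

def dispatch(event: dict) -> List[Tuple[str, Optional[str]]]:
    """Map every S3 record in a Lambda event to (decoded key, target)."""
    results = []
    for record in event.get("Records", []):
        # S3 URL-encodes keys in event payloads ("+" for spaces, %xx escapes);
        # matching the raw key would silently drop files with spaces in them.
        key = unquote_plus(record["s3"]["object"]["key"])
        results.append((key, route_key(key)))
    return results

# Constructed sample event: a bill, a doc with spaces in its name, and a key
# that contains "/bills/" but sits outside the user/<id>/ scheme.
SAMPLE_EVENT = {"Records": [
    {"s3": {"object": {"key": "user/42/bills/invoice.pdf"}}},
    {"s3": {"object": {"key": "user/42/docs/tax+form+2023.pdf"}}},
    {"s3": {"object": {"key": "backup/user/42/bills/old.pdf"}}},
]}

if __name__ == "__main__":
    for key, target in dispatch(SAMPLE_EVENT):
        print(f"{key!r:40} -> {target or 'no route (ignored)'}")
```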