evankanderson · April 7, 2020 17:03
diff --git a/policy.yaml b/policy.yaml
 apiGroup: security.knative.dev/v1alpha1
 kind: Policy
 metadata:
  name: green-policy
 spec:
  cloudEvent:
    type: green
  # Or
  cloudEventExpressions:
    - {key: type, operator: In, values: [green]}
 # This is a data-only resource, so may not need spec/status
 ---
 apiGroup: security.knative.dev/v1alpha1
 kind: PolicyAssignment  # PolicyAssignment creates PolicyBindings for each matched object in the list of subjects
 metadata:
  name: green-service
 spec:
  policy: green-policy
  targets:
  - apiGroup: serving.knative.dev/v1
    kind: Service
    selector:
      matchExpressions:  # Matcrh all services except those labelled with access=exposed
      - {key: access, operator: NotIn, values: [exposed]}
  - apiGroup: eventing.knative.dev/v1beta1
    kind: Broker
    name: x-broker
diff --git a/x-created-bindings.yaml b/x-created-bindings.yaml
 apiGroup: security.knative.dev/v1alpha1
 kind:PolicyBinding
 metadata:
  name: green-service
 spec:
  policy: green-policy
  target:
  - apiGroup: serving.knative.dev/v1
    kind: Service
    name: x-svc
 ---
 apiGroup: security.knative.dev/v1alpha1
 kind: PolicyBinding
 metadata:
  name: green-broker
 spec:
  policy: green-policy
  target:
  - apiGroup: eventing.knative.dev/v1beta1
    kind: Broker
    name: x-broker
diff --git a/x-updates-to-resources.yaml b/x-updates-to-resources.yaml
 # In x-broker:
 apiGroup: eventing.knative.dev/v1beta1
 kind: Broker
 metadata:
  name: x-broker
 spec:
  ...
  authorizers:
  # Single GRPC for all KPolicies. Note that it would be possible to plug in
  # other auth methods here by adding another webhook.
  # There are two protocols supported:
  # - grpc: A service.auth.v2.CheckRequest
  #   In this mode, the access controlled resource is denoted by attributes.destination labels
  #   https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/service/auth/v2/external_auth.proto#envoy-api-msg-service-auth-v2-checkrequest
  # - https: An HTTP request with all the headers but no body content.
  #   In this mode, the access controlled resource must be denoted by additional path or query-string arguments
  #   Equivalent to a matcher of `{prefix: ""}` in envoy configuration:
  #   https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#envoy-api-msg-config-filter-http-ext-authz-v2-authorizationrequest
  - url: grpc://auth.knative-security.svc.cluster.local/
    timeout: 0.2s
 ---
 # In x-svc:
 apiGroup: serving.knative.dev/v1
 kind: Service
 metadata:
  name: x-svc
 spec:
  ...
  authorizers:
  - grpc://auth.knative-security.svc.cluster.local/
 ---
 # Status of green-service
 apiGroup: security.knative.dev/v1alpha1
 kind: PolicyBinding
 metadata:
  name: green-service
 ...
 status:
  conditions:
  - type: Ready
    status: True
    # Indicates that policy was validated and the target was Authorizable
 ---
 # Status of green-broker
 apiGroup: security.knative.dev/v1alpha1
 kind: PolicyBinding
 metadata:
  name: green-broker
 ...
 status:
  conditions:
  - type: Ready
    status: True
	apiGroup: security.knative.dev/v1alpha1
	kind: Policy
	metadata:
	name: green-policy
	spec:
	cloudEvent:
	type: green
	# Or
	cloudEventExpressions:
	- {key: type, operator: In, values: [green]}
	# This is a data-only resource, so may not need spec/status
	---
	apiGroup: security.knative.dev/v1alpha1
	kind: PolicyAssignment # PolicyAssignment creates PolicyBindings for each matched object in the list of subjects
	metadata:
	name: green-service
	spec:
	policy: green-policy
	targets:
	- apiGroup: serving.knative.dev/v1
	kind: Service
	selector:
	matchExpressions: # Matcrh all services except those labelled with access=exposed
	- {key: access, operator: NotIn, values: [exposed]}
	- apiGroup: eventing.knative.dev/v1beta1
	kind: Broker
	name: x-broker
	apiGroup: security.knative.dev/v1alpha1
	kind:PolicyBinding
	metadata:
	name: green-service
	spec:
	policy: green-policy
	target:
	- apiGroup: serving.knative.dev/v1
	kind: Service
	name: x-svc
	---
	apiGroup: security.knative.dev/v1alpha1
	kind: PolicyBinding
	metadata:
	name: green-broker
	spec:
	policy: green-policy
	target:
	- apiGroup: eventing.knative.dev/v1beta1
	kind: Broker
	name: x-broker
	# In x-broker:
	apiGroup: eventing.knative.dev/v1beta1
	kind: Broker
	metadata:
	name: x-broker
	spec:
	...
	authorizers:
	# Single GRPC for all KPolicies. Note that it would be possible to plug in
	# other auth methods here by adding another webhook.
	# There are two protocols supported:
	# - grpc: A service.auth.v2.CheckRequest
	# In this mode, the access controlled resource is denoted by attributes.destination labels
	# https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/service/auth/v2/external_auth.proto#envoy-api-msg-service-auth-v2-checkrequest
	# - https: An HTTP request with all the headers but no body content.
	# In this mode, the access controlled resource must be denoted by additional path or query-string arguments
	# Equivalent to a matcher of `{prefix: ""}` in envoy configuration:
	# https://www.envoyproxy.io/docs/envoy/v1.13.1/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto#envoy-api-msg-config-filter-http-ext-authz-v2-authorizationrequest
	- url: grpc://auth.knative-security.svc.cluster.local/
	timeout: 0.2s
	---
	# In x-svc:
	apiGroup: serving.knative.dev/v1
	kind: Service
	metadata:
	name: x-svc
	spec:
	...
	authorizers:
	- grpc://auth.knative-security.svc.cluster.local/
	---
	# Status of green-service
	apiGroup: security.knative.dev/v1alpha1
	kind: PolicyBinding
	metadata:
	name: green-service
	...
	status:
	conditions:
	- type: Ready
	status: True
	# Indicates that policy was validated and the target was Authorizable
	---
	# Status of green-broker
	apiGroup: security.knative.dev/v1alpha1
	kind: PolicyBinding
	metadata:
	name: green-broker
	...
	status:
	conditions:
	- type: Ready
	status: True