Restrict sizes of types for kube apiserver cost analysis
adam-cattermole committed Oct 31, 2023
1 parent 7e69b1f commit 7243ec3
Showing 5 changed files with 34 additions and 0 deletions.
8 changes: 8 additions & 0 deletions api/v1beta2/authpolicy_types.go
Expand Up @@ -18,16 +18,19 @@ type AuthSchemeSpec struct {
// Authentication configs.
// At least one config MUST evaluate to a valid identity object for the auth request to be successful.
// +optional
// +kubebuilder:validation:MaxProperties=14
Authentication map[string]AuthenticationSpec `json:"authentication,omitempty"`

// Metadata sources.
// Authorino fetches auth metadata as JSON from sources specified in this config.
// +optional
// +kubebuilder:validation:MaxProperties=14
Metadata map[string]MetadataSpec `json:"metadata,omitempty"`

// Authorization policies.
// All policies MUST evaluate to "allowed = true" for the auth request be successful.
// +optional
// +kubebuilder:validation:MaxProperties=14
Authorization map[string]AuthorizationSpec `json:"authorization,omitempty"`

// Response items.
Expand All @@ -38,6 +41,7 @@ type AuthSchemeSpec struct {
// Callback functions.
// Authorino sends callbacks at the end of the auth pipeline to the endpoints specified in this config.
// +optional
// +kubebuilder:validation:MaxProperties=14
Callbacks map[string]CallbackSpec `json:"callbacks,omitempty"`
}

Expand All @@ -47,6 +51,7 @@ type CommonAuthRuleSpec struct {
// At least one selected HTTPRoute rule must match to trigger the auth rule.
// If no route selectors are specified, the auth rule will be evaluated at all requests to the protected routes.
// +optional
// +kubebuilder:validation:MaxItems=15
RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`
}

Expand Down Expand Up @@ -93,11 +98,13 @@ type ResponseSpec struct {
type WrappedSuccessResponseSpec struct {
// Custom success response items wrapped as HTTP headers.
// For integration of Authorino via proxy, the proxy must use these settings to inject data in the request.
// +kubebuilder:validation:MaxProperties=14
Headers map[string]HeaderSuccessResponseSpec `json:"headers,omitempty"`

// Custom success response items wrapped as HTTP headers.
// For integration of Authorino via proxy, the proxy must use these settings to propagate dynamic metadata.
// See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
// +kubebuilder:validation:MaxProperties=14
DynamicMetadata map[string]SuccessResponseSpec `json:"dynamicMetadata,omitempty"`
}

Expand Down Expand Up @@ -133,6 +140,7 @@ type AuthPolicySpec struct {
// At least one selected HTTPRoute rule must match to trigger the AuthPolicy.
// If no route selectors are specified, the AuthPolicy will be enforced at all requests to the protected routes.
// +optional
// +kubebuilder:validation:MaxItems=15
RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

// Named sets of patterns that can be referred in `when` conditions and in pattern-matching authorization policy rules.
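Review bot: The new `+kubebuilder:validation:MaxProperties=14` and `MaxItems=15` markers on AuthSchemeSpec, CommonAuthRuleSpec, WrappedSuccessResponseSpec and AuthPolicySpec give no hint of where the values come from, so a later edit could raise or remove them without knowing they exist to keep the apiserver's cost estimate for these types within budget (the commit title is the only place that says so). Suggest a one-line comment above each marker, e.g. `// Bounded so kube-apiserver validation cost analysis of this field stays within its limit.`, and the same for `Limit.RouteSelectors` and `RateLimitPolicySpec.Limits` in ratelimitpolicy_types.go and `RouteSelector.Matches` in route_selectors.go, where the same unexplained 8/14/15 values appear. Presumably objects that already exceed these caps will be rejected on their next update rather than migrated, which is worth stating in the commit or release notes; confirm against the admission behaviour before relying on that. Separately, `Headers` and `DynamicMetadata` in WrappedSuccessResponseSpec now carry a size cap but, unlike the capped maps in AuthSchemeSpec, still have no `+optional` marker despite their `omitempty` tags; that predates this change but is worth aligning in the same pass.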
2 changes: 2 additions & 0 deletions api/v1beta2/ratelimitpolicy_types.go
Expand Up @@ -88,6 +88,7 @@ type WhenCondition struct {
type Limit struct {
// RouteSelectors defines semantics for matching an HTTP request based on conditions
// +optional
// +kubebuilder:validation:MaxItems=15
RouteSelectors []RouteSelector `json:"routeSelectors,omitempty"`

// When holds the list of conditions for the policy to be enforced.
Expand Down Expand Up @@ -119,6 +120,7 @@ type RateLimitPolicySpec struct {

// Limits holds the struct of limits indexed by a unique name
// +optional
// +kubebuilder:validation:MaxProperties=14
Limits map[string]Limit `json:"limits,omitempty"`
}

1 change: 1 addition & 0 deletions api/v1beta2/route_selectors.go
Expand Up @@ -19,6 +19,7 @@ type RouteSelector struct {
// Matches define conditions used for matching the rule against incoming HTTP requests.
// https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRouteSpec
// +optional
// +kubebuilder:validation:MaxItems=8
Matches []gatewayapiv1.HTTPRouteMatch `json:"matches,omitempty"`
}

20 changes: 20 additions & 0 deletions config/crd/bases/kuadrant.io_authpolicies.yaml
Expand Up @@ -321,8 +321,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
rules:
description: The auth rules of the policy. See Authorino's AuthConfig
Expand Down Expand Up @@ -875,8 +877,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
when:
description: Conditions for Authorino to enforce this config.
Expand Down Expand Up @@ -1001,6 +1005,7 @@ spec:
description: Authentication configs. At least one config MUST
evaluate to a valid identity object for the auth request to
be successful.
maxProperties: 14
type: object
authorization:
additionalProperties:
Expand Down Expand Up @@ -1781,8 +1786,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
spicedb:
description: Authorization decision delegated to external
Expand Down Expand Up @@ -1972,6 +1979,7 @@ spec:
type: object
description: Authorization policies. All policies MUST evaluate
to "allowed = true" for the auth request be successful.
maxProperties: 14
type: object
callbacks:
additionalProperties:
Expand Down Expand Up @@ -2499,8 +2507,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
when:
description: Conditions for Authorino to enforce this config.
Expand Down Expand Up @@ -2561,6 +2571,7 @@ spec:
description: Callback functions. Authorino sends callbacks at
the end of the auth pipeline to the endpoints specified in this
config.
maxProperties: 14
type: object
metadata:
additionalProperties:
Expand Down Expand Up @@ -3088,8 +3099,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
uma:
description: User-Managed Access (UMA) source of resource
Expand Down Expand Up @@ -3184,6 +3197,7 @@ spec:
type: object
description: Metadata sources. Authorino fetches auth metadata
as JSON from sources specified in this config.
maxProperties: 14
type: object
response:
description: Response items. Authorino builds custom responses
Expand Down Expand Up @@ -3612,8 +3626,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
when:
description: Conditions for Authorino to enforce
Expand Down Expand Up @@ -3748,6 +3764,7 @@ spec:
HTTP headers. For integration of Authorino via proxy,
the proxy must use these settings to propagate dynamic
metadata. See https://www.envoyproxy.io/docs/envoy/latest/configuration/advanced/well_known_dynamic_metadata
maxProperties: 14
type: object
headers:
additionalProperties:
Expand Down Expand Up @@ -4165,8 +4182,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
when:
description: Conditions for Authorino to enforce
Expand Down Expand Up @@ -4301,6 +4320,7 @@ spec:
HTTP headers. For integration of Authorino via proxy,
the proxy must use these settings to inject data in
the request.
maxProperties: 14
type: object
type: object
unauthenticated:
3 changes: 3 additions & 0 deletions config/crd/bases/kuadrant.io_ratelimitpolicies.yaml
Expand Up @@ -345,8 +345,10 @@ spec:
- name
x-kubernetes-list-type: map
type: object
maxItems: 8
type: array
type: object
maxItems: 15
type: array
when:
description: When holds the list of conditions for the policy
Expand Down Expand Up @@ -388,6 +390,7 @@ spec:
type: object
description: Limits holds the struct of limits indexed by a unique
name
maxProperties: 14
type: object
targetRef:
description: TargetRef identifies an API object to apply policy to.
