add xdp authz proposal
Signed-off-by: superCharge-xsy <[email protected]>
supercharge-xsy committed Sep 30, 2024
1 parent 684782d commit 574fec7
Showing 1 changed file with 30 additions and 5 deletions.
35 changes: 30 additions & 5 deletions docs/proposal/layer4_authorization.md
@@ -10,18 +10,16 @@ approvers:
- TBD

creation-date: 2024-05-28


---

## Support L4 authorization in workload mode

### Summary

This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/)
This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/). Currently, kmesh supports two authentication architectures, packet first go through XDP authentication processing, if the type is not supported, the quintuple information is passed to Userspace authentication via a ring buffer, the ultimate goal is to completely handle authentication within XDP.[Userspace authentication](#Userspace-authentication)

### Design details
### Userspace authentication

#### Design detail

![l4_authz](pics/kmesh_l4_authorization.svg#pic_center)

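Review bot: the added summary sentence (the new line beginning "Currently, kmesh supports two authentication architectures") is one run-on and, more importantly, says "authentication" where the document title, the section headings and the described behaviour (policy match, allow/deny, RST on deny) all mean authorization; split it and fix the term, e.g. "Kmesh currently supports two authorization architectures. Packets first pass through XDP authorization; if the policy type is not supported there, the five-tuple is passed to userspace authorization via a ring buffer. The long-term goal is to handle authorization entirely in XDP." The trailing link `[Userspace authentication](#Userspace-authentication)` is glued onto the end of the sentence after the full stop with no connecting text, and GitHub generates lowercase heading anchors, so it needs to be `#userspace-authentication` to resolve. Minor: "please refer to:[Kmesh TCP Authorization]" is carried over from the old line and still lacks a space after the colon.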
@@ -56,5 +54,32 @@ struct {
- 3.2: If the matched record shows `value=deny`, it alters the message flag, sends an RST message to the server, clears the corresponding `auth_map` record. If no record is matched, implying authorization is allowed, the message is passed through.
4. **client retry**: The client attempts to send another message, but because the server has closed the connection, the client receives a "reset by peer" signal and subsequently closes its own channel.
### Xdp-authentication
#### Desing detail

![l4_authz](pics/kmesh_l4_authorization_xdp.svg#pic_center)
#### Map definition
map_of_wl_policy: records the policies that are configured for the workload.
map_of_authz: records the authz rules of policys

```.c
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(__u32));
__uint(value_size, sizeof(wl_policies_v));
__uint(map_flags, BPF_F_NO_PREALLOC);
__uint(max_entries, MAP_SIZE_OF_AUTH_POLICY);
} map_of_wl_policy SEC(".maps");
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(key_size, sizeof(__u32));
__uint(value_size, sizeof(Istio__Security__Authorization));
__uint(map_flags, BPF_F_NO_PREALLOC);
__uint(max_entries, MAP_SIZE_OF_AUTH_POLICY);
} map_of_authz SEC(".maps");
```

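Review bot: the new `### Xdp-authentication` section has two spelling errors on its visible lines ("Desing detail" should be "Design detail"; "authz rules of policys" should be "authz rules of policies"), its heading is inconsistent with `### Userspace authentication` above it and should name what it actually describes (suggest `### XDP authorization`), and it is missing the blank line before the heading after the numbered list. The code fence opens with ```.c, which is not a recognised language tag; use ```c as the earlier block in this file does. More substantively, the map definitions do not say what the `__u32` keys are (workload id? policy id?) or how a `map_of_wl_policy` entry refers to entries in `map_of_authz`, and `map_of_authz` stores a value of type `Istio__Security__Authorization`, which by its naming looks like the protobuf-c generated struct; if so, its nested rule fields are pointers, and the proposal should state how those are laid out in the map value so an XDP program can read them under the verifier's constraints. The summary also says unsupported policy types fall back to the ring-buffer path, but this section does not list which rule types XDP handles and which are deferred.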