diff --git a/docs/proposal/layer4_authorization.md b/docs/proposal/layer4_authorization.md index bca7e8be6..a56ad03f4 100644 --- a/docs/proposal/layer4_authorization.md +++ b/docs/proposal/layer4_authorization.md @@ -10,18 +10,16 @@ approvers: - TBD creation-date: 2024-05-28 - - --- - ## Support L4 authorization in workload mode ### Summary -This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/) +This article aims to explain how Kmesh achieves layer 4 authorization functionality in workload mode. For an introduction to the authentication features, please refer to:[Kmesh TCP Authorization](https://kmesh.net/en/docs/userguide/tcp_authorization/). Currently, kmesh supports two authentication architectures, packet first go through XDP authentication processing, if the type is not supported, the quintuple information is passed to Userspace authentication via a ring buffer, the ultimate goal is to completely handle authentication within XDP.[Userspace authentication](#Userspace-authentication) -### Design details +### Userspace authentication +#### Design detail ![l4_authz](pics/kmesh_l4_authorization.svg#pic_center) 
@@ -56,5 +54,32 @@ struct { - 3.2: If the matched record shows `value=deny`, it alters the message flag, sends an RST message to the server, clears the corresponding `auth_map` record. If no record is matched, implying authorization is allowed, the message is passed through. 4. **client retry**: The client attempts to send another message, but because the server has closed the connection, the client receives a "reset by peer" signal and subsequently closes its own channel. +### Xdp-authentication + +#### Desing detail + +![l4_authz](pics/kmesh_l4_authorization_xdp.svg#pic_center) + +#### Map definition + +map_of_wl_policy: records the policies that are configured for the workload. +map_of_authz: records the authz rules of policys +```.c +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(wl_policies_v)); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, MAP_SIZE_OF_AUTH_POLICY); +} map_of_wl_policy SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(Istio__Security__Authorization)); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, MAP_SIZE_OF_AUTH_POLICY); +} map_of_authz SEC(".maps"); +```
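Review bot: The new summary sentence in the first hunk says "kmesh supports two authentication architectures" and "completely handle authentication within XDP", but the heading this hunk sits under is "Support L4 authorization in workload mode" and the maps described later hold authorization policies, so "authentication" should read "authorization" throughout that sentence (the existing text that says "authentication features" also describes the linked TCP Authorization guide). The same line has a few smaller problems: there is no space after "refer to:" before the link, "packet first go through" should be "packets first go through", the run-on would read better split into two sentences, and "if the type is not supported" does not say which rule types XDP can evaluate on its own, which is exactly what a reader needs to decide when the ring-buffer fallback to userspace is taken. The intra-document link `[Userspace authentication](#Userspace-authentication)` also uses a capitalised fragment; Markdown renderers generate lowercase slugs, so `#userspace-authentication` is the anchor that will actually resolve to the new `### Userspace authentication` heading.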
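Review bot: The two map definitions in the second hunk both use `__u32` keys and both size themselves with `MAP_SIZE_OF_AUTH_POLICY`, but the prose only says what each map records, not what the key is for each (`map_of_wl_policy` is keyed per workload, `map_of_authz` per policy), so a sentence or an inline comment naming the key for each map would make the lookup path from the diagram followable; if the number of workloads and the number of policies can differ, sharing one `max_entries` constant is probably not what is intended either. `map_of_authz` stores `sizeof(Istio__Security__Authorization)` as a fixed-size value; since that is a protobuf-c generated struct, the proposal should say how the BPF side reaches the nested rules from it. Smaller points in the same hunk: "#### Desing detail" should be "#### Design detail", "authz rules of policys" should be "authz rules of policies" (and a blank line before the fence keeps some renderers from gluing it to the sentence), and the fence tag should be "```c" rather than "```.c" to get syntax highlighting. Finally, the hunk references `pics/kmesh_l4_authorization_xdp.svg` but this diff only touches `layer4_authorization.md`, so the new diagram needs to be added to the change as well.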