Deny 1 route in an application with many HTTP endpoints?

As of Linkerd 2.14, when I specify an AuthorizationPolicy on an HTTPRoute, does it automatically make all unspecified routes deny? I remember this from one of the workshops https://www.youtube.com/watch?v=hzj65jVtEwc

Thus, if I just want to deny access only to /internal/, do I have to allow access and enumerate all other routes in my service?

Asking because we have a legacy monolith of ~300+ endpoints and I don't think we can enumerate them all just so we can deny 1 route.

Interesting question. I believe we support regex matching for paths in HTTPRoutes using the Rust regex library. Unfortunately this library does not support lookahead, so something like ^(?!internal) won’t work.

There are ways to create negative regular expressions but it won’t be pretty. You could try something like ^([^i].*)|(i[^n].*)|(in[^t].)| ..... |(interna[^l].*)$.

Hopefully there’s a better solution out there than this…

Try making one HTTPRoute (and ServerAuthorization, etc) for /internal/ that denies traffic accordingly, and a second HTTPRoute (and SA, etc) for * that allows traffic. Precedence rules for HTTPRoute should apply.

Thanks @william , will test this out and let you know how it goes.

I tried this with a config like:

---
apiVersion: policy.linkerd.io/v1beta1
kind: Server
metadata:
  name: web-server
  namespace: emojivoto
spec:
  podSelector:
    matchLabels:
      app: web-svc
  port: http
---
apiVersion: policy.linkerd.io/v1beta1
kind: HTTPRoute
metadata:
  name: web-internal-route
  namespace: emojivoto
spec:
  parentRefs:
    - name: web-server
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
      - path:
          value: "/internal/"
          type: "PathPrefix"
---
apiVersion: policy.linkerd.io/v1beta1
kind: HTTPRoute
metadata:
  name: web-public-route
  namespace: emojivoto
spec:
  parentRefs:
    - name: web-server
      kind: Server
      group: policy.linkerd.io
  rules:
    - matches:
      - path:
          value: "/"
          type: "PathPrefix"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  name: public-authz
  namespace: emojivoto
spec:
  targetRef:
    group: policy.linkerd.io
    kind: HTTPRoute
    name: web-public-route
  requiredAuthenticationRefs: []

and confirmed that requests to /internal/* got denied while all other requests got allowed.

1 Like
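To make the precedence argument in this thread concrete, here is a small model of how the config above is evaluated, added as an example (it is not Linkerd's code). It assumes Gateway API PathPrefix semantics (segment-aligned, trailing slash ignored, most specific route wins) and the behaviour confirmed above: a route that no AuthorizationPolicy targets is denied, and an empty requiredAuthenticationRefs list allows every client.

```python
from typing import Optional

# The thread's resources, transcribed into plain dicts (constructed for this example).
ROUTES = {
    "web-internal-route": [{"type": "PathPrefix", "value": "/internal/"}],
    "web-public-route": [{"type": "PathPrefix", "value": "/"}],
}
# Only the public route has a policy; requiredAuthenticationRefs: [] means "allow all".
POLICIES = {
    "public-authz": {"targetRef": "web-public-route", "requiredAuthenticationRefs": []},
}


def prefix_matches(prefix: str, path: str) -> bool:
    """Gateway API PathPrefix: element-wise match with a trailing '/' ignored,
    so '/internal/' matches '/internal' and '/internal/x' but not '/internalx'
    (assumed semantics, per the Gateway API spec)."""
    prefix = prefix.rstrip("/") or "/"
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def select_route(path: str) -> Optional[str]:
    """Pick the most specific matching route: the longest PathPrefix wins."""
    best, best_len = None, -1
    for name, matches in ROUTES.items():
        for m in matches:
            if m["type"] == "PathPrefix" and prefix_matches(m["value"], path):
                length = len(m["value"].rstrip("/") or "/")
                if length > best_len:
                    best, best_len = name, length
    return best


def authorize(path: str) -> str:
    """Return 'allow' or 'deny' for an unauthenticated request to `path`."""
    route = select_route(path)
    if route is None:
        return "deny"  # nothing routes this path at all
    for pol in POLICIES.values():
        if pol["targetRef"] == route:
            # An empty requiredAuthenticationRefs list authorizes every client;
            # a non-empty one would require the listed authentications.
            return "allow" if not pol["requiredAuthenticationRefs"] else "deny"
    return "deny"  # route matched but no policy targets it: default deny
```

Note that the deny depends on the prefix being segment-aligned: a sibling path such as /internal-admin would fall through to the catch-all route, so each prefix you want to block needs its own match.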