Merge pull request #179 from michelleN/release/v0.5.0

Michelle Noorali · web-flow · commit d0eef50d4c93 · 2020-07-15T11:42:36.000-04:00
prepare repo for v0.5.0 release
diff --git a/README.md b/README.md
@@ -18,12 +18,12 @@ The following documents are available:
 |                               |         Latest Release             |    Working Draft                           |
 | :---------------------------- | :--------------------------------: | :----------------------------------------: |
 | **Core Specification:**       |
-| SMI Specification             |  [v0.4.0](/SPEC_LATEST_STABLE.md) |  [v0.5.0-WD](/SPEC_WORKING_DRAFT.md)  |
+| SMI Specification             |  [v0.5.0](/SPEC_LATEST_STABLE.md) |  [v0.6.0-WD](/SPEC_WORKING_DRAFT.md)  |
 |                               |
 | **Specification Components**  |
-| Traffic Access Control  |  [v1alpha1](/apis/traffic-access/v1alpha1/traffic-access.md)  |  [v1alpha2-WD](/apis/traffic-access/traffic-access-WD.md)          |
+| Traffic Access Control  |  [v1alpha2](/apis/traffic-access/v1alpha2/traffic-access.md)  |  [v1alpha3-WD](/apis/traffic-access/traffic-access-WD.md)          |
 | Traffic Metrics   |  [v1alpha1](/apis/traffic-metrics/v1alpha1/traffic-metrics.md)  |  [v1alpha2-WD](/apis/traffic-metrics/traffic-metrics-WD.md)          |
-| Traffic Specs  |  [v1alpha2](/apis/traffic-specs/v1alpha2/traffic-specs.md)  |  [v1alpha3-WD](/apis/traffic-specs/traffic-specs-WD.md)          |
+| Traffic Specs  |  [v1alpha3](/apis/traffic-specs/v1alpha3/traffic-specs.md)  |  [v1alpha4-WD](/apis/traffic-specs/traffic-specs-WD.md)          |
 | Traffic Split  |  [v1alpha3](/apis/traffic-split/v1alpha3/traffic-split.md) |  [v1alpha4-WD](/apis/traffic-split/traffic-split-WD.md)          |
 
 ## Ecosystem
diff --git a/SPEC_LATEST_STABLE.md b/SPEC_LATEST_STABLE.md
@@ -2,7 +2,7 @@
 
 ## Version
 
-This is SMI **spec** version **v0.4.0**.
+This is SMI **spec** version **v0.5.0**.
 Learn more about versioning [below](#versioning).
 
 ## Table of Contents
@@ -80,7 +80,7 @@ drafts can be found under the [apis/ directory](apis/)_
 
 Apply policies like identity and transport encryption across services.
 
-The [Traffic Access Control](apis/traffic-access/v1alpha1/traffic-access.md) API
+The [Traffic Access Control](apis/traffic-access/v1alpha2/traffic-access.md) API
 describes a resource to configure access to specific pods and routes based
 on the identity of a client for locking down applications to only allowed
 users and services.
@@ -97,7 +97,7 @@ to assist in building out canary rollouts.
 
 Describe traffic on a per-protocol basis.
 
-The [Traffic Specs](apis/traffic-specs/v1alpha2/traffic-specs.md) API describes
+The [Traffic Specs](apis/traffic-specs/v1alpha3/traffic-specs.md) API describes
 a set of resources to define how traffic looks on a per-protocol basis. These
 resources work in concert with access control and other types of policy to manage
 traffic at a protocol level.
diff --git a/SPEC_WORKING_DRAFT.md b/SPEC_WORKING_DRAFT.md
@@ -2,7 +2,7 @@
 
 ## Version
 
-This is SMI **spec** version **v0.5.0-WD**.
+This is SMI **spec** version **v0.6.0-WD**.
 Learn more about versioning [below](#versioning).
 
 ## Table of Contents
diff --git a/apis/traffic-access/traffic-access-WD.md b/apis/traffic-access/traffic-access-WD.md
@@ -2,7 +2,7 @@
 
 **API Group:** access.smi-spec.io
 
-**API Version:** v1alpha2-WD
+**API Version:** v1alpha3-WD
 
 **Compatible With:** specs.smi-spec.io/v1alpha3
 
@@ -19,7 +19,7 @@ See [tradeoffs](#tradeoffs) for a longer discussion about why.
 
 A `TrafficTarget` associates a set of traffic definitions (rules) with a
 service identity which is allocated to a group of pods.  Access is controlled
-via referenced [TrafficSpecs](/apis/traffic-specs/v1alpha2/traffic-specs.md)
+via referenced [TrafficSpecs](/apis/traffic-specs/v1alpha3/traffic-specs.md)
 and by a list of source service identities.  If a pod which holds the reference
 service identity makes a call to the destination on one of the defined routes
 then access will be allowed. Any pod which attempts to connect and is not in
@@ -31,7 +31,7 @@ Access is controlled based on service identity, at present the method of
 assigning service identity is using Kubernetes service accounts, provision for
 other identity mechanisms will be handled by the spec at a later date.
 
-Rules are [traffic specs](/apis/traffic-specs/v1alpha2/traffic-specs.md) that
+Rules are [traffic specs](/apis/traffic-specs/v1alpha3/traffic-specs.md) that
 define what traffic for specific protocols would look like. The kind can be
 different depending on what traffic a target is serving. In the following
 examples, `HTTPRouteGroup` is used for applications serving HTTP based traffic.
diff --git a/apis/traffic-access/v1alpha2/traffic-access.md b/apis/traffic-access/v1alpha2/traffic-access.md
@@ -0,0 +1,209 @@
+# Traffic Access Control
+
+**API Group:** access.smi-spec.io
+
+**API Version:** v1alpha2
+
+**Compatible With:** specs.smi-spec.io/v1alpha3
+
+This set of resources allows users to define access control policy for their
+applications. It is the authorization side of the picture. Authentication should
+already be handled by the underlying implementation and surfaced through a subject.
+
+Access control in this specification is additive, all traffic is denied by default.
+See [tradeoffs](#tradeoffs) for a longer discussion about why.
+
+## Specification
+
+### TrafficTarget
+
+A `TrafficTarget` associates a set of traffic definitions (rules) with a
+service identity which is allocated to a group of pods.  Access is controlled
+via referenced [TrafficSpecs](/apis/traffic-specs/v1alpha3/traffic-specs.md)
+and by a list of source service identities.  If a pod which holds the reference
+service identity makes a call to the destination on one of the defined routes
+then access will be allowed. Any pod which attempts to connect and is not in
+the defined list of sources will be denied.  Any pod which is in the defined
+list but attempts to connect on a route which is not in the list of
+`TrafficSpecs` will be denied.
+
+Access is controlled based on service identity, at present the method of
+assigning service identity is using Kubernetes service accounts, provision for
+other identity mechanisms will be handled by the spec at a later date.
+
+Rules are [traffic specs](/apis/traffic-specs/v1alpha3/traffic-specs.md) that
+define what traffic for specific protocols would look like. The kind can be
+different depending on what traffic a target is serving. In the following
+examples, `HTTPRouteGroup` is used for applications serving HTTP based traffic.
+
+To understand how this all fits together, first define the routes for some
+traffic.
+
+```yaml
+kind: HTTPRouteGroup
+metadata:
+  name: the-routes
+spec:
+  matches:
+  - name: metrics
+    pathRegex: "/metrics"
+    methods:
+    - GET
+  - name: everything
+    pathRegex: ".*"
+    methods: ["*"]
+```
+
+For this definition, there are two routes: metrics and everything. It is a
+common use case to restrict access to `/metrics` to only be scraped by
+Prometheus. To define the target for this traffic, it takes a `TrafficTarget`.
+
+```yaml
+---
+kind: TrafficTarget
+metadata:
+  name: path-specific
+  namespace: default
+spec:
+  destination:
+    kind: ServiceAccount
+    name: service-a
+    namespace: default
+    port: 8080
+  rules:
+  - kind: HTTPRouteGroup
+    name: the-routes
+    matches:
+    - metrics
+  sources:
+  - kind: ServiceAccount
+    name: prometheus
+    namespace: default
+```
+
+This example selects all the pods which have the `service-a` `ServiceAccount`.
+Traffic destined on a path `/metrics` is allowed. The `matches` field is
+optional and if omitted, a rule is valid for all the matches in a traffic spec
+(a OR relationship).  It is possible for a service to expose multiple ports,
+the `port` field allows the user to specify specifically which port traffic
+should be allowed on. `port` is an optional element, if not specified, traffic
+will be allowed to all ports on the destination service.
+
+Allowing destination traffic should only be possible with permission of the
+service owner. Therefore, RBAC rules should be configured to control the pods
+which are allowed to assign the `ServiceAccount` defined in the TrafficTarget
+destination.
+
+**Note:** access control is *always* enforced on the *server* side of a
+connection (or the target). It is up to implementations to decide whether they
+would also like to enforce access control on the *client* (or source) side of
+the connection as well.
+
+Source identities which are allowed to connect to the destination is defined in
+the sources list.  Only pods which have a `ServiceAccount` which is named in
+the sources list are allowed to connect to the destination.
+
+## Example Implementation
+
+The following implementation shows four services api, website, payment and
+prometheus. It shows how it is possible to write fine grained TrafficTargets
+which allow access to be controlled by route and source.
+
+```yaml
+kind: HTTPRouteGroup
+metadata:
+  name: api-service-routes
+spec:
+  matches:
+  - name: api
+    pathRegex: /api
+    methods: ["*"]
+  - name: metrics
+    pathRegex: /metrics
+    methods: ["GET"]
+---
+kind: TrafficTarget
+metadata:
+  name: api-service-metrics
+  namespace: default
+spec:
+  destination:
+    kind: ServiceAccount
+    name: api-service
+    namespace: default
+  rules:
+  - kind: HTTPRouteGroup
+    name: api-service-routes
+    matches:
+    - metrics
+  sources:
+  - kind: ServiceAccount
+    name: prometheus
+    namespace: default
+---
+kind: TrafficTarget
+metadata:
+  name: api-service-api
+  namespace: default
+spec:
+  destination:
+    kind: ServiceAccount
+    name: api-service
+    namespace: default
+    port: 8080
+  rules:
+  - kind: HTTPRouteGroup
+    name: api-service-routes
+    matches:
+    - api
+  sources:
+  - kind: ServiceAccount
+    name: website-service
+    namespace: default
+  - kind: ServiceAccount
+    name: payments-service
+    namespace: default
+```
+
+The previous example would allow the following HTTP traffic:
+
+| source            | destination   | path     | method |
+| ----------------- | ------------- | -------- | ------ |
+| website-service   | api-service   | /api     | *      |
+| payments-service  | api-service   | /api     | *      |
+| prometheus        | api-service   | /metrics | GET    |
+
+## Tradeoffs
+
+* Additive policy - policy that denies instead of only allows is valuable
+  sometimes. Unfortunately, it makes it extremely difficult to reason about what
+  is allowed or denied in a configuration.
+
+* Resources vs selectors - it would be possible to reference concrete resources
+  such as a deployment instead of selecting across pods.
+
+* As this access control is on the destination (server) side, implicitly
+
+* Currently the specification does not have provision for the definition of
+  higher level elements such as a service. It is probable that this specification
+  will change once these elements are defined.
+
+## Out of scope
+
+* Egress policy - TrafficTarget does *not* allow for the possibility of egress
+  access control as it selects specific pods and not hostnames. Another object
+  will need to be created to manage this use case.
+
+* Ingress policy - assuming clients present the correct identity, this *should*
+  work for some kind of ingress. Unfortunately, it does not cover many of the
+  common use cases (filtering by hostname) and will need to be expanded to cover
+  this use case.
+
+* Other types of policy - having policy around retries, timeouts and rate limits
+  would be great. This specific object only manages access control. As policy
+  for these examples would be HTTP specific, there needs to be a HTTP specific
+  policy object created.
+
+* Other types of identity - there is room to expand the `kind` accepted for
+  subjects in IdentityBinding to other types of identity. This needs further
+  definition to explain use cases and implementation.
diff --git a/apis/traffic-specs/traffic-specs-WD.md b/apis/traffic-specs/traffic-specs-WD.md
@@ -2,13 +2,13 @@
 
 **API Group:** specs.smi-spec.io
 
-**Version:** v1alpha3-WD
+**Version:** v1alpha4-WD
 
 ## Specification
 
 This specification describes a set of resources that allows users to specify
 how their traffic looks. It is used in concert with
-[access control](/apis/traffic-access/v1alpha1/traffic-access.md) and
+[access control](/apis/traffic-access/v1alpha2/traffic-access.md) and
 other policies to concretely define what should happen to specific
 types of traffic as it flows through the mesh.
 
@@ -44,7 +44,7 @@ URI and is anchored (`^`) to the beginning of the URI. Methods can either be
 specific (`GET`) or `*` to match all methods.
 
 These routes have not yet been associated with any resources. See
-[Traffic Target](/apis/traffic-access/v1alpha1/traffic-access.md) for an example
+[Traffic Target](/apis/traffic-access/v1alpha2/traffic-access.md) for an example
 of how routes become associated with applications serving traffic.
 
 The `matches` field only applies to URIs and HTTP headers.
diff --git a/apis/traffic-specs/v1alpha3/traffic-specs.md b/apis/traffic-specs/v1alpha3/traffic-specs.md
diff --git a/apis/traffic-split/traffic-split-WD.md b/apis/traffic-split/traffic-split-WD.md
diff --git a/apis/traffic-split/v1alpha3/traffic-split.md b/apis/traffic-split/v1alpha3/traffic-split.md
