Skip to content

Commit 78e6d97

Browse files
committed
docs: added info about restricting cross unit communication
1 parent 998e7ce commit 78e6d97

File tree

2 files changed

+35
-0
lines changed

2 files changed

+35
-0
lines changed

docs/explanation/traffic-authorization.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -59,6 +59,10 @@ class DetailsK8sCharm(CharmBase):
5959

6060
This means that, when related to a Beacon charm via the `service_mesh` relation, `bookinfo-details-k8s` will request traffic authorization for every application related to its `details` integration. Specifically, it will request that those related applications can `GET` the `/health` and `/details/*` endpoints on a given port. It is then the responsibility of the related beacon charm to create the policies necessary for this communication in the given service mesh.
6161

62+
```{note}
63+
By default different units of the charm are allowed to access each other without any policy restrictions. This behavior can be changed if required. Check this [How-to](../how-to/add-mesh-support-to-your-charm.md) guide for more details.
64+
```
65+
6266
## Authorization Management in Charmed Istio
6367

6468
Istio's [Authorization](https://istio.io/latest/docs/concepts/security/#authorization) model centers around the [`AuthorizationPolicy`](https://istio.io/latest/docs/reference/config/security/authorization-policy/). This object is how service-to-service communication is opened in an Istio service mesh. The [istio-beacon-k8s](https://charmhub.io/istio-beacon-k8s) charm manages `AuthorizationPolicies` for Charmed Istio. It automatically creates policies for charms related to it via the [`service_mesh`](https://charmhub.io/istio-beacon-k8s/integrations) interface.

docs/how-to/add-mesh-support-to-your-charm.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -91,6 +91,37 @@ class MyCharm(CharmBase):
9191

9292
Exactly what should be defined for your `Endpoint`s depends on the application you've charmed. Generally, you can look at your applications API reference or typical usage and include exactly what is needed, exposing only the necessary attack surface.
9393

94+
When a charm that is on the mesh is scaled to have more than one unit, by default all the units of the charm are allowed to communicate with each other Without any restriction. But the `ServiceMeshConsumer` allows you to configure your charm to restrict the cross unit communication within your charm. This can be achieved by setting the `restrict_cross_unit_communication` argument of the `ServiceMeshConsumer` object to `True`.
95+
96+
For example:
97+
98+
```python
99+
class MyCharm(CharmBase):
100+
def __init__(self, *args):
101+
super().__init__(*args)
102+
self._mesh = ServiceMeshConsumer(
103+
self,
104+
policies=[
105+
AppPolicy(
106+
relation="database", # On the database relation
107+
endpoints=[ # allow a related application to access...
108+
Endpoint(
109+
paths=["/db"], # these specific paths
110+
ports=[DB_PORT], # on these specific ports
111+
methods=[Method.get, Method.Post], # using only these methods
112+
),
113+
],
114+
),
115+
UnitPolicy(
116+
relation="metrics-endpoint", # On the metrics-endpoint relations
117+
ports=[HTTP_PORT], # allow a related application to access this charm's individual units on these specific ports
118+
),
119+
],
120+
restrict_cross_unit_communication=True, # restrict the communication between the units of this charm
121+
)
122+
```
123+
124+
94125
## Cross-model Integrations (Optional)
95126

96127
If your Charm provides integrations that can be used cross-model, the `ServiceMeshConsumer` library offers the additional `provide-cmr-mesh` and `require-cmr-mesh` integrations to ensure these generate policies properly. These additional integrations are required because Juju cross-model relations do not natively provide all the information needed for a service mesh authorization policy to be generated.

0 commit comments

Comments
 (0)