Merge branch 'master' into target-no-rule

Author: Michelle Noorali

.github/workflows/main.yml

@@ -13,7 +13,9 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v2
     - name: Setup Node.js
-      uses: actions/setup-node@v1.1.0
+      uses: actions/setup-node@v2-beta
+      with:
+        node-version: '12.x'
     - name: Run lint
       run: |
         make lint

CODEOWNERS

@@ -1 +1 @@
-* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine
+* @grampelberg @lachie83 @leecalcote @nicholasjackson @slack @stefanprodan @michelleN @bridgetkromhout @ilevine @mhausenblas @pothulapati

README.md

@@ -32,7 +32,7 @@ The following documents are available:
 * **Flagger:** progressive delivery operator ([flagger.app](https://flagger.app))
 * **Istio\*:** connect, secure, control, observe ([servicemeshinterface/smi-adapter-istio](https://github.com/servicemeshinterface/smi-adapter-istio))
 * **Linkerd:** ultralight service mesh ([linkerd.io](https://linkerd.io))
-* **Maesh:** simpler service mesh ([mae.sh](https://mae.sh))
+* **Traefik Mesh:** simpler service mesh ([traefik.io/traefik-mesh](https://traefik.io/traefik-mesh))
 * **Meshery:** the service mesh management plane ([layer5.io/meshery](https://layer5.io/meshery))
 * **Rio:** application deployment engine ([rio.io](https://rio.io))
 * **Service Mesh Hub:** unified dashboard ([solo.io/products/service-mesh-hub](https://solo.io/products/service-mesh-hub))

apis/traffic-access/traffic-access-WD.md

@@ -4,7 +4,9 @@
 
 **API Version:** v1alpha3-WD
 
-**Compatible With:** specs.smi-spec.io/v1alpha4-WD
+**Compatible with:** specs.smi-spec.io/v1alpha4-WD
+
+## Specification
 
 This set of resources allows users to define access control policy for their
 applications. It is the authorization side of the picture. Authentication should
@@ -13,8 +15,6 @@ already be handled by the underlying implementation and surfaced through a subje
 Access control in this specification is additive, all traffic is denied by default.
 See [tradeoffs](#tradeoffs) for a longer discussion about why.
 
-## Specification
-
 ### TrafficTarget
 
 A `TrafficTarget` associates a set of traffic definitions (rules) with a
@@ -43,6 +43,14 @@ To understand how this all fits together, first define the routes for some
 traffic.
 
 ```yaml
+kind: TCPRoute
+metadata:
+  name: the-routes
+spec:
+  matches:
+    ports:
+    - 8080
+---
 kind: HTTPRouteGroup
 metadata:
   name: the-routes
@@ -72,8 +80,9 @@ spec:
     kind: ServiceAccount
     name: service-a
     namespace: default
-    port: 8080
   rules:
+  - kind: TCPRoute
+    name: the-routes
   - kind: HTTPRouteGroup
     name: the-routes
     matches:
@@ -88,8 +97,9 @@ This example selects all the pods which have the `service-a` `ServiceAccount`.
 Traffic destined on a path `/metrics` is allowed. The `matches` field is
 optional and if omitted, a rule is valid for all the matches in a traffic spec
 (a OR relationship).  It is possible for a service to expose multiple ports,
-the `port` field allows the user to specify specifically which port traffic
-should be allowed on. `port` is an optional element, if not specified, traffic
+the TCPRoute/UDPRoute `matches.ports` field allows the user to specify
+specifically which port traffic should be allowed on.
+The `matches.ports` is an optional element, if not specified, traffic
 will be allowed to all ports on the destination service.
 
 Allowing destination traffic should only be possible with permission of the
@@ -106,13 +116,21 @@ Source identities which are allowed to connect to the destination is defined in
 the sources list.  Only pods which have a `ServiceAccount` which is named in
 the sources list are allowed to connect to the destination.
 
-## Example Implementation
+## Example implementation for L7
 
 The following implementation shows four services api, website, payment and
 prometheus. It shows how it is possible to write fine grained TrafficTargets
 which allow access to be controlled by route and source.
 
 ```yaml
+kind: TCPRoute
+metadata:
+  name: api-service-port
+spec:
+  matches:
+    ports:
+    - 8080
+---
 kind: HTTPRouteGroup
 metadata:
   name: api-service-routes
@@ -135,6 +153,8 @@ spec:
     name: api-service
     namespace: default
   rules:
+  - kind: TCPRoute
+    name: api-service-port
   - kind: HTTPRouteGroup
     name: api-service-routes
     matches:
@@ -153,8 +173,9 @@ spec:
     kind: ServiceAccount
     name: api-service
     namespace: default
-    port: 8080
   rules:
+  - kind: TCPRoute
+    name: api-service-port
   - kind: HTTPRouteGroup
     name: api-service-routes
     matches:
@@ -176,6 +197,53 @@ The previous example would allow the following HTTP traffic:
 | payments-service  | api-service   | /api     | *      |
 | prometheus        | api-service   | /metrics | GET    |
 
+## Example implementation for L4
+
+The following implementation shows how to define TrafficTargets for
+allowing TCP and UDP traffic to specific ports.
+
+```yaml
+kind: TCPRoute
+metadata:
+  name: tcp-ports
+spec:
+  matches:
+    ports:
+    - 8301
+    - 8302
+    - 8300
+---
+kind: UDPRoute
+metadata:
+  name: udp-ports
+spec:
+  matches:
+    ports:
+    - 8301
+    - 8302
+---
+kind: TrafficTarget
+metadata:
+  name: protocal-specific
+spec:
+  destination:
+    kind: ServiceAccount
+    name: server
+    namespace: default
+  rules:
+  - kind: TCPRoute
+    name: tcp-ports
+  - kind: UDPRoute
+    name: udp-ports
+  sources:
+  - kind: ServiceAccount
+    name: client
+    namespace: default
+```
+
+Note that the above configuration will allow TCP and UDP traffic to
+both `8301` and `8302` ports, but will block UDP traffic to `8300`.
+
 ## Tradeoffs
 
 * Additive policy - policy that denies instead of only allows is valuable

apis/traffic-metrics/traffic-metrics-WD.md

@@ -4,7 +4,7 @@
 
 **API Version:** v1alpha2-WD
 
-## Specfication
+## Specification
 
 This specification describes a resource that provides a common integration
 point for tools that can benefit by consuming metrics related to HTTP traffic.
@@ -51,7 +51,7 @@ are two main ways to query the API for metrics:
 * A sub-resource allows querying for all the edges associated with a specific
   resource.
 
-## Specification
+### TrafficMetrics
 
 The core resource is `TrafficMetrics`. It references a `resource`, has an `edge`
 and surfaces latency percentiles and request volume.
@@ -441,7 +441,7 @@ targets pods with an Envoy sidecar and periodically requests
   rules and force integrations to query those directly. This feels like it
   increases the bar for metrics stores to change their internal configuration
   around to support this specification. There is also not a multi-tenant story
-  for Prometheus series visibility that maps across Kuberenetes RBAC. From the
+  for Prometheus series visibility that maps across Kubernetes RBAC. From the
   other side, consumers of these metrics will have to do discovery of
   Prometheus' location in the cluster and do some kind of queries to surface the
   data that they need.

apis/traffic-specs/traffic-specs-WD.md

@@ -2,7 +2,7 @@
 
 **API Group:** specs.smi-spec.io
 
-**Version:** v1alpha4-WD
+**API Version:** v1alpha4-WD
 
 ## Specification
 
@@ -137,14 +137,56 @@ to any path and all HTTP methods.
 
 ### TCPRoute
 
-This resource is used to describe L4 TCP traffic. It is a simple route which configures
-an application to receive raw non protocol specific traffic.
+This resource is used to describe L4 TCP traffic for a list of ports.
 
 ```yaml
 kind: TCPRoute
 metadata:
-  name: tcp-route
-spec: {}
+  name: the-routes
+spec:
+  matches:
+    ports:
+    - 3306
+    - 6446
+```
+
+When matching ports are not specified,
+the TCP route will match all the ports of a Kubernetes service:
+
+```yaml
+kind: TCPRoute
+metadata:
+  name: the-routes
+spec:
+  matches:
+    ports: []
+```
+
+### UDPRoute
+
+This resource is used to describe L4 UDP traffic for a list of ports.
+
+```yaml
+kind: UDPRoute
+metadata:
+  name: the-routes
+spec:
+  matches:
+    ports:
+    - 989
+    - 990
+```
+
+When matching ports are not specified,
+the UDP route will match all the ports of a Kubernetes service:
+
+```yaml
+kind: UDPRoute
+metadata:
+  name: the-routes
+spec:
+  matches:
+    ports: []
 ```
 
 ## Automatic Generation

apis/traffic-split/traffic-split-WD.md

@@ -4,7 +4,7 @@
 
 **API Version:** v1alpha4-WD
 
-**Compatible with:** specs.smi-spec.io/v1alpha3
+**Compatible with:** specs.smi-spec.io/v1alpha4-WD
 
 ## Specification