Use Case k8s Allowed Network Policy Secrets GCP - GoogleCloudPlatform/anthos-appconfig GitHub Wiki

Use-Case-k8s--Allowed-Network-Policy-Secrets-GCP

  • Namespace: uc-secrets-k8s

We use Pub/Sub topic ACLs to demonstrate adding secrets to a pod via a mutating webhook. At this point the secret exists, protected by RBAC, in the controller namespace 'appconfigmgrv2-system'. The webhook copies the appropriate secret into the application namespace, mounts it as a volume, and sets the environment variable GOOGLE_APPLICATION_CREDENTIALS to the mounted key file, which is what the Google API client libraries read to locate their credentials.

gsutil cat  gs://anthos-appconfig_public/deploy/${RELEASE_NAME}/examples/use-cases/uc-secrets-k8s/deploy-apps.yaml | kubectl apply -f -

*NOTE - This assumes you have named the secrets consistently with appconfig.yaml.
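The two mutations described above (copy the key Secret from the controller namespace into the application namespace, then patch the Pod with a Secret volume, a read-only mount and GOOGLE_APPLICATION_CREDENTIALS pointing at the mounted file) as an added illustration in Python. This is not the anthos-appconfig webhook's own code: the in-memory secret store, the mount path `/var/secrets/google`, the key file name `key.json` and the volume name are assumptions for the demo; the namespace names come from the page.

```python
import copy

# Namespaces from the page; mount path and key file name are assumptions.
CONTROLLER_NS = "appconfigmgrv2-system"
APP_NS = "uc-secrets-k8s"
MOUNT_PATH = "/var/secrets/google"   # assumption
KEY_FILE = "key.json"                # assumption: the key inside the Secret's data
ENV_NAME = "GOOGLE_APPLICATION_CREDENTIALS"


def copy_secret(store, name, src_ns=CONTROLLER_NS, dst_ns=APP_NS):
    """Copy Secret `name` from src_ns into dst_ns.

    `store` is an in-memory stand-in for the API server: {namespace: {name: data}}.
    The copy is a deep copy so later edits in one namespace never leak to the other.
    Raises KeyError if the source Secret is missing, rather than silently mounting
    nothing (which would surface later as an opaque auth failure in the app).
    """
    try:
        data = store[src_ns][name]
    except KeyError:
        raise KeyError(f"secret {src_ns}/{name} not found") from None
    store.setdefault(dst_ns, {})[name] = copy.deepcopy(data)
    return store[dst_ns][name]


def inject_credentials(pod, secret_name, mount_path=MOUNT_PATH, key_file=KEY_FILE):
    """Return a mutated copy of `pod` (a dict in Kubernetes Pod shape).

    Adds a read-only Secret volume, mounts it into every container and points
    GOOGLE_APPLICATION_CREDENTIALS at the key file. Idempotent: running it twice
    yields the same spec, as a mutating webhook must be when a Pod is re-admitted.
    """
    pod = copy.deepcopy(pod)
    spec = pod.setdefault("spec", {})
    vol_name = f"{secret_name}-gcp-creds"
    volumes = spec.setdefault("volumes", [])
    if not any(v.get("name") == vol_name for v in volumes):
        volumes.append({"name": vol_name,
                        "secret": {"secretName": secret_name, "defaultMode": 0o400}})
    cred_path = f"{mount_path}/{key_file}"
    for container in spec.get("containers", []):
        mounts = container.setdefault("volumeMounts", [])
        if not any(m.get("name") == vol_name for m in mounts):
            mounts.append({"name": vol_name, "mountPath": mount_path, "readOnly": True})
        env = container.setdefault("env", [])
        env[:] = [e for e in env if e.get("name") != ENV_NAME]
        env.append({"name": ENV_NAME, "value": cred_path})
    return pod


def credentials_path(pod, container_index=0):
    """Return the GOOGLE_APPLICATION_CREDENTIALS value set on a container, or None."""
    env = pod.get("spec", {}).get("containers", [])[container_index].get("env", [])
    return next((e["value"] for e in env if e.get("name") == ENV_NAME), None)


if __name__ == "__main__":
    # Constructed sample data: a fake key in the controller namespace and a bare Pod.
    store = {CONTROLLER_NS: {"pubsub-sa-key": {KEY_FILE: '{"type": "service_account"}'}}}
    copy_secret(store, "pubsub-sa-key")
    pod = {"metadata": {"name": "hello-app-sm-py-1", "namespace": APP_NS},
           "spec": {"containers": [{"name": "app", "image": "hello-app-sm-py"}]}}
    mutated = inject_credentials(pod, "pubsub-sa-key")
    print(credentials_path(mutated))
```

The `defaultMode: 0400` and `readOnly: true` settings keep the key file unwritable from inside the container; the copied Secret still lives in the application namespace, so anyone with `get secrets` RBAC there can read it, which is why the page keeps the master copy under RBAC in the controller namespace.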

Allowed calls (caller -> callees):

Dev Service -> All
Svc 1 -> Svc 4, Pubsub
Svc 2 -> Svc 1, Svc 4
Svc 3 -> No One
Svc 4 -> Svc 2, Svc 3

External Access via NAT (open)
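The allow matrix above, transcribed into code as an added example (not from the anthos-appconfig repository): `sequence_allowed` evaluates a multi-hop chain the way the `/testcallseq` requests below exercise it, and `ingress_policy` renders one default-deny NetworkPolicy per service admitting only its listed callers. "pubsub" is the in-cluster pubsub service the curl sequences call; "external" stands for anything reached through the NAT, which the page says is open. The pod labels (`app=<service>`), policy names and the service short names are assumptions; the page does not show them.

```python
import json

NAMESPACE = "uc-secrets-k8s"              # from the page
EXTERNAL = "external"                     # anything reached through the NAT
SERVICES = ["dev", "svc-1", "svc-2", "svc-3", "svc-4", "pubsub"]

# caller -> in-cluster callees it may reach, transcribed from the matrix above.
# "pubsub" is the in-cluster pubsub service the curl sequences call.
ALLOWED = {
    "dev":    set(SERVICES) - {"dev"},
    "svc-1":  {"svc-4", "pubsub"},
    "svc-2":  {"svc-1", "svc-4"},
    "svc-3":  set(),
    "svc-4":  {"svc-2", "svc-3"},
    "pubsub": set(),
}


def hop_allowed(src, dst):
    """One hop of a call chain. Egress through the NAT is open per the page."""
    if dst == EXTERNAL:
        return True
    return dst in ALLOWED.get(src, set())


def sequence_allowed(chain):
    """Evaluate an ordered chain like the /testcallseq requests on this page.

    Returns (True, None) if every hop is permitted, otherwise (False, (src, dst))
    naming the first hop the policy would drop.
    """
    for src, dst in zip(chain, chain[1:]):
        if not hop_allowed(src, dst):
            return False, (src, dst)
    return True, None


def callers_of(service):
    """Services allowed to call `service`, sorted for stable manifests."""
    return sorted(c for c, dsts in ALLOWED.items() if service in dsts)


def ingress_policy(service):
    """Render a NetworkPolicy admitting ingress to `service` only from callers_of().

    Selecting a pod with any NetworkPolicy makes all ingress not listed
    default-deny, so an empty `ingress` list isolates the pod completely.
    Pod labels (app=<service>) are an assumption; the page does not show them.
    The "dev" service is also reached from the cluster ingress, which is
    outside the matrix and not rendered here.
    """
    rules = []
    callers = callers_of(service)
    if callers:
        rules.append({"from": [{"podSelector": {"matchLabels": {"app": c}}}
                               for c in callers]})
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-ingress-{service}", "namespace": NAMESPACE},
        "spec": {
            "podSelector": {"matchLabels": {"app": service}},
            "policyTypes": ["Ingress"],
            "ingress": rules,
        },
    }


if __name__ == "__main__":
    # The two chains exercised by curl below, plus one the policy must drop.
    for chain in (["dev", "svc-2", "svc-1", EXTERNAL],
                  ["dev", "svc-2", "svc-1", "pubsub"],
                  ["dev", "svc-2", "svc-3"]):
        print(" -> ".join(chain), sequence_allowed(chain))
    for svc in SERVICES:
        print(json.dumps(ingress_policy(svc), indent=2))
```

The rendered policies only constrain ingress; egress stays open, matching "External Access via NAT (open)". Restricting which service may reach Pub/Sub is therefore done by the topic ACL on the injected service account, not by the network policy.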

Svc 2 -> Svc 1 -> Outbound (Should Work)

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-k8s-appconfigv2-service-sm-2.uc-secrets-k8s/testcallseq&call2=http://app-secrets-k8s-appconfigv2-service-sm-1/testcallseq&call3=https://httpbin.org/get"

Response (Success)

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-7769c48764-mwl4v
host:hello-app-sm-py-1-76b8fb54f8-pkmkj
{
  "args": {},
  "headers": {
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "Host": "httpbin.org",
    "User-Agent": "python-requests/2.22.0"
  },
  "origin": "35.184.53.199, 35.184.53.199",
  "url": "https://httpbin.org/get"
}

Svc 2 -> Svc 1 -> pubsub topic1 Outbound (Should Work)

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-k8s-appconfigv2-service-sm-2.uc-secrets-k8s/testcallseq&call2=http://app-secrets-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic1&message=hello1"

Response (Success)

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-65bb79f7d5-6sxlf
host:hello-app-sm-py-1-669578dd95-pqpnc
Publish Success: 608858688012712

Pull from the subscription to confirm the message was delivered:

gcloud pubsub subscriptions pull --auto-ack appconfigcrd-demo-topic1 --project $PROJECT_NAME
┌────────┬─────────────────┬────────────┐
│  DATA  │    MESSAGE_ID   │ ATTRIBUTES │
├────────┼─────────────────┼────────────┤
│ hello1 │ <Message Id>    │            │
└────────┴─────────────────┴────────────┘

Svc 2 -> Svc 1 -> pubsub topic2 Outbound (Should Fail)

curl "http://${INGRESS_NO_ISTIO_HOST}/testcallseq?call1=http://app-secrets-k8s-appconfigv2-service-sm-2.uc-secrets-k8s/testcallseq&call2=http://app-secrets-k8s-appconfigv2-service-sm-1/testcallseq&call3=http://app-secrets-k8s-appconfigv2-service-pubsub?gcpProjectID=${PROJECT_NAME}&topic=appconfigcrd-demo-topic2&message=hello1"

Response (Error). The service account key injected into the pubsub service has no publish permission on appconfigcrd-demo-topic2, so Pub/Sub rejects the publish with PermissionDenied; this topic-level ACL is what the use case is demonstrating, since the network path is the same one that succeeded for topic1.

host:hello-app-drv-py-1-5c7cdd4947-f75q9
host:hello-app-sm-py-2-65bb79f7d5-6sxlf
host:hello-app-sm-py-1-669578dd95-pqpnc
*Error*-Happened - Making the request-url[http://app-secrets-k8s-appconfigv2-service-sm-1/testcallseq?call3=http%3A%2F%2Fapp-secrets-k8s-appconfigv2-service-pubsub%3Ftopic%3Dappconfigcrd-demo-topic2&message=hello1]
Traceback (most recent call last):
  File "/app/hello_app_sm_py.py", line 141, in testcallseq
    result_text = RestHelper.call_with_sequence(next_call, collection, headers=headers_dict)
  File "/app/http_rest_helper.py", line 54, in call_with_sequence
    raise Exception("Respose Failure for HTTP - {} - {}".format(result.status_code, result.text))
Exception: Respose Failure for HTTP - 500 - Could not publish: rpc error: code = PermissionDenied desc = User not authorized to perform this action.Could not publish: rpc error: code = PermissionDenied desc = User not authorized to perform this action.