support HTTPRoute in authz command (#10)

aatarasoff · Sep 12, 2022 · 00ddabf · 00ddabf
1 parent 7c85c6d
commit 00ddabf
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 3 deletions.
diff --git a/cmd/fastauthz.go b/cmd/fastauthz.go
@@ -43,17 +43,22 @@ func newCmdAuthz() *cobra.Command {
 
 			k8sAPI, err := k8s.NewAPI(kubeconfigPath, kubeContext, impersonate, impersonateGroup, 0)
 
-			authzs, err := common.AuthorizationsForResource(cmd.Context(), k8sAPI, prefetched.AuthorizationPolicies, prefetched.ServerAuthorizations, prefetched.Servers, options.namespace, resource)
+			authzs, err := common.AuthorizationsForResource(cmd.Context(), k8sAPI, prefetched.AuthorizationPolicies, prefetched.HTTPRoutes, prefetched.ServerAuthorizations, prefetched.Servers, options.namespace, resource)
 			if err != nil {
 				fmt.Fprintf(os.Stderr, "Failed to get serverauthorization resources: %s\n", err)
 				os.Exit(1)
 			}
 
 			for _, authz := range authzs {
-				rows = append(rows, table.Row{authz.Server, authz.ServerAuthorization, authz.AuthorizationPolicy})
+				route := "*"
+				if authz.Route != "" {
+					route = authz.Route
+				}
+				rows = append(rows, table.Row{route, authz.Server, authz.ServerAuthorization, authz.AuthorizationPolicy})
 			}
 
 			cols := []table.Column{
+				{Header: "ROUTE", Width: 10, Flexible: true},
 				{Header: "SERVER", Width: 10, Flexible: true},
 				{Header: "SERVER_AUTHORIZATION", Width: 21, Flexible: true},
 				{Header: "AUTHORIZATION_POLICY", Width: 21, Flexible: true},

diff --git a/pkg/k8s.go b/pkg/k8s.go
@@ -19,7 +19,7 @@ type authCandidate struct {
 	Authorization k8s.Authorization
 }
 
-func AuthorizationsForResource(ctx context.Context, k8sAPI *k8s.KubernetesAPI, policies []*policies.AuthorizationPolicy, serverAuthorizations []*serverauthorizationv1beta1.ServerAuthorization, servers []*serverv1beta1.Server, namespace string, resource string) ([]k8s.Authorization, error) {
+func AuthorizationsForResource(ctx context.Context, k8sAPI *k8s.KubernetesAPI, policies []*policies.AuthorizationPolicy, httpRoutes []*policies.HTTPRoute, serverAuthorizations []*serverauthorizationv1beta1.ServerAuthorization, servers []*serverv1beta1.Server, namespace string, resource string) ([]k8s.Authorization, error) {
 	pods, err := k8s.GetPodsFor(ctx, k8sAPI, namespace, resource)
 	if err != nil {
 		return nil, err
@@ -62,6 +62,26 @@ func AuthorizationsForResource(ctx context.Context, k8sAPI *k8s.KubernetesAPI, p
 				}
 			}
 		}
+
+		if target.Kind == k8s.HTTPRouteKind {
+			for _, httpRoute := range httpRoutes {
+				for _, targetRef := range httpRoute.Spec.ParentRefs {
+					if *targetRef.Kind == k8s.ServerKind {
+						for _, srv := range servers {
+							if *targetRef.Kind == k8s.ServerKind && string(targetRef.Name) == srv.GetName() && string(policy.Spec.TargetRef.Name) == httpRoute.GetName() {
+								authorization := k8s.Authorization{
+									Route:               httpRoute.Name,
+									Server:              srv.GetName(),
+									ServerAuthorization: "",
+									AuthorizationPolicy: policy.GetName(),
+								}
+								candidates = append(candidates, authCandidate{Server: *srv, Authorization: authorization})
+							}
+						}
+					}
+				}
+			}
+		}
 	}
 
 	for _, candidate := range candidates {