feat(kuma-cp): implement possibility to select proxies in policies by new kind Dataplane

pkg/plugins/policies/core/matchers/dataplane.go

@@ -162,6 +162,12 @@ func dppSelectedByPolicy(
 			return inbounds, gwListeners, gateway, nil
 		}
 		return []core_rules.InboundListener{}, nil, false, nil
+	case common_api.Dataplane:
+		if allDataplanesSelected(ref) || isSelectedByName(dpp, ref) || isSelectedByLabels(dpp, ref) {
+			inbounds := inboundsSelectedBySectionName(ref.SectionName, dpp)
+			return inbounds, nil, false, nil
+		}
+		return []core_rules.InboundListener{}, nil, false, nil
 	case common_api.MeshSubset:
 		if isSupportedProxyType(ref.ProxyTypes, resolveDataplaneProxyType(dpp)) {
 			inbounds, gwListeners, gateway := inboundsSelectedByTags(ref.Tags, dpp, gateway)
@@ -199,6 +205,44 @@ func dppSelectedByPolicy(
 	}
 }
 
+func allDataplanesSelected(ref common_api.TargetRef) bool {
+	return ref.Name == "" && ref.Namespace == "" && ref.Labels == nil
+}
+
+func inboundsSelectedBySectionName(sectionName string, dpp *core_mesh.DataplaneResource) []core_rules.InboundListener {
+	var selectedInbounds []core_rules.InboundListener
+	for _, inbound := range dpp.Spec.GetNetworking().Inbound {
+		if inbound.State == mesh_proto.Dataplane_Networking_Inbound_Ignored {
+			continue
+		}
+		if sectionName == "" || inbound.Name == sectionName {
+			intf := dpp.Spec.GetNetworking().ToInboundInterface(inbound)
+			selectedInbounds = append(selectedInbounds, core_rules.InboundListener{
+				Address: intf.DataplaneIP,
+				Port:    intf.DataplanePort,
+			})
+		}
+	}
+	return selectedInbounds
+}
+
+func isSelectedByLabels(dpp *core_mesh.DataplaneResource, ref common_api.TargetRef) bool {
+	if ref.Labels == nil {
+		return false
+	}
+
+	for label, value := range ref.Labels {
+		if dpp.GetMeta().GetLabels()[label] != value {
+			return false
+		}
+	}
+	return true
+}
+
+func isSelectedByName(dpp *core_mesh.DataplaneResource, ref common_api.TargetRef) bool {
+	return core_model.GetDisplayName(dpp.GetMeta()) == ref.Name
+}
+
 func dppSelectedByNamespace(meta core_model.ResourceMeta, dpp *core_mesh.DataplaneResource) bool {
 	switch core_model.PolicyRole(meta) {
 	case mesh_proto.ConsumerPolicyRole, mesh_proto.WorkloadOwnerPolicyRole:

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-lables.dataplane.yaml

@@ -0,0 +1,16 @@
+type: Dataplane
+mesh: mesh-1
+name: dp-1
+labels:
+  app: demo
+networking:
+  address: 1.1.1.1
+  inbound:
+    - port: 8080
+      tags:
+        kuma.io/service: web
+        version: v1
+    - port: 8081
+      tags:
+        kuma.io/service: web
+        version: v3

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-lables.golden.yaml

@@ -0,0 +1,18 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      labels:
+        app: demo
+  type: MeshTrafficPermission
+next: null
+total: 0

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-lables.policies.yaml

@@ -0,0 +1,27 @@
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-1
+spec:
+  targetRef:
+    kind: Dataplane
+    labels:
+      app: demo
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Deny
+---
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-2
+spec:
+  targetRef:
+    kind: Dataplane
+    labels:
+      app: test
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Allow

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-name.dataplane.yaml

@@ -0,0 +1,14 @@
+type: Dataplane
+mesh: mesh-1
+name: dp-1
+networking:
+  address: 1.1.1.1
+  inbound:
+    - port: 8080
+      tags:
+        kuma.io/service: web
+        version: v1
+    - port: 8081
+      tags:
+        kuma.io/service: web
+        version: v3

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-name.golden.yaml

@@ -0,0 +1,17 @@
+items:
+- creationTime: "0001-01-01T00:00:00Z"
+  mesh: mesh-1
+  modificationTime: "0001-01-01T00:00:00Z"
+  name: mtp-1
+  spec:
+    from:
+    - default:
+        action: Deny
+      targetRef:
+        kind: Mesh
+    targetRef:
+      kind: Dataplane
+      name: dp-1
+  type: MeshTrafficPermission
+next: null
+total: 0

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/dataplanepolicies/dataplane-targetref-by-name.policies.yaml

@@ -0,0 +1,26 @@
+# 01. policies using kind Dataplane selecting Dataplanes by labels
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-1
+spec:
+  targetRef:
+    kind: Dataplane
+    name: dp-1
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Deny
+---
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-2
+spec:
+  targetRef:
+    kind: Dataplane
+    name: dp-2
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Allow

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/select-single-inbound.dataplane.yaml

@@ -0,0 +1,16 @@
+type: Dataplane
+mesh: mesh-1
+name: dp-1
+networking:
+  address: 1.1.1.1
+  inbound:
+    - port: 8080
+      name: main-port
+      tags:
+        kuma.io/service: web
+        version: v1
+    - port: 8081
+      name: secondary-port
+      tags:
+        kuma.io/service: web
+        version: v3

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/select-single-inbound.golden.yaml

@@ -0,0 +1,39 @@
+Rules:
+  1.1.1.1:8080:
+  - BackendRefOriginIndex: {}
+    Conf:
+      action: AllowWithShadowDeny
+    Origin:
+    - creationTime: "0001-01-01T00:00:00Z"
+      mesh: mesh-1
+      modificationTime: "0001-01-01T00:00:00Z"
+      name: mtp-1
+      type: MeshTrafficPermission
+    Subset:
+    - Key: kuma.io/service
+      Not: false
+      Value: orders
+  - BackendRefOriginIndex: {}
+    Conf:
+      action: Allow
+    Origin:
+    - creationTime: "0001-01-01T00:00:00Z"
+      mesh: mesh-1
+      modificationTime: "0001-01-01T00:00:00Z"
+      name: mtp-1
+      type: MeshTrafficPermission
+    Subset:
+    - Key: kuma.io/service
+      Not: true
+      Value: orders
+  1.1.1.1:8081:
+  - BackendRefOriginIndex: {}
+    Conf:
+      action: Deny
+    Origin:
+    - creationTime: "0001-01-01T00:00:00Z"
+      mesh: mesh-1
+      modificationTime: "0001-01-01T00:00:00Z"
+      name: mtp-1
+      type: MeshTrafficPermission
+    Subset: []

pkg/plugins/policies/core/matchers/testdata/matchedpolicies/fromrules/select-single-inbound.policies.yaml

@@ -0,0 +1,32 @@
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-1
+spec:
+  targetRef:
+    kind: Dataplane
+    name: dp-1
+    sectionName: main-port
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Allow
+    - targetRef:
+        kind: MeshService
+        name: orders
+      default:
+        action: AllowWithShadowDeny
+---
+type: MeshTrafficPermission
+mesh: mesh-1
+name: mtp-1
+spec:
+  targetRef:
+    kind: Dataplane
+    name: dp-1
+    sectionName: secondary-port
+  from:
+    - targetRef:
+        kind: Mesh
+      default:
+        action: Deny

pkg/plugins/policies/meshtimeout/api/v1alpha1/validator.go

@@ -35,17 +35,20 @@ func (r *MeshTimeoutResource) validateTop(targetRef *common_api.TargetRef) valid
 			SupportedKinds: []common_api.TargetRefKind{
 				common_api.Mesh,
 				common_api.MeshSubset,
+				common_api.Dataplane,
 				common_api.MeshGateway,
 				common_api.MeshService,
 				common_api.MeshServiceSubset,
 				common_api.MeshHTTPRoute,
 			},
 			GatewayListenerTagsAllowed: true,
+			IsInboundPolicy:            true,
 		})
 	default:
 		return mesh.ValidateTargetRef(*targetRef, &mesh.ValidateTargetRefOpts{
 			SupportedKinds: []common_api.TargetRefKind{
 				common_api.Mesh,
+				common_api.Dataplane,
 				common_api.MeshSubset,
 				common_api.MeshService,
 				common_api.MeshServiceSubset,

pkg/plugins/policies/meshtrafficpermission/api/v1alpha1/validator.go

@@ -27,7 +27,9 @@ func validateTop(targetRef *common_api.TargetRef) validators.ValidationError {
 			common_api.MeshSubset,
 			common_api.MeshService,
 			common_api.MeshServiceSubset,
+			common_api.Dataplane,
 		},
+		IsInboundPolicy: true,
 	})
 	return targetRefErr
 }