Go-based network automation with YANG models, gRPC, Ansible, Terraform, and Kubernetes integration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
package cni
import (
	"fmt"
	"net/netip"

	"github.com/containernetworking/cni/pkg/skel"

	"github.com/guildhouse-co/kedge/internal/topology"
)
// applySVIDPolicy is the enforcement hook for SVID-scoped network policy on
// the pod's net1 interface: it is where the subnets a pod may reach and the
// mode (overlay/underlay) it may use are meant to be restricted according to
// the pod's SPIFFE identity.
//
// Phase 1 is deliberately permissive: every Bascule runtime pod gets full
// access and this function returns nil without inspecting its arguments, so a
// caller that treats a nil error as "policy in place" is currently fail-open.
//
// Remaining work:
//   - fetch the pod's SPIFFE SVID from the SPIRE agent unix socket
//   - evaluate the SVID against the accord-defined subnet and mode policies
//   - program iptables/nftables rules scoped to the pod's veth pair
func applySVIDPolicy(args *skel.CmdArgs, conf *NetConf, topo *topology.MeshTopology) error {
	// The arguments are intentionally unused until enforcement lands; the
	// blank assignment keeps the intended signature stable for callers.
	_, _, _ = args, conf, topo
	return nil
}
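// PolicyRule defines a subnet access rule scoped to a SPIFFE identity.
//
// A request matches a rule when the SVID is equal, the requested mode is
// permitted by Mode, and the requested destination lies within one of the
// AllowedDst prefixes (see EvaluatePolicy).
type PolicyRule struct {
	SVID       string   // SPIFFE Verifiable Identity Document URI
	AllowedDst []string // Allowed destination CIDRs (a bare IP is treated as a host prefix)
	Mode       string   // "overlay", "underlay", or "both"
	Operations []string // "read", "mutate", "admin"
}

// EvaluatePolicy checks whether the given SVID is authorized for the requested
// destination and mode per the local accord policy.
//
// requestedDst may be a CIDR or a single IP. It is authorized when some rule
// for svid whose Mode is "both" or equals mode lists an AllowedDst entry that
// is byte-identical to requestedDst, or that is a prefix containing all of
// it. A requested prefix broader than every allowed entry is denied. An
// AllowedDst entry that does not parse as a CIDR or IP matches only verbatim,
// so a malformed rule cannot widen access. Operations are not consulted here.
//
// Returns nil when authorized, otherwise an error naming the SVID, destination
// and mode.
func EvaluatePolicy(svid string, rules []PolicyRule, requestedDst string, mode string) error {
	// Parse the requested destination once. If it does not parse, matching is
	// restricted to exact string equality against the rule entries.
	requested, err := parsePolicyPrefix(requestedDst)
	requestedParsed := err == nil

	for i := range rules {
		rule := &rules[i]
		if rule.SVID != svid {
			continue
		}
		if rule.Mode != "both" && rule.Mode != mode {
			continue
		}
		for _, allowed := range rule.AllowedDst {
			if allowed == requestedDst {
				return nil
			}
			if !requestedParsed {
				continue
			}
			allowedPrefix, err := parsePolicyPrefix(allowed)
			if err != nil {
				continue // malformed rule entry: verbatim match only
			}
			if prefixWithin(requested, allowedPrefix) {
				return nil
			}
		}
	}
	return fmt.Errorf("SVID %s not authorized for %s in mode %s", svid, requestedDst, mode)
}

// parsePolicyPrefix parses s as a CIDR, or as a single IP which becomes a
// /32 or /128 host prefix. The result is masked to its network address so
// that "10.0.0.1/8" and "10.0.0.0/8" compare alike.
func parsePolicyPrefix(s string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked(), nil
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(addr, addr.BitLen()), nil
}

// prefixWithin reports whether every address of inner lies inside outer:
// same address family, inner at least as specific as outer, and inner's
// (masked) network address contained in outer.
func prefixWithin(inner, outer netip.Prefix) bool {
	if inner.Addr().Is4() != outer.Addr().Is4() {
		return false
	}
	return inner.Bits() >= outer.Bits() && outer.Contains(inner.Addr())
}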