Conversation

@labuladong labuladong (Member) commented Oct 16, 2025

Master https://github.com/streamnative/eng-support-tickets/issues/3263

Example

```yaml
# Enable necessary components
components:
  zookeeper: true
  bookkeeper: true
  broker: true
  autorecovery: true
  proxy: false
  toolset: false

# Enable Istio to trigger AuthorizationPolicy creation
istio:
  enabled: true

# Configure AuthorizationPolicy for ZooKeeper
zookeeper:
  authorizationPolicy:
    from:
      - source:
          principals:
            - "cluster.local/ns/pulsar/sa/pulsar-broker"
            - "cluster.local/ns/pulsar/sa/pulsar-bookie"
      - source:
          namespaces:
            - "pulsar"
            - "monitoring"
    to:
      - operation:
          ports:
            - "2181"
            - "9990"
            - "2888"
            - "3888"
            - "8000"
          methods:
            - "GET"
            - "POST"
          paths:
            - "/metrics"
            - "/health"
          hosts:
            - "zookeeper.pulsar.svc.cluster.local"
            - "*.zookeeper.pulsar.svc.cluster.local"

# Configure AuthorizationPolicy for BookKeeper
bookkeeper:
  authorizationPolicy:
    from:
      - source:
          principals:
            - "cluster.local/ns/pulsar/sa/pulsar-broker"
            - "cluster.local/ns/pulsar/sa/pulsar-proxy"
      - source:
          namespaces:
            - "pulsar"
    to:
      - operation:
          ports:
            - "3181"
            - "8000"
          methods:
            - "GET"
            - "POST"
            - "PUT"
          paths:
            - "/metrics"
            - "/api/v1/*"
          hosts:
            - "bookie.pulsar.svc.cluster.local"
            - "bookkeeper.pulsar.svc.cluster.local"

# Configure AuthorizationPolicy for AutoRecovery
autorecovery:
  authorizationPolicy:
    from:
      - source:
          principals:
            - "cluster.local/ns/pulsar/sa/pulsar-broker"
      - source:
          namespaces:
            - "pulsar"
            - "pulsar-system"
    to:
      - operation:
          ports:
            - "8000"
          methods:
            - "GET"
            - "POST"
          paths:
            - "/metrics"
            - "/recovery/*"
          hosts:
            - "recovery.pulsar.svc.cluster.local"

# Configure AuthorizationPolicy for Broker
broker:
  authorizationPolicy:
    from:
      - source:
          principals:
            - "cluster.local/ns/pulsar/sa/pulsar-proxy"
            - "cluster.local/ns/pulsar/sa/pulsar-broker"
      - source:
          namespaces:
            - "pulsar"
            - "default"
    to:
      - operation:
          ports:
            - "6650"
            - "8080"
            - "9092"
            - "5682"
          methods:
            - "GET"
            - "POST"
            - "PUT"
            - "DELETE"
          paths:
            - "/metrics"
            - "/admin/*"
            - "/lookup/*"
          hosts:
            - "broker.pulsar.svc.cluster.local"
            - "*.broker.pulsar.svc.cluster.local"
```

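An added example (not code from the sn-platform chart or this PR) that models the documented Istio AuthorizationPolicy matching semantics and runs the ZooKeeper values above through them: `from` sources are ORed, `to` operations are ORed, fields inside one source or operation are ANDed, and the HTTP-only fields `methods`/`paths`/`hosts` never match a plain TCP connection. It assumes the chart renders the values as a single ALLOW rule with one `to.operation` entry per list item, so a TCP client on port 2181 is not admitted by that operation while HTTP scrapes of `/metrics` from the `monitoring` namespace are; the request values are constructed.

```python
# Constructed copy of the zookeeper.authorizationPolicy values from the PR description.
ZK_POLICY = {
    "from": [
        {"source": {"principals": ["cluster.local/ns/pulsar/sa/pulsar-broker",
                                   "cluster.local/ns/pulsar/sa/pulsar-bookie"]}},
        {"source": {"namespaces": ["pulsar", "monitoring"]}},
    ],
    "to": [{"operation": {
        "ports": ["2181", "9990", "2888", "3888", "8000"],
        "methods": ["GET", "POST"],
        "paths": ["/metrics", "/health"],
        "hosts": ["zookeeper.pulsar.svc.cluster.local",
                  "*.zookeeper.pulsar.svc.cluster.local"]}}],
}
# Policy list field -> request attribute it is compared against.
FIELDS = {"principals": "principal", "namespaces": "namespace", "ports": "port",
          "methods": "method", "paths": "path", "hosts": "host"}
HTTP_ONLY = ("methods", "paths", "hosts")  # have no meaning for a plain TCP connection


def _matches(value, patterns):
    """Istio-style string match: exact, '*', leading-'*' suffix or trailing-'*' prefix."""
    return any(p == "*" or p == value
               or (p.startswith("*") and value.endswith(p[1:]))
               or (p.endswith("*") and value.startswith(p[:-1])) for p in patterns)


def _block_matches(block, req):
    """Fields inside one source or operation are ANDed; absent fields match anything."""
    return all(_matches(str(req.get(FIELDS[k], "")), v)
               for k, v in block.items() if k in FIELDS)


def _operation_matches(op, req):
    # An ALLOW operation that names HTTP-only fields can never match a TCP
    # connection, so a plain TCP client is refused even though its port is listed.
    if not req.get("method") and any(k in op for k in HTTP_ONLY):
        return False
    return _block_matches(op, req)


def evaluate(policy, req):
    """True if an ALLOW rule built from these values admits `req`, a dict with
    principal, namespace, port and, for HTTP requests, method, path and host."""
    froms, tos = policy.get("from", []), policy.get("to", [])
    # Entries of `from` are ORed with each other, as are entries of `to`;
    # the two lists are then ANDed.
    src_ok = not froms or any(_block_matches(f["source"], req) for f in froms)
    op_ok = not tos or any(_operation_matches(t["operation"], req) for t in tos)
    return src_ok and op_ok
```

Splitting the TCP ports into their own `to.operation` entry without HTTP fields is the usual way to keep the intended restriction on the HTTP ports while still admitting the binary ZooKeeper traffic.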
@labuladong: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@github-actions github-actions bot added the doc-info-missing This pr needs to mark a document option in description label Oct 16, 2025
@labuladong labuladong marked this pull request as ready for review October 17, 2025 02:11
@labuladong labuladong requested review from a team as code owners October 17, 2025 02:11
@Copilot Copilot AI review requested due to automatic review settings October 17, 2025 02:11
@Copilot Copilot AI left a comment

Pull Request Overview

Adds configurable Istio AuthorizationPolicy support for ZooKeeper, BookKeeper, AutoRecovery, and Broker via Helm values, enabling teams to restrict traffic by source and HTTP operation fields when istio.enabled is true.

  • Introduces authorizationPolicy.from and authorizationPolicy.operation (methods/paths/hosts) values for each component
  • Updates the corresponding AuthorizationPolicy templates to render optional from/methods/paths/hosts blocks
  • Minor YAML/quoting cleanups

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| charts/sn-platform/values.yaml | Adds authorizationPolicy configuration blocks for components; minor quoting changes; introduces a YAML issue in pulsar_coordinator.component. |
| charts/sn-platform/templates/zookeeper/zookeeper-authorizationpolicy.yaml | Renders optional from and operation (methods/paths/hosts) under the ZK AuthorizationPolicy. |
| charts/sn-platform/templates/broker/broker-authorizationpolicy.yaml | Renders optional from and operation (methods/paths/hosts) under the Broker AuthorizationPolicy. |
| charts/sn-platform/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml | Renders optional from and operation for BookKeeper and AutoRecovery AuthorizationPolicies. |
| charts/sn-platform-slim/values.yaml | Mirrors authorizationPolicy configuration blocks and introduces the same pulsar_coordinator.component YAML issue. |
| charts/sn-platform-slim/templates/zookeeper/zookeeper-authorizationpolicy.yaml | Same optional from and operation rendering for ZK in slim chart. |
| charts/sn-platform-slim/templates/broker/broker-authorizationpolicy.yaml | Same optional from and operation rendering for Broker in slim chart. |
| charts/sn-platform-slim/templates/bookkeeper/bookkeeper-authorizationpolicy.yaml | Same optional from and operation rendering for BookKeeper and AutoRecovery in slim chart. |

@labuladong labuladong force-pushed the donglai/improve/authorization-policy branch from 3b2119a to 8428a75 Compare October 17, 2025 07:10
@labuladong labuladong force-pushed the donglai/improve/authorization-policy branch from 8428a75 to eb8e27a Compare October 17, 2025 07:31
@labuladong labuladong requested a review from Copilot October 17, 2025 08:20
@Copilot Copilot AI left a comment

Pull Request Overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (4)

@labuladong labuladong merged commit 59d0a85 into master Oct 20, 2025
2 checks passed
@labuladong labuladong deleted the donglai/improve/authorization-policy branch October 20, 2025 09:15