Policies #
The installation of the mirrord operator defines two custom resources in your cluster: the namespaced MirrordPolicy and the cluster-wide MirrordClusterPolicy. With these policies you can limit the use of some features of mirrord for selected targets.
MirrordPolicy and MirrordClusterPolicy have the exact same specification; MirrordPolicy applies only to targets living in the same namespace, while MirrordClusterPolicy applies to all targets in the cluster.
Blockable features #
Currently the set of blockable features contains:
steal - prevents stealing traffic from the targeted pods;
steal-without-filter - prevents stealing traffic from the targeted pods, unless an HTTP filter is used;
mirror - prevents mirroring traffic from the targeted pods.
If you are not using the latest operator version, the set of supported blockable features might be different. In order to see the exact set of features you can block, use the following kubectl command:
kubectl get crd mirrordpolicies.policies.mirrord.metalbear.co -o jsonpath='{.spec.versions[-1].schema.openAPIV3Schema.properties.spec.properties.block.items.enum}'
Restricting targets affected by mirrord policies #
By default, mirrord policies apply to all targets in the namespace or cluster. You can use a target path pattern (.spec.targetPath) and/or a label selector (.spec.selector) in order to limit the targets to which a policy applies.
The target path of a mirrord run is either targetless or has the form <TARGET_TYPE>/<NAME>, followed by an optional /container/<CONTAINER_NAME>, where <TARGET_TYPE> is one of deploy, pod, rollout and statefulset.
Examples for possible target paths:
deploy/boats
pod/boats-5fffb9767c-w92qh
pod/boats-5fffb9767c-w92qh/container/appcontainer
targetless
By specifying a targetPath pattern in the policy, you limit the policy to only apply to runs whose target path matches the specified pattern. The target path pattern can contain ?, which matches a single character, and *, which matches arbitrarily many characters.
For example, "deploy/*" will make a policy apply to any run with a deployment target. "*boats*" will make a policy apply to any target with boats in its name, e.g. pod/boats-2kljw9, pod/whatever-23oije2/container/boats-container, etc.
Note: when the mirrord user specifies a container for the mirrord run, the target path ends with /container/<CONTAINER_NAME>. This means the pattern deploy/my-deployment will not match when a container is specified. That pattern can be changed to deploy/my-deployment* to also match runs with a specified container (but it will then also match deploy/my-deployment-1, etc.).
Please note that the policy is applied according to the target given to mirrord. It is possible for a policy to apply to a deployment target, but not to apply to the deployment's pods when they are targeted directly. For example, the following policy:
apiVersion: policies.mirrord.metalbear.co/v1alpha
kind: MirrordPolicy
metadata:
  name: block-stealing-from-boats-deployment
  namespace: default
spec:
  targetPath: "deploy/boats*"
  block:
    - steal
prevents mirrord users from stealing traffic when using the whole boats deployment as a target. However, a user could still use a specific pod out of that deployment as a target for mirrord and steal its traffic. In order to prevent that, the targetPath pattern or the label selector needs to be changed to match the pods of that deployment.
If a workload is used as a target, this workload's labels are matched against the policy's selector, if set. If a pod is used as a target, the pod's labels are used.
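To make the deployment-versus-pod gap concrete, here is an added example (not code from mirrord or its operator) that models the documented matching rules: targetPath patterns with ? and *, label selectors, namespace scoping, and the difference between steal and steal-without-filter. It assumes the deployment and its pods share a constructed label app: boats; the semantics are a model of what this page describes, not the operator's implementation.

```python
import re

# Constructed model of the matching rules documented above (assumption: this mirrors the
# operator's behaviour; it is not the operator's own code). '*' matches any characters, '/' included.
def path_pattern_matches(pattern: str, target_path: str) -> bool:
    regex = "".join("." if c == "?" else ".*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, target_path) is not None

def policy_applies(policy: dict, target_path: str, target_labels: dict) -> bool:
    """A policy applies when its targetPath pattern (if any) matches the run's target path
    and every matchLabels entry (if any) is present on the workload or pod being targeted."""
    spec = policy["spec"]
    if "targetPath" in spec and not path_pattern_matches(spec["targetPath"], target_path):
        return False
    wanted = spec.get("selector", {}).get("matchLabels", {})
    return all(target_labels.get(key) == value for key, value in wanted.items())

def blocked_features(policies, target_path, target_labels, run_namespace) -> set:
    """Union of blocked features over all policies that apply to this run.
    MirrordPolicy is namespaced; MirrordClusterPolicy applies everywhere."""
    blocked = set()
    for policy in policies:
        if policy["kind"] == "MirrordPolicy" and policy["metadata"]["namespace"] != run_namespace:
            continue
        if policy_applies(policy, target_path, target_labels):
            blocked.update(policy["spec"]["block"])
    return blocked

def steal_allowed(blocked: set, http_filter: bool) -> bool:
    """'steal' blocks stealing outright; 'steal-without-filter' only blocks it when no HTTP filter is set."""
    if "steal" in blocked:
        return False
    return http_filter or "steal-without-filter" not in blocked

# Constructed policies: the page's deployment-only policy, and a label-selector variant
# (assumed label app: boats) that also catches the deployment's pods when targeted directly.
DEPLOY_ONLY = {"kind": "MirrordPolicy", "metadata": {"namespace": "default"},
               "spec": {"targetPath": "deploy/boats*", "block": ["steal"]}}
BY_LABEL = {"kind": "MirrordPolicy", "metadata": {"namespace": "default"},
            "spec": {"selector": {"matchLabels": {"app": "boats"}}, "block": ["steal"]}}
BOATS_LABELS = {"app": "boats"}  # constructed labels shared by the deployment and its pods

if __name__ == "__main__":
    for path in ("deploy/boats", "pod/boats-5fffb9767c-w92qh"):
        print(path, "deploy-only:", blocked_features([DEPLOY_ONLY], path, BOATS_LABELS, "default"),
              "by-label:", blocked_features([BY_LABEL], path, BOATS_LABELS, "default"))
```

Running it shows the pod path escaping the targetPath-only policy while the label-based policy blocks steal for both the deployment and its pod.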
Another example of a policy:
apiVersion: policies.mirrord.metalbear.co/v1alpha
kind: MirrordPolicy
metadata:
  name: block-unfiltered-stealing-from-webserver-deployments
  namespace: books
spec:
  targetPath: "deploy/*"
  selector:
    matchLabels:
      component: webserver
  block:
    - steal-without-filter
    - mirror
This policy blocks mirroring and unfiltered stealing of traffic coming to all deployments in the namespace books which are marked with the label component: webserver.