ℹ️ Note
This repository is part of the PoliFlow framework.
For more details, please refer to: https://github.com/ATNoG/poliflow
Extension to the Knative queue-proxy for enforcing rules defined by the PoliFlow Extractor.
The image can be built using the build.sh Bash script.
However, before building, it is necessary to set the KO_DOCKER_REPO variable to the container registry to which the image will be pushed.
The Kubernetes cluster that runs the Knative Services protected by the Enforcer also needs some configuration.
These can be automatically set by running the patch.sh script.
Note, however, that the script will only run successfully if Knative is already installed in the cluster.
Moreover, the script needs a small modification to set the correct container registry (the same one set with KO_DOCKER_REPO for the build.sh script).
Regarding the Enforcer usage, Knative Services must have the following metadata annotations to work with this plugin:
```yaml
spec:
  template:
    metadata:
      annotations:
        qpoption.knative.dev/flow-activate: enable
        qpoption.knative.dev/flow-config-allowed_json_flows: |
          <extracted allowed paths>
        qpoption.knative.dev/flow-config-type: event
```

The plugin is activated for any service that has the annotation qpoption.knative.dev/flow-activate set to enable.
Then, the allowed paths extracted by the PoliFlow Enforcer must be set (in JSON) as the value of the qpoption.knative.dev/flow-config-allowed_json_flows annotation.
Finally, qpoption.knative.dev/flow-config-type is an optional annotation that can be used to set the type of protected Knative Service.
It accepts the values function (default) and event, the latter used to define BaaS services (such as databases, which are called through callbacks within the workflow).
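A pre-deployment check for the annotations described above, added here as an example (it is not part of the PoliFlow code base). It assumes input in the shape of `kubectl get ksvc -o json`; the function names and the sample services are constructed, and the flow values are placeholders because the Extractor's JSON schema is not shown on this page.

```python
import json

PREFIX = "qpoption.knative.dev/"
ACTIVATE = PREFIX + "flow-activate"
FLOWS = PREFIX + "flow-config-allowed_json_flows"
TYPE = PREFIX + "flow-config-type"

def audit_service(svc):
    """Return the problems found in one Knative Service's Enforcer annotations."""
    ann = (svc.get("spec", {}).get("template", {})
              .get("metadata", {}).get("annotations") or {})
    if ann.get(ACTIVATE) != "enable":
        return ["enforcer not activated (%s is not 'enable')" % ACTIVATE]
    problems = []
    flows = ann.get(FLOWS, "")
    if not flows.strip():
        problems.append("%s is missing or empty" % FLOWS)
    else:
        try:
            json.loads(flows)  # the README requires the allowed paths in JSON
        except ValueError as exc:
            problems.append("%s is not valid JSON: %s" % (FLOWS, exc))
    svc_type = ann.get(TYPE, "function")  # function is the documented default
    if svc_type not in ("function", "event"):
        problems.append("%s has unsupported value %r" % (TYPE, svc_type))
    return problems

def audit(doc):
    """Map service name -> problems, for one Service or a List of Services."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    return {s["metadata"]["name"]: audit_service(s) for s in items}

def _svc(name, ann):
    # Helper that builds a constructed, minimal Knative Service object.
    return {"kind": "Service", "metadata": {"name": name},
            "spec": {"template": {"metadata": {"annotations": ann}}}}

# Constructed sample data; the flow values are placeholders, not real policies.
SAMPLE = {"kind": "List", "items": [
    _svc("orders", {ACTIVATE: "enable", FLOWS: '{"placeholder": []}', TYPE: "event"}),
    _svc("billing", {ACTIVATE: "enable", FLOWS: '{"placeholder": ['}),
    _svc("legacy", {FLOWS: "{}"}),
    _svc("db", {ACTIVATE: "enable", FLOWS: "[]", TYPE: "baas"}),
]}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Running the check in CI before applying manifests surfaces services that would be deployed without the Enforcer active, or with an annotation value the README does not list.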