Docs: Add new Kafka Role to the docs

This change fixes the `Policy` docs to reflect the new `Kafka Role` Fixes: #3118 Signed-off-by: Manali Bhutiyani <manali@covalent.io>
cilium · Mar 19, 2018 · 796ad0e · 796ad0e
1 parent cfe4b64
commit 796ad0e
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 7 deletions.
diff --git a/Documentation/policy/language.rst b/Documentation/policy/language.rst
@@ -527,18 +527,30 @@ if all fields are empty or missing, the rule will match all Kafka messages.
 
 The following fields can be matched on:
 
-
-APIVersion
-  APIVersion is the version matched against the api version of the Kafka
-  message. If set, it has to be a string representing a positive integer. If
-  omitted or empty, all versions are allowed.
+Role
+  Role is a case-insensitive string and describes a group of API keys
+  necessary to perform certain higher level Kafka operations such as "produce"
+  or "consume". A Role automatically expands into all APIKeys required
+  to perform the specified higher level operation.
+
+  The following values are supported:
+	- "produce": Allow producing to the topics specified in the rule
+	- "consume": Allow consuming from the topics specified in the rule
+  This field is incompatible with the APIKey field, either APIKey or Role
+  may be specified. If omitted or empty, all keys are allowed, if APIKey is also
+  the empty
 
 APIKey
   APIKey is a case-insensitive string matched against the key of a request,
   e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference:
   https://kafka.apache.org/protocol#protocol_api_keys.  If omitted or empty,
   all keys are allowed.
 
+APIVersion
+  APIVersion is the version matched against the api version of the Kafka
+  message. If set, it has to be a string representing a positive integer. If
+  omitted or empty, all versions are allowed.
+
 ClientID
   ClientID is the client identifier as provided in the request.
 
@@ -566,8 +578,25 @@ Topic
 
   If omitted or empty, all topics are allowed.
 
-Only allow producing to topic empire-announce
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Only allow producing to topic empire-announce using Role
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. only:: html
+
+   .. tabs::
+     .. group-tab:: k8s YAML
+
+        .. literalinclude:: ../../examples/policies/l7/kafka/kafka-Role.yaml
+     .. group-tab:: JSON
+
+        .. literalinclude:: ../../examples/policies/l7/kafka/kafka-Role.json
+
+.. only:: epub or latex
+
+        .. literalinclude:: ../../examples/policies/l7/kafka/kafka-Role.json
+
+Only allow producing to topic empire-announce using apiKeys
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. only:: html
 

diff --git a/examples/policies/l7/kafka/kafka-Role.json b/examples/policies/l7/kafka/kafka-Role.json
@@ -0,0 +1,20 @@
+[{
+  "labels": [{"key": "name", "value": "rule1"}],
+  "endpointSelector": {"matchLabels": {"app": "kafka"}},
+  "ingress": [{
+    "fromEndpoints": [
+      {"matchLabels": {"app": "empire-hq"}}
+    ],
+    "toPorts": [{
+      "ports": [
+        {"port": "9092", "protocol": "TCP"}
+      ],
+      "rules": {
+        "kafka": [
+            {"Role": "produce","topic": "deathstar-plans"},
+            {"Role": "produce", "topic": "empire-announce"}
+        ]
+      }
+    }]
+  }]
+}]
diff --git a/examples/policies/l7/kafka/kafka-Role.yaml b/examples/policies/l7/kafka/kafka-Role.yaml
@@ -0,0 +1,23 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumNetworkPolicy
+description: "enable empire-hq to produce to empire-announce and deathstar-plans"
+metadata:
+  name: "rule1"
+spec:
+  endpointSelector:
+    matchLabels:
+      app: kafka
+  ingress:
+  - fromEndpoints:
+    - matchLabels:
+        app: empire-hq
+    toPorts:
+    - ports:
+      - port: "9092"
+        protocol: TCP
+      rules:
+        kafka:
+        - Role: "produce"
+          topic: "deathstar-plans"
+        - Role: "produce"
+          topic: "empire-announce"