Applying security policies through tyk-operator (oss)

We have applied the SecurityPolicy given here through tyk-operator, and it is reflected when we run the command below:

kubectl get securitypolicy -n tyk

But when I try to generate an OAuth client with this security policy by giving the policy_id, it throws an error saying the policy was not found.
When I checked the policies.json file inside the pod, this security policy was not present there either.

After I added this policy manually to the policies.json file, I was able to create OAuth clients.

Am I missing something in this policy, or is security policy creation not supported through the operator?

Below are the error messages logged when I create a security policy through the operator:

{"level":"info","ts":1618821237.1511142,"logger":"securitypolicy-resource","msg":"default","name":"oauth-provider-policy"}
{"level":"info","ts":1618821237.1809022,"logger":"securitypolicy-resource","msg":"validate create","name":"oauth-provider-policy"}
{"level":"info","ts":1618821237.191932,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"tyk/oauth-provider-policy"}
{"level":"info","ts":1618821237.1919882,"logger":"controllers.SecurityPolicy","msg":"updating access rights"}
{"level":"info","ts":1618821237.2210846,"logger":"controllers.SecurityPolicy","msg":"Call","Method":"GET","URL":"http://tyk-svc.tyk.svc.cluster.local:8080/tyk/apis/dHlrL29hdXRoLXByb3ZpZGVyLWFwaQ","Status":200}
{"level":"info","ts":1618821237.221413,"logger":"controllers.SecurityPolicy","msg":"Creating  policy"}
{"level":"error","ts":1618821237.2214265,"logger":"controllers.SecurityPolicy","msg":"Failed to create policy","error":"TODO: This feature is not implemented yet","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/TykTechnologies/tyk-operator/controllers.(*SecurityPolicyReconciler).create\n\t/workspace/controllers/securitypolicy_controller.go:172\ngithub.com/TykTechnologies/tyk-operator/controllers.(*SecurityPolicyReconciler).Reconcile.func1\n\t/workspace/controllers/securitypolicy_controller.go:92\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.mutate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:228\nsigs.k8s.io/controller-runtime/pkg/controller/controllerutil.CreateOrUpdate\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/controller/controllerutil/controllerutil.go:212\ngithub.com/TykTechnologies/tyk-operator/controllers.(*SecurityPolicyReconciler).Reconcile\n\t/workspace/controllers/securitypolicy_controller.go:65\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:244\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"}
{"level":"error","ts":1618821237.2215466,"logger":"controller","msg":"Reconciler error","reconcilerGroup":"tyk.tyk.io","reconcilerKind":"SecurityPolicy","controller":"securitypolicy","name":"oauth-provider-policy","namespace":"tyk","error":"TODO: This feature is not implemented yet","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:246\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:197\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"}

Here it is saying “This feature is not implemented yet”.
Has Admin API support been added for Security Policies? Are there any other ways of adding these for OSS other than adding them manually inside the pod?

Is there any other way of doing this other than adding it manually inside the pod?

Hi Anup.

No, there isn’t. If you are using OSS without the Tyk Dashboard, you need to mount the policy inside the pod.

Tyk Operator v0.13.0 has added support for security policies for OSS users! You can use the SecurityPolicy CRD to protect your APIs now. Note this feature requires Tyk Gateway v4.1 or later.
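
The situation in the question, where `kubectl get securitypolicy` lists the object while the operator log shows its reconcile failing, can be checked mechanically. The following is an added example, not part of the thread or of Tyk's code: it reads operator log lines in the JSON shape quoted above and reports SecurityPolicy objects whose latest reconcile attempt ended in an error. The sample log is constructed (stack traces omitted, and `example-policy` is a made-up name for contrast).

```python
import json

# Constructed sample in the shape of the operator log lines quoted in the thread.
# Stack traces are omitted; "example-policy" is a made-up name for contrast.
SAMPLE_LOG = """\
{"level":"info","ts":1618821237.19,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"tyk/oauth-provider-policy"}
{"level":"error","ts":1618821237.22,"logger":"controller","msg":"Reconciler error","reconcilerGroup":"tyk.tyk.io","reconcilerKind":"SecurityPolicy","controller":"securitypolicy","name":"oauth-provider-policy","namespace":"tyk","error":"TODO: This feature is not implemented yet"}
{"level":"info","ts":1618821300.01,"logger":"controllers.SecurityPolicy","msg":"Reconciling SecurityPolicy instance","SecurityPolicy":"tyk/example-policy"}
not-json line mixed into the stream
"""


def reconcile_status(log_text, kind="SecurityPolicy"):
    """Map "namespace/name" to the last reconcile error logged for it.

    None means a reconcile attempt was logged and no error followed it.
    """
    status = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # tolerate non-JSON noise in the log stream
        if not isinstance(rec, dict):
            continue
        if rec.get("msg") == f"Reconciling {kind} instance" and kind in rec:
            status[rec[kind]] = None  # a new attempt clears an earlier error
        elif rec.get("msg") == "Reconciler error" and rec.get("reconcilerKind") == kind:
            key = f'{rec.get("namespace")}/{rec.get("name")}'
            status[key] = rec.get("error", "unknown error")
    return status


def failed_policies(log_text):
    """Objects whose latest reconcile attempt ended in an error."""
    return {k: v for k, v in reconcile_status(log_text).items() if v is not None}


if __name__ == "__main__":
    for obj, err in failed_policies(SAMPLE_LOG).items():
        print(f"{obj}: present in Kubernetes, reconcile failed ({err})")
```

A policy reported here exists as a Kubernetes object but should not be assumed to be loaded by the gateway.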