US-12625719-B2 - Dynamic visibility and authorization policy management for a cloud service platform
Abstract
Architectures and techniques are described that can improve cloud service platforms by improving developer experiences throughout the development process and lifecycle of project offerings and by reducing platform resources utilized to facilitate the development process of the project offerings. For example, a container orchestration platform can be modified to allow policies for a project to be automatically generated, using templates, based on a declarative approach. By subsequently modifying the generated policies (e.g., creating different versions for different testing configurations), the projects can be conveniently tested against stable environments without the need to instantiate new instances of these stable environments for each offering under test.
Inventors
- Ameer Jabbar
- Juan Pablo Jofre
- Ching-Yun Chao
Assignees
- DELL PRODUCTS, L.P.
Dates
- Publication Date: 20260512
- Application Date: 20230711
Claims (20)
- 1. A device, comprising: at least one processor; and at least one memory that stores executable instructions that, when executed by the at least one processor, facilitate performance of operations, comprising: establishing a connection with a user interface element that is, based on developer identifier data, configured to receive declarative data indicative of a declarative approach for definition of policies for an application programming interface of a microservice, the declarative data comprising visibility data and authorization data; receiving, from the user interface element, the visibility data indicative of a declaration of a type of visibility to be applied to the application programming interface; receiving, from the user interface element, the authorization data indicative of a declaration of access control permissions to access the application programming interface; selecting at least one template based on the declarative data; generating a group of policy files based on the at least one template, the group of policy files comprising: a network policy file that is generated based on the visibility data and the at least one template; and an access control policy file that is generated based on the authorization data and the at least one template; and in response to determining that the microservice, residing in a first cluster of a container orchestration platform, is to be tested with respect to a second cluster, different than the first cluster, of the container orchestration platform, performing a policy modification procedure that modifies the group of policy files based on information associated with the second cluster.
- 2. The device of claim 1, wherein the developer identifier data is indicative of a namespace, of a developer entity associated with the microservice, of a container orchestration platform.
- 3. The device of claim 2, wherein the type of visibility is: a public type that indicates the application programming interface is to be visible to first entities outside of a network of the developer entity; an internal type that indicates the application programming interface is to be visible only to second entities that are included in the network of the developer entity; or a private type that indicates the application programming interface is to be visible only to third entities that are included in the namespace of the developer entity.
- 4. The device of claim 1, wherein the authorization data further comprises one or more permissions and conditions, satisfaction of which allows access to the application programming interface.
- 5. The device of claim 1, wherein the operations further comprise, storing data of the network policy file to a configuration file or a policy file of an associated container orchestration platform.
- 6. The device of claim 1, wherein the operations further comprise, storing the access control policy file to a distributed access control policy data store configured as a shared store for multiple access control policy files for multiple different entities that utilize an associated container orchestration platform.
- 7. The device of claim 6, wherein the access control policy file is indexed within the distributed access control policy data store by a unique identifier.
- 8. The device of claim 7, wherein the unique identifier comprises: a namespace identifier indicative of a namespace of the associated container orchestration platform that includes the application programming interface; and a cluster identifier indicative of a cluster name of the associated container orchestration platform.
- 9. The device of claim 1, wherein the operations further comprise, in response to a determination that the microservice represents a new microservice to be deployed to the container orchestration platform, updating an ingress gateway policy and a network policy of the second cluster to route traffic between the first cluster and the second cluster.
- 10. The device of claim 1, wherein the operations further comprise, in response to a determination that the microservice represents an updated version of a previous microservice deployed to the container orchestration platform, updating an ingress gateway policy and a network policy of the second cluster to route traffic intended for the previous microservice of the second cluster to the microservice of the first cluster.
- 11. The device of claim 1, wherein the first cluster and the second cluster are different ones of a group of clusters comprising a development cluster, a testing cluster, a staging cluster, a pre-production cluster, or a production cluster.
- 12. A non-transitory computer-readable medium comprising instructions that, in response to execution, cause a system comprising at least one processor to perform operations, comprising: receiving, from a user interface element that is configured to receive as input declarative data indicative of a declarative process applicable to policies for an application programming interface of a microservice configured to execute on a container orchestration platform, the declarative data comprising: visibility data indicative of a declaration of a type of visibility to be applied to the application programming interface; and authorization data indicative of a declaration of access control permissions to access the application programming interface; determining at least one template as a function of the declarative data; utilizing the at least one template to create a group of policy files comprising: a network policy file that is generated based on the visibility data and the at least one template, and an access control policy file that is generated based on the authorization data and the at least one template; and in response to determining that the microservice, residing in a first cluster of the container orchestration platform, is to be tested with respect to a second cluster, different than the first cluster, of the container orchestration platform, performing a policy modification procedure that modifies the group of policy files based on information associated with the second cluster.
- 13. The non-transitory computer-readable medium of claim 12, wherein the operations further comprise, storing the access control policy file to a distributed access control policy data store configured as a shared store for multiple access control policy files for multiple different entities that utilize the container orchestration platform.
- 14. The non-transitory computer-readable medium of claim 13, wherein the access control policy file is indexed within the distributed access control policy data store by a unique identifier comprising at least one of a namespace identifier or a cluster identifier.
- 15. A method, comprising: connecting, by a device comprising at least one processor, to a user interface element that is configured to receive declarative data indicative of a declarative approach to define policies for an application programming interface of a microservice configured to execute on a container orchestration platform, the declarative data comprising visibility data and authorization data; receiving, by the device and from the user interface element, the visibility data indicative of a declaration of a type of visibility to be applied to the application programming interface; receiving, by the device and from the user interface element, the authorization data indicative of a declaration of access control permissions to access the application programming interface; determining, by the device, at least one template as a function of the declarative data; employing, by the device, the at least one template to create a group of policy files comprising: a network policy file that is generated based on the visibility data and the at least one template, and an access control policy file that is generated based on the authorization data and the at least one template; and in response to determining that the microservice, residing in a first cluster of the container orchestration platform, is to be tested with respect to a second cluster, different than the first cluster, of the container orchestration platform, performing, by the device, a policy modification procedure that modifies the group of policy files based on information associated with the second cluster.
- 16. The method of claim 15, further comprising storing, by the device, the access control policy file to a distributed access control policy data store configured as a shared store for multiple access control policy files for multiple different entities that utilize the container orchestration platform.
- 17. The method of claim 16, further comprising indexing, by the device, the access control policy file within the distributed access control policy data store by a unique identifier.
- 18. The method of claim 15, wherein connecting to the user interface element comprises connecting to the user interface element based on developer identifier data, and wherein the developer identifier data is indicative of a namespace, of a developer entity associated with the microservice, of a container orchestration platform.
- 19. The method of claim 15, wherein the authorization data further comprises one or more permissions and conditions, satisfaction of which allows access to the application programming interface.
- 20. The method of claim 15, further comprising: storing, by the device, data of the network policy file to a configuration file or a policy file of an associated container orchestration platform.
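As an added example that is not the patent's own implementation, the following Python sketches the generation step of claims 1 to 8 (declarative visibility and authorization data, a template per visibility type, a network policy file and an access control policy file keyed by namespace and cluster) and the policy modification procedure of claims 9 and 10. The mapping of the three visibility types to Kubernetes NetworkPolicy ingress peers, the access-policy document shape, and the gateway route shape are assumptions made for this example.

```python
import copy
from dataclasses import dataclass

# Templates for the visibility types of claim 3; the mapping to NetworkPolicy peers is an assumption.
VISIBILITY_PEERS = {
    "public": {"ipBlock": {"cidr": "0.0.0.0/0"}},   # reachable from outside the developer's network
    "internal": {"namespaceSelector": {}},          # any namespace in the developer's network (cluster)
    "private": {"podSelector": {}},                 # only pods in the developer's own namespace
}

@dataclass(frozen=True)
class Declaration:
    namespace: str       # developer identifier data: the developer's namespace (claim 2)
    cluster: str         # cluster the microservice currently resides in
    service: str
    port: int
    visibility: str      # visibility data
    permissions: tuple   # authorization data: permitted methods
    conditions: dict     # authorization data: conditions that must be satisfied

def policy_key(namespace, cluster):
    """Unique identifier for the shared access-control store: namespace plus cluster name (claim 8)."""
    return f"{namespace}/{cluster}"

def generate_policies(decl):
    """Select the template from the declaration and emit the network and access control policy files."""
    if decl.visibility not in VISIBILITY_PEERS:
        raise ValueError(f"unknown visibility type: {decl.visibility}")   # no fallback to a permissive default
    if not decl.permissions:
        raise ValueError("authorization data must grant at least one permission")
    network_policy = {
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": f"{decl.service}-visibility", "namespace": decl.namespace},
        "spec": {"podSelector": {"matchLabels": {"app": decl.service}}, "policyTypes": ["Ingress"],
                 "ingress": [{"from": [copy.deepcopy(VISIBILITY_PEERS[decl.visibility])],
                              "ports": [{"protocol": "TCP", "port": decl.port}]}]}}
    access_policy = {   # hypothetical document shape for the distributed access control policy store
        "id": policy_key(decl.namespace, decl.cluster), "service": decl.service,
        "rules": [{"allow": list(decl.permissions), "when": dict(decl.conditions)}]}
    return network_policy, access_policy

def modify_for_test(decl, access_policy, stable_cluster, previous_version=False):
    """Policy modification procedure (claims 9 and 10): re-key a copy of the access policy for the stable
    cluster and emit an ingress-gateway route (hypothetical shape) that sends the stable cluster's traffic
    for this service to the microservice under test in the dev cluster, instead of cloning the stable cluster."""
    test_policy = copy.deepcopy(access_policy)           # the original file for the dev cluster is left intact
    test_policy["id"] = policy_key(decl.namespace, stable_cluster)
    route = {"cluster": stable_cluster,
             "match": {"host": f"{decl.service}.{decl.namespace}", "methods": list(decl.permissions)},
             "destination": {"cluster": decl.cluster, "namespace": decl.namespace, "service": decl.service},
             "replaces_existing": previous_version}      # claim 10: divert traffic meant for the previous version
    return test_policy, route
```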
Description
BACKGROUND
A common arrangement today relates to consuming offers and services provided by a cloud service platform. Many cloud service platform providers also enable value-add resellers and third-party vendors to develop solutions (e.g., applications or microservices) on that provider's cloud service platforms. By opening the cloud service platform to serve as a development platform for others, cloud service platform providers can build an ecosystem to create new offers and services for their cloud service platform. This approach can operate to grow the customer base of the cloud service platform, for instance, by creating a win-win situation among customers, value-add resellers, third-party vendors, and the cloud service platform provider.
BRIEF DESCRIPTION OF THE DRAWINGS
Numerous aspects, embodiments, objects, and advantages of the present embodiments will be apparent upon consideration of the following detailed description, taken in conjunction with the accompanying drawings, in which like reference characters refer to like parts throughout, and in which:
- FIG. 1 depicts a schematic block diagram illustrating an example device 100 that can automatically generate policies based on high-level declarations in accordance with certain embodiments of this disclosure;
- FIG. 2 depicts a schematic block diagram illustrating an example device 200 that can modify one or more of the group of policy files 128 to reduce resource allocation associated with testing microservice 116 in accordance with certain embodiments of this disclosure;
- FIG. 3 depicts a schematic block diagram 300 illustrating an example system in which a microservice in a dev cluster can be tested against a staging cluster stable environment in accordance with certain embodiments of this disclosure;
- FIG. 4 depicts a schematic block diagram 400 illustrating an example system in which a new microservice in a dev cluster can be tested against a staging cluster stable environment in accordance with certain embodiments of this disclosure;
- FIG. 5 depicts a schematic block diagram 500 illustrating an example system in which a new version of a microservice in a dev cluster can be tested against a staging cluster stable environment having a previous version of the microservice in accordance with certain embodiments of this disclosure;
- FIG. 6 depicts a schematic block diagram 600 illustrating an example system in which a microservice in a dev cluster can be tested against a production cluster as part of the stable environment in accordance with certain embodiments of this disclosure;
- FIG. 7 depicts a schematic block diagram 700 illustrating an example system in which network policies of a microservice can be enforced upon deployment of the microservice in accordance with certain embodiments of this disclosure;
- FIG. 8 illustrates an example method that can automatically generate policies based on high-level declarations in accordance with certain embodiments of this disclosure;
- FIG. 9 illustrates an example method that can provide for additional aspects or elements in connection with automatically generating policies based on high-level declarations in accordance with certain embodiments of this disclosure;
- FIG. 10 illustrates a block diagram of an example distributed file storage system that employs tiered cloud storage in accordance with certain embodiments of this disclosure; and
- FIG. 11 illustrates an example block diagram of a computer operable to execute certain embodiments of this disclosure.
DETAILED DESCRIPTION
Overview
As noted in the Background section, it can be advantageous to all parties involved to position a cloud service platform as a development platform. However, doing so requires more than merely exposing some application programming interfaces (APIs) to third-party developers so that those developers can build value-add offerings or new services. To attract developers to the platform or to accelerate growth of an ecosystem, a platform typically should attempt to create a superior developer experience. This can include simplifying or automating certain development operations, which can operate to improve developer experiences and/or reduce related development costs, both in terms of time and money. Likewise, a successful platform might also reduce the operational costs to the platform, e.g., to scale the platform with optimal investment, such as by reducing the resources required for developers to develop, test, and deploy their solutions. In that regard, the disclosed subject matter can, in certain embodiments, employ techniques to automate the creation of policies (e.g., visibility policies, access control policies, and/or authorization policies) by which the microservice (or application) that is being developed will interact with other entities on the cloud service platform. Moreover, by dynamically modifying those policies, for instance, at various stages of the development process, the resources typically required for testing can be