Add docs for component denylist in Configuration CRD (#2854)

Fixes #2704 Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> Signed-off-by: ItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com> Co-authored-by: Mark Fussell <markfussell@gmail.com>
2022-10-05 14:35:05 -07:00 · 2022-10-05 14:35:05 -07:00 · a3025dcb37
parent da492c4de3
commit a3025dcb37
1 changed files with 57 additions and 18 deletions
--- a/daprdocs/content/en/operations/configuration/configuration-overview.md
+++ b/daprdocs/content/en/operations/configuration/configuration-overview.md
@ -11,11 +11,13 @@ description: "Information on Dapr configuration and how to set options for your
 ### Setup sidecar configuration

 #### Self-hosted sidecar
+
 In self hosted mode the Dapr configuration is a configuration file, for example `config.yaml`. By default the Dapr sidecar looks in the default Dapr folder for the runtime configuration eg: `$HOME/.dapr/config.yaml` in Linux/MacOS and `%USERPROFILE%\.dapr\config.yaml` in Windows.

-A Dapr sidecar can also apply a configuration by using a ```--config``` flag to the file path with ```dapr run``` CLI command.
+A Dapr sidecar can also apply a configuration by using a `--config` flag to the file path with `dapr run` CLI command.

 #### Kubernetes sidecar
+
 In Kubernetes mode the Dapr configuration is a Configuration CRD, that is applied to the cluster. For example:

 ```bash
@ -28,7 +30,7 @@ You can use the Dapr CLI to list the Configuration CRDs
 dapr configurations -k
 ```

-A Dapr sidecar can apply a specific configuration by using a ```dapr.io/config``` annotation. For example:
+A Dapr sidecar can apply a specific configuration by using a `dapr.io/config` annotation. For example:

 ```yml
  annotations:
@ -37,17 +39,22 @@ A Dapr sidecar can apply a specific configuration by using a ```dapr.io/config``
    dapr.io/app-port: "3000"
    dapr.io/config: "myappconfig"
 ```
+
 Note: There are more [Kubernetes annotations]({{< ref "arguments-annotations-overview.md" >}}) available to configure the Dapr sidecar on activation by sidecar Injector system service.

 ### Sidecar configuration settings

 The following configuration settings can be applied to Dapr application sidecars:
+
 - [Tracing](#tracing)
 - [Metrics](#metrics)
 - [Middleware](#middleware)
- [Scoping secrets for secret stores](#scoping-secrets-for-secret-stores)
- [Access control allow lists for service invocation](#access-control-allow-lists-for-service-invocation)
- [Example application sidecar configuration](#example-application-sidecar-configuration)
+- [Scope secret store access](#scope-secret-store-access)
+- [Access Control allow lists for building block APIs](#access-control-allow-lists-for-building-block-apis)
+- [Access Control allow lists for service invocation API](#access-control-allow-lists-for-service-invocation-api)
+- [Disallow usage of certain component types](#disallow-usage-of-certain-component-types)
+- [Turning on preview features](#turning-on-preview-features)
+- [Example sidecar configuration](#example-sidecar-configuration)

 #### Tracing

@ -69,7 +76,6 @@ The following table lists the properties for tracing:
 | `samplingRate` | string | Set sampling rate for tracing to be enabled or disabled.
 | `zipkin.endpointAddress` | string | Set the Zipkin server address.

-
 `samplingRate` is used to enable or disable the tracing. To disable the sampling rate ,
 set `samplingRate : "0"` in the configuration. The valid range of samplingRate is between 0 and 1 inclusive. The sampling rate determines whether a trace span should be sampled or not based on value. `samplingRate : "1"` samples all traces. By default, the sampling rate is (0.0001) or 1 in 10,000 traces.

@ -96,7 +102,7 @@ See [metrics documentation]({{< ref "metrics-overview.md" >}}) for more informat

 #### Middleware

-Middleware configuration set named Http pipeline middleware handlers
+Middleware configuration set named HTTP pipeline middleware handlers
 The `httpPipeline` section under the `Configuration` spec contains the following properties:

 ```yml
@ -118,18 +124,45 @@ The following table lists the properties for HTTP handlers:
 See [Middleware pipelines]({{< ref "middleware.md" >}}) for more information

 #### Scope secret store access
+
 See the [Scoping secrets]({{< ref "secret-scope.md" >}}) guide for information and examples on how to scope secrets to an application.

 #### Access Control allow lists for building block APIs
+
 See the [selectively enable Dapr APIs on the Dapr sidecar]({{< ref "api-allowlist.md" >}}) guide for information and examples on how to set ACLs on the building block APIs lists.

 #### Access Control allow lists for service invocation API
+
 See the [Allow lists for service invocation]({{< ref "invoke-allowlist.md" >}}) guide for information and examples on how to set allow lists with ACLs which using service invocation API.

+#### Disallow usage of certain component types
+
+Using the `components.deny` property in the `Configuration` spec you can specify a denylist of component types that cannot be initialized.
+
+For example, the configuration below disallows the initialization of components of type `bindings.smtp` and `secretstores.local.file`:
+
+```yaml
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+  name: myappconfig
+spec: 
+  components:
+    deny:
+      - bindings.smtp
+      - secretstores.local.file
+```
+
+You can optionally specify a version to disallow by adding it at the end of the component name. For example, `state.in-memory/v1` disables initializing components of type `state.in-memory` and version `v1`, but does not disable a (hypothetical) `v2` version of the component.
+
+> Note: One special note applies to the component type `secretstores.kubernetes`. When you add that component to the denylist, Dapr forbids the creation of _additional_ components of type `secretstores.kubernetes`. However, it does not disable the built-in Kubernetes secret store, which is created by Dapr automatically and is used to store secrets specified in Components specs. If you want to disable the built-in Kubernetes secret store, you need to use the `dapr.io/disable-builtin-k8s-secret-store` [annotation]({{< ref arguments-annotations-overview.md >}}).
+
 #### Turning on preview features
+
 See the [preview features]({{< ref "preview-features.md" >}}) guide for information and examples on how to opt-in to preview features for a release. Preview feature enable new capabilities to be added that still need more time until they become generally available (GA) in the runtime.

 ### Example sidecar configuration
+
 The following yaml shows an example configuration file that can be applied to an applications' Dapr sidecar.

 ```yml
@ -150,27 +183,33 @@ spec:
      - storeName: localstore
        defaultAccess: allow
        deniedSecrets: ["redis-password"]
+  components:
+    deny:
+      - bindings.smtp
+      - secretstores.local.file
  accessControl:
    defaultAction: deny
    trustDomain: "public"
    policies:
-    - appId: app1
-      defaultAction: deny
-      trustDomain: 'public'
-      namespace: "default"
-      operations:
-      - name: /op1
-        httpVerb: ['POST', 'GET']
-        action: deny
-      - name: /op2/*
-        httpVerb: ["*"]
-        action: allow
+      - appId: app1
+        defaultAction: deny
+        trustDomain: 'public'
+        namespace: "default"
+        operations:
+          - name: /op1
+            httpVerb: ['POST', 'GET']
+            action: deny
+          - name: /op2/*
+            httpVerb: ["*"]
+            action: allow
 ```

 ## Control-plane configuration
+
 There is a single configuration file called `daprsystem` installed with the Dapr control plane system services that applies global settings. This is only set up when Dapr is deployed to Kubernetes.

 ### Control-plane configuration settings
+
 A Dapr control plane configuration can configure the following settings:

 | Property         | Type   | Description |