Update the status stanza of the AuthPolicy about route selectors that failed to select any HTTPRouteRule
User-guide: Enforcing authentication & authorisation with Kuadrant AuthPolicy, for app developers and platform engineers
Docs: Kuadrant AuthPolicy spec
Document uncovered use-cases. E.g.:
Host already taken: 2+ AuthPolicies targeting network resources that list the exact same hostnames (strict subsets not included). E.g.:
2 HTTPRoutes that declare the same hostname (or that declare no hostname at all and are attached to a common gateway); 1 AuthPolicy targeting each HTTPRoute
1 HTTPRoute that repeats a hostname declared in the Gateway (or that declares no hostname at all); 1 AuthPolicy targeting the HTTPRoute + another targeting the Gateway
Document edge-cases ("exceptions to rules"). E.g.:
Top-level route rules and requests to ext-authz
Rule: For each AuthPolicy created, the policy controller creates an Istio AuthorizationPolicy resource that ensures that only requests directed to the targeted HTTPRouteRules – based on the declared top-level route selectors (if present), or all requests for which a matching HTTPRouteRule exists (otherwise) – will be checked with the authorisation service (Authorino). Authorino will look up the auth scheme (AuthConfig resource) to enforce from the provided hostname of the original request, and check again if the request matches at least one of the selected HTTPRouteRules, in which case it enforces the auth scheme.
Exception: The following patterns used in HTTPRouteMatches of top-level route selectors will not be included in the Istio AuthorizationPolicy rules that trigger the check request with Authorino: PathMatchRegularExpression, HeaderMatchRegularExpression, HTTPQueryParamMatch. As a consequence, requests that do not match these rules and otherwise would not be checked with Authorino will be checked with Authorino. Authorino nonetheless will still verify those patterns and ensure the policy is enforced only when it matches at least one of the selected HTTPRouteRules. Users of Kuadrant may observe an unnecessary call to the authorisation service in those cases where the request is out of the scope of the AuthPolicy and therefore always authorised. This is due to limitations of the Istio AuthorizationPolicy, which does not support specifying rules for those patterns.
AuthScheme types to be based on AuthConfig v1beta2 types #253
routeSelectors fields to the AuthPolicy #248
gateway.networking.k8s.io/policy label at the AuthPolicy CRD #278
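
The exception described above (regex path, regex header and query-param matches left out of the gateway-side rule, then re-checked by Authorino) can be modelled as two filters. This is an added example, not Kuadrant or Authorino code; the `Match`, `Request`, `TriggersCheck`, `Enforces` and `Classify` names are hypothetical, and path-prefix matching is simplified to a plain string prefix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Match is a simplified, hypothetical model of one HTTPRouteMatch.
type Match struct {
	Method, PathPrefix, PathRegex string            // "" means unset
	HeaderRegex, Query            map[string]string // regex header values, exact query params
}

type Request struct {
	Method, Path   string
	Headers, Query map[string]string
}

// TriggersCheck models the gateway rule: regex and query-param predicates are left out.
func TriggersCheck(m Match, r Request) bool {
	return (m.Method == "" || m.Method == r.Method) && strings.HasPrefix(r.Path, m.PathPrefix)
}

// Enforces models the re-check in the authorisation service: all predicates apply.
func Enforces(m Match, r Request) bool {
	ok := TriggersCheck(m, r) && (m.PathRegex == "" || regexp.MustCompile(m.PathRegex).MatchString(r.Path))
	for k, re := range m.HeaderRegex {
		ok = ok && regexp.MustCompile(re).MatchString(r.Headers[k])
	}
	for k, v := range m.Query {
		ok = ok && r.Query[k] == v
	}
	return ok
}

func Classify(m Match, r Request) string {
	if Enforces(m, r) {
		return "enforced"
	} else if TriggersCheck(m, r) {
		return "checked, out of scope" // the unnecessary call described above
	}
	return "not checked"
}

func main() {
	m := Match{Method: "GET", PathPrefix: "/admin", Query: map[string]string{"scope": "full"}} // constructed
	fmt.Println(Classify(m, Request{Method: "GET", Path: "/admin/users"}))                     // no ?scope=full
}
```

The middle outcome is the one to watch for when reading authorisation-service logs or latency metrics: the request was sent for a check even though no selected rule applies to it.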