AuthPolicy API v2 #207

Closed
14 of 16 tasks
alexsnaps opened this issue Jul 6, 2023 · 0 comments
Labels
kind/epic Master issue tracking broken down work
alexsnaps commented Jul 6, 2023

  • AuthConfig v1beta2 authorino#400
  • Bump Authorino to v0.15.0 #262
  • Upgrade AuthPolicy inner types to AuthConfig v1beta2 #247
  • Bump Authorino Operator to v0.9.0 #263
  • Enable superseding of strict host subsets between AuthConfigs #264
  • Use Well-known attributes in the generated AuthConfig #265
  • AuthPolicy status #290
    • Implementation of RFC 0004 for the AuthPolicy
    • Update the status stanza of the AuthPolicy about route selectors that failed to select any HTTPRouteRule
  • User-guide: Enforcing authentication & authorisation with Kuadrant AuthPolicy, for app developers and platform engineers
  • Docs: Kuadrant AuthPolicy spec
  • Document uncovered use-cases. E.g.:
    • Host already taken: 2+ AuthPolicies targeting network resources that list the exact same hostnames (strict subsets not included). E.g.:
      • 2 HTTPRoutes that declare the same hostname (or that declare no hostname at all and are attached to a common gateway); 1 AuthPolicy targeting each HTTPRoute
      • 1 HTTPRoute that repeats a hostname declared in the Gateway (or that declares no hostname at all); 1 AuthPolicy targeting the HTTPRoute + another targeting the Gateway
  • Document edge-cases ("exceptions to rules"). E.g.:
    • Top-level route rules and requests to ext-authz
      • Rule: For each AuthPolicy created, the policy controller creates an Istio AuthorizationPolicy resource that ensures that only requests directed to the targeted HTTPRouteRules – based on the declared top-level route selectors (if present), or all requests for which a matching HTTPRouteRule exists (otherwise) – will be checked with the authorisation service (Authorino). Authorino will look up the auth scheme (AuthConfig resource) to enforce from the provided hostname of the original request, and check again whether the request matches at least one of the selected HTTPRouteRules, in which case it enforces the auth scheme.
      • Exception: The following patterns used in HTTPRouteMatches of top-level route selectors will not be included in the Istio AuthorizationPolicy rules that trigger the check request with Authorino: PathMatchRegularExpression, HeaderMatchRegularExpression, HTTPQueryParamMatch. As a consequence, requests that do not match these rules and that otherwise would not be checked with Authorino will be checked with Authorino. Authorino will nonetheless still verify those patterns and ensure the policy is enforced only when the request matches at least one of the selected HTTPRouteRules. Users of Kuadrant may observe an unnecessary call to the authorisation service in those cases where the request is out of the scope of the AuthPolicy and therefore always authorised. This is due to limitations of the Istio AuthorizationPolicy, which does not support specifying rules for those patterns.
  • Gateway API gateway.networking.k8s.io/policy label at the AuthPolicy CRD #278
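The rule and exception documented in the comment above, as an added example that is not Kuadrant's or Authorino's code: a small Go model (the type and field names, the Dropped bookkeeping and the Request shape are all assumptions made for this example) that converts one HTTPRouteMatch into the subset an Istio AuthorizationPolicy rule can express, then evaluates a request against both the widened Istio rule and the complete match the way Authorino would. It shows the edge case concretely: a regex path, regex header or query-parameter match is dropped from the trigger rule, so an out-of-scope request still produces a check request, but Authorino finds it outside the policy and it is never wrongly blocked.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed subset of the Gateway API HTTPRouteMatch used by AuthPolicy route
// selectors; the type and field names are assumptions made for this example.
type HTTPRouteMatch struct {
	PathType    string // "PathPrefix" or "RegularExpression"
	Path        string
	Headers     []HeaderMatch // Type is "Exact" or "RegularExpression"
	QueryParams []QueryParamMatch
}

type HeaderMatch struct{ Type, Name, Value string }
type QueryParamMatch struct{ Name, Value string }

// Request is a minimal inbound request; header names are assumed lower-cased.
type Request struct {
	Path           string
	Headers, Query map[string]string
}

// IstioRule stands in for what an AuthorizationPolicy rule can express (paths with a
// trailing "*" wildcard, exact header values); unencodable patterns go to Dropped.
type IstioRule struct {
	Paths   []string
	Headers map[string]string
	Dropped []string
}

// ToIstioRule builds the rule that decides whether a request is sent to Authorino.
// Dropping a pattern only ever widens the rule: extra checks, never a skipped one.
func ToIstioRule(m HTTPRouteMatch) IstioRule {
	r := IstioRule{Paths: []string{"/*"}, Headers: map[string]string{}} // "/*": any path
	switch m.PathType {
	case "PathPrefix": // prefixes match on path-element boundaries: /api, not /apix
		p := strings.TrimSuffix(m.Path, "/")
		r.Paths = []string{p, p + "/*"}
	case "RegularExpression":
		r.Dropped = append(r.Dropped, "PathMatchRegularExpression "+m.Path)
	}
	for _, h := range m.Headers {
		if h.Type == "RegularExpression" {
			r.Dropped = append(r.Dropped, "HeaderMatchRegularExpression "+h.Name)
		} else {
			r.Headers[strings.ToLower(h.Name)] = h.Value
		}
	}
	for _, q := range m.QueryParams {
		r.Dropped = append(r.Dropped, "HTTPQueryParamMatch "+q.Name)
	}
	return r
}

// TriggersExtAuthz mirrors Istio evaluating the generated rule: true means the
// request is forwarded to Authorino for a check request.
func TriggersExtAuthz(r IstioRule, req Request) bool {
	ok := false
	for _, p := range r.Paths {
		ok = ok || p == req.Path || (strings.HasSuffix(p, "*") && strings.HasPrefix(req.Path, strings.TrimSuffix(p, "*")))
	}
	for name, want := range r.Headers {
		ok = ok && req.Headers[name] == want
	}
	return ok
}

// InScope mirrors Authorino re-checking the complete HTTPRouteMatch, including the
// patterns Istio could not encode; false means the request is outside the policy.
func InScope(m HTTPRouteMatch, req Request) bool {
	p := strings.TrimSuffix(m.Path, "/")
	ok := req.Path == p || strings.HasPrefix(req.Path, p+"/") // PathPrefix semantics
	if m.PathType == "RegularExpression" {
		ok = regexp.MustCompile(m.Path).MatchString(req.Path)
	}
	for _, h := range m.Headers {
		got := req.Headers[strings.ToLower(h.Name)]
		if h.Type == "RegularExpression" {
			ok = ok && regexp.MustCompile(h.Value).MatchString(got)
		} else {
			ok = ok && got == h.Value
		}
	}
	for _, q := range m.QueryParams {
		ok = ok && req.Query[q.Name] == q.Value
	}
	return ok
}

func main() {
	// Constructed selector: numeric admin IDs only, expressed as a regex path match.
	sel := HTTPRouteMatch{PathType: "RegularExpression", Path: `^/admin/[0-9]+$`}
	rule, req := ToIstioRule(sel), Request{Path: "/admin/health"} // out of scope, yet checked
	fmt.Println(rule.Dropped, TriggersExtAuthz(rule, req), InScope(sel, req))
}
```

The property worth checking in review is the direction of the widening: whenever Dropped is non-empty, the generated rule still matches at least every request the original HTTPRouteMatch did, so the only consequence of the Istio limitation is an extra ext-authz round trip for out-of-scope requests, never a request that escapes the check.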
@alexsnaps alexsnaps added kind/epic Master issue tracking broken down work target/current labels Jul 6, 2023
@alexsnaps alexsnaps added this to the v0.4.0 milestone Sep 12, 2023
@guicassolato guicassolato changed the title Auth Policy API v2 AuthPolicy API v2 Oct 10, 2023
@alexsnaps alexsnaps modified the milestones: v0.4.0, v0.5.0 Nov 13, 2023