-
Notifications
You must be signed in to change notification settings - Fork 365
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: SecurityPolicy #1845
Comments
@AliceProxy this looks overall good. I have a few questions:
Thanks. |
wanted to highlight that the usage of |
I'm sure this policy isn't exhaustive, but yes, I would like to use this resource for any authorization/authentication features and config knobs we would like to support in the future adding any additional top-level fields or expanding existing fields.
The filters is currently meant to reference our @arkodg was mentioning that if this resource is implemented and is successful, we might even deprecate the |
I incline to have a separate authorization policy, as Authn and Authz repsent two different facets of security considerations. In most systems, such as Kubernetes and Istio, these two aspects are managed separately.
IMO, it's a bit weird to put all other auth-related configurations in the |
thinking about this again, it makes sense to have a separate API for authn & authz instead of collapsing this into UpstreamTrafficPolicy to provide flexibility in authorship, allowing the platform admin persona to be split up into net admin and sec admin . Reg naming, prefer SecurityPolicy over AuthPolicy |
After discussion with @AliceProxy at this week's EG meeting, we agreed that the OIDCAuthenticationPolicy should be merged with this one to provide users a more unified auth AP. I would also like to suggest incorporating the kind: SecurityPolicy
metadata:
name: example-policy
spec:
# defaults and overrides will have the same configuration options.
# If there is an SecurityPolicy A attached to a Gateway, and an SecurityPolicy B
# attached to an xRoute, `overrides` from policy A win and `defaults` win for policy B
# This allows for global defaults, changing those defaults on a route to route basis and enforcing
# certain settings at a Gateway level.
defaults:
overrides:
connections: # optional
ipBlocking: # optional
mode: Enum(allow-list/deny-list) # required
ips: # required, minItems=1
- type: Enum(peer/remote) # required
value: string # required (example: 127.0.0.1 or 99.99.0.0/16)
cors: # optional
allowedOrigins: []string # required
allowedMethods: []string # optional
allowedHeaders: []string # optional
allowCredentials: bool # optional
exposedHeaders: []string # optional
maxAge: string # optional
authentication: # optional
bypassAuth: bool # optional
oidc: # oidc authentication configuration
provider: # the information of the OIDC identity provider
issuer: string # The OIDC identity provider's issuer identifier. It’s also an URL which can be used by EG to discover the provider’s AuthorizationEndpoint and TokenEndpoint. An example: "https://accounts.google.com"
AuthorizationEndpoint: string # optional The URL to which users are redirected in the authentication flow. If not provided,TEG will obtain it from the provider's Well-Known Configuration Endpoint through the OIDC discovery mechanism.
TokenEndpoint: The URL where your application exchanges the authorization code for an access token. It’s an optional field. If not provided,EG will obtain it from the provider's Well-Known Configuration Endpoint through the OIDC discovery mechanism.
clientID: string # This is an unique identifier assigned to your application by the OIDC identity provider. An Example "xxx.apps.googleusercontent.com"
clientSecret: The Kubernetes secret which contains the OIDC client secret, which is a confidential token shared between your application and the OIDC identity provider to authenticate your application.
name: "oidc-client-secret"
namespace: string # optional
scopes: []string # optional, if not specified, "openid" is used.
jwt: # jwt authentication configuration
issuer: # optional Issuer is the principal that issued the JWT and takes the form of a URL or email address.If not provided, the JWT issuer is not checked.
audiences: # optinal Audiences is a list of JWT audiences allowed access. If not provided, JWT audiences are not checked.
remoteJWKS: # RemoteJWKS defines how to fetch and cache JSON Web Key Sets (JWKS) from a remote HTTP/HTTPS endpoint.
uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/authn/jwks.json
claimToHeaders: # optinal A list of JWT claims that must be extracted into HTTP request headers
targetRef: # required
group: string
kind: string # must be a Gateway or xRoute object reference
name: string A few other things I'd like to bring up:
|
was chatting with @ZackButcher about this earlier today and summarizing some of our discussions
|
|
@zhaohuabing specifying OIDC and ext authz may make sense, if OIDC is being used for authn and ext authz is being used for authz (using OPA).
|
Maybe I missed something, but I didn't see any authz regarding RBAC in the SecurityPolicy. |
the openapi spec's security section https://spec.openapis.org/oas/v3.1.0#security-scheme-object is another good datapoint which has outlined all features mentioned in #1845 (comment) |
I would concur with removing the I think it probably makes sense to leave CORS in the SecurityPolicy: Ana is likely to care a lot about things like how to do load balancing for her specific workloads, but I'm not sure she's ever in a great position to be messing with CORS, IP blocking, etc. |
Relates to envoyproxy#1845 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
* design: SecurityPolicy Relates to #1845 Signed-off-by: Arko Dasgupta <arko@tetrate.io> * update policy hierrachy Signed-off-by: Arko Dasgupta <arko@tetrate.io> --------- Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: zirain <zirain2009@gmail.com> Co-authored-by: zirain <zirain2009@gmail.com>
Relates to
#1492
#1821
#1846
What is this?
SecurityPolicy is a proposal for a new policy attachment resource that can be applied to
Gateways
andxRoute
resources. It is meant to supplement a lot of config that Gateway API currently lacks while also providing a way to specify global defaults. It is similar to the proposal for anUpstreamTrafficPolicy
with the notable difference that this tackles authentication based features and will thus supportoverrides
anddefaults
.How would I use this resource?
You can attach an
SecurityPolicy
to aGateway
to set global defaults that will apply to all children xRoute objects of thatGateway
. You can also create anSecurityPolicy
to attach to an xRoute object to configure things on a route-to-route basis and override global defaults if needed.How will the
overrides
anddefaults
work?If there is an
SecurityPolicy
X attached to aGateway
, and anSecurityPolicy
Y attached to anHTTPRoute
:overrides
from policy X will win in a conflict withoverrides
from policy Y.defaults
from policy Y will win in a conflict withdefaults
from policy X.Gateway
level overrides in the above scenario)What if Gateway API implements a GEP that delivers the same functionality as some of the fields of this resource?
If Gateway improves any of their existing resources to deliver functionality that meets all of the needs of any of the below config,
then we will deprecate the field in this resource and use the Gateway API config instead. Ideally, a lot of this config can be
upstreamed into Gateway API in some form eventually since this resource only exists to solve areas where Gateway API is lacking for the needs of Envoy Gateway.
Can you use multiple
SecurityPolicy
resources at the same time?You may use multiple
AuthPolicies
that target different resources, but you may not attach multipleAuthPolicies
to the same resource. For example, it is invalid to attach two
AuthPolicies
to the sameGateway
. Merging config in this scenario would quickly become convoluted and confusing, and there are many edge-case scenarios that make supporting this undesirable.How will this be developed/implemented?
This issue serves as a proposal for the high-level design and fields of the API, but that does not mean that every field included below will be immediately available. My plan for the implementation is to add and implement one high-level field at a time until the whole resource is implemented.
API outline
Open questions
Gateway
, but you can configure multiple listeners on a singleGateway
. Realistically, this resource makes the most sense targeting listeners instead of forcing this to apply to the entire gateway. There should be a way to specify which listeners it applies to so that you can have different config for each listener.Gateway
and then adding in support for @zhaohuabing's SectionName to PolicyTargetReference enhancement when it lands and becomes available.Edits
AuthPolicy
toSecurityPolicy
The text was updated successfully, but these errors were encountered: