auth: feature flag for authentication #26208
🚢
/test
Mostly LGTM with one small change.
@@ -2964,6 +2964,9 @@ sctp: | |||
|
|||
# Configuration for types of authentication for Cilium | |||
authentication: | |||
# -- Enable authentication processing and garbage collection. | |||
# Note that this doesn't affect auth policy enforcement. |
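Review bot: The comment on the new `authentication:` block says the flag "doesn't affect auth policy enforcement" but does not state what that means for an operator who turns it off. Suggest spelling out the consequence: with authentication disabled, enforcement still blocks traffic that requires authentication while nothing processes the resulting authentication requests, so that traffic stays blocked.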
I think this could use a little more explanation - maybe something about what happens when it's disabled? That is, what stops running, and what won't work?
As written, it sounds like disabling authentication won't affect that auth policy enforcement works properly, which doesn't seem right?
@youngnick good point. I tried to come up with a better comment. PTAL
Up to this point, only the SPIRE installation & integration were put behind a feature flag. Authentication, re-authentication & garbage collection were always active.

This commit introduces an additional feature flag to disable the auth module that is enabled by default.

Cilium config: `auth-mesh-enabled`
Helm value: `authentication.enabled`

Be aware, that this doesn't affect the auth policy enforcement.

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
cd95a7e to 7075a7d
/test
Thanks for the extra comment, that's excellent.
Up to this point, only the SPIRE installation & integration were put behind a feature flag. Authentication, re-authentication & garbage collection were always active.
This PR introduces an additional feature flag to be able to disable the auth module if necessary. It is enabled by default.
Cilium config: `auth-mesh-enabled`
Helm value: `authentication.enabled`
Note that if disabled, policy enforcement will still block requests that require authentication. But the resulting authentication requests for these requests will not be processed, therefore the requests will not be allowed.
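The failure mode described above, as an added example that is not part of the PR or of Cilium's code: a check that reports policies whose rules require authentication while the auth module is switched off. It assumes the agent configuration is a flat key/value map and that policy rules mark the requirement with an `authentication.mode: required` field; the policy names and contents are constructed.

```python
# Added example: flags the combination the PR description warns about.
# Assumptions (not from the PR): config is a flat key/value map, and a
# policy rule requests auth via rule["authentication"]["mode"] == "required".

def auth_enabled(config):
    """auth-mesh-enabled is on by default, so a missing key means enabled."""
    return str(config.get("auth-mesh-enabled", "true")).strip().lower() == "true"

def rules_requiring_auth(policy):
    """Yield (direction, index) for each rule that demands authentication."""
    specs = policy.get("specs") or [policy.get("spec") or {}]
    for spec in specs:
        for direction in ("ingress", "egress"):
            for i, rule in enumerate(spec.get(direction) or []):
                mode = (rule.get("authentication") or {}).get("mode", "")
                if mode == "required":
                    yield direction, i

def audit(config, policies):
    """Return findings for rules whose traffic can never be authenticated."""
    if auth_enabled(config):
        return []
    findings = []
    for policy in policies:
        meta = policy.get("metadata", {})
        name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for direction, i in rules_requiring_auth(policy):
            findings.append(
                f"{name}: {direction}[{i}] requires auth but the auth module "
                "is disabled; matching traffic stays blocked")
    return findings

# Constructed sample policies (hypothetical names, not from the PR).
SAMPLE_POLICIES = [
    {"metadata": {"name": "db-ingress", "namespace": "prod"},
     "spec": {"ingress": [{"fromEndpoints": [{}]},
                          {"authentication": {"mode": "required"}}]}},
    {"metadata": {"name": "allow-dns", "namespace": "prod"},
     "spec": {"egress": [{"toPorts": [{"ports": [{"port": "53"}]}]}]}},
]

if __name__ == "__main__":
    for line in audit({"auth-mesh-enabled": "false"}, SAMPLE_POLICIES):
        print(line)
```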