Delete gateway securitypolicy oidc from httproute

[kiaraly]

I have a security policy attached to my gateway with oidc auth enabled and want to attach a separate security policy to httproutes to opt out of this.

I know I can replace the gateway policy like this

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc-optout
spec:
  targetSelectors:
    - kind: HTTPRoute
      matchLabels:
        oidc-optout: "true"
  authorization:
    defaultAction: Allow

but then I lose my authorization: block which I'd like to keep.

I've tried variations of

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc-optout
spec:
  targetSelectors:
    - kind: HTTPRoute
      matchLabels:
        oidc-optout: "true"
  mergeType: StrategicMerge/JSONMerge
  oidc: null/{}

but it all fails validation. Giving an invalid config results in 500.

Is there a way to do this or do I need to change my architecture to be opt in?

[mg1986jp]

You can't really "delete" a gateway-level SecurityPolicy from an HTTPRoute — the inheritance model in Envoy Gateway means route-level policies override gateway-level ones, they don't remove them.

What you'd want is to attach a SecurityPolicy to your specific HTTPRoute that effectively disables OIDC. Something like:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: no-auth
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: my-public-route

If an empty SecurityPolicy doesn't work (it might not override cleanly), you could try attaching one with a different auth method that's basically a no-op, or use ExtAuth pointing to a service that always returns 200.

The cleanest approach is probably to restructure so that the gateway doesn't have OIDC attached globally, and instead attach it to individual HTTPRoutes that need it. That way public routes just don't get a SecurityPolicy.

[kiaraly]

You can't really "delete" a gateway-level SecurityPolicy from an HTTPRoute — the inheritance model in Envoy Gateway means route-level policies override gateway-level ones, they don't remove them.

Isn't that exactly what the mergeType is for? Per the docs

StrategicMerge	StrategicMerge indicates a strategic merge patch type
JSONMerge	JSONMerge indicates a JSON merge patch type
Replace	Replace type - ie no merging

Default is replacing, that works but also means I have to duplicate all settings from the gateway policy to the route policy. From the StrategicMerge docs (https://github.com/kubernetes/community/blob/main/contributors/devel/sig-api-machinery/strategic-merge-patch.md#delete-directive) this should be valid

One way to delete a map is using delete directive. Applying this patch will delete the rollingUpdate map.

rollingUpdate:
  $patch: delete

An equivalent way to delete this map is

rollingUpdate: null

which is exactly what I want to do but gets blocked by the API validation.

The cleanest approach is probably to restructure so that the gateway doesn't have OIDC attached globally, and instead attach it to individual HTTPRoutes that need it. That way public routes just don't get a SecurityPolicy.

I was afraid this would be the case. I'm not sure if I agree that an opt-in security policy is clean (forgetting that a route should be protected is a issue, forgetting that it shouldn't be is not) but it looks like there isn't another option.