update the ext-authz extension provider and promote to alpha #1926
Conversation
🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test? Courtesy of your friendly test nag.
@louiscryan @smawson @nrjpoddar @linsun please take a look at these changes for promoting the ext-authz feature to alpha in 1.10, let me know if you have any questions, thank you.
@yangminzhu we need to look at the string match API here as we are creating a divergence from other Networking APIs.
@nrjpoddar I was trying to align with the AuthZ API but I do not have a strong preference here. I think either one does the job and it is probably more convenient to be consistent with the AuthZ as this provider is only used with the AuthZ API.
Yeah, I see it now. Can we link to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule so that users know that the API semantics are the same between this and AuthZ policies?
@nrjpoddar @howardjohn @smawson I have updated the PR to address comments so far. PTAL and let me know if you still have more comments, thanks.
My concerns were met so deferring to @howardjohn and @nrjpoddar
@yangminzhu I missed submitting my review yesterday. Updates look good. I have 2 minor comments:
I’m adding do-not-merge until I understand the duplicate headers behavior. |
@yangminzhu: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Talked offline with @yangminzhu. Removing the don't merge label. Thanks for incorporating the suggestion!
/test gencheck_api |
This PR makes the necessary changes to promote the ext-authz feature to alpha:

- `with_request_body` to support including the body in the check request: This addresses user feedback: HTTP body missing from gRPC ExternalAuthorization provider CheckRequest istio#31182 (comment) and Better External Authorization support istio#27790 (comment)
- `prefix` and `suffix` matching when including headers in the check request: This matches the syntax in the authorization policy; this is needed to simplify the configuration when a large number of headers with the same prefix (e.g. `x-forwarded-access-token`, `x-forwarded-user`, `x-forwarded-email`, ...) need to be included
- `add_headers_in_check` to support including extra headers in the check request: This is just another way to include more headers.
- `timeout` to support configuring the timeout to the external service: This is needed as we have found that the timeout in DestinationRule does not cover the ext-authz filter usage because the ext-authz filter has its own timeout constraints. The current default value 600s is chosen to match the current workaround; we could change it to a lower value (e.g. 200ms) if needed.
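The following Go program is an added example, not code from this PR or from istio/api, that models how the provider settings listed above shape the check request sent to the external authorizer. It assumes that header names are selected with the AuthorizationPolicy string-match syntax linked in the discussion (exact name, `prefix*`, `*suffix`, or `*` for any header), that operator-configured extra headers override a client-sent header of the same name (a design choice made here for the duplicate-header case, not a statement of what the PR implements), and that an oversized body is either truncated or rejected depending on a partial-message flag, following the shape of Envoy's `with_request_body` settings. The names `CheckConfig`, `CheckRequest`, `BuildCheckRequest` and `matchHeaderName`, and all sample headers and body, are made up for this example and are not the proto field names in the PR.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// CheckConfig models the provider settings discussed in the PR. The field
// names are this example's own and are not the istio/api proto field names.
type CheckConfig struct {
	HeadersInCheck      []string          // exact, "prefix*", "*suffix" or "*"
	AddHeadersInCheck   map[string]string // always added to the check request
	WithRequestBody     bool              // include the request body at all
	MaxRequestBytes     int               // body bytes buffered for the check
	AllowPartialMessage bool              // forward a truncated body instead of failing
}

// CheckRequest is the payload that would be handed to the external authorizer.
type CheckRequest struct {
	Headers map[string]string // lower-cased header names
	Body    []byte
	Partial bool // true when Body was truncated to MaxRequestBytes
}

// matchHeaderName applies the AuthorizationPolicy string-match syntax to a
// header name: "*" matches any name, "abc*" is a prefix match, "*abc" is a
// suffix match, and anything else is an exact match. Header names are
// compared case-insensitively, as HTTP header names are.
func matchHeaderName(pattern, name string) bool {
	pattern = strings.ToLower(pattern)
	name = strings.ToLower(name)
	switch {
	case pattern == "*":
		return true
	case strings.HasSuffix(pattern, "*"):
		return strings.HasPrefix(name, strings.TrimSuffix(pattern, "*"))
	case strings.HasPrefix(pattern, "*"):
		return strings.HasSuffix(name, strings.TrimPrefix(pattern, "*"))
	default:
		return pattern == name
	}
}

// BuildCheckRequest selects the request headers that match the configured
// patterns, adds the operator-configured extra headers, and attaches the body
// according to the body settings. An oversized body is rejected unless a
// partial message is allowed, in which case it is truncated and flagged.
func BuildCheckRequest(cfg CheckConfig, reqHeaders map[string]string, body []byte) (CheckRequest, error) {
	out := CheckRequest{Headers: make(map[string]string)}
	for name, value := range reqHeaders {
		for _, p := range cfg.HeadersInCheck {
			if matchHeaderName(p, name) {
				out.Headers[strings.ToLower(name)] = value
				break
			}
		}
	}
	// Operator-configured headers win over client-sent headers of the same
	// name (an assumption of this example), so a client cannot spoof them.
	for name, value := range cfg.AddHeadersInCheck {
		out.Headers[strings.ToLower(name)] = value
	}
	if cfg.WithRequestBody {
		if len(body) > cfg.MaxRequestBytes {
			if !cfg.AllowPartialMessage {
				return CheckRequest{}, errors.New("request body exceeds max request bytes; reject before calling the authorizer")
			}
			body = body[:cfg.MaxRequestBytes]
			out.Partial = true
		}
		out.Body = append([]byte(nil), body...)
	}
	return out, nil
}

func main() {
	cfg := CheckConfig{
		HeadersInCheck:      []string{"authorization", "x-forwarded-*"},
		AddHeadersInCheck:   map[string]string{"x-ext-authz-source": "istio-proxy"},
		WithRequestBody:     true,
		MaxRequestBytes:     16,
		AllowPartialMessage: true,
	}
	// Constructed sample request for illustration, not captured traffic.
	headers := map[string]string{
		"Authorization":            "Bearer eyJ...",
		"X-Forwarded-Access-Token": "tok",
		"X-Forwarded-User":         "alice",
		"X-Forwarded-Email":        "alice@example.com",
		"Cookie":                   "session=1234",
		"Content-Type":             "application/json",
	}
	body := []byte(`{"action":"transfer","amount":100}`)
	req, err := BuildCheckRequest(cfg, headers, body)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	names := make([]string, 0, len(req.Headers))
	for n := range req.Headers {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%s: %s\n", n, req.Headers[n])
	}
	fmt.Printf("body (%d bytes, partial=%v): %s\n", len(req.Body), req.Partial, req.Body)
}
```

With the sample above, `Cookie` and `Content-Type` stay out of the check request because nothing matches them, the three `x-forwarded-*` headers come through under a single pattern, and the body is cut to 16 bytes and flagged as partial; flipping `AllowPartialMessage` to false makes the same request fail closed instead of reaching the authorizer with a truncated body.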