Currently, if I have cluster external ingress via a gateway, the traffic from the gateway to a waypoint enabled service does not go through the waypoint (but probably via ztunnel only).
Most L7 policies I can attach to the ingress gateway AuthzPol; however, I have one setup which does not work:
admin policy for "allow-nothing"
A CUSTOM policy on the gateway to initiate OIDC for requestAuthn
Now using requestPrincipals in the AuthzPol of the destination application does not work, because it does not go through the waypoint. Same applies to any other L7 policies like methods: GET.
Describe alternatives you've considered
I helped myself by creating an in-between haproxy, being part of the ambient mesh, just inelegantly mapping and forwarding requests to destination services, which then would be captured by the waypoint because it is mesh-to-mesh traffic.
Affected product area (please put an X in all that apply)
[x] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[x] Networking
[ ] Performance and Scalability
[ ] Extensions and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context
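To make the attach-point difference in the report concrete, here is an added example (not configuration from the issue or from Istio's docs) of the same L7 rule attached twice: once to the waypoint, where the issue says gateway-originated traffic never arrives, and once to the ingress Gateway, where the author reports most L7 rules can be enforced. Names are assumed: namespace `app`, waypoint Gateway `waypoint`, ingress Gateway `ingress` in namespace `istio-ingress`, and a placeholder issuer; each copy also needs a RequestAuthentication with the same `targetRefs` so that `requestPrincipals` is populated at that hop.

```yaml
# Added example, not from the issue. Assumed names: namespace "app",
# waypoint Gateway "waypoint", ingress Gateway "ingress" (namespace
# "istio-ingress"), placeholder issuer https://idp.example.com.
#
# 1) Attached to the waypoint: evaluated only for traffic that actually
#    traverses the waypoint (mesh-to-mesh). Per the issue, requests coming
#    from the ingress gateway bypass the waypoint, so this rule never sees them.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-get-at-waypoint
  namespace: app
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW            # anything not matching a rule is denied here
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]   # placeholder issuer
    to:
    - operation:
        methods: ["GET"]
---
# 2) Compensating copy attached to the ingress Gateway itself, so the same
#    principal and method checks apply on the north-south path that
#    bypasses the waypoint. Keep both in sync, or the two paths diverge.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-get-at-ingress
  namespace: istio-ingress
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: ingress
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]   # placeholder issuer
    to:
    - operation:
        methods: ["GET"]
```

Applying only the first policy gives a false sense of enforcement for ingress traffic; a quick check is to send a request without a token through the ingress gateway and confirm it is rejected, since a 200 there means the waypoint-attached rule was bypassed.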
Following this as it relates to kubernetes-sigs/gateway-api#1478 - this is undefined in the Gateway API spec currently, and default behavior differs between Istio (route from ingress directly to backends, bypassing mesh rules) and Linkerd (deploy sidecar next to in-cluster 3rd party N/S gateway, follow mesh rules). Additionally, most cluster-external N/S gateways (such as those offered by cloud vendors), would typically route directly from the ingress to backend pods to avoid an extra routing hop and due to the impracticality of deploying a sidecar next to them.