Add default-authorization-mode feature flag (#7996)

Add default-authorization-mode feature flag

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>

config/core/configmaps/features.yaml

@@ -56,6 +56,12 @@ data:
   # For more details: https://github.com/knative/eventing/issues/7174
   authentication-oidc: "disabled"
 
+  # ALPHA feature: The default-authorization-mode flag allows you to change the default
+  # authorization mode for resources that have no EventPolicy associated with them.
+  #
+  # This feature flag is only used when "authentication-oidc" is enabled.
+  default-authorization-mode: "allow-same-namespace"
+
   # ALPHA feature: The cross-namespace-event-links flag allows you to use cross-namespace referencing for Eventing.
   # For more details: https://github.com/knative/eventing/issues/7739
   cross-namespace-event-links: "disabled"

pkg/apis/feature/features.go

@@ -45,6 +45,24 @@ const (
 	// - Addressables should advertise both HTTP and HTTPS endpoints
 	// - Producers should prefer to send events to HTTPS endpoints, if available
 	Permissive Flag = "Permissive"
+
+	// AuthorizationAllowAll is a value for AuthorizationDefaultMode that indicates to allow all
+	// OIDC subjects by default.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationAllowAll Flag = "Allow-All"
+
+	// AuthorizationDenyAll is a value for AuthorizationDefaultMode that indicates to deny all
+	// OIDC subjects by default.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationDenyAll Flag = "Deny-All"
+
+	// AuthorizationAllowSameNamespace is a value for AuthorizationDefaultMode that indicates to allow
+	// OIDC subjects with the same namespace as a given resource.
+	// This configuration is applied when there is no EventPolicy with a "to" referencing a given
+	// resource.
+	AuthorizationAllowSameNamespace Flag = "Allow-Same-Namespace"
 )
 
 // Flags is a map containing all the enabled/disabled flags for the experimental features.
@@ -53,15 +71,16 @@ type Flags map[string]Flag
 
 func newDefaults() Flags {
 	return map[string]Flag{
-		KReferenceGroup:     Disabled,
-		DeliveryRetryAfter:  Disabled,
-		DeliveryTimeout:     Enabled,
-		KReferenceMapping:   Disabled,
-		NewTriggerFilters:   Enabled,
-		TransportEncryption: Disabled,
-		OIDCAuthentication:  Disabled,
-		EvenTypeAutoCreate:  Disabled,
-		NewAPIServerFilters: Disabled,
+		KReferenceGroup:          Disabled,
+		DeliveryRetryAfter:       Disabled,
+		DeliveryTimeout:          Enabled,
+		KReferenceMapping:        Disabled,
+		NewTriggerFilters:        Enabled,
+		TransportEncryption:      Disabled,
+		OIDCAuthentication:       Disabled,
+		EvenTypeAutoCreate:       Disabled,
+		NewAPIServerFilters:      Disabled,
+		AuthorizationDefaultMode: AuthorizationAllowSameNamespace,
 	}
 }
 
@@ -103,6 +122,18 @@ func (e Flags) IsCrossNamespaceEventLinks() bool {
 	return e != nil && e[CrossNamespaceEventLinks] == Enabled
 }
 
+func (e Flags) IsAuthorizationDefaultModeAllowAll() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationAllowAll
+}
+
+func (e Flags) IsAuthorizationDefaultModeDenyAll() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationDenyAll
+}
+
+func (e Flags) IsAuthorizationDefaultModeSameNamespace() bool {
+	return e != nil && e[AuthorizationDefaultMode] == AuthorizationAllowSameNamespace
+}
+
 func (e Flags) String() string {
 	return fmt.Sprintf("%+v", map[string]Flag(e))
 }
@@ -142,10 +173,16 @@ func NewFlagsConfigFromMap(data map[string]string) (Flags, error) {
 			flags[sanitizedKey] = Disabled
 		} else if strings.EqualFold(v, string(Enabled)) {
 			flags[sanitizedKey] = Enabled
-		} else if k == TransportEncryption && strings.EqualFold(v, string(Permissive)) {
+		} else if sanitizedKey == TransportEncryption && strings.EqualFold(v, string(Permissive)) {
 			flags[sanitizedKey] = Permissive
-		} else if k == TransportEncryption && strings.EqualFold(v, string(Strict)) {
+		} else if sanitizedKey == TransportEncryption && strings.EqualFold(v, string(Strict)) {
 			flags[sanitizedKey] = Strict
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationAllowAll)) {
+			flags[sanitizedKey] = AuthorizationAllowAll
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationDenyAll)) {
+			flags[sanitizedKey] = AuthorizationDenyAll
+		} else if sanitizedKey == AuthorizationDefaultMode && strings.EqualFold(v, string(AuthorizationAllowSameNamespace)) {
+			flags[sanitizedKey] = AuthorizationAllowSameNamespace
 		} else if strings.Contains(k, NodeSelectorLabel) {
 			flags[sanitizedKey] = Flag(v)
 		} else {

pkg/apis/feature/features_test.go

@@ -56,6 +56,7 @@ func TestGetFlags(t *testing.T) {
 	require.True(t, flags.IsAllowed("my-enabled-flag"))
 	require.True(t, flags.IsAllowed("my-allowed-flag"))
 	require.False(t, flags.IsAllowed("non-disabled-flag"))
+	require.True(t, flags.IsAuthorizationDefaultModeSameNamespace())
 
 	nodeSelector := flags.NodeSelector()
 	expectedNodeSelector := map[string]string{"testkey": "testvalue", "testkey1": "testvalue1", "testkey2": "testvalue2"}

pkg/apis/feature/flag_names.go

@@ -28,4 +28,5 @@ const (
 	NodeSelectorLabel        = "apiserversources-nodeselector-"
 	CrossNamespaceEventLinks = "cross-namespace-event-links"
 	NewAPIServerFilters      = "new-apiserversource-filters"
+	AuthorizationDefaultMode = "default-authorization-mode"
 )

pkg/apis/feature/testdata/config-features.yaml

@@ -25,6 +25,7 @@ data:
     my-enabled-flag: "enabled"
     my-disabled-flag: "disabled"
     my-allowed-flag: "allowed"
+    default-authorization-mode: allow-same-namespace
     apiserversources-nodeselector-testkey: testvalue
     apiserversources-nodeselector-testkey1: testvalue1
     apiserversources-nodeselector-testkey2: testvalue2