-
Notifications
You must be signed in to change notification settings - Fork 443
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authorization HTTPFilter #532
Conversation
Welcome @jmprusi! |
Hi @jmprusi. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
// It is expected for the authorization server to implement the Envoy ExtAuthz HTTP protocol: | ||
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto | ||
// | ||
URL string `json:"url"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How does configuration of how to reach this URl work? For example, if we need authentication, TLS, etc.
if it were a k8s service it would be "easy" since existing APIs defined here like BackendPolicy would apply. For a generic URL, I am not sure its easy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that's a good point. Thinking out loud, perhaps splitting the URL into a service reference
and a type
or protocol
field to define the type of authorization (grpc/HTTP) could work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That could potentially work, I think some sort of reference is probably more consistent with the rest of the API as well. FWIW we recently went through lots of debate with https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/ about this exact topic in Istio.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @howardjohn! I will review that document and try to find a better API design.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just getting to review this one now, Contour added an ExtensionService to cover the "service reference" part of this (see https://projectcontour.io/docs/v1.12.0/config/api/#projectcontour.io/v1alpha1.ExtensionService), and then an AuthorizationServer struct that holds the ExtensionService reference. (https://projectcontour.io/docs/v1.12.0/config/api/#projectcontour.io/v1.AuthorizationServer). Both the ExtensionService and AuthorizationServer have places to put config.
I'm not suggesting doing the same thing, but I think the idea of a service reference and a type or protocol field would be great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@youngnick It already has a protocol field, but for the service reference, we can follow the example of the other filters and replace URL with:
ServiceName *string `json:"serviceName,omitempty"`
BackendRef *LocalObjectReference `json:"backendRef,omitempty"`
Port *PortNumber `json:"port,omitempty"`
Or add a new structure that allows us to cross the namespace boundary, with additional information on how to connect to the external service, like for example a TLS client certificate to use.
Thanks for the work on this @jmprusi! Based on our conversation yesterday at the community meeting, it seems like there's broad support for an approach like this if we can make it portable. Ideally this filter should be usable with more than Envoy ExtAuthz. It seems like external auth is generally configured with the same approximate concepts:
That seems rather similar to what is already proposed here. I'm hesitant about specifying which underlying approach an implementation of this API should take, but if we can avoid that, I think this has the potential to be a valuable and portable filter. |
c356917
to
8bcfc88
Compare
I've updated the PR, but I think we should discuss a couple of fields:
Another interesting "common" field could be:
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jmprusi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/ok-to-test |
// Support: Extended | ||
// | ||
// +optional | ||
Metadata map[string]string `json:"metadata,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AFAIK, only the envoy GRPC protocol can pass arbitrary key value pairs here. How do you indicate missing or partial support for this field?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is for the implementor to decide; for example, in Nginx, this could be implemented as a custom HTTP header sent to the authorization service. Perhaps we should put some validation in place to make that easier, like a max length and allowed characters.
If the implementation doesn't support this, it can reject the route and set the proper status condition.
// Support: Extended | ||
// | ||
// +optional | ||
// +kubebuilder:default=http |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add enum validation for allowed values?
// | ||
// +optional | ||
// +kubebuilder:default=http | ||
Protocol string `json:"protocol,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For protocols over TLS, is there a way to tweak the server certificate validation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that would great to have, but I don't see any example of this in the API. I looked at the HTTPRouteForwardTo
struct, and it doesn't seem to support any TLS settings. All the other TLS settings seem to be focused on the "listener side," not starting a connection.
Any suggestion on how can we add this to the filter?
(Looks like this got rebased a few weeks ago) |
@jmprusi: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I think it is unlikely that we will merge this. A custom filter would be the path forward here. |
I tend to agree with that. If there's a way we can provide some form of portability for authorization here that would be awesome, but we've got so many things on the go right now I'm not sure how soon we'll be able to tackle that. It's likely easiest to start as a custom filter. |
Let the community experiment for now. If there is convergence, we would love to get this into this API itself. |
@hbagdi: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind design
What this PR does / why we need it:
This PR shows a possible new Filter design, called RequestAuthorization, that would be used to authorize incoming HTTP requests with an external authorization component.
Design doc: Pluggable Access Control for HTTPRoute
Which issue(s) this PR fixes:
Fixes #114
Does this PR introduce a user-facing change?: