Authorization HTTPFilter #532
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Welcome @jmprusi! |
|
Hi @jmprusi. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/M
| // It is expected for the authorization server to implement the Envoy ExtAuthz HTTP protocol: | ||
| // https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto | ||
| // | ||
| URL string `json:"url"` |
There was a problem hiding this comment.
How does configuration of how to reach this URl work? For example, if we need authentication, TLS, etc.
if it were a k8s service it would be "easy" since existing APIs defined here like BackendPolicy would apply. For a generic URL, I am not sure its easy.
There was a problem hiding this comment.
Yes, that's a good point. Thinking out loud, perhaps splitting the URL into a service reference and a type or protocol field to define the type of authorization (grpc/HTTP) could work?
There was a problem hiding this comment.
That could potentially work, I think some sort of reference is probably more consistent with the rest of the API as well. FWIW we recently went through lots of debate with https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/ about this exact topic in Istio.
There was a problem hiding this comment.
Thanks, @howardjohn! I will review that document and try to find a better API design.
There was a problem hiding this comment.
Just getting to review this one now, Contour added an ExtensionService to cover the "service reference" part of this (see https://projectcontour.io/docs/v1.12.0/config/api/#projectcontour.io/v1alpha1.ExtensionService), and then an AuthorizationServer struct that holds the ExtensionService reference. (https://projectcontour.io/docs/v1.12.0/config/api/#projectcontour.io/v1.AuthorizationServer). Both the ExtensionService and AuthorizationServer have places to put config.
I'm not suggesting doing the same thing, but I think the idea of a service reference and a type or protocol field would be great.
There was a problem hiding this comment.
@youngnick It already has a protocol field, but for the service reference, we can follow the example of the other filters and replace URL with:
ServiceName *string `json:"serviceName,omitempty"`
BackendRef *LocalObjectReference `json:"backendRef,omitempty"`
Port *PortNumber `json:"port,omitempty"`Or add a new structure that allows us to cross the namespace boundary, with additional information on how to connect to the external service, like for example a TLS client certificate to use.
|
Thanks for the work on this @jmprusi! Based on our conversation yesterday at the community meeting, it seems like there's broad support for an approach like this if we can make it portable. Ideally this filter should be usable with more than Envoy ExtAuthz. It seems like external auth is generally configured with the same approximate concepts:
That seems rather similar to what is already proposed here. I'm hesitant about specifying which underlying approach an implementation of this API should take, but if we can avoid that, I think this has the potential to be a valuable and portable filter. |
jmprusi
force-pushed
the
auth_filter
branch
2 times, most recently
from
c356917
to
8bcfc88
Compare
I've updated the PR, but I think we should discuss a couple of fields:
Another interesting "common" field could be:
|
k8s-ci-robot
added
the
needs-rebase
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jmprusi The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/L
k8s-ci-robot
added
needs-rebase
k8s-ci-robot
added
size/M
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
| // Support: Extended | ||
| // | ||
| // +optional | ||
| Metadata map[string]string `json:"metadata,omitempty"` |
There was a problem hiding this comment.
AFAIK, only the envoy GRPC protocol can pass arbitrary key value pairs here. How do you indicate missing or partial support for this field?
There was a problem hiding this comment.
I think this is for the implementor to decide; for example, in Nginx, this could be implemented as a custom HTTP header sent to the authorization service. Perhaps we should put some validation in place to make that easier, like a max length and allowed characters.
If the implementation doesn't support this, it can reject the route and set the proper status condition.
| // Support: Extended | ||
| // | ||
| // +optional | ||
| // +kubebuilder:default=http |
There was a problem hiding this comment.
Can we add enum validation for allowed values?
| // | ||
| // +optional | ||
| // +kubebuilder:default=http | ||
| Protocol string `json:"protocol,omitempty"` |
There was a problem hiding this comment.
For protocols over TLS, is there a way to tweak the server certificate validation?
There was a problem hiding this comment.
Yes, that would great to have, but I don't see any example of this in the API. I looked at the HTTPRouteForwardTo struct, and it doesn't seem to support any TLS settings. All the other TLS settings seem to be focused on the "listener side," not starting a connection.
Any suggestion on how can we add this to the filter?
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
(Looks like this got rebased a few weeks ago) |
|
@jmprusi: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-rebase
|
I think it is unlikely that we will merge this. A custom filter would be the path forward here. |
|
I tend to agree with that. If there's a way we can provide some form of portability for authorization here that would be awesome, but we've got so many things on the go right now I'm not sure how soon we'll be able to tackle that. It's likely easiest to start as a custom filter. |
|
Let the community experiment for now. If there is convergence, we would love to get this into this API itself. |
|
@hbagdi: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind design
What this PR does / why we need it:
This PR shows a possible new Filter design, called RequestAuthorization, that would be used to authorize incoming HTTP requests with an external authorization component.
Design doc: Pluggable Access Control for HTTPRoute
Which issue(s) this PR fixes:
Fixes #114
Does this PR introduce a user-facing change?: