feature: support ext-authz by annotation #263

Draft
wants to merge 4 commits into
base: main

zhangcly
Contributor

Ⅰ. Describe what this PR did

Parse higress annotations and transfer them to envoyfilter (ext-authz and rbac http filter).
Test cases added.
The issue hasn't been resolved yet.

Ⅱ. Does this pull request fix one issue?

#207

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews

@codecov-commenter

Codecov Report

Merging #263 (e11ff89) into main (7fd3f43) will increase coverage by 0.63%.
The diff coverage is 50.54%.

@@            Coverage Diff             @@
##             main     #263      +/-   ##
==========================================
+ Coverage   44.45%   45.08%   +0.63%     
==========================================
  Files          32       33       +1     
  Lines        5289     5647     +358     
==========================================
+ Hits         2351     2546     +195     
- Misses       2770     2911     +141     
- Partials      168      190      +22     
| Impacted Files | Coverage Δ |
|---|---|
| pkg/ingress/kube/annotations/annotations.go | 25.00% <0.00%> (-0.31%) ⬇️ |
| pkg/ingress/config/ingress_config.go | 26.11% <50.17%> (+8.25%) ⬆️ |
| pkg/ingress/kube/annotations/authz.go | 52.56% <52.56%> (ø) |

... and 2 files with indirect coverage changes

@SpecialYang
Collaborator

SpecialYang commented Apr 4, 2023

It is cool 👍🏻.

But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

@Xunzhuo
Collaborator

Xunzhuo commented Apr 4, 2023

> But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

Suggest referring to kubernetes-sigs/gateway-api#1855.

@SpecialYang
Collaborator

Aha. Here I'm not addressing the route order for route tables.
I mean how we control the matching order in the matching list of rbac, so we can find the right rbac policy for the target request.

@johnlanni
Collaborator

johnlanni commented Apr 4, 2023

> It is cool 👍🏻.
>
> But I want to know how you control the route match order. Given one request /api/test, if we have two ingress, /api with prefix matching and /api/test with exact matching, how you control this request matching the right rbac and external authz policy because these resources have their own matching list.

You are right, this design to implement ext-authz via ingress annotation was my mistake; it seems we need a CRD to do this.
And there is another option if it's still via ingress annotation: it can be extended based on envoy rbac permission matcher to achieve matching based on route name.
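
The ordering problem raised in this thread, as an added Go example that is not part of the PR or of Higress: a policy list walked in insertion order attaches the `/api` prefix policy to a request for `/api/test`, while the same list sorted with route-style precedence picks the exact-match policy. The `Rule` type, both functions and the policy names are hypothetical, and the precedence used (exact before prefix, longer path first) is an assumption about how the route table selects a route.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule is a hypothetical policy-list entry derived from one ingress path.
type Rule struct {
	Path   string
	Exact  bool
	Policy string
}

func (r Rule) matches(path string) bool {
	if r.Exact {
		return path == r.Path
	}
	// Element-wise prefix: "/api" covers "/api" and "/api/...", not "/apix".
	return path == r.Path || strings.HasPrefix(path, strings.TrimSuffix(r.Path, "/")+"/")
}

// FirstMatch walks the list in its current order and returns the first hit.
func FirstMatch(rules []Rule, path string) string {
	for _, r := range rules {
		if r.matches(path) {
			return r.Policy
		}
	}
	return ""
}

// SortLikeRoutes returns a copy ordered exact-before-prefix, then longest
// path first (assumed route precedence), so policy and route selection agree.
func SortLikeRoutes(rules []Rule) []Rule {
	out := append([]Rule(nil), rules...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Exact != out[j].Exact {
			return out[i].Exact
		}
		return len(out[i].Path) > len(out[j].Path)
	})
	return out
}

func main() {
	// Constructed sample: the two ingresses from the question above.
	rules := []Rule{{"/api", false, "policy-api"}, {"/api/test", true, "policy-api-test"}}
	fmt.Println(FirstMatch(rules, "/api/test"), FirstMatch(SortLikeRoutes(rules), "/api/test"))
}
```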
