mt-broker ingress: Reject unauthorized requests #7980
Assignees
Labels
good first issue
Denotes an issue ready for a new contributor, according to the "help wanted" guidelines.
help wanted
Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
triage/accepted
Issues which should be fixed (post-triage)
Comments
creydr
added
good first issue
creydr
changed the title
|
/assign |
|
@joyxxi Are there anything I can help you with? |
|
@Leo6Leo Hi Leo, thank you for your message. I haven’t encountered any blockers so far, but I’ll definitely reach out if I need any help! |
5 tasks
This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We need to verify in the mt-broker ingress, that an request is authorized. Therefor we should do the following in the mt-broker ingress handler:
.status.policiesis set:EventPolicies(in their.status.from[]).403status code.status.policiesis empty:default-authorization-modeand do the following depending on its value:allow-all: Continue with the requestdeny-all: reject the request with a403status codeallow-same-namespace: check, if the senders identity is from the same namespace, as the Broker. If so, continue with the request, otherwise reject with a403We should also add an e2e test for the above scenarios
Prerequisites:
default-authorization-modefeature flag #7974.status.policies#7976Additional context:
Additional hints for new contributors before starting with this issue:
Draftstatus, the issue is subject to change and thus should not be started to be worked on/assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.The text was updated successfully, but these errors were encountered: