chore: upstream our authorization changes for oauth2-proxy (#11347)
Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
juliusvonkohout authored Nov 1, 2024
1 parent c5b787a commit 60a8865
Showing 1 changed file with 14 additions and 3 deletions.
Expand Up @@ -8,10 +8,21 @@ spec:
matchLabels:
app: ml-pipeline-ui
rules:
# Allow all requests from the ingress gateway
- from:
- source:
namespaces:
- istio-system
principals:
- cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account

# Allow all requests with an `authorization` header but NOT a `kubeflow-userid` header.
# This is needed to allow Kubernetes JWTs to be passed to the KFP API.
- when:
- key: request.headers[authorization]
values:
- "*"
- key: request.headers[kubeflow-userid]
notValues:
- "*"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
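Review bot: the second rule in this hunk (the `when` block ending at `notValues: - "*"`) has no `from` clause, so it admits a request from any source in the mesh as long as some `authorization` header is present (`values: - "*"` matches any value at all) and no `kubeflow-userid` header is sent. Nothing in this policy checks that the bearer token is valid; that is delegated entirely to the backend, and the comment should say which component verifies the JWT and how, so a later reader does not mistake this rule for an authentication step. If the callers that present Kubernetes JWTs are known, narrow the rule with a `from:` / `source:` block the way the first rule does for `istio-ingressgateway-service-account`, rather than matching on header presence alone. Also, the comment says the rule lets JWTs be passed "to the KFP API" while this policy selects `app: ml-pipeline-ui`; if the UI forwards those requests to the API server, state that, otherwise clarify which service actually consumes the token.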
Expand All @@ -32,7 +43,7 @@ spec:
- cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
- cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
- cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
# For user workloads, which cannot user http headers for authentication
# Allow all requests that dont have a `kubeflow-userid` header.
- when:
- key: request.headers[kubeflow-userid]
notValues: ['*']
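Review bot: the rewritten comment keeps two typos: "cannot user http headers" should read "cannot use HTTP headers", and "dont" should be "don't". More substantively, this rule admits any request lacking a `kubeflow-userid` header from any source, with no `authorization` header required, which is looser than the corresponding rule in the ml-pipeline-ui policy above (that one additionally requires `request.headers[authorization]` to be present). If the difference is intentional, for example because the API server rejects unauthenticated requests on its own, the comment should say so; if not, add the same `- key: request.headers[authorization]` / `values: - "*"` condition here. Minor style point: `notValues: ['*']` uses flow style with single quotes while the policy above uses block style with double quotes; pick one form for both policies.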
