design: add initial external authorization proposal #2643
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2643 +/- ##
=======================================
Coverage 76.88% 76.88%
=======================================
Files 72 72
Lines 5702 5702
=======================================
Hits 4384 4384
Misses 1227 1227
Partials 91 91
|
|
Another thought I had was adding auth to |
I'm not really following this, can you explain this a bit more? |
There's some relevant sequence diagrams in #2459. I can reproduce them here for context.
You would create a
If you used an ExternalName Service to back the SupportService CRD, then you could have an auth server outside the cluster. Not sure if that will need special code to support, or whether we would get it for free from Contour's existing Service support. |
|
xref #1922 |
jpeach
force-pushed
the
external-auth-design
branch
2 times, most recently
from
37697bb
to
49dc967
Compare
|
FYI, @pims convinced me that being able to toggle the fail-open or fail-closed behavior is needed when migrating from internal application auth to external auth, so I'm planning to add that flag to the API. |
jpeach
force-pushed
the
external-auth-design
branch
2 times, most recently
from
5f782c3
to
7c613d1
Compare
|
@jpeach Note to self ... consider what happens to headers injected by the external auth server on routes that have auth disabled. A client request could still present those headers, causing an application to become confused (a request could accidentally be performed as an authorized identity). So perhaps we need to add API to ensure that any injected auth headers are scrubbed from the incoming client request. Envoy has the concept of internal headers, which aligns fairly closely, but that (and the API for removing headers) requires listing specific headers (would be more robust to pattern match IMHO). The Envoy concept on internal requests is also a bit hard to understand and it's not obvious that it would be the right choice in all deployments. |
jpeach
force-pushed
the
external-auth-design
branch
from
7c613d1
to
9c62844
Compare
There was a problem hiding this comment.
I think at this point any concerns I have are squarely in 'implementation detail' territory. This LGTM, but I'd like to see @stevesloka's thoughts as well.
There was a problem hiding this comment.
Looking good @jpeach, just some more questions on bits that aren't clear to me.
|
Also don't want to loose context from a Slack conversation about renaming s/SupportService/ExtensionService: https://kubernetes.slack.com/archives/C8XRH2R4J/p1594707008255100 |
jpeach
force-pushed
the
external-auth-design
branch
from
9c62844
to
8110819
Compare
jpeach
force-pushed
the
external-auth-design
branch
from
8110819
to
b641eae
Compare
|
I'm pretty sure I addressed all the comments, but I'll leave this until next week to give a change for additional feedback. I added a new "Compatibility" section to make it more obvious how auth will interact with existing features. Also |
jpeach
force-pushed
the
external-auth-design
branch
from
b641eae
to
81d02a4
Compare
If the goal of this CRD is to re-use for other bits other than just auth. How does Contour understand that context? For instance, if we use this for rate limiting and features of the spec aren't valid to be set, how could that be implemented? |
The context can be understood from where the CRD is referenced. In this design, Contour can do the right thing because the CRD is referenced from an authorization policy. In logging and rate limiting, there would be a similar context in the
Hard to answer this hypothetical, but since the extension service CRD is basically scoped to generate an Envoy cluster, that's sufficient for the rate limiting and logging cases that we know about. Maybe there could be conflicting use cases in the future, but I expect we could address them by revving the CRD, adding another CRD, or in some other way. |
Ahh ok that could work looking at where it's referenced from. =) |
jpeach
force-pushed
the
external-auth-design
branch
from
81d02a4
to
13ee1f7
Compare
|
| - Most HTTP authorization protocols depend on HTTPS to keep headers and URL query parameters private. | ||
| Supporting only authorization on HTTPS, Contour reduces the changes of misconfiguring this. | ||
| - HTTPS sessions between Envoy and the authorization server are required. | ||
| TLS validation can be configured if necessary (should be recommended), |
There was a problem hiding this comment.
Just a note for future: preferably the Envoy <-> Authorization server connection would be mutually authenticated (related to #2338).
There was a problem hiding this comment.
Yeh that should be doable eventually.
This updates projectcontour#432. This updates projectcontour#2459. This updates projectcontour#2325. Signed-off-by: James Peach <jpeach@vmware.com>
jpeach
force-pushed
the
external-auth-design
branch
from
13ee1f7
to
3ed4de8
Compare
|
Thinking out loud but as this design doc i ntroduces the concept of
ExtensionService, have you considered the idea of using WASM based
extension services instead of just those based on gRPC?
It’s problably premature to take even into consideration but I would like
to put it on the table to see if the new spec definitions can absorb them
in the future.
…On Wed, 22 Jul 2020 at 02:23, James Peach ***@***.***> wrote:
Merged #2643 <#2643> into
master.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#2643 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AARA7FREL5OJQJVWTIFSIYTR4YWQPANCNFSM4OMCA73A>
.
|
In principle the extensionRef field in the |
This updates #432.
This updates #2459.
Signed-off-by: James Peach jpeach@vmware.com