I'd like to propose an exercise to put this to proof.

First, of course, we'd need to agree on the exact set of use cases to cover. IMO, the following one seems "real" enough. At the same time, it's simple (with only 2 Gateways, 2 HTTPRoutes, not too many matching rules) and yet possibly intricate enough.

**Exercise**

Given the following initial network resources:

What are the set of policies (RLP and KAP) and possibly required changes to the network resources to implement the following use cases?

| Policy | Kind | Use case |
|---|---|---|
| RLP | override | 500 rps on all routes matching `*.acme.com`. |
| RLP | default | 100 rps on POST requests to all routes matching `*.acme.com`. |
| KAP | override | IP deny-list on all requests to `*.acme.com`. |
| KAP | default | X.509 certificate authentication on all requests to `*.acme.internal`. |
| RLP | default | 150 rps on all requests to `toys.acme.(com\|internal)`. |
| RLP | default | 50 rps on all requests to `toys.acme.(com\|internal)` containing the `X-Env: canary` request header. |
| RLP | override | Unlimited rps on all requests to `toys.acme.internal/admin/*`. |
| KAP | override | API key authentication on all requests to `toys.acme.com`. |
| KAP | override | DELETE requests forbidden at `toys.acme.com`. |
| KAP | override | All requests forbidden at `toys.acme.com/admin/*`. |
| KAP | override | JSON pattern-matching authorisation to check that path param `{org_name}` matches the value stored in the API key or X.509 cert, on all requests to `toys.acme.(com\|internal)/[^admin/]orgs/{org_name}/*`. |
| KAP | override | K8s SAR authorisation on all requests to `toys.acme.internal/admin/*`. |
| KAP | default | OIDC/JWT authentication on all endpoints matching `*.telemetry.acme.internal`. |
| KAP | override | Additional API key authentication on all requests to `foo.telemetry.acme.internal`. |