Closed rahulanand16nov closed 2 years ago
I wonder in the future whether Istio's
EnvoyFilter
resource won't be a better fit for us compared to (more limited)AuthorizationPolicy
. (Consider, e.g., the use case for host override via context extension.)
We had earlier implemented extAuthz API in the wasm-shim
as well, but it was later removed. We can support all the cases with just one wasm module, i.e., pre-auth RL, auth (with context extension), and post-auth RL. Since context extension is per route thing, we come to the same problem of having an ID on the rules to match upon by EnvoyFilter
, which to me is a bad UX.
@guicassolato If you think it's something desirable then we can talk about it more during the tech discussion like how will the design of AuthPolicy
change to allow users to specify context extensions.
155
Verification Steps:
make local-setup
kubectl apply -f examples/toystore/toystore.yaml
kubectl apply -f examples/toystore/httproute.yaml
kubectl apply -f config/samples/apim_v1alpha1_authpolicy.yaml
kubectl get authconfig -A NAMESPACE NAME READY kuadrant-system ap-default-toystore-1 true
kubectl get authorizationpolicy -n kuadrant-system No resources found in kuadrant-system namespace.