Story: As an API Provider, I want to ensure that the upstream service (API) is only configured for my Gateway and not for others, so that I have assurance that there is no unauthorized access to my API.
Some data planes will have an increased level of security where we want tighter controls on which routes can go to which upstreams.
A/C:
Implement a new Gateway attribute perm-upstreams where it will be a list of Openshift projects (<PROJECT>) that will be expected in either the format of <SERVICE>.<PROJECT>.svc or <SERVICE>.<PROJECT>.svc.cluster.local. Any other Service.host values will be rejected.
The enforcement of this validation will be configurable for a data plane, by adding a boolean attribute validate-upstreams to the data_planes_config.json. The gatewayApi code will be updated to perform the validation and return an error if it fails the check.
Considerations:
The perm-upstreams will be updated manually by the gwa-api Gateway platform owner at the time the perm-data-plane is updated. The platform owner should perform suitable manual verification that the Gateway administrators have suitable permission to the Openshift project where the upstream service (API) is deployed.
Story: As an API Provider, I want to ensure that the upstream service (API) is only configured for my Gateway and not for others, so that I have assurance that there is no unauthorized access to my API.
Some data planes will have an increased level of security where we want tighter controls on which routes can go to which upstreams.
A/C:
perm-upstreamswhere it will be a list of Openshift projects (<PROJECT>) that will be expected in either the format of<SERVICE>.<PROJECT>.svcor<SERVICE>.<PROJECT>.svc.cluster.local. Any otherService.hostvalues will be rejected.validate-upstreamsto thedata_planes_config.json. ThegatewayApicode will be updated to perform the validation and return an error if it fails the check.Considerations:
perm-upstreamswill be updated manually by the gwa-api Gateway platform owner at the time theperm-data-planeis updated. The platform owner should perform suitable manual verification that the Gateway administrators have suitable permission to the Openshift project where the upstream service (API) is deployed.