Open jisaacks opened 1 month ago
istio may not be able to intercept web-socket traffic easily. Wonder if it would be reasonable to have the client connected to istio and istio also connected to the main container as a middle man. That way istio receives the web-socket messages, can process them, then forward them to the main service on the second socket.
Describe the feature request
I am using istio for request authentication.
The problem is, my server also supports web socket connections as graphql subscriptions (via apollo)
This is the general flow at the network level.
I think to make istio able to authorize this, we would need a way to specify something like
fromSocketMessage
and then we would need a way to drill into the message to access the property (similar tofromHeaders
) like so:This would change the payload from:
to:
Then maybe the AuthorizationPolicy could have support for something like this:
Meaning when a websocket message is sent, and the data contains the key
payload.type
and the value is "connection_init"I am trying to do this in an agnostic way that could work with any type of web sockets, to authenticate based on the socket payload.
Affected product area (please put an X in all that apply)
[ X] Security