pomerium / ingress-controller

Pomerium Kubernetes Ingress Controller
https://pomerium.com
Apache License 2.0
22 stars 11 forks

Support for rego policy over PPL #1018

Closed Dev25 closed 1 month ago

Dev25 commented 1 month ago

Pomerium has Rego support as an alternative to PPL. There is no explicit mention of whether this is supported via the existing annotation or a new one for ingress-controller.

- https://www.pomerium.com/docs/capabilities/authorization#rego-support
- https://www.pomerium.com/docs/reference/routes/policy
- https://www.pomerium.com/docs/k8s/ingress#set-authorization-policy

Trying to define a Rego policy using the existing annotation gives an error with the latest main build of ingress-controller, e.g.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rego-test
  annotations:
    ingress.pomerium.io/policy: |
      package pomerium.policy
      allow := true
    ingress.pomerium.io/pass_identity_headers: "true"
spec:
  ingressClassName: pomerium
  rules:
    - host: "verify.localhost"
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: verify
                port:
                  number: 8000
```
```
Events:
  Type     Reason       Age                From              Message
  ----     ------       ----               ----              -------
  Warning  UpdateError  3s (x19 over 18m)  pomerium-ingress  parsing ingress: annotations: applying policy annotations: parsing policy: invalid rules in policy: unsupported type for rule: parser.String
```
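For comparison, here is the same route expressed with a PPL policy in the `ingress.pomerium.io/policy` annotation, which is the format the annotation's parser expects (a list of rules rather than a Rego module, which is why the Rego text above is rejected as a bare string). This is an added example, not code from the original post or from the Pomerium project; it assumes the PPL `accept: true` criterion as the equivalent of the Rego `allow := true`, and the host, service name and port are reused from the manifest above.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ppl-test
  annotations:
    # PPL, not Rego: a YAML list of rules. `accept: true` always matches,
    # so this is the PPL counterpart of `allow := true` (assumed criterion).
    ingress.pomerium.io/policy: |
      - allow:
          or:
            - accept: true
    ingress.pomerium.io/pass_identity_headers: "true"
spec:
  ingressClassName: pomerium
  rules:
    - host: "verify.localhost"
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: verify
                port:
                  number: 8000
```

An always-allow rule is only useful for confirming that the annotation parses; in practice the `or` block would carry a real criterion such as `domain`, `email` or `groups` so the route is restricted to an identity, not to anyone who can reach the proxy.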
kenjenkins commented 1 month ago

Hi @Dev25, thanks for the question. Custom Rego policies are supported only for Pomerium Enterprise. We're working on updating the documentation to make this clearer.