diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 4a85f726a7f..24604b4b4e7 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -854,6 +854,7 @@ func (t *Translator) buildExtAuth(
 extAuth := &ir.ExtAuth{
 Name: name,
 HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
+ FailOpen: policy.Spec.ExtAuth.FailOpen,
 }
 
 if http != nil {
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
index 91b51dbf237..4a6ba7412f4 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.in.yaml
@@ -63,3 +63,4 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
index 0868f2ae76d..20a44008251 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-matching-port.out.yaml
@@ -103,6 +103,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml
index 1f38853fbe1..cec6e9ce285 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.in.yaml
@@ -62,3 +62,4 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
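Review bot: The added `FailOpen: policy.Spec.ExtAuth.FailOpen` line carries the one setting that lets traffic bypass a failing authorization service, but nothing at this layer says so; a short comment would keep the next reader from treating it as just another passthrough field, e.g. `// FailOpen is security-sensitive: nil or false fails closed; only an explicit true lets requests through when the ext_authz service cannot be reached.` The value is the `*bool` from the policy spec copied as-is, so a nil pointer reaches the xDS layer unchanged, which is where the fail-closed default has to hold. buildExtAuth starts and ends outside the hunk.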
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
index 115a3ba7436..4ade06fec09 100755
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-port.out.yaml
@@ -103,6 +103,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
index 64b15b558b4..f713a1dc730 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.in.yaml
@@ -63,3 +63,4 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
index 1e547408f25..82fc12d534c 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-reference-grant.out.yaml
@@ -103,6 +103,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
index 2ab00957c3f..eb02ed446ac 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.in.yaml
@@ -54,3 +54,4 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
index 47720b9bbb0..980d29cce01 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-invalid-no-service.out.yaml
@@ -103,6 +103,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml
index a088e08d16d..b7769b524bd 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.in.yaml
@@ -210,6 +210,7 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
@@ -229,3 +230,4 @@ securityPolicies:
 backendRef:
 name: grpc-backend
 port: 9000
+ failOpen: true
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml
index b3dc1299f34..5e557abb08c 100755
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth-with-backendtlspolicy.out.yaml
@@ -207,6 +207,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: true
 grpc:
 backendRef:
 name: grpc-backend
@@ -242,6 +243,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
@@ -305,6 +307,7 @@ xdsIR:
 protocol: HTTP
 weight: 1
 extAuth:
+ failOpen: true
 grpc:
 authority: grpc-backend.default:9000
 destination:
@@ -345,6 +348,7 @@ xdsIR:
 protocol: HTTP
 weight: 1
 extAuth:
+ failOpen: false
 http:
 authority: http-backend.envoy-gateway:80
 destination:
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
index a451b576774..3d9382a95ea 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.in.yaml
@@ -150,6 +150,7 @@ securityPolicies:
 headersToBackend:
 - header1
 - header2
+ failOpen: false
 - apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: SecurityPolicy
 metadata:
@@ -169,3 +170,4 @@ securityPolicies:
 backendRef:
 name: grpc-backend
 port: 9000
+ failOpen: true
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
index 25a291a8ca3..066e9ad2f9f 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-extauth.out.yaml
@@ -147,6 +147,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: true
 grpc:
 backendRef:
 name: grpc-backend
@@ -182,6 +183,7 @@ securityPolicies:
 namespace: default
 spec:
 extAuth:
+ failOpen: false
 http:
 backendRef:
 name: http-backend
@@ -245,6 +247,7 @@ xdsIR:
 protocol: HTTP
 weight: 1
 extAuth:
+ failOpen: true
 grpc:
 authority: grpc-backend.default:9000
 destination:
@@ -280,6 +283,7 @@ xdsIR:
 protocol: HTTP
 weight: 1
 extAuth:
+ failOpen: true
 grpc:
 authority: grpc-backend.default:9000
 destination:
@@ -315,6 +319,7 @@ xdsIR:
 protocol: HTTP
 weight: 1
 extAuth:
+ failOpen: false
 http:
 authority: http-backend.envoy-gateway:80
 destination:
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index d2194fb95e8..4f6ed8ac00d 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -599,6 +599,14 @@ type ExtAuth struct {
 // in HeadersToExtAuth or not.
 // +optional
 HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`
+
+ // FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
+ // If FailOpen is set to true, the system allows the traffic to pass through.
+ // Otherwise, if it is set to false or not set (defaulting to false),
+ // the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
+ // This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
+ // +optional
+ FailOpen *bool `json:"failOpen,omitempty"`
 }
 
 // HTTPExtAuthService defines the HTTP External Authorization service
diff --git a/internal/ir/zz_generated.deepcopy.go b/internal/ir/zz_generated.deepcopy.go
index ec9a1ca2bad..e11220e3222 100644
--- a/internal/ir/zz_generated.deepcopy.go
+++ b/internal/ir/zz_generated.deepcopy.go
@@ -461,6 +461,11 @@ func (in *ExtAuth) DeepCopyInto(out *ExtAuth) {
 *out = make([]string, len(*in))
 copy(*out, *in)
 }
+ if in.FailOpen != nil {
+ in, out := &in.FailOpen, &out.FailOpen
+ *out = new(bool)
+ **out = **in
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtAuth.
diff --git a/internal/xds/translator/extauth.go b/internal/xds/translator/extauth.go
index 28e509253aa..102497633e0 100644
--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
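Review bot: The new FailOpen doc comment says the fail-closed path "returns a HTTP 5xx error", but Envoy's ext_authz filter answers an unreachable or erroring authorization service with its `status_on_error` default of 403 unless the translator sets that field, and nothing on this page sets it; confirm against the generated listener config before documenting a 5xx. Suggested wording for that sentence: `the system blocks the traffic and rejects the request (Envoy's ext_authz status_on_error, 403 by default), reflecting a fail-closed approach.` The text presumably mirrors the API type's comment, so the two should be corrected together.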
@@ -102,7 +102,10 @@ func extAuthFilterName(extAuth *ir.ExtAuth) string {
 func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
 config := &extauthv3.ExtAuthz{
 TransportApiVersion: corev3.ApiVersion_V3,
- FailureModeAllow: false,
+ }
+
+ if extAuth.FailOpen != nil {
+ config.FailureModeAllow = *extAuth.FailOpen
 }
 
 var headersToExtAuth []*matcherv3.StringMatcher
diff --git a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
index e8dd3181425..3ed7a397f0c 100644
--- a/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
@@ -35,6 +35,7 @@ http:
 port: 80
 protocol: HTTP
 weight: 1
+ failOpen: false
 - name: httproute/default/httproute-1/rule/1/match/0/www_example_com
 hostname: "*"
 pathMatch:
@@ -62,6 +63,7 @@ http:
 port: 80
 protocol: HTTP
 weight: 1
+ failOpen: false
 - name: httproute/default/httproute-2/rule/0/match/0/www_example_com
 hostname: "*"
 pathMatch:
@@ -88,3 +90,4 @@ http:
 headersToExtAuth:
 - header1
 - header2
+ failOpen: true
diff --git a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
index 1fa830a1f83..35a8b7f7ab5 100644
--- a/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/ext-auth.listeners.yaml
@@ -37,6 +37,7 @@ patterns:
 - exact: header1
 - exact: header2
+ failureModeAllow: true
 grpcService:
 envoyGrpc:
 authority: grpc-backend.default:9000
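Review bot: Dropping the explicit `FailureModeAllow: false` makes the fail-closed default implicit in the proto zero value, so the only reader-visible record of it is now gone; keep it visible with a comment on the new if block, e.g. `// FailureModeAllow stays false (fail closed) unless the policy explicitly sets failOpen: true.` The nil check itself is correct: a nil FailOpen leaves FailureModeAllow false, matching the old behavior and the failOpen: false fixtures. When fail-open is enabled, requests that were never authorized reach the backend indistinguishably from authorized ones; if the Envoy version in use supports ext_authz's `failure_mode_allow_header_add`, consider setting it alongside so upstreams and access logs can tell fail-open traffic apart. extAuthConfig continues past the hunk.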