feat: support failOpen in ext auth #2948

Merged
merged 2 commits into from
Mar 18, 2024
1 change: 1 addition & 0 deletions internal/gatewayapi/securitypolicy.go
Expand Up @@ -854,6 +854,7 @@ func (t *Translator) buildExtAuth(
extAuth := &ir.ExtAuth{
Name: name,
HeadersToExtAuth: policy.Spec.ExtAuth.HeadersToExtAuth,
FailOpen: policy.Spec.ExtAuth.FailOpen,
}

if http != nil {
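Review bot: The new `FailOpen: policy.Spec.ExtAuth.FailOpen,` line carries the setting into the IR silently, yet a true value turns an ext-auth outage into unauthenticated traffic reaching the backend, so an operator-visible signal is worth adding where the policy is translated: an Info-level log line or a status condition on the SecurityPolicy when fail-open is enabled. buildExtAuth starts above this hunk and continues below it, so the hunk does not show whether a logger or status recorder is already at hand here. A short why-comment on the field would also help the next reader, e.g. `// FailOpen lets traffic through when the ext-auth service cannot be reached; nil/false keeps the fail-closed default.`.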
Expand Up @@ -63,3 +63,4 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
Expand Up @@ -103,6 +103,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Up @@ -62,3 +62,4 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
Expand Up @@ -103,6 +103,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Up @@ -63,3 +63,4 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
Expand Up @@ -103,6 +103,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Up @@ -54,3 +54,4 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
Expand Up @@ -103,6 +103,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Up @@ -210,6 +210,7 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
Expand All @@ -229,3 +230,4 @@ securityPolicies:
backendRef:
name: grpc-backend
port: 9000
failOpen: true
Expand Up @@ -207,6 +207,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: true
grpc:
backendRef:
name: grpc-backend
Expand Down Expand Up @@ -242,6 +243,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Down Expand Up @@ -305,6 +307,7 @@ xdsIR:
protocol: HTTP
weight: 1
extAuth:
failOpen: true
grpc:
authority: grpc-backend.default:9000
destination:
Expand Down Expand Up @@ -345,6 +348,7 @@ xdsIR:
protocol: HTTP
weight: 1
extAuth:
failOpen: false
http:
authority: http-backend.envoy-gateway:80
destination:
Expand Up @@ -150,6 +150,7 @@ securityPolicies:
headersToBackend:
- header1
- header2
failOpen: false
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
Expand All @@ -169,3 +170,4 @@ securityPolicies:
backendRef:
name: grpc-backend
port: 9000
failOpen: true
Expand Up @@ -147,6 +147,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: true
grpc:
backendRef:
name: grpc-backend
Expand Down Expand Up @@ -182,6 +183,7 @@ securityPolicies:
namespace: default
spec:
extAuth:
failOpen: false
http:
backendRef:
name: http-backend
Expand Down Expand Up @@ -245,6 +247,7 @@ xdsIR:
protocol: HTTP
weight: 1
extAuth:
failOpen: true
grpc:
authority: grpc-backend.default:9000
destination:
Expand Down Expand Up @@ -280,6 +283,7 @@ xdsIR:
protocol: HTTP
weight: 1
extAuth:
failOpen: true
grpc:
authority: grpc-backend.default:9000
destination:
Expand Down Expand Up @@ -315,6 +319,7 @@ xdsIR:
protocol: HTTP
weight: 1
extAuth:
failOpen: false
http:
authority: http-backend.envoy-gateway:80
destination:
8 changes: 8 additions & 0 deletions internal/ir/xds.go
Expand Up @@ -599,6 +599,14 @@ type ExtAuth struct {
// in HeadersToExtAuth or not.
// +optional
HeadersToExtAuth []string `json:"headersToExtAuth,omitempty"`

// FailOpen is a switch used to control the behavior when a response from the External Authorization service cannot be obtained.
// If FailOpen is set to true, the system allows the traffic to pass through.
// Otherwise, if it is set to false or not set (defaulting to false),
// the system blocks the traffic and returns a HTTP 5xx error, reflecting a fail-closed approach.
// This setting determines whether to prioritize accessibility over strict security in case of authorization service failure.
// +optional
FailOpen *bool `json:"failOpen,omitempty"`
}

// HTTPExtAuthService defines the HTTP External Authorization service
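Review bot: The doc comment added to ir.ExtAuth says that when the authorization service cannot be reached the system "returns a HTTP 5xx error", but Envoy's ext_authz filter answers such failures with its status_on_error default of 403 Forbidden, and the extAuthConfig change in this PR does not appear to set StatusOnError, so the comment documents a status the gateway does not produce. Suggest `// the system blocks the traffic and returns an error response (Envoy's ext_authz default is 403 Forbidden, per status_on_error), reflecting a fail-closed approach.`. The comment would also benefit from one more sentence warning that in fail-open mode any headers the authorization service would normally inject are absent, so backends must not treat their presence or absence as proof of authorization. It is worth stating explicitly that a nil pointer is treated as false, since that is what the translator relies on.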
5 changes: 5 additions & 0 deletions internal/ir/zz_generated.deepcopy.go


5 changes: 4 additions & 1 deletion internal/xds/translator/extauth.go
Expand Up @@ -102,7 +102,10 @@ func extAuthFilterName(extAuth *ir.ExtAuth) string {
func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
config := &extauthv3.ExtAuthz{
TransportApiVersion: corev3.ApiVersion_V3,
FailureModeAllow: false,
}

if extAuth.FailOpen != nil {
config.FailureModeAllow = *extAuth.FailOpen
}

var headersToExtAuth []*matcherv3.StringMatcher
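Review bot: Requests that reach the backend only because `FailureModeAllow` kicked in are indistinguishable from authorized ones, because nothing in the new `if extAuth.FailOpen != nil` branch marks them; if the targeted Envoy version supports it, setting `config.FailureModeAllowHeaderAdd = true` next to `config.FailureModeAllow = *extAuth.FailOpen` makes Envoy add `x-envoy-auth-failure-mode-allowed: true`, so backends and access logs can tell the two apart. Dropping the explicit `FailureModeAllow: false` literal is behavior-neutral since false is the zero value, so that part is fine. As a style point, the three-line if collapses to `config.FailureModeAllow = extAuth.FailOpen != nil && *extAuth.FailOpen`. extAuthConfig continues past the end of the hunk.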
3 changes: 3 additions & 0 deletions internal/xds/translator/testdata/in/xds-ir/ext-auth.yaml
Expand Up @@ -35,6 +35,7 @@ http:
port: 80
protocol: HTTP
weight: 1
failOpen: false
- name: httproute/default/httproute-1/rule/1/match/0/www_example_com
hostname: "*"
pathMatch:
Expand Down Expand Up @@ -62,6 +63,7 @@ http:
port: 80
protocol: HTTP
weight: 1
failOpen: false
- name: httproute/default/httproute-2/rule/0/match/0/www_example_com
hostname: "*"
pathMatch:
Expand All @@ -88,3 +90,4 @@ http:
headersToExtAuth:
- header1
- header2
failOpen: true
Expand Up @@ -37,6 +37,7 @@
patterns:
- exact: header1
- exact: header2
failureModeAllow: true
grpcService:
envoyGrpc:
authority: grpc-backend.default:9000