hosts field not exposed in the AuthPolicy

[eguzki]

Motivation

Authorino will reject (with 404 Not Found) any request for which there is no matching authconfig object. Exposing the hosts in the spec.authScheme object can lead to unwanted scenarios for the end user and it is, at the very least, error prone. One example to illustrate:

kind: HTTPRoute:
spec:
  hostnames: [`*.company.com`]
---
kind: AuthPolicy
spec:
  authScheme:
    hosts: ["api.petstore.company.com"]

The route allows traffic for *.company.com, but the authconfig object have rules only for api.petstore.company.com, then a request for other.company.com will hit authorino and authorino will reject that traffic. Something clearly unwanted.

Kuadrant core should provide means to configure automatically the authorization process to only protect the wanted domains and pass through the remaining ones.

What

1. Regarding managed AuthConfig

The proposal is to remove hosts from spec.authScheme. The Authconfig object still needs a hosts field, so it will be the kuadrant core, the owner of the authconfig object, who will be filling the hosts field.

The hosts field will be computed in the following way:

• When there are no rules, authconfig's hosts field will be read from the network resource (HTTPRoute or Gateway).
• When there is at least one rule with the hosts field empty/missing, authconfig's hosts field will be read from the network resource (HTTPRoute or Gateway).
• authconfig's hosts field will be the list of hosts appearing in the authpolicy rules

For example:

kind: HTTPRoute:
spec:
  hostnames: [`*.petstore.com`]
----
kind: AuthPolicy
spec:
  rules:
  - hosts: ["api.petstore.com"]
    methods: ["GET"]
  - methods: ["POST"]

in this example, there is a rule with the hosts missing. Then the authconfig's hosts field will be [*.petstore.com]

For example:

kind: HTTPRoute:
spec:
  hostnames: [`*.petstore.com`]
----
kind: AuthPolicy
spec:
  rules:
  - hosts: ["api.petstore.com"]
    methods: ["GET"]
  - hosts: ["admin.petstore.com"]
    paths: ["/admin*"]

in this example, there is a rule with the hosts missing. Then the authconfig's hosts field will be [api.petstore.com, admin.petstore.com]

2. Regarding managed Istio's AuthorizationPolicy

If there is a rule in the kuadrant's auth that does not have hosts specified, kuadrant will add the hostnames from the network resource when reconciling the AuthorizationPolicy.

For example:

kind: AuthPolicy
spec:
  rules:
  - paths: ["/toy*"]

The reconciled Istio's AuthorizationPolicy will include the network resource's (route) hostnames

piVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
spec:
  action: CUSTOM
  provider:
    name: kuadrant-authorization
  rules:
  - to:
    - operation:
        hosts:
        - '*.toystore.com'
        paths:
        - /toy*
  selector: {}

The Istio's authorization policies configure a common (shared) envoy's authorization filter. The rules coming from a kuadrant's policy targeting a given route should all be scoped to the route's traffic workloads.

[eguzki]

@Kuadrant/engineering looking for comments / feedback.

[didierofrivia]

I know there's already a PR ready for review, but wanted to ask whether would make sense or not to reflect the list of hosts targeted by the AuthPolicy within its Status ?

[eguzki]

For completeness, I think it is valid.