[Investigation] Exposing an AuthPolicy from Kuadrant that uses the policy attachment ideas #130
Comments
This sounds like it would be a super useful addition to Istio itself. Have you considered opening an Istio issue and linking to this work?
How about "forking" Istio and implementing ourselves? Is it reasonable in terms of development effort needed to implement such change?
Improving Istio's Gateway API support and capabilities is in the interest of all Istio users. So it's probably safe to assume that Istio will eventually have an API like this and that a Kuadrant-specific resource and controller like this will eventually be deprecated and transitioned to the Istio version. So, you can think of it like technical debt. Definitely better to do it this way rather than forking Istio though! It's always better to get the upstreaming process moving earlier - just filing an Istio issue with this enhancement request and rough proposal at least would raise awareness of the gap and might result in some helpful feedback or collaboration on it.
@markmc we have been working with Daniel Grimm @dgn. There is an open proposal to support Gateway API with AuthorizationPolicy: https://docs.google.com/document/d/1sCA6ReTnAR5tyKwuc7KPMygv2UPOlxL6IEU8Og0nQm0 . However, they are reluctant to change their APIs to use policy attachment currently. This is why we have a mirror of AuthorizationPolicy that adds Gateway API support.
Excellent! So I guess istio/istio#35698 is the closest thing to an upstream tracker for this
Thanks for the update 👍
We moved away from this implementation and towards an implementation that more specifically targeted using Authorino. Using AuthPolicy directly meant some things around auth would be handled in Istio and some things in Authorino. This could lead to confusion and difficulty sharing context between the two. Design for AuthPolicy focused on Authorino: https://hackmd.io/GQAOxDRdQTudSlsWdhtiUg
What
Istio offers an AuthorizationPolicy resource. Unfortunately, it cannot target an HTTPRoute. We want to be able to offer the capabilities in the AuthorizationPolicy but allow it to use the policy attachment principles to bring it in line with what we are doing with the rate limit policy.
We can mirror this API into a Kuadrant API that layers on the target ref capabilities. Additionally, we should think about any properties we don't want to expose, as we will want to default them (host) or because they will not work in the context of a NorthSouth request (source).