AuthPolicy API v2

[alexsnaps]

• AuthConfig v1beta2 authorino#400
• Bump Authorino to v0.15.0 #262
• Upgrade AuthPolicy inner types to AuthConfig v1beta2 #247
  • Straight port AuthPolicy's AuthScheme types to be based on AuthConfig v1beta2 types #253
  • Add routeSelectors fields to the AuthPolicy #248
• Bump Authorino Operator to v0.9.0 #263
• Enable superseding of strict host subsets between AuthConfigs #264
• Use Well-known attributes in the generated AuthConfig #265
  • Requires Well known attributes authorino#428
• AuthPolicy status #290
  • Implementation of RFC 0004 for the AuthPolicy
  • Update the status stanza of the AuthPolicy about route selectors that failed to select any HTTPRouteRule
• User-guide: Enforcing authentication & authorisation with Kuadrant AuthPolicy, for app developers and platform engineers
• Docs: Kuadrant AuthPolicy spec
• Document uncovered use-cases. E.g.:
  • Host already taken: 2+ AuthPolicies targeting network resources that list the exact same hostnames (strict subsets not included). E.g.:
    • 2 HTTPRoutes that declare the same hostname (or that declare no hostname at all and are attached to a common gateway); 1 AuthPolicy targeting each HTTPRoute
    • 1 HTTPRoute that repeats a hostname declared in the Gateway (or that declares no hostname at all); 1 AuthPolicy targeting the HTTPRoute + another targeting the Gateway
• Document edge-cases ("exceptions to rules"). E.g.:
  • Top-level route rules and requests to ext-authz
    • Rule: For each AuthPolicy created, the policy controller creates an Istio AuthorizationPolicy resource that ensures that only requests directed to the targeted HTTPRouteRules – based on the declared top-level route selectors (if present), or all requests for which a matching HTTPRouteRule exists (otherwise) – will be checked with the authorisation service (Authorino). Authorino will lookup for the auth scheme (AuthConfig resource) to enforce from the provided hostname of the original request, and check again if the request matches at least one of the selected HTTPRouteRules, in which case it enforces the auth scheme.
    • Exception: The following patterns used in HTTPRouteMatches of top-level route selectors will not be included in the Istio AuthorizationPolicy rules that trigger the check request with Authorino: PathMatchRegularExpression, HeaderMatchRegularExpression, HTTPQueryParamMatch. As a consequence, requests that do not match these rules and otherwise would not be checked with Authorino will be checked with Authorino. Authorino nonetheless will still verify those patterns and ensure the policy is enforced only when it matches at least one of the selected HTTPRouteRules. Users of Kuadrant may observe an unnecessary call to the authorisation service in those cases where the request is out of the scope of the AuthPolicy and therefore always authorised. This is due to limitations of the Istio AuthorizationPolicy that do not support specifying rules for those patterns.
• Gateway API gateway.networking.k8s.io/policy label at the AuthPolicy CRD #278