istio.io icon indicating copy to clipboard operation
istio.io copied to clipboard

Published 20 hours ago verified publisher icon istio

Need doc on authorization policy

Open linsun opened this issue 1 year ago • 3 comments

This is very tricky to get it right for ambient, I expect the doc to cover:

L4 authz policy L7 authz policy Strategy moving from L4 authz policy to L7 authz policy Various scenarios on if authz policy is enforces:

  • with waypoint or without
  • use workload selector or targetRef(s)
  • client is out of mesh or sidecar or ingress gw.
  • does destination ztunnel always trust the destination waypoint?

cc @louiscryan if you have other thoughts.

linsun avatar May 01 '24 01:05 linsun

I can probably tackle/repurpose the L4 authZ policy doc. It may also be helpful to have a doc about how to reason about authorization generally in Ambient

keithmattix avatar May 08 '24 19:05 keithmattix

Thanks Keith! Agreed, a doc on understanding authz in general for ambient would be good.

linsun avatar May 08 '24 20:05 linsun

Looking into creating something for "Various scenarios on if authz policy is enforces"

ilrudie avatar May 09 '24 20:05 ilrudie