kyma icon indicating copy to clipboard operation
kyma copied to clipboard

Published 20 hours ago verified publisher icon kyma-project

API Rule with mutators section set to Allow does not work

Open mjakobczyk opened this issue 4 years ago • 11 comments

Description

According to the current API Gateway documentation in order to expose a service by creating an APIRule CR we can make use of an yaml example that is presented in this section - https://kyma-project.io/docs/components/api-gateway#tutorials-expose-a-service Unfortunately, it turns out that if you set an Allow in mutators section then APIRule will not be applied properly and results in Resource not found error after trying to access the exposed resource.

Found in the latest Kyma v1.18 release.

Expected result

  • including mutators section with Allow set should not crash API Rule
  • hint in documentation should be present to inform not to use mutators section when using Allow access strategy

Actual result

For now such error is presented: {"error":{"code":404,"status":"Not Found","request":"(code)","message":"The requested resource could not be found"}}

Steps to reproduce

Try to apply a new API Rule using following schema: (example is being taken straight from docs, please check the link above)

apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  name: httpbin
spec:
  service:
    host: httpbin.$DOMAIN
    name: httpbin
    port: 8000
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  rules:
    - path: /.*
      methods: ["GET"]
      accessStrategies:
        - handler: allow
      mutators:
        - handler: allow
    - path: /post
      methods: ["POST"]
      accessStrategies:
        - handler: allow
      mutators:
        - handler: allow

Troubleshooting

It looks like Allow access strategy is not being supported by the Oathkeeper under the hood - it does not recognise Removing mutators section completely makes the API Rule work. On basis of example present before, this should work:

apiVersion: gateway.kyma-project.io/v1alpha1
kind: APIRule
metadata:
  name: httpbin
spec:
  service:
    host: httpbin.$DOMAIN
    name: httpbin
    port: 8000
  gateway: kyma-gateway.kyma-system.svc.cluster.local
  rules:
    - path: /.*
      methods: ["GET"]
      accessStrategies:
        - handler: allow
    - path: /post
      methods: ["POST"]
      accessStrategies:
        - handler: allow

mjakobczyk avatar Jan 13 '21 15:01 mjakobczyk

One comment from my side:

accessStrategy named Allow is different than other accessStrategies because it exposes the service directly via Istio VirtualService bypassing the Oathkeeper proxy. As mutators are a feature of Oathkeeper, there is no possibility to use them while using Allow accessStrategy. I agree with Michał that we should mention it in the documentation. IMO APIGateway should simply ignore the mutator in this case, whereas currently when it sees that mutator is configured, it treats the whole configuration like it was configured with other accessStrategy than Allow (it creates an Oathkeeper rule with AllowaccessStrategy, which is not valid in Oathkeeper).

kubadz avatar Jan 13 '21 16:01 kubadz

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar May 13 '21 15:05 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Jul 16 '21 09:07 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Sep 25 '21 14:09 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Nov 27 '21 08:11 kyma-stale-bot[bot]

This issue has been automatically closed due to the lack of recent activity.

kyma-stale-bot[bot] avatar Dec 04 '21 09:12 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Feb 06 '22 09:02 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Apr 10 '22 09:04 kyma-stale-bot[bot]

/remove-lifecycle stale

werdes72 avatar Apr 13 '22 07:04 werdes72

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

kyma-stale-bot[bot] avatar Jul 01 '22 11:07 kyma-stale-bot[bot]

This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 13 '22 04:10 github-actions[bot]

This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Close this issue or PR with /close

If you think that I work incorrectly, kindly raise an issue with the problem.

/lifecycle stale

kyma-bot avatar Dec 18 '22 10:12 kyma-bot

This issue or PR has been automatically closed due to the lack of activity. Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle stale

If you think that I work incorrectly, kindly raise an issue with the problem.

/close

kyma-bot avatar Dec 25 '22 10:12 kyma-bot

@kyma-bot: Closing this issue.

In response to this:

This issue or PR has been automatically closed due to the lack of activity. Thank you for your contributions.

This bot triages issues and PRs according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 7d of inactivity since lifecycle/stale was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle stale

If you think that I work incorrectly, kindly raise an issue with the problem.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

kyma-bot avatar Dec 25 '22 10:12 kyma-bot