contour
Cannot disable Global External Authorization by default using authPolicy.disabled
What steps did you take and what happened:
We have been trying to set up GlobalExtAuth in our Contour deployment, and we wanted to disable it on all routes by default and ask our clients to enable it if they need to use it on their HTTPProxies.
But when we configured globalExtAuth and set globalExtAuth.authPolicy.disabled to true, the External Authorization is still applied to all HTTPProxies even though they didn't ask for it.
What did you expect to happen:
We expected (according to the Contour GlobalAuthorizationPolicy API Specification) that when we set globalExtAuth.authPolicy.disabled to true, the external authorization is not applied to any routes unless it is specifically configured to be used by either virtualhost.authorization.authPolicy.disabled or route.authPolicy.disabled.
Environment:
- Contour version: 1.29
- Kubernetes version: (use kubectl version): 1.27
How to replicate this: Use the following configs:
in ContourConfiguration:
apiVersion: projectcontour.io/v1alpha1
kind: ContourConfiguration
metadata:
  ...
  name: contour-config
  namespace: contour
spec:
  ...
  globalExtAuth:
    authPolicy:
      disabled: true
    extensionRef:
      name: cerberus-auth
      namespace: cerberus-operator-system
    failOpen: false
    responseTimeout: 1s
  ...
in sample HTTPProxy:
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: test-proxy
spec:
  routes:
  - conditions:
    - exact: /
    permitInsecure: true
    services:
    - name: echo
      port: 80
      weight: 100
  virtualhost:
    fqdn: test-route.example.com
    tls:
      minimumProtocolVersion: "1.2"
      secretName: <certificate-secret>
Then, if you call test-route.example.com, Envoy will try to authorize using the authorization service specified in ContourConfiguration.
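The precedence this report expects (route setting over virtual host setting over the global default), written out as an added example that is not part of the original issue and is not Contour's code. The function names and the /private route are constructed for illustration; the result is the expected outcome, which the report says Contour 1.29 does not produce.

```python
# Added example: the precedence the issue expects for authPolicy.disabled.
# Not Contour's implementation; specs are plain dicts mirroring the YAML above.

def _disabled(policy):
    """True/False when the policy sets `disabled`, None when it is unset."""
    if isinstance(policy, dict) and "disabled" in policy:
        return bool(policy["disabled"])
    return None

def _label(route, index):
    """Name a route by its first exact/prefix condition (hypothetical helper)."""
    for cond in route.get("conditions", []):
        for key in ("exact", "prefix"):
            if key in cond:
                return cond[key]
    return f"route[{index}]"

def expected_auth(contour_spec, proxy_spec):
    """Return {route: bool}; True means global ext auth is expected to run."""
    global_auth = contour_spec.get("globalExtAuth")
    routes = proxy_spec.get("routes", [])
    if global_auth is None:  # no global authorization server configured
        return {_label(r, i): False for i, r in enumerate(routes)}
    global_off = _disabled(global_auth.get("authPolicy")) or False
    vhost = proxy_spec.get("virtualhost", {})
    vhost_off = _disabled(vhost.get("authorization", {}).get("authPolicy"))
    result = {}
    for i, route in enumerate(routes):
        # Most specific setting wins: route, then virtual host, then global.
        settings = (_disabled(route.get("authPolicy")), vhost_off, global_off)
        off = next(s for s in settings if s is not None)
        result[_label(route, i)] = not off
    return result

# Constructed input: the issue's config plus a made-up /private route that opts in.
CONTOUR_SPEC = {"globalExtAuth": {"authPolicy": {"disabled": True}, "failOpen": False}}
PROXY_SPEC = {
    "virtualhost": {"fqdn": "test-route.example.com"},
    "routes": [
        {"conditions": [{"exact": "/"}], "services": [{"name": "echo", "port": 80}]},
        {"conditions": [{"prefix": "/private"}], "authPolicy": {"disabled": False},
         "services": [{"name": "echo", "port": 80}]},
    ],
}

if __name__ == "__main__":
    for path, on in expected_auth(CONTOUR_SPEC, PROXY_SPEC).items():
        print(f"{path}: ext auth {'expected' if on else 'not expected'}")
```

Comparing this expected map with what the authorization service actually receives for each route shows where the deployed behaviour diverges.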
@sunjayBhatia Can I have your comment on this please?
If you think we should fix it, let us know so we start the merge request. @skriss @sunjayBhatia @stevesloka @tsaarni
The Contour project currently lacks enough contributors to adequately respond to all Issues.
This bot triages Issues according to the following rules:
- After 60d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, the Issue is closed
You can:
- Mark this Issue as fresh by commenting
- Close this Issue
- Offer to help out with triage
Please send feedback to the #contour channel in the Kubernetes Slack
Thank you @tsaarni for the labels