The AuthPolicy Custom Resource Definition (CRD)¶
- AuthPolicy
- AuthPolicySpec
- AuthPolicyCommonSpec
- AuthScheme
- AuthRuleCommon
- AuthenticationRule
- MetadataRule
- AuthorizationRule
- ResponseSpec
- SuccessResponseSpec
- SuccessResponseItem
- CallbackRule
- NamedPattern
- AuthPolicyStatus
- ConditionSpec
AuthPolicy¶
Field | Type | Required | Description |
---|---|---|---|
spec | AuthPolicySpec | Yes | The specification for the AuthPolicy custom resource |
status | AuthPolicyStatus | No | The status of the custom resource |
AuthPolicySpec¶
Field | Type | Required | Description |
---|---|---|---|
targetRef | PolicyTargetReference | Yes | Reference to the Kubernetes resource (a Gateway or an HTTPRoute) that the policy attaches to |
rules | AuthScheme | No | Implicit default authentication/authorization rules |
routeSelectors | []RouteSelector | No | List of implicit default selectors of HTTPRouteRules whose matching rules activate the policy. At least one HTTPRouteRule must be selected to activate the policy. If omitted, all HTTPRouteRules of the targeted HTTPRoute activate the policy. Do not use it in policies targeting a Gateway. |
patterns | Map<String: NamedPattern> | No | Implicit default named patterns, each a list of selector, operator and value tuples, to be reused in when conditions and in pattern-matching authorization rules. |
when | []PatternExpressionOrRef | No | List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering on attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway. |
defaults | AuthPolicyCommonSpec | No | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: spec.rules, spec.routeSelectors, spec.patterns, spec.when |
overrides | AuthPolicyCommonSpec | No | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: spec.rules, spec.routeSelectors, spec.patterns, spec.when, spec.defaults |
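An added example (not taken from the original page or from the Kuadrant project) showing the two places a policy's rules can live: a Gateway policy that carries explicit `defaults`, applied to any route behind the gateway that has no policy of its own, and an HTTPRoute policy written with the implicit default field `spec.rules`. The API version `kuadrant.io/v1beta2`, the Gateway and HTTPRoute names and the issuer URL are assumptions.

```yaml
# Gateway-level fallback: deny everything for routes that declare no policy.
# Because this is written as explicit `defaults`, a route-level AuthPolicy
# replaces these rules atomically. Changing `defaults:` to `overrides:` would
# invert that: the gateway rules would then win over every route policy and
# all routes behind the gateway would be denied.
apiVersion: kuadrant.io/v1beta2            # assumed API version
kind: AuthPolicy
metadata:
  name: gw-deny-by-default
  namespace: kuadrant-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: kuadrant-ingressgateway          # assumed Gateway name
  defaults:                                # cannot be combined with spec.rules/routeSelectors/patterns/when
    rules:
      authorization:
        "deny-all":
          opa:
            rego: "allow = false"
---
# Route-level policy using the implicit default fields. spec.rules may be
# accompanied by spec.routeSelectors, spec.patterns and spec.when, but not by
# spec.defaults or spec.overrides: that combination is rejected.
apiVersion: kuadrant.io/v1beta2
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore                         # assumed HTTPRoute name
  rules:
    authentication:
      "keycloak":
        jwt:
          issuerUrl: https://keycloak.example.com/realms/toystore   # assumed issuer
    authorization:
      "admins":
        patternMatching:
          patterns:
          - selector: auth.identity.realm_access.roles
            operator: incl
            value: admin
```

After applying both, inspect `status.conditions` of each AuthPolicy (see AuthPolicyStatus below) before trusting that the route is enforced; a policy whose condition is not `True` is not protecting anything.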
AuthPolicyCommonSpec¶
Field | Type | Required | Description |
---|---|---|---|
rules | AuthScheme | No | Authentication/authorization rules |
routeSelectors | []RouteSelector | No | List of selectors of HTTPRouteRules whose matching rules activate the policy. At least one HTTPRouteRule must be selected to activate the policy. If omitted, all HTTPRouteRules of the targeted HTTPRoute activate the policy. Do not use it in policies targeting a Gateway. |
patterns | Map<String: NamedPattern> | No | Named patterns, each a list of selector, operator and value tuples, to be reused in when conditions and in pattern-matching authorization rules. |
when | []PatternExpressionOrRef | No | List of additional dynamic conditions (expressions) to activate the policy. Use it for filtering on attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway. |
AuthScheme¶
Field | Type | Required | Description |
---|---|---|---|
authentication | Map<String: AuthenticationRule> | No | Authentication rules. At least one config MUST evaluate to a valid identity object for the auth request to be successful. If omitted or empty, anonymous access is assumed. |
metadata | Map<String: MetadataRule> | No | Rules for fetching auth metadata from external sources. |
authorization | Map<String: AuthorizationRule> | No | Authorization rules. All policies MUST allow access for the auth request to be successful. |
response | ResponseSpec | No | Customizations to the response to the authorization request. Use it to set custom values for unauthenticated, unauthorized, and/or successful access requests. |
callbacks | Map<String: CallbackRule> | No | Rules for post-authorization callback requests to external services. Triggered regardless of the result of the authorization request. |
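The evaluation semantics of the five blocks are the part that matters for security: authentication rules are alternatives (OR), authorization rules all have to pass (AND), metadata is fetched in between and can feed the authorization decision, and callbacks fire whatever the outcome. The following `rules` block is an added illustration of that, not code from the page or the project; the audience value, the in-cluster service URLs and the `maintenance` flag endpoint are assumptions.

```yaml
rules:
  # authentication: alternatives. The request is authenticated as soon as ONE
  # rule yields an identity object; if none does, the request is unauthenticated.
  authentication:
    "service-accounts":
      kubernetesTokenReview:
        audiences:
        - https://kubernetes.default.svc.cluster.local   # assumed audience
    "api-key-users":
      apiKey:
        selector:
          matchLabels:
            app: toystore          # Secrets carrying the keys must have this label
      credentials:
        customHeader:
          name: X-API-KEY          # instead of the default "Authorization: Bearer"
  # metadata: fetched after identity is known; result is exposed to the
  # authorization phase as auth.metadata.<rule name>.
  metadata:
    "maintenance":
      http:
        url: http://ops-flags.default.svc.cluster.local:8080/flags/maintenance   # assumed endpoint
        method: GET
  # authorization: conjunction. EVERY rule must allow; a single denial rejects.
  authorization:
    "read-only-during-maintenance":
      opa:
        rego: |
          allow { not input.auth.metadata.maintenance.enabled }
          allow { input.context.request.http.method == "GET" }
    "public-api-paths-only":
      patternMatching:
        patterns:
        - selector: request.path
          operator: matches
          value: ^/api/v1/
  # response: what the client sees on failure (the default is a bare 401/403).
  response:
    unauthenticated:
      code: 401
      headers:
        "www-authenticate":
          value: 'Bearer realm="toystore"'
    unauthorized:
      code: 403
      message:
        value: request denied by AuthPolicy
  # callbacks: fired after the decision regardless of outcome; handy for audit.
  # The braces around the JSON are escaped so that only the {...} selectors
  # inside are interpolated.
  callbacks:
    "audit-log":
      http:
        url: http://audit.default.svc.cluster.local:8080/events   # assumed endpoint
        method: POST
        contentType: application/json
        body:
          selector: |
            \{"path":"{request.path}","method":"{request.method}","authorization":{auth.authorization}\}
```

Two consequences worth checking in a review: adding a second `authentication` rule widens access (any one of them is enough), while adding a second `authorization` rule only ever narrows it; and an `authentication` block that is empty or absent means anonymous access, which is easy to do by accident when a rule is commented out.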
AuthRuleCommon¶
Field | Type | Required | Description |
---|---|---|---|
routeSelectors | []RouteSelector | No | List of selectors of HTTPRouteRules whose matching rules activate the auth rule. At least one HTTPRouteRule must be selected to activate the auth rule. If omitted, the auth rule is activated for all requests where the policy is enforced. Do not use it in policies targeting a Gateway. |
when | []PatternExpressionOrRef | No | List of additional dynamic conditions (expressions) to activate the auth rule. Use it for filtering on attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway. |
cache | Caching spec | No | Caching options for the resolved object returned when applying this auth rule. (Default: disabled) |
priority | Integer | No | Priority group of the auth rule. All rules in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. (Default: 0) |
metrics | Boolean | No | Whether the auth rule emits individual observability metrics. (Default: false) |
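The common fields scope and schedule individual rules rather than the whole policy. The `rules` block below is an added example (not from the page or the project) of each of them: a cached metadata lookup, a second lookup in a later priority group that depends on the first, and an authorization rule activated only for part of the route. Issuer and service URLs are assumptions.

```yaml
rules:
  authentication:
    # Deliberately unscoped: every request to the route must still present a
    # JWT. Scoping the only authentication rule would leave the other requests
    # with no identity, so the narrowing is done on the authorization rule below.
    "keycloak":
      jwt:
        issuerUrl: https://keycloak.example.com/realms/toystore   # assumed issuer
  metadata:
    # Priority 0 (the default): runs first. The fetched profile is cached per
    # subject for 5 minutes, so repeated calls by the same user do not hit the
    # service again; a revoked profile therefore lingers for up to ttl seconds.
    "profile":
      http:
        url: http://profile.default.svc.cluster.local:8080/users/{auth.identity.sub}   # assumed
        method: GET
      cache:
        key:
          selector: auth.identity.sub
        ttl: 300
      metrics: true          # emit per-rule metrics for this external call
    # Priority 1: starts only after all priority-0 metadata rules have finished,
    # which is what makes auth.metadata.profile safe to reference here.
    "quota":
      priority: 1
      http:
        url: http://quota.default.svc.cluster.local:8080/teams/{auth.metadata.profile.team}/quota   # assumed
        method: GET
  authorization:
    # Active only for the /admin rule(s) of the targeted HTTPRoute and only for
    # non-GET requests; other requests skip this rule (and, having no other
    # authorization rule, are allowed once authenticated).
    "admin-writes":
      routeSelectors:
      - matches:
        - path:
            type: PathPrefix
            value: /admin
      when:
      - selector: request.method
        operator: neq
        value: GET
      patternMatching:
        patterns:
        - selector: auth.identity.realm_access.roles
          operator: incl
          value: admin
```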
AuthenticationRule¶
Field | Type | Required | Description |
---|---|---|---|
apiKey | API Key authentication spec | No | Authentication based on API keys stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
kubernetesTokenReview | KubernetesTokenReview spec | No | Authentication by Kubernetes TokenReview. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
jwt | JWT verification spec | No | Authentication based on JSON Web Tokens (JWT). Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
oauth2Introspection | OAuth2 Token Introspection spec | No | Authentication by OAuth2 token introspection. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
x509 | X.509 authentication spec | No | Authentication based on client X.509 certificates. The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
plain | Plain identity object spec | No | Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object is passed to Authorino as JSON in the auth request. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
anonymous | Anonymous access | No | Anonymous access. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous. |
credentials | Auth credentials spec | No | Customizations to where the credentials are required to be passed in the request for authentication based on this auth rule. Defaults to the HTTP Authorization header with prefix "Bearer". |
overrides | Identity extension spec | No | JSON overrides to set on the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc.). |
defaults | Identity extension spec | No | JSON defaults to set on the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc.). |
(inline) | AuthRuleCommon | No | |
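Because the identity object differs per method (a Secret for `apiKey`, the verified claims for `jwt`, an empty object for `anonymous`), authorization rules written against it tend to break when a second method is added. The added example below (not from the page or the project) uses `defaults` and `overrides` to normalise three methods onto the same `auth.identity.username` and `auth.identity.auth_method` fields, shows the non-default credential locations, and scopes `anonymous` so that it cannot short-circuit the other two. The Secret annotation name, issuer URL and health-check path are assumptions.

```yaml
rules:
  authentication:
    # 1. API keys held in Secrets labelled app=toystore in the policy namespace
    #    (allNamespaces: true would also accept keys from other namespaces).
    #    Clients send the key in a custom header; the identity object is the
    #    Secret itself, so the username comes from one of its annotations.
    "api-key":
      apiKey:
        selector:
          matchLabels:
            app: toystore
        allNamespaces: false
      credentials:
        customHeader:
          name: X-API-KEY
      defaults:                 # set only when the field is absent
        username:
          selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id   # assumed annotation
      overrides:                # always set, so a client cannot spoof it
        auth_method:
          value: api-key
    # 2. JWTs from the assumed issuer, taken from a query parameter instead of
    #    the Authorization header (e.g. for browser EventSource clients).
    #    Identity is the set of verified claims.
    "jwt":
      jwt:
        issuerUrl: https://keycloak.example.com/realms/toystore   # assumed issuer
      credentials:
        queryString:
          name: access_token
      defaults:
        username:
          selector: auth.identity.preferred_username
      overrides:
        auth_method:
          value: jwt
    # 3. Anonymous access, restricted to the health-check path. Without the
    #    `when` condition this rule would authenticate every request and make
    #    the two rules above pointless, since any one match is enough.
    "health-probe":
      anonymous: {}
      when:
      - selector: request.path
        operator: eq
        value: /healthz          # assumed path
      overrides:
        username:
          value: anonymous
        auth_method:
          value: anonymous
  authorization:
    # Written once, against the normalised fields, for all three methods.
    "no-anonymous-writes":
      when:
      - selector: request.method
        operator: neq
        value: GET
      patternMatching:
        patterns:
        - selector: auth.identity.auth_method
          operator: neq
          value: anonymous
```

The `overrides` block is the one to reach for when an authorization rule must not be influenced by anything the client controls: a JWT claim or Secret annotation named `auth_method` would be replaced, not merged, by the override.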
MetadataRule¶
Field | Type | Required | Description |
---|---|---|---|
http | HTTP GET/GET-by-POST external metadata spec | No | External source of auth metadata via HTTP request. Use one of: http, userInfo, uma. |
userInfo | OIDC UserInfo spec | No | OpenID Connect UserInfo linked to an OIDC authentication rule declared in this same AuthPolicy. Use one of: http, userInfo, uma. |
uma | UMA metadata spec | No | User-Managed Access (UMA) source of resource data. Use one of: http, userInfo, uma. |
(inline) | AuthRuleCommon | No | |
AuthorizationRule¶
Field | Type | Required | Description |
---|---|---|---|
patternMatching | Pattern-matching authorization spec | No | Pattern-matching authorization rules. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb. |
opa | OPA authorization spec | No | Open Policy Agent (OPA) Rego policy. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb. |
kubernetesSubjectAccessReview | Kubernetes SubjectAccessReview spec | No | Authorization by Kubernetes SubjectAccessReview. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb. |
spicedb | SpiceDB authorization spec | No | Authorization decision delegated to an external Authzed/SpiceDB server. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb. |
(inline) | AuthRuleCommon | No | |
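An added example (not from the page or the project) pairing Kubernetes-native authentication with the two authorization methods that are easiest to get wrong: a SubjectAccessReview that delegates the decision to the API server's RBAC, and an OPA rule that pins the caller to a namespace. The audience value and the namespace/resource names are assumptions.

```yaml
rules:
  authentication:
    # Service-account tokens validated by the API server (TokenReview). The
    # identity object is the TokenReview status, hence auth.identity.user.*
    "k8s-service-accounts":
      kubernetesTokenReview:
        audiences:
        - https://kubernetes.default.svc.cluster.local   # assumed audience
  authorization:
    # Ask the API server whether this user may `get` pods in namespace
    # toystore. The answer comes from whatever RoleBindings exist, so the
    # AuthPolicy never has to list users. Omitting resourceAttributes would
    # instead perform a non-resource SAR on the request path and method.
    "rbac":
      kubernetesSubjectAccessReview:
        user:
          selector: auth.identity.user.username
        resourceAttributes:
          namespace:
            value: toystore          # assumed namespace
          group:
            value: ""
          resource:
            value: pods
          verb:
            value: get
    # Belt and braces: even with a permissive RoleBinding, only service
    # accounts from the toystore namespace are accepted by this route.
    "same-namespace-only":
      opa:
        rego: |
          allow {
            startswith(input.auth.identity.user.username, "system:serviceaccount:toystore:")
          }
```

Both rules must allow (authorization rules are ANDed), so a cluster-admin service account from another namespace is still rejected by the second rule. Keep `rego` policies small and explicit: a rule that defines `allow` only under some conditions denies by default, which is the behaviour you want.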
ResponseSpec¶
Field | Type | Required | Description |
---|---|---|---|
unauthenticated | Custom denial status spec | No | Customizations of the denial status and other HTTP attributes when the request is unauthenticated. (Default: 401 Unauthorized) |
unauthorized | Custom denial status spec | No | Customizations of the denial status and other HTTP attributes when the request is unauthorized. (Default: 403 Forbidden) |
success | SuccessResponseSpec | No | Response items to be included in the auth response when the request is authenticated and authorized. |
SuccessResponseSpec¶
Field | Type | Required | Description |
---|---|---|---|
headers | Map<String: SuccessResponseItem> | No | Custom success response items wrapped as HTTP headers to be injected in the request. |
dynamicMetadata | Map<String: SuccessResponseItem> | No | Custom success response items wrapped as Envoy Dynamic Metadata. Use it to pass data along to other proxy filters, such as the rate-limit filter. |
SuccessResponseItem¶
Field | Type | Required | Description |
---|---|---|---|
plain | Plain text response item | No | Plain text content. Use one of: plain, json, wristband. |
json | JSON injection response item | No | Specification of a JSON object. Use one of: plain, json, wristband. |
wristband | Festival Wristband token response item | No | Festival Wristband token (a signed JWT issued by Authorino) with custom claims. Use one of: plain, json, wristband. |
key | String | No | The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). Defaults to the name of the response item if omitted. |
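The three response sections together, as an added example (not from the page or the project): custom denial responses, each kind of success item injected as a request header, and one item exported as Envoy dynamic metadata for a rate-limit filter. The issuer URL, the wristband issuer and signing-key Secret, and the header names are assumptions.

```yaml
rules:
  authentication:
    "keycloak":
      jwt:
        issuerUrl: https://keycloak.example.com/realms/toystore   # assumed issuer
  response:
    # Denials: control status, headers and body instead of the bare defaults.
    unauthenticated:
      code: 401
      headers:
        "www-authenticate":
          value: 'Bearer realm="toystore"'
      message:
        value: missing or invalid credentials
    unauthorized:
      code: 403
      headers:
        "content-type":
          value: application/json
      body:
        value: '{"error":"forbidden","message":"you do not have access to this resource"}'
    success:
      # Headers are added to the request forwarded upstream. The upstream must
      # trust the proxy to have stripped client-supplied headers of the same
      # name; otherwise a client could forge x-auth-data.
      headers:
        # plain: one scalar value
        "x-auth-subject":
          plain:
            selector: auth.identity.sub
        # json: an object serialised into a single header
        "x-auth-data":
          json:
            properties:
              "username":
                selector: auth.identity.preferred_username
              "roles":
                selector: auth.identity.realm_access.roles
        # wristband: a short-lived JWT signed by Authorino, so the upstream can
        # verify the identity cryptographically rather than trust a header.
        # `key` renames the header; the item name "wristband" is not used.
        "wristband":
          key: x-ext-auth-wristband
          wristband:
            issuer: https://authorino-authorino-authorization.default.svc.cluster.local:8003/default/toystore   # assumed
            tokenDuration: 300
            customClaims:
              "username":
                selector: auth.identity.preferred_username
            signingKeyRefs:
            - name: wristband-signing-key   # assumed Secret holding the private key
              algorithm: ES256
      # Dynamic metadata never reaches the client; other Envoy filters read it.
      # A RateLimitPolicy can key its counters on this `identity.userid`.
      dynamicMetadata:
        "identity":
          json:
            properties:
              "userid":
                selector: auth.identity.sub
```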
CallbackRule¶
Field | Type | Required | Description |
---|---|---|---|
http | HTTP endpoints callback spec | No | HTTP endpoint settings to build the callback request (webhook). |
(inline) | AuthRuleCommon | No | |
NamedPattern¶
Field | Type | Required | Description |
---|---|---|---|
selector | String | Yes | A valid Well-known attribute whose resolved value in the data plane will be compared to value, using the operator. |
operator | String | Yes | The binary operator to be applied to the resolved value specified by the selector. One of: eq (equal to), neq (not equal to), incl (includes; for arrays), excl (excludes; for arrays), matches (regex). |
value | String | Yes | The static value to be compared to the one resolved from the selector. |
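Named patterns stop the same selector/operator/value tuples being copied between `when` conditions and `patternMatching` rules, where a later edit to one copy and not the other is a classic way to open a hole. The policy below is an added example (not from the page or the project); the HTTPRoute name and issuer URL are assumptions.

```yaml
apiVersion: kuadrant.io/v1beta2            # assumed API version
kind: AuthPolicy
metadata:
  name: toystore
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: toystore                         # assumed HTTPRoute name
  # Each name maps to a list of tuples that must ALL hold for the pattern to match.
  patterns:
    "write-method":
    - selector: request.method
      operator: matches
      value: ^(POST|PUT|PATCH|DELETE)$
    "admin-path":
    - selector: request.path
      operator: matches
      value: ^/admin(/.*)?$
    "is-admin":
    - selector: auth.identity.realm_access.roles
      operator: incl
      value: admin
    "not-from-service-account":
    - selector: auth.identity.preferred_username
      operator: neq
      value: ""
    - selector: auth.identity.preferred_username
      operator: matches
      value: ^(?:[a-z0-9._-]+)$
  rules:
    authentication:
      "keycloak":
        jwt:
          issuerUrl: https://keycloak.example.com/realms/toystore   # assumed issuer
    authorization:
      # Reused in a rule-level `when`: this rule is active only for writes...
      "writes-need-admin":
        when:
        - patternRef: write-method
        # ...and reused in the decision itself: the writer must be an admin.
        patternMatching:
          patterns:
          - patternRef: is-admin
      # Admin UI is admin-only for every method, and only for human users.
      "admin-ui":
        when:
        - patternRef: admin-path
        patternMatching:
          patterns:
          - patternRef: is-admin
          - patternRef: not-from-service-account
```

Note the asymmetry: a pattern used in `when` decides whether a rule is consulted at all, while the same pattern used under `patternMatching` decides whether the rule allows. A request that matches neither `write-method` nor `admin-path` is consulted by no authorization rule and is therefore allowed once authenticated; if that is not intended, add an unconditioned authorization rule.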
AuthPolicyStatus¶
Field | Type | Description |
---|---|---|
observedGeneration | Integer | Number of the last observed generation of the resource. Use it to check whether the status info is up to date with the latest resource spec. |
conditions | []ConditionSpec | List of conditions that define the status of the resource. |
ConditionSpec¶
- The lastTransitionTime field provides a timestamp for when the entity last transitioned from one status to another.
- The message field is a human-readable message indicating details about the transition.
- The reason field is a unique, one-word, CamelCase reason for the condition's last transition.
- The status field is a string, with possible values True, False, and Unknown.
- The type field is a string with the following possible values:
  - Available: the resource has been successfully configured.
Field | Type | Description |
---|---|---|
type | String | Condition type |
status | String | Status: True, False, Unknown |
reason | String | Condition state reason |
message | String | Condition state description |
lastTransitionTime | Timestamp | Last transition timestamp |