Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable/disable host name collision prevention #433

Closed
guicassolato opened this issue Sep 28, 2023 · 1 comment · Fixed by #434
Closed

Enable/disable host name collision prevention #433

guicassolato opened this issue Sep 28, 2023 · 1 comment · Fixed by #434
Assignees

Comments

@guicassolato
Copy link
Collaborator

Authorino currently does not allow AuthConfigs to take control over the security scheme of hosts already protected by other AuthConfigs created previously. The behavior is described at Avoiding host name collision in the docs, and it is in general a good safe default.

There are use cases nonetheless where host ownership can be managed upfront by other means, such as by validating the AuthConfig CRs beforehand, at the level of the kube API requests (e.g. via a validating webhook, or by enforcing more strict RBAC that constricts write permissions over the CRs to highly privileged cluster users only, amongst others), or when the host information and corresponding auth scheme association is known to be reconciled always from a known trusted source of truth. For such cases, disabling the prevention of host name collision mechanism may be desirable.

A concrete use case is Kuadrant. The Kuadrant Operator manages Authorino AuthConfigs created out of its watched AuthPolicy CRs. Often, an AuthPolicy resource that targets a more generic network structure (e.g. a Kubernetes Gateway resource, or a wildcard HTTPRoute) is followed by a more specific one with a different auth scheme. Leveraging Authorino's "most specific host wins" policy, both schemes can live side-by-side, but only if the more specific AuthConfig is created first. Otherwise, the more specific hosts in the AuthConfig created after will be rejected, causing this resource to be reported as not ready.

To enable such use cases, Authorino could put the mechanism that prevents host name collisions behind a switch.

The switch could be set at the level of the Authorino instance or for each individual AuthConfig, and would effectively allow an AuthConfig to take control over the auth scheme (i.e. to be "indexed") for hosts already protected by other AuthConfigs created previously.

Instead of a simple ON/OFF switch, it could be set at levels:

  • Level 0 - No override
  • Level 1 - Partial overrides only (hosts that are strict subsets of the ones already protected by other AuthConfigs)
  • Level 2 - Full overrides (including identical hosts)

For level 2 in particular, one caveat to take into consideration is the status update of the resources that are fully overridden by other AuthConfigs created after. This is currently not a concern due to the assurance that the resource with the earliest creation timestamp always prevails, even in the cases of (re)building the index from preexisting AuthConfig stored in etcd. By allowing full overrides, some (older) AuthConfigs will be de-indexed. Their status stanzas should reflect that, including for the sake of reliable readiness check.

@guicassolato
Copy link
Collaborator Author

Just realised we should avoid using "override" for describing the behaviour associated with this proposed switch, to prevent any confusion with the concept of overriding hosts via context extensions.

I'll try to favour "supersede" instead, thus sticking with the terminology employed in the docs associated specifically with the prevention of host name collisions.

@guicassolato guicassolato self-assigned this Sep 29, 2023
guicassolato added a commit that referenced this issue Sep 29, 2023
Adds a new command-line flag `--allow-superseding-host-subsets` that disables the host name collision prevention for strict subsets of hosts attempted to be linked after a superset already taken.

Closes #433 under a more conservative approach where the switch for the host name collision mechanism does not come in levels, but as a simple ON/OFF switch, whose semantics is limited to strict subsets. I reckon this is a reasonable compromise as there are only few use cases I can think of for fully superseding the auth scheme a given host is linked to, based only on the order of creation of the resources.

Moreover, this approach exempts us from having to update the status of the (partially) superseded AuthConfigs, consistently with the current behaviour, when the order of creation goes: more specific first, then more generic host. The status of the more generic (wider) AuthConfig has never reflected that a subset of its hosts was actually under another auth scheme declared first.
@github-project-automation github-project-automation bot moved this from In Progress to To test in Kuadrant Service Protection Sep 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
No open projects
Status: To test
Development

Successfully merging a pull request may close this issue.

1 participant