UPDATE: bump authPolicy to v1beta3 in guides (#949)
Signed-off-by: Jim Fitzpatrick <[email protected]>
Boomatang authored Oct 29, 2024
1 parent 76d6ef4 commit 4affe40
Showing 9 changed files with 16 additions and 43 deletions.
24 changes: 4 additions & 20 deletions doc/auth.md
Expand Up @@ -26,7 +26,6 @@ The `AuthPolicy` spec includes the following parts:

* A reference to an existing Gateway API resource (`spec.targetRef`)
* Authentication/authorization scheme (`spec.rules`)
* Top-level route selectors (`spec.routeSelectors`)
* Top-level additional conditions (`spec.when`)
* List of named patterns (`spec.patterns`)

Expand All @@ -38,14 +37,14 @@ The auth scheme specify rules for:
* Custom response items (`spec.rules.response`)
* Callbacks (`spec.rules.callbacks`)

Each auth rule can declare specific `routeSelectors` and `when` conditions for the rule to apply.
Each auth rule can declare specific `when` conditions for the rule to apply.

The auth scheme (`rules`), as well as conditions and named patterns can be declared at the top-level level of the spec (with the semantics of _defaults_) or alternatively within explicit `defaults` or `overrides` blocks.

#### High-level example and field definition

```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: my-auth-policy
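Review bot: the unchanged context sentence just below the edited line still reads "at the top-level level of the spec"; since this paragraph is being touched, drop the duplicated "level". The hunk header line "The auth scheme specify rules for:" should also read "specifies".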
Expand All @@ -58,18 +57,6 @@ spec:
kind: HTTPRoute / Gateway
name: myroute / mygateway

# Selectors of HTTPRouteRules within the targeted HTTPRoute that activate the AuthPolicy.
# Each element contains a HTTPRouteMatch object that will be used to select HTTPRouteRules that include at least
# one identical HTTPRouteMatch.
# The HTTPRouteMatch part does not have to be fully identical, but the what's stated in the selector must be
# identically stated in the HTTPRouteRule.
# Do not use it on AuthPolicies that target a Gateway.
routeSelectors:
- matches:
- path:
type: PathPrefix
value: "/admin"

# Additional dynamic conditions to trigger the AuthPolicy.
# Use it for filtering attributes not supported by HTTPRouteRule or with AuthPolicies that target a Gateway.
# Check out https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md to learn more
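Review bot: with the `routeSelectors` block gone, the example no longer shows any way to scope a policy to a subset of the targeted HTTPRoute's rules (the removed selector limited it to `PathPrefix` `/admin`), and the remaining comment on `when` still only positions it as a complement to HTTPRouteRule. Consider extending the `when` comment, or the prose around this example, to say how a v1beta3 policy is narrowed to particular paths or methods now that selectors are not available, so readers migrating from v1beta2 do not end up with a policy that silently applies to the whole route.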
Expand Down Expand Up @@ -100,9 +87,6 @@ spec:
authorizationHeader:
prefix: APIKEY

# Rule-level route selectors.
routeSelectors: […]

# Rule-level additional conditions.
when: […]

Expand Down Expand Up @@ -194,7 +178,7 @@ The targeted HTTPRoute's rules and/or hostnames to which the policy must be enfo
Target a HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows:

```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: my-route-auth
Expand Down Expand Up @@ -254,7 +238,7 @@ Inversely, a gateway policy that specify _overrides_ declares a set of rules to
Target a Gateway HTTPRoute by setting the `spec.targetRef` field of the AuthPolicy as follows:
```yaml
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: my-gw-auth
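Review bot: the unchanged context line "Target a Gateway HTTPRoute by setting the `spec.targetRef` field" should read "Target a Gateway" (the preceding sentence discusses gateway policies and the example below is named `my-gw-auth`), and there is no blank line between that sentence and the opening ```yaml fence, unlike the route example earlier in the file; both are worth fixing while this block is being edited.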
4 changes: 2 additions & 2 deletions doc/reference/authpolicy.md
Expand Up @@ -31,8 +31,8 @@
| `rules` | [AuthScheme](#authscheme) | No | Implicit default authentication/authorization rules |
| `patterns` | Map<String: [NamedPattern](#namedpattern)> | No | Implicit default named patterns of lists of `selector`, `operator` and `value` tuples, to be reused in `when` conditions and pattern-matching authorization rules. |
| `when` | [][PatternExpressionOrRef](https://docs.kuadrant.io/latest/authorino/docs/features/#common-feature-conditions-when) | No | List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's `spec.hostnames` and `spec.rules.matches` fields, or when targeting a Gateway. |
| `defaults` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when` |
| `overrides` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.routeSelectors`, `spec.patterns`, `spec.when`, `spec.default` |
| `defaults` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: `spec.rules`, `spec.patterns`, `spec.when` |
| `overrides` | [AuthPolicyCommonSpec](#authPolicyCommonSpec) | No | Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: `spec.rules`, `spec.patterns`, `spec.when`, `spec.default` |


## AuthPolicyCommonSpec
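Review bot: the rewritten `overrides` row still lists `spec.default` among the mutually exclusive fields, but the field defined on the row directly above it is `defaults`; since this line is being changed anyway, correct it to `spec.defaults`. With `spec.routeSelectors` dropped from these two rows, it is also worth checking that the rule-level definitions further down this reference (the `AuthScheme` section this hunk does not reach) no longer mention `routeSelectors` either, given that the rule-level selector was removed from doc/auth.md in this same commit.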
9 changes: 2 additions & 7 deletions doc/user-guides/auth-for-app-devs-and-platform-engineers.md
Expand Up @@ -145,7 +145,7 @@ Create the AuthPolicy to enforce the following auth rules:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore
Expand All @@ -168,11 +168,6 @@ spec:
rego: |
groups := split(object.get(input.auth.identity.metadata.annotations, "kuadrant.io/groups", ""), ",")
allow { groups[_] == "admins" }
routeSelectors:
- matches:
- path:
type: PathPrefix
value: "/admin"
EOF
```
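Review bot: removing the `routeSelectors` block changes what this guide enforces, not just the API version. The `admins` group authorization rule (`allow { groups[_] == "admins" }`) was previously limited to requests under `/admin`; without the selector it applies to every request matched by the targeted HTTPRoute, so non-admin users would be denied on all paths. Either re-express the `/admin` scoping in a way the v1beta3 API supports, or update the list of auth rules introduced at the top of this section ("Create the AuthPolicy to enforce the following auth rules:") and any verification steps later in the guide so they describe the new behaviour.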

Expand Down Expand Up @@ -232,7 +227,7 @@ Create the policy:

```sh
kubectl -n gateway-system apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: gw-auth
2 changes: 1 addition & 1 deletion doc/user-guides/authenticated-rl-for-app-developers.md
Expand Up @@ -118,7 +118,7 @@ Create a Kuadrant `AuthPolicy` to configure the authentication:
```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore
Expand Up @@ -130,7 +130,7 @@ Create a Kuadrant `AuthPolicy` to configure authentication and authorization:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore-protection
Expand Up @@ -231,7 +231,7 @@ Set a default, deny-all `AuthPolicy` for your Gateway as follows:

```bash
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: ${gatewayName}-auth
4 changes: 2 additions & 2 deletions doc/user-guides/secure-protect-connect.md
Expand Up @@ -238,7 +238,7 @@ Communication is secured and we have some protection for our infrastructure, but

```sh
kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: deny-all
Expand Down Expand Up @@ -407,7 +407,7 @@ Now, we will override the AuthPolicy to start accepting the API keys:

```sh
kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore
10 changes: 2 additions & 8 deletions examples/toystore/authpolicy.yaml
@@ -1,5 +1,5 @@
---
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore
Expand All @@ -8,12 +8,6 @@ spec:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
routeSelectors:
- matches:
- path:
type: Exact
value: "/admin/toy"
method: DELETE
rules:
authentication:
"apikey":
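Review bot: the deleted selector restricted this first `toystore` policy to `DELETE` requests with the `Exact` path `/admin/toy`; after the change the `apikey` authentication and the rules below it apply to the entire `toystore` HTTPRoute. If the example is meant to keep protecting only the admin endpoint, the scoping needs to be re-expressed for v1beta3; if the broader scope is intended, a comment in the file should say so, since the example otherwise reads as an unintended widening of what requires an API key.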
Expand All @@ -33,7 +27,7 @@ spec:
"user-id":
selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
---
apiVersion: kuadrant.io/v1beta1
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore
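Review bot: this second document jumps from `v1beta1` straight to `v1beta3`, so its body (outside this hunk) should be checked against the v1beta3 schema rather than only having the `apiVersion` string bumped, since it was two versions behind the first document in the same file. Both documents also declare `metadata.name: toystore`; unless they target different namespaces, applying the file would have the second overwrite the first, which deserves a clarifying comment.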
2 changes: 1 addition & 1 deletion examples/toystore/authpolicy_jwt-k8s-authnz.yaml
@@ -1,7 +1,7 @@
# A Kuadrant AuthPolicy to protect an API with authentication based on OpenId Connect (OIDC) ID tokens (signed JWTs)
# and Kubernetes Service Account tokens combined, and authorization with permissions (bindings) stored in the
# Kubernetes RBAC, enforced by Authorino, Kuadrant's authorization service.
apiVersion: kuadrant.io/v1beta2
apiVersion: kuadrant.io/v1beta3
kind: AuthPolicy
metadata:
name: toystore-protection