About

By default, the Gloo external auth service is enabled to use an OPA module. You can create your Rego rules as Kubernetes config maps in the cluster for more fine-grained access control. Then, you use an AuthConfig resource to tell the Gloo external auth service to load these rules via the OPA module.

Typically, you start with this approach, which is convenient for basic environments, quick testing, and small OPA use cases. For more information, see .

Before you begin

  1. Follow the Get started guide to install Gloo Gateway, set up a gateway resource, and deploy the httpbin sample app.

  2. Get the external address of the gateway and save it in an environment variable.

    • Cloud Provider LoadBalancer

        export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system gloo-proxy-http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
        echo $INGRESS_GW_ADDRESS

    • Port-forward for local testing

        kubectl port-forward deployment/gloo-proxy-http -n gloo-system 8080:8080
        

Setup

  1. Create a Rego rule.

      cat <<EOF > policy.rego
      package test

      default allow = false
      allow {
          startswith(input.http_request.path, "/anything")
          input.http_request.method == "GET"
      }
      allow {
          input.http_request.path == "/status/200"
          any({input.http_request.method == "GET",
              input.http_request.method == "DELETE"
          })
      }
      EOF


    Review the following table to understand this configuration.

    Setting: default allow = false
    Description: Denies all requests by default.

    Setting: allow {...}
    Description: Allows a request when either of the two rules matches: 1) the path starts with /anything AND the HTTP method is GET; or 2) the path is exactly /status/200 AND the HTTP method is either GET or DELETE.
  2. Store the OPA policy in a Kubernetes config map.

      kubectl -n httpbin create configmap allow-get-users --from-file=policy.rego
      
  3. Create an AuthConfig resource and add your external authentication rules. The following example configures OPA authentication with the Rego rules that you created earlier.

      kubectl apply -f - <<EOF
      apiVersion: enterprise.gloo.solo.io/v1
      kind: AuthConfig
      metadata:
        name: opa-auth
        namespace: httpbin
      spec:
        configs:
        - opaAuth:
            modules:
            - name: allow-get-users
              namespace: httpbin
            query: "data.test.allow == true"
      EOF


    Review the following table to understand this configuration.

    Setting: opaAuth
    Description: Configures the OPA authentication details.

    Setting: modules
    Description: Refers to the name and namespace of the config map that holds the OPA policy. Gloo Gateway loads that policy to resolve the query. This example uses the config map that you previously created.

    Setting: query
    Description: The query that determines the authentication decision. The result of this query must be either a boolean or an array with a boolean as the first element. A value of true means that the request is authorized. Any other value or error means that the request is denied. In this example, the query checks whether data.test.allow evaluates to true: data is the root under which the policy from the config map is loaded, test is the package that the policy declares, and allow is the rule that the policy defines. Access is allowed only if the request meets the allow conditions in the policy.
  4. Create a RouteOption resource that refers to the AuthConfig resource that you just created.

      kubectl apply -f- <<EOF
      apiVersion: gateway.solo.io/v1
      kind: RouteOption
      metadata:
        name: opa-auth
        namespace: httpbin
      spec:
        options:
          extauth:
            configRef:
              name: opa-auth
              namespace: httpbin
      EOF

  5. Create an HTTPRoute resource for the httpbin app that requires authentication for requests on the extauth.example domain.

      kubectl apply -f- <<EOF
      apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      metadata:
        name: httpbin-opa-auth
        namespace: httpbin
      spec:
        parentRefs:
        - name: http
          namespace: gloo-system
        hostnames:
          - extauth.example
        rules:
          - filters:
              - type: ExtensionRef
                extensionRef:
                  group: gateway.solo.io
                  kind: RouteOption
                  name: opa-auth
            backendRefs:
              - name: httpbin
                port: 8000
      EOF

  6. Send a request to the httpbin app on the extauth.example domain for a path that is not allowed by the OPA policy. Verify that your request is denied and that you get back a 403 HTTP response code.

    • LoadBalancer IP address or hostname:

        curl -v http://$INGRESS_GW_ADDRESS:8080/headers -H "host: extauth.example:8080"
        
    • Port-forward for local testing:

        curl -v localhost:8080/headers -H "host: extauth.example"
        

    Example output:

      * Mark bundle as not supporting multiuse
      < HTTP/1.1 403 Forbidden
      < date: Wed, 05 Jun 2024 14:12:36 GMT
      < server: envoy
      < content-length: 0
      Rejected

  7. Send another request to the httpbin app. This time, you include the /status/200 path that is allowed in the OPA policy. Verify that the request succeeds and that you get back a 200 HTTP response code.

    • LoadBalancer IP address or hostname:

        curl -v http://$INGRESS_GW_ADDRESS:8080/status/200 -H "host: extauth.example:8080"
        
    • Port-forward for local testing:

        curl -v localhost:8080/status/200 -H "host: extauth.example"


    Example output:

      * Mark bundle as not supporting multiuse
      < HTTP/1.1 200 OK
      < access-control-allow-credentials: true
      < access-control-allow-origin: *
      < date: Wed, 05 Jun 2024 14:18:28 GMT
      < content-length: 0
      < x-envoy-upstream-service-time: 1
      < server: envoy

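    The curl checks in steps 6 and 7 exercise only two request paths. To cover every branch of the policy from step 1 before you load it into the cluster, you can add OPA unit tests such as the following. This is an added example, not part of the original guide; it assumes a file named policy_test.rego next to policy.rego, uses the same pre-1.0 Rego syntax as the policy, and the inputs are constructed to mirror the http_request document that the external auth service passes to OPA.

```rego
package test

# Constructed input: GET under the /anything prefix matches the first allow rule.
test_anything_get_allowed {
    allow with input as {"http_request": {"path": "/anything/ip", "method": "GET"}}
}

# Constructed input: the first rule requires GET, so POST is denied.
test_anything_post_denied {
    not allow with input as {"http_request": {"path": "/anything", "method": "POST"}}
}

# Constructed input: DELETE is one of the two methods the second rule accepts.
test_status_200_delete_allowed {
    allow with input as {"http_request": {"path": "/status/200", "method": "DELETE"}}
}

# Constructed input: POST is not in the any({...}) set of the second rule.
test_status_200_post_denied {
    not allow with input as {"http_request": {"path": "/status/200", "method": "POST"}}
}

# Constructed input: the second rule is an exact match, so /status/404 falls through to the default.
test_status_404_denied {
    not allow with input as {"http_request": {"path": "/status/404", "method": "GET"}}
}

# Constructed input: /headers, the path used in step 6, hits the default deny.
test_headers_denied {
    not allow with input as {"http_request": {"path": "/headers", "method": "GET"}}
}

# Constructed input: startswith is a plain prefix match, so /anythingelse is also
# allowed. This test records that behaviour so a change to a stricter match is noticed.
test_prefix_match_is_broader_than_a_path_segment {
    allow with input as {"http_request": {"path": "/anythingelse", "method": "GET"}}
}
```

    Run opa test policy.rego policy_test.rego with the OPA CLI; the last test documents that the prefix match admits paths beyond the /anything segment, which you may want to tighten before relying on it.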

Cleanup

You can optionally remove the resources that you set up as part of this guide.
  kubectl delete authconfig opa-auth -n httpbin
  kubectl delete routeoption opa-auth -n httpbin
  kubectl delete httproute httpbin-opa-auth -n httpbin
  kubectl delete configmap allow-get-users -n httpbin
  rm policy.rego