ExtAuthPolicy
ExtAuthPolicy API reference.
Proto: ext_auth_policy.proto
Package: security.policy.gloo.solo.io
Set up external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.
To enforce external auth, each workspace must have an external auth server. You can select which external auth service is used to enforce the policy by configuring an ExtAuthServer resource. If you don’t configure this resource, then the policy uses the default ext-auth-service that was created for you at installation. If you did not enable the external-auth-service during installation, the policy cannot be enforced. For more information, see the ExtAuthServer API reference.
The external auth policies tell the ext-auth-service how to enforce authentication and authorization of matching traffic.
You can match traffic by selecting routes or destinations.
If you don’t select any routes or destinations, an external auth policy is applied to all destinations by default.
You cannot apply more than one external auth policy to the same route or destination.
Note that when you create the policy with a destination selector, only Kubernetes services can be specified in the applyToDestinations section. Virtual destinations or external services are not supported.
For more information, see the external auth guides.
Example: The following basic example refers to the Kubernetes service of the default ext-auth-service that you got during installation, but you can also use a virtual destination that points to an external auth service instead.
```yaml
apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: basic-auth
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
---
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh
```
For more complex examples, see the guide for the type of external auth policy that you want to apply.
ExtAuthPolicyReport
| Field | Description |
|---|---|
| workspaces | (repeated ExtAuthPolicyReport.WorkspacesEntry) The status of the resource in each workspace in which it exists. |
| selectedDestinationPorts | (repeated common.gloo.solo.io.DestinationReference) A list of destination ports selected by the policy. |
| selectedRoutes | (repeated common.gloo.solo.io.RouteReference) A list of references to all routes selected by the policy. |
ExtAuthPolicyReport.WorkspacesEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (common.gloo.solo.io.Report) |
ExtAuthPolicySpec
Specifications for the policy.
| Field | Description |
|---|---|
| applyToRoutes | (repeated common.gloo.solo.io.RouteSelector) Routes to apply the policy to. If empty, the policy does not apply to any routes in the workspace. Configuration constraints: Only one external auth policy can apply to a route. Subsequent policies (sorted by creation time) are ignored and put into a FAILED state. |
| applyToDestinations | (repeated common.gloo.solo.io.DestinationSelector) Destinations to apply the policy to. Implementation notes: If applyToRoutes is unset, the policy applies to all destinations in the workspace. If applyToRoutes is set, the policy does not apply to any destinations in the workspace. Configuration constraints: Only one external auth policy can apply to a destination. Subsequent policies (sorted by creation time) are ignored and put into a FAILED state. |
| config | (ExtAuthPolicySpec.Config) The details of the external auth policy to apply to the selected routes and/or destinations. |
ExtAuthPolicySpec.Config
Make sure to select the appropriate ExtAuthServer to use, which might be in a different cluster and namespace than the ExtAuthPolicy. For auth configurations that require a client secret from the identity provider issuer, the secret must be in the same cluster as the ExtAuthServer resource.
| Field | Description |
|---|---|
| disable | (bool) Set to true to disable auth on the route. |
| glooAuth | (enterprise.gloo.solo.io.AuthConfigSpec) Configure the selected route or destination with auth options provided by the Gloo Mesh Ext Auth service. The selected ExtAuthServer must be configured to use a Gloo Ext Auth service via an ExtAuthDestinationPolicy. |
| customAuth | (ExtAuthPolicySpec.Config.CustomAuth) Configure the selected route or destination with auth options provided by your own custom external auth server. |
| server | (common.gloo.solo.io.ObjectReference) Reference to the ExtAuthServer to use for this policy. To create an ExtAuthServer resource, see External auth server setup. |
ExtAuthPolicySpec.Config.CustomAuth
Configure the selected route or destination with auth options provided by your own external auth server.
| Field | Description |
|---|---|
| contextExtensions | (repeated ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry) Add context extensions to the request that matches on the route or destination and is sent to the external auth server. This allows the server to base the auth decision on metadata that you define on the source of the request. This attribute is analogous to Envoy’s config.filter.http.ext_authz.v2.CheckSettings. For more info, see the Envoy documentation. |
ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry
| Field | Description |
|---|---|
| key | (string) |
| value | (string) |
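The following added example (not part of the API reference or of Gloo Mesh itself) models two rules stated above in code: only one external auth policy can own a given route or destination, with later policies (sorted by creation time) put into a FAILED state, and a customAuth policy carries contextExtensions as plain key/value pairs. The manifests are Python dicts that mirror the YAML shape on this page; the policy names, creationTimestamp values, the `tenant`/`tier` extension keys and the `route.labels` shape of the route selector are constructed assumptions for illustration, not values from the page.

```python
"""Resolve ExtAuthPolicy ownership conflicts as the API reference describes.

Added illustration, not Gloo Mesh code. Manifests are dicts shaped like the
page's YAML; names, timestamps and the route-selector shape are assumptions.
"""


def _policy(name: str, created: str, spec: dict) -> dict:
    # Minimal ExtAuthPolicy manifest; creationTimestamp is an RFC 3339 string,
    # which sorts lexicographically in creation order.
    return {
        "apiVersion": "security.policy.gloo.solo.io/v2",
        "kind": "ExtAuthPolicy",
        "metadata": {"name": name, "namespace": "bookinfo", "creationTimestamp": created},
        "spec": spec,
    }


# Destination selector copied from the page's example (ratings service, port 9080).
RATINGS = {"port": {"number": 9080}, "selector": {"labels": {"app": "ratings"}}}

# Constructed sample policies. Two of them select the same destination, so the
# one created later must end up FAILED. The third selects a route only.
SAMPLE_POLICIES = [
    _policy("basic-auth", "2024-01-01T10:00:00Z", {
        "applyToDestinations": [RATINGS],
        "config": {
            "glooAuth": {"configs": [{"basicAuth": {"apr": {"users": {"user": {
                "hashedPassword": "8BvzLUO9IfGPGGsPnAgSu1", "salt": "TYiryv0/"}}}}}]},
            "server": {"name": "default-server"},
        },
    }),
    _policy("custom-auth-ratings", "2024-01-01T11:00:00Z", {
        "applyToDestinations": [RATINGS],
        "config": {
            # customAuth: the ext auth server receives these as check-request context.
            "customAuth": {"contextExtensions": {"tenant": "bookinfo", "tier": "gold"}},
            "server": {"name": "default-server"},
        },
    }),
    _policy("custom-auth-reviews-route", "2024-01-01T09:00:00Z", {
        # Assumed RouteSelector shape (route.labels); not shown on the page.
        "applyToRoutes": [{"route": {"labels": {"route": "reviews"}}}],
        "config": {
            "customAuth": {"contextExtensions": {"tenant": "bookinfo"}},
            "server": {"name": "default-server"},
        },
    }),
]


def _destination_key(sel: dict) -> tuple:
    # A destination port is identified by port number plus its label selector.
    labels = tuple(sorted(sel.get("selector", {}).get("labels", {}).items()))
    return ("destination", sel.get("port", {}).get("number"), labels)


def _route_key(sel: dict) -> tuple:
    labels = tuple(sorted(sel.get("route", {}).get("labels", {}).items()))
    return ("route", labels)


def selected_targets(policy: dict) -> list:
    """Every route and destination a policy selects, as hashable keys."""
    spec = policy["spec"]
    targets = [_route_key(r) for r in spec.get("applyToRoutes", [])]
    targets += [_destination_key(d) for d in spec.get("applyToDestinations", [])]
    return targets


def report(policy: dict) -> dict:
    """Counts matching the ExtAuthPolicyStatus fields of the same name."""
    spec = policy["spec"]
    return {
        "numSelectedDestinationPorts": len(spec.get("applyToDestinations", [])),
        "numSelectedRoutes": len(spec.get("applyToRoutes", [])),
    }


def resolve(policies: list) -> dict:
    """Map policy name -> 'ACCEPTED' or 'FAILED'.

    Policies are walked in creation order; the first to select a target owns
    it, and any later policy that selects an already-owned target is FAILED
    (it is ignored entirely, not partially applied).
    """
    ordered = sorted(policies, key=lambda p: p["metadata"]["creationTimestamp"])
    owner: dict = {}
    status: dict = {}
    for p in ordered:
        name = p["metadata"]["name"]
        targets = selected_targets(p)
        if any(t in owner for t in targets):
            status[name] = "FAILED"
            continue
        for t in targets:
            owner[t] = name
        status[name] = "ACCEPTED"
    return status


if __name__ == "__main__":
    for name, state in resolve(SAMPLE_POLICIES).items():
        print(f"{name}: {state}")
```

Running the block prints one line per policy; `custom-auth-ratings` is FAILED because `basic-auth`, created an hour earlier, already owns the ratings:9080 destination. A policy with no selectors at all is not modelled here, since the page does not say how the "all destinations" default interacts with explicit selectors on other policies.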
ExtAuthPolicyStatus
The status of the policy after it is applied to your Gloo environment.
| Field | Description |
|---|---|
| common | (common.gloo.solo.io.Status) The state and workspace conditions of the applied resource. |
| numSelectedDestinationPorts | (uint32) The number of destination ports selected by the policy. |
| numSelectedRoutes | (uint32) The number of routes selected by the policy. |