Proto: ext_auth_policy.proto

Package: security.policy.gloo.solo.io

Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication.

To enforce external auth, each workspace must have an external auth server. You can select which external auth service is used to enforce the policy by configuring an ExtAuthServer resource. If you don’t configure this resource, then the policy uses the default ext-auth-service that was created for you at installation. If you did not enable the external-auth-service during installation, the policy cannot be enforced. For more information, see the ExtAuthServer API reference.

The external auth policies tell the ext-auth-service how to enforce authentication and authorization of matching traffic. You can match traffic by selecting routes or destinations. If you don’t select any routes or destinations, an external auth policy is applied to all destinations by default. You cannot apply more than one external auth policy to the same route or destination. Note that when you create the policy with a destination selector, only Kubernetes services can be specified in the applyToDestination section. Virtual destinations or external services are not supported.

For more information, see the external auth guides.


Example: The following basic example refers to the Kubernetes service of the default ext-auth-service that you got during installation, but you can also use a virtual destination that points to an external auth service instead.

  apiVersion: security.policy.gloo.solo.io/v2
kind: ExtAuthPolicy
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: basic-auth
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    glooAuth:
      configs:
      - basicAuth:
          apr:
            users:
              user:
                hashedPassword: 8BvzLUO9IfGPGGsPnAgSu1
                salt: TYiryv0/
    server:
      name: default-server
---
apiVersion: admin.gloo.solo.io/v2
kind: ExtAuthServer
metadata:
  annotations:
    cluster.solo.io/cluster: ""
  name: default-server
  namespace: bookinfo
spec:
  destinationServer:
    port:
      number: 8083
    ref:
      cluster: cluster-1
      name: ext-auth-service
      namespace: gloo-mesh-addons
  

For more complex examples, see the guide for the type of external auth policy that you want to apply.

ExtAuthPolicyReport

FieldDescription
workspaces(repeated ExtAuthPolicyReport.WorkspacesEntry)

The status of the resource in each workspace that it exists in.
selectedDestinationPorts(repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.
selectedRoutes(repeated common.gloo.solo.io.RouteReference)

A list of references to all route selected by the policy.

ExtAuthPolicyReport.WorkspacesEntry

FieldDescription
key(string)

value(common.gloo.solo.io.Report)

ExtAuthPolicySpec

Specifications for the policy.

FieldDescription
applyToRoutes(repeated common.gloo.solo.io.RouteSelector)

Routes to apply the policy to. If empty, the policy does not apply to any routes in the workspace.

Configuration constraints: Only one external auth policy can apply to a route. Subsequent policies (sorted by creation time) are ignored and put into a FAILED state.
applyToDestinations(repeated common.gloo.solo.io.DestinationSelector)

Destinations to apply the policy to.

Implementation notes:
  • Only Kubernetes services can be specified. Virtual destinations or external services are not supported.
  • If empty and applyToRoutes is unset, the policy applies to all destinations in the workspace.
  • If empty and applyToRoutes is set, the policy does not apply to any destinations in the workspace.


  • Configuration constraints: Only one external auth policy can apply to a destination. Subsequent policies (sorted by creation time) are ignored and put into a FAILED state.
    config(ExtAuthPolicySpec.Config)

    The details of the external auth policy to apply to the selected routes and/or destinations.

    ExtAuthPolicySpec.Config

    Make sure to select the appropriate ExtAuthServer to use, which might be in a different cluster and namespace than the ExtAuthPolicy. For auth configurations that require a client secret from the identity provider issuer, the secret must be in the same cluster as the ExtAuthServer resource.

    FieldDescription
    disable(bool)

    Set to true to disable auth on the route.
    glooAuth(enterprise.gloo.solo.io.AuthConfigSpec)

    Configure the selected route or destination with auth options provided by the Gloo Mesh Ext Auth service. The Ext Auth Service can be specified must be configured to use a Gloo Ext Auth service via a ExtAuthDestinationPolicy.
    customAuth(ExtAuthPolicySpec.Config.CustomAuth)

    Configure the selected route or destination with auth options provided by your own custom external auth server.
    server(common.gloo.solo.io.ObjectReference)

    Reference to the ExtAuthServer to use for this policy. To create an ExtAuthServer resource, see [External auth server setup](
    /gloo-mesh-gateway/latest//security/external-auth/server/#setup).

    Implementation notes:
    • The ExtAuthServer must be in the same workspace as this ExtAuthPolicy. Be sure to select the appropriate ExtAuthServer to use, which might be in a different cluster and namespace than the policy.
    • If omitted, this value defaults to the default ext-auth-service in the gloo-mesh namespace.


    Configuration constraints:
    • Routes on a single gateway must share a single ExtAuthServer.
    • If glooAuth is used, the server must reference an ExtAuthServer that is backed by one or more Gloo ext-auth-service Kubernetes services.
    • If customAuth is used, the server must reference an ExtAuthServer that is backed by your own custom external auth server.
    • For auth configurations that require a client secret from the identity provider issuer, the secret must be in the same cluster as the ExtAuthServer resource.

    ExtAuthPolicySpec.Config.CustomAuth

    Configure the selected route or destination with auth options provided by your own external auth server.

    FieldDescription
    contextExtensions(repeated ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry)

    Add context extensions to the request that matches on the route or destination and is sent to the external auth server. This allows the server to base the auth decision on metadata that you define on the source of the request.
    This attribute is analogous to Envoy’s config.filter.http.ext_authz.v2.CheckSettings. For more info, see the Envoy documentation.

    ExtAuthPolicySpec.Config.CustomAuth.ContextExtensionsEntry

    FieldDescription
    key(string)

    value(string)

    ExtAuthPolicyStatus

    The status of the policy after it is applied to your Gloo environment.

    FieldDescription
    common(common.gloo.solo.io.Status)

    The state and workspace conditions of the applied resource.
    numSelectedDestinationPorts(uint32)

    The number of destination ports selected by the policy.
    numSelectedRoutes(uint32)

    The number of routes selected by the policy.