Support fined-grained access control in SecurityPolicy

[zhaohuabing]

Relates to

#1845

What is this?

EG can leverage RBAC for implementing fine-grained access control, at both the Gateway and xRoute level.

The principal, obtained through the authentication process (such as OIDC, JWT, etc.), serves as the basis for defining access control policies. Source IP-based access control can also be supported in this model.

The below is roughly how API will look like, but it's just an initial idea and definitely needs more input.

API outline

kind: SecurityPolicy
metadata:
  name: rbac-example
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: http-route
  jwt:   # a jwt or oidc configuration is needed to obtain the principal
  ......  
  authorization:
  - principals: ["john"]
    permissions:
      methods: ["GET", "POST"]
      paths: ["/foo", "/bar"]

Reference:envoyproxy/envoy#7913

• Allow/Deny IP Subnets
• Authorization based on JWT claim
• Authorization based on Basic Auth Username Extract username from basic auth and forward it to backends #2947
• Authorization based on client cert
• Authorization based on identity extracted from an arbitrary HTTP header

[arkodg]

@zhaohuabing

• can't the paths and methods be limited by the HTTPRoute match fields ?
• can't the principal be limited by the issuer field in JWT https://gateway.envoyproxy.io/v0.6.0/api/extension_types/#jwtprovider ?

[zhaohuabing]

• can't the paths and methods be limited by the HTTPRoute match fields ?

We probably shouldn't go this route because:

• It could get tricky, especially when the policy targets a gateway.
• Separate of concerns: SecurityPolicy and HTTPRoute may be created by different roles, such as app developers and administrators.

We can just remove the path out of the API because SecurityPolicy can target a xRoute.

• can't the principal be limited by the issuer field in JWT https://gateway.envoyproxy.io/v0.6.0/api/extension_types/#jwtprovider ?

Yes, we can. As the below links show, the Envoy RBAC filter can retrieve claims such as sub from the metadata generated by the JWT filter and use them as principals.

envoyproxy/envoy#7913 (comment)
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#envoy-v3-api-field-extensions-filters-http-jwt-authn-v3-jwtprovider-payload-in-metadata

[zetaab]

@zhaohuabing if you use api outline that is mentioned in first post, it does not support "action" mentioned in https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-rbac

so instead the api spec should be something like

kind: SecurityPolicy
metadata:
  name: rbac-example
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: http-route
  jwt:   # a jwt or oidc configuration is needed to obtain the principal
  ......  
  authorization:
  - action: ALLOW # possible values ALLOW, DENY, LOG
    policies:
      policy1:
        principals:
        - <array of https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-policy >
        permissions:
        - <array of https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-permission >
        condition: # is this needed?