Potential Security Risk when SecurityPolicy fails for a Route

[sam-burrell]

Description:

Our use case is to use the SecurityPolicy to define OIDC auth for public routes and we are attaching a SecurityPolicy to any type of Route (HTTPRoute, GRPCRoute)

• If the SecurityPolicy fails for any reason the default behaviour is for the route to have no SecurityPolicy and be public - for us this feels like a security risk.
• Is there a way for use to ensure that if a SecurityPolicy fails the HTTPRoute fails?

[arkodg]

this makes sense, it should not be very hard to implement, we already add a direct response of 500 in case any of the filters attached to a route cannot be resolved
what should the UX here be

• knob on SecurityPolicy or
• global knob in the startup config

or default to returning 5XX for any routes (rules) being affected by this failed policy

[levsha]

TIL the SecurityPolicy may also fail on completely external issues like a (temporary) misconfiguration of the OIDC issuer, with an error like 'Error fetching endpoints from issuer: Get "https://auth.internal.XXXXXX": stopped after 10 redirects. I guess temporary connectivity problems to the issuer may also cause the gateway to fail open.
It means that this behavior is clearly security vulnerability: the gateway can fail open on issues that can be completely out of control of the cluster administrator. This makes the current implementation of SecurityPolicy just useless as no one would want to have an authentication system that fails open ...

[arkodg]

if a BackendTrafficPolicy or a SecurityPolicy has not been Accepted , my preference is to return a direct response of 5XX (500/503) for all routes tied to the policies
wdyt @envoyproxy/gateway-maintainers

[zhaohuabing]

if a BackendTrafficPolicy or a SecurityPolicy has not been Accepted , my preference is to return a direct response of 5XX (500/503) for all routes tied to the policies wdyt @envoyproxy/gateway-maintainers

+1 on return 500 whenever SecurityPolicy fails as this allows authorized access, which is a security risk.

The current behavior of translation is in a best-effort manner, which means that the failed xPolicy will not be accepted but the targeted xRoute will be translated to xDS and sent to the Envoy fleet anyway.

However, I'm unsure if we should also fail the xRoute for BackendTrafficPolicies or keep the current best-effort manner. Client traffic can still be functional when BackendTrafficPolicy translation fails. This could be a failopen/failclose knob on each policy or a global knob if people ask for it.