Enable Authservice at the Gateway
As an owner of a multi-tenant cluster, I would like to enforce Authservice for all applications exposed by an ingress gateway.
/cc @blake.burkhart @adam.toy
New design is like in https://repo1.dso.mil/platform-one/big-bang/apps/core/authservice/-/merge_requests/21, but with some additional changes for more customization and backwards compatibility:
Token acquisition (Authservice) → AuthN RequestAuthentication → AuthZ AuthorizationPolicy → app or gateway (selected based on new labels)
Actual policy enforcement (AuthZ) is shifted to Istio instead of Authservice. Should there be any way to bypass authservice, the AuthZ policy will require a JWT and fail the request. Authservice's role is reduced to only acquiring a JWT by redirecting the user and injecting the JWT into the request. This reduces the impact of a vulnerability or misconfiguration in Authservice. IL and group protection based on Keycloak clients will still function the same.
Some customers (Party Bus) want to enforce Authservice for all applications behind a specific ingressGateway. The new configuration will support this mode by applying a label to the ingressGateway. There are some security implications: network ingress to each workload must be restricted, or an in-cluster HTTP request from one namespace to another could bypass Authservice (e.g. an SSRF attack). PB is already configured to restrict cross-namespace communication. This will be an optional configuration: cluster administrators must apply a label to an ingress gateway to enable it.
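The following manifests are an added illustration of the gateway-enforcement chain described above (token acquisition by Authservice, then Istio RequestAuthentication, then an AuthorizationPolicy that fails closed) together with the network restriction the previous paragraph calls for. They are not taken from the Big Bang or Authservice repositories, and the gateway label, the Keycloak issuer/JWKS URLs and the tenant namespace are placeholders; the Authservice EnvoyFilter that performs the redirect and JWT injection is deployed separately and is not shown.

```yaml
# Added example, not code from the Big Bang or Authservice projects.
# Assumed placeholders: the gateway label example.com/authservice: enforced,
# the Keycloak URLs (REALM), and the tenant namespace "tenant-a".
---
# 1. AuthN: validate JWTs presented at the labelled ingress gateway.
#    A RequestAuthentication alone only rejects *invalid* tokens; a request
#    carrying no token at all still passes, which is why step 2 is required.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: authservice-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      example.com/authservice: enforced   # assumed gateway label
  jwtRules:
    - issuer: "https://keycloak.example.com/auth/realms/REALM"                                   # placeholder
      jwksUri: "https://keycloak.example.com/auth/realms/REALM/protocol/openid-connect/certs"    # placeholder
      forwardOriginalToken: true   # keep the JWT on the request if the app also consumes it
---
# 2. AuthZ: fail closed. Deny every request at the gateway that has no
#    authenticated request principal (i.e. no valid JWT), so a request that
#    skipped the Authservice redirect never reaches an application.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice-require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      example.com/authservice: enforced   # assumed gateway label
  action: DENY
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]
---
# 3. Network restriction for the gateway mode. Enforcement happens at the
#    gateway, so without this a pod in another namespace could call the app
#    directly and bypass Authservice. Allow ingress only from the ingress
#    gateway's namespace and from pods within the tenant namespace itself.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-from-gateway-only
  namespace: tenant-a                      # placeholder tenant namespace
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
        - podSelector: {}
```

For the sidecar mode described below, the same RequestAuthentication/AuthorizationPolicy pair is created in the application's namespace with a selector matching the app's labels instead of the gateway's; the NetworkPolicy is then not needed for this particular bypass, because the JWT check runs in each workload's own sidecar.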
Big Bang core apps using Authservice will continue to be applied at the sidecar (or haproxy). Iron Bank will continue to run Authservice on mission apps enforced at the sidecar. The updated Helm chart will be backwards compatible with apps already deployed this way.
Neither the gateway nor the sidecar is strictly better than the other. Putting everything behind one gateway is easier for PB, which does not control all of each mission app's manifests. Sidecar policies are easier to make secure, but both can be safe. Sidecar policies also allow customized per-app AuthZ configuration.