
ExtAuthZ Extension support for clear_route_cache #53555

Open
@bvandewalle

Description

Describe the feature request

The ExtAuthZ Extension is awesome and is super easy to configure to use in an AuthorizationPolicy.

However, it supports a limited number of fields. As was initially documented in the design doc over here:

https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#heading=h.w36z51n1c48w

One key parameter that we are missing is the boolean clear_route_cache, which allows the extension to force a recalculation of the routes based on the new headers added/removed from ExtAuthZ.

We are currently directly using a filter as follows:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: extauthz-filter
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.ext_authz
        typed_config:
          '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          clear_route_cache: true
          grpc_service:
            envoy_grpc:
              cluster_name: "COMPLICATED ISTIO NAME"
            timeout: 5s
          status_on_error:
            code: ServiceUnavailable
          transport_api_version: V3
```

It would be great to be able to configure this directly on the extensionProvider.

In past years, new parameters have been successfully added to the ExtensionProvider. For example, the BodyRequest as documented here:

I hope we can do the same thing for that parameter.

Describe alternatives you've considered

Currently the alternative is to use an EnvoyFilter (which is what we are currently doing), which requires some shenanigans to guess the correct destination cluster name on Istio.

Affected product area (please put an X in all that apply)

[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[X] Extensions and Telemetry
[X] Security
[ ] Test and Release
[X] User Experience
[ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane

Additional context

Happy to get a PR for this field in if we decide it is a good addition.
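As an added example that is not part of the issue or of Istio's code, the following Python builds the EnvoyFilter shown above from a service name (assuming Istio's `outbound|<port>|<subset>|<host>` cluster naming convention, which is what makes the cluster name awkward to guess by hand) and lints the result for the two settings a reviewer should check: fail-closed error handling and `clear_route_cache`. The service, namespace and port values are constructed samples.

```python
"""Build an Istio EnvoyFilter carrying an ext_authz filter and lint it.

Added example, not from the issue or Istio. Assumes Istio's outbound cluster
naming "outbound|<port>|<subset>|<host>"; sample service values are constructed.
"""
import json


def istio_outbound_cluster(service: str, namespace: str, port: int, subset: str = "") -> str:
    """Name Istio assigns to the outbound cluster for a service port (subset usually empty)."""
    return f"outbound|{port}|{subset}|{service}.{namespace}.svc.cluster.local"


def ext_authz_envoy_filter(name, namespace, cluster_name, timeout="5s", clear_route_cache=True):
    """EnvoyFilter equivalent to the one in the issue, with the cluster name filled in."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "EnvoyFilter",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"configPatches": [{
            "applyTo": "HTTP_FILTER",
            "match": {"context": "GATEWAY", "listener": {"filterChain": {"filter": {
                "name": "envoy.filters.network.http_connection_manager",
                "subFilter": {"name": "envoy.filters.http.router"}}}}},
            "patch": {"operation": "INSERT_BEFORE", "value": {
                "name": "envoy.ext_authz",
                "typed_config": {
                    "@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz",
                    "clear_route_cache": clear_route_cache,
                    "grpc_service": {"envoy_grpc": {"cluster_name": cluster_name}, "timeout": timeout},
                    # Fail closed: an unreachable authz server yields 503, not an allowed request.
                    "status_on_error": {"code": "ServiceUnavailable"},
                    "transport_api_version": "V3"}}}}]}}


def lint_ext_authz(manifest) -> list:
    """Flag ext_authz patches that fail open or keep a stale route after the check adds headers."""
    findings = []
    for patch in manifest["spec"]["configPatches"]:
        cfg = patch.get("patch", {}).get("value", {}).get("typed_config", {})
        if not cfg.get("@type", "").endswith("ext_authz.v3.ExtAuthz"):
            continue
        if cfg.get("failure_mode_allow", False):
            findings.append("failure_mode_allow is true: requests pass when the authz server errors")
        if not cfg.get("clear_route_cache", False):
            findings.append("clear_route_cache unset: routes ignore headers added by the authz check")
    return findings


if __name__ == "__main__":  # JSON is valid YAML, so kubectl apply -f accepts this output directly
    cluster = istio_outbound_cluster("ext-authz", "foo", 9000)
    print(json.dumps(ext_authz_envoy_filter("extauthz-filter", "istio-system", cluster), indent=2))
```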
