Project: OpenShift Service Mesh
Issue: OSSM-3327

Offload resource authorization to Istio


    • Type: Story
    • Resolution: Obsolete
    • Priority: Undefined
    • RHODS

      The oauth-proxy sidecar delegates certain authorization checks to OpenShift.

      • It delegates authorization checks for specific resources (identified by name) using the --openshift-delegate-urls option. The mapping from request path to resource is static and defined once per host. For example:

      --openshift-delegate-urls={"/": {"resource": "services", "verb": "get", "name": "odh-dashboard"}}

      • For each newly created notebook namespace, the injected oauth-proxy is configured with a SubjectAccessReview (SAR) that checks whether the given user can perform a particular action on a particular resource. For example (the resourceName is filled in from notebook.Name by the controller, and $(NAMESPACE) is expanded from the container environment):

      --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"<notebook.Name>","namespace":"$(NAMESPACE)"}

      If authorization is offloaded to the mesh, we have to find a way to provide those same checks there.

      See Kubernetes docs about authentication and authorization for more details.
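      The two checks above, as an added worked example (this is not code from OSSM-3327, oauth-proxy or the notebook controller): it turns an --openshift-delegate-urls / --openshift-sar spec into the authorization.k8s.io/v1 SubjectAccessReview that a mesh-side authorizer would have to send to the API server, and evaluates the reply. Assumptions: the flag's OpenShift-style attribute names map onto ResourceAttributes as resourceAPIGroup → group and resourceName → name; delegate URLs are matched by longest path prefix; the flag values, user, groups and API server replies are constructed inline.

```python
"""Added example: reproduce oauth-proxy's SAR-based checks as plain
SubjectAccessReview requests. Not taken from oauth-proxy or OSSM-3327."""
import json
import re
from typing import Optional

# Constructed inputs mirroring the two flag values quoted in the ticket.
DELEGATE_URLS = '{"/": {"resource": "services", "verb": "get", "name": "odh-dashboard"}}'
SAR_TEMPLATE = ('{"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org",'
                '"resourceName":"my-notebook","namespace":"$(NAMESPACE)"}')

# Assumption: OpenShift-style attribute names used in the flag mapped onto
# authorization.k8s.io/v1 ResourceAttributes field names.
_FIELD_MAP = {
    "verb": "verb",
    "resource": "resource",
    "resourceAPIGroup": "group",
    "resourceName": "name",
    "name": "name",
    "namespace": "namespace",
    "subresource": "subresource",
}

_ENV_REF = re.compile(r"\$\(([A-Za-z_][A-Za-z0-9_]*)\)")


def expand_env(text: str, env: dict) -> str:
    """Expand $(VAR) the way Kubernetes expands container args: known
    variables are substituted, unknown references are left literal."""
    return _ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), text)


def delegate_attrs_for_path(delegate_urls: str, path: str) -> Optional[dict]:
    """Select the delegate entry whose key is the longest prefix of the request
    path (assumed matching rule); None means no entry applies."""
    table = json.loads(delegate_urls)
    matches = [prefix for prefix in table if path.startswith(prefix)]
    if not matches:
        return None
    return table[max(matches, key=len)]


def build_sar(attrs: dict, user: str, groups: list, env: dict) -> dict:
    """Build the SubjectAccessReview body asking whether `user` (with `groups`)
    may perform `attrs`, after expanding $(VAR) references in the values."""
    resource_attrs = {}
    for key, value in attrs.items():
        if key not in _FIELD_MAP:
            raise ValueError(f"unsupported attribute {key!r}")
        if isinstance(value, str):
            value = expand_env(value, env)
        resource_attrs[_FIELD_MAP[key]] = value
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": user,
            "groups": list(groups),
            "resourceAttributes": resource_attrs,
        },
    }


def is_allowed(sar_response: dict) -> bool:
    """Fail closed: only status.allowed == true without status.denied counts.
    A missing status or allowed=false (no opinion) is treated as a deny."""
    status = sar_response.get("status", {})
    return bool(status.get("allowed")) and not bool(status.get("denied", False))


if __name__ == "__main__":
    env = {"NAMESPACE": "alice-notebooks"}
    print(json.dumps(build_sar(json.loads(SAR_TEMPLATE), "alice",
                               ["system:authenticated"], env), indent=2))
    print(delegate_attrs_for_path(DELEGATE_URLS, "/api/dashboard"))
    # Constructed API server replies, not real cluster output.
    print(is_allowed({"status": {"allowed": True}}))
    print(is_allowed({"status": {"allowed": False, "reason": "no RBAC rule"}}))
```

      The request produced by build_sar is what an external authorizer invoked from the mesh (for instance an Istio AuthorizationPolicy with action CUSTOM pointing at an extension provider) would POST to the API server to reproduce the oauth-proxy behaviour; is_allowed deliberately treats "no opinion" (allowed=false, denied=false) as a deny, matching what the proxy does today.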

            bartosz-1 Bartosz Majsak
            bartosz-1 Bartosz Majsak
            Votes: 0
            Watchers: 2