[data-plane] Receiver: Reject unauthorized requests #4043
Labels
area/data-plane
help wanted
Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
triage/accepted
Issues which should be fixed (post-triage)
Comments
|
/help |
|
@creydr: Please ensure the request meets the requirements listed here. If this request no longer meets these requirements, the label can be removed In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
knative-prow
bot
added
triage/accepted
|
/area data-plane |
|
Putting back in "Draft" status, as this maybe could be included in #4042 already |
github-project-automation
bot
moved this from 📝 Draft
to ✅ Done
in Eventing Authorization
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We need to verify in the receiver (ingress), that an request is authorized. Therefor we should do the following in the receiver:
.status.policiesis set:EventPolicies(in their.status.from[]).403status code.status.policiesis empty:default-authorization-modeand do the following depending on its value:allow-all: Continue with the requestdeny-all: reject the request with a403status codeallow-same-namespace: check, if the senders identity is from the same namespace, as the resource. If so, continue with the request, otherwise reject with a403We should also add an e2e test for the above scenarios.
Additional context:
Additional hints for new contributors before starting with this issue:
Draftstatus, the issue is subject to change and thus should not be started to be worked on/assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.The text was updated successfully, but these errors were encountered: