knative-extensions/eventing-kafka-broker

[data-plane] Receiver: Reject unauthorized requests

creydr opened this issue · 5 comments

We need to verify in the receiver (ingress) that a request is authorized. Therefore we should do the following in the receiver:

  • Get the OIDC identity of the sender
  • In case the resource's (Broker/KafkaChannel/KafkaSink) .status.policies is set:
    • Check if the sender's identity is subject of any of the linked EventPolicies (in their .status.from[]).
      • If it is present: continue with the request
      • If not: reject the request with a 403 status code
  • In case the resource's .status.policies is empty:
    • Check the default-authorization-mode and do the following depending on its value:
      • allow-all: Continue with the request
      • deny-all: reject the request with a 403 status code
      • allow-same-namespace: check if the sender's identity is from the same namespace as the resource. If so, continue with the request, otherwise reject with a 403

We should also add an e2e test for the above scenarios.

Additional context:

Additional hints for new contributors before starting with this issue:

  1. When the issue has the Draft status, the issue is subject to change and thus should not be started to be worked on
  2. Make sure you've read and understood the CONTRIBUTING.md guidelines
  3. Make sure you're able to run Knative Eventing locally with Knative Eventing Kafka and run at least the unit tests.
  4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel or join the Eventing Workgroup Meeting / Office Hours
  5. When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.

/help
/triage accepted
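The decision flow requested above, sketched as an added example (not code from this issue or from the eventing-kafka-broker project). The `Resource` type and `Authorize` function are hypothetical, and the sketch assumes the OIDC subject is a Kubernetes service account name of the form `system:serviceaccount:<namespace>:<name>` and that subjects are compared by exact match.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Resource is a hypothetical, flattened view of a Broker/KafkaChannel/KafkaSink.
type Resource struct {
	Namespace string
	// One entry per EventPolicy linked in .status.policies, holding that policy's .status.from[].
	PolicySubjects [][]string
}

// Authorize returns 200 when the request may continue and 403 when it must be rejected.
// subject is the already verified OIDC identity of the sender ("" if none was presented).
func Authorize(subject string, r Resource, defaultMode string) int {
	if len(r.PolicySubjects) > 0 { // .status.policies is set: only listed subjects pass
		for _, from := range r.PolicySubjects {
			for _, s := range from {
				if subject != "" && s == subject {
					return http.StatusOK
				}
			}
		}
		return http.StatusForbidden // policies exist, but none names this sender
	}
	switch defaultMode { // no policies: fall back to default-authorization-mode
	case "allow-all":
		return http.StatusOK
	case "allow-same-namespace":
		// Assumed subject layout: system:serviceaccount:<namespace>:<name>
		p := strings.Split(subject, ":")
		if len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" &&
			p[2] == r.Namespace && p[3] != "" {
			return http.StatusOK
		}
	}
	return http.StatusForbidden // deny-all, namespace mismatch, or an unknown mode: fail closed
}

func main() {
	// Constructed sample values.
	r := Resource{Namespace: "orders"}
	fmt.Println(Authorize("system:serviceaccount:orders:sender", r, "allow-same-namespace")) // 200
	fmt.Println(Authorize("system:serviceaccount:billing:sender", r, "allow-same-namespace")) // 403
	r.PolicySubjects = [][]string{{"system:serviceaccount:billing:sender"}}
	fmt.Println(Authorize("system:serviceaccount:orders:sender", r, "allow-all")) // 403
}
```

Once any EventPolicy is linked, the default mode is never consulted, so a linked policy with an empty `.status.from[]` rejects every sender even under `allow-all`.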

@creydr:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

/area data-plane

Putting back in "Draft" status, as this maybe could be included in #4042 already

Done in #4041 / #4061