Basic rbac api #11441

Draft. Wants to merge 6 commits into base: main

npolshakova (Contributor) commented Jun 17, 2025

Description

Define a basic RBAC policy to support configuration of Envoy-based proxies and agentgateway. #11192

Motivation:

We would like to add support for JWT in kgateway for configuring both the upstream Envoy RBAC filter and configuring agentgateway JWT rbac.

What changed:

  • Adds new RBAC API with JWT Authorization API on TrafficPolicy

Change Type

/kind new_feature

Changelog

Added RBAC configuration to the TrafficPolicy for JWT claim based authorization

Additional Notes

See the Enhancement Proposal: #11194

Test locally:

  1. Set up cluster with ./hack/kind/setup-kind.sh
  2. Install kgateway:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml

helm upgrade -i -n kgateway-system kgateway-crds ./_test/kgateway-crds-1.0.0-ci1.tgz --create-namespace

helm upgrade -i -n kgateway-system kgateway ./_test/kgateway-1.0.0-ci1.tgz --create-namespace

  3. Apply config:

kubectl apply -f kgateway/test/kubernetes/e2e/features/jwt/testdata/setup.yaml
kubectl apply -f kgateway/test/kubernetes/e2e/features/jwt/testdata/jwt-rbac.yaml

  4. Set up jwt:

export DEV1=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MUBrZ2F0ZXdheS5pbyIsImdyb3VwIjoiZW5naW5lZXJpbmciLCJzY29wZSI6ImlzOmRldmVsb3BlciJ9.pqzk87Gny6mT8Gk7CVfkminm3u9CrNPhRt0oElwmfwZ7Jak1Ss4iOZ7MSZEgZFPxGiaz3DQyvos65dqbM_e4RaLYXb9fFYylaBl8kE8bhqMnXfPBNp9C4XTsSz4mR-eUvnkXXZ31dhMkoZvwIswWXR50wZ0rC6NF60Tye0sHJRdDcwL5778wDzLnualvtIiL-CbhWzXgRmjcrK3sbikLCHBjQiTEyBMPOVqS5NqJBgd7ZW1UASoxuxjCLsN8tBIaAFSACf8FZggAh9vEUJ_uc39kvOKQ0vs0pxvoYtsMPcndBYhws6IUhx_iF__qs_zz9mDNp8aMbXSlEdJG30wiRA

 export DEV2=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Rldi5leGFtcGxlLmNvbSIsImV4cCI6NDgwNDMyNDczNiwiaWF0IjoxNjQ4NjUxMTM2LCJvcmciOiJpbnRlcm5hbCIsImVtYWlsIjoiZGV2MkBrZ2F0ZXdheS5pbyIsImdyb3VwIjoiZW5naW5lZXJpbmciLCJzY29wZSI6ImlzOmRldmVsb3BlciJ9.S0a_Lu2y0gaXBCnO3ydGJCnXt5R-QMxBvJOjYOTzorcnUOcaOTMOd3fUBY8ojZR-f0xTEy6M6K1V0yKxeq6Mys9Le9SE6oabP6gttktnwL5c9e9rzMcmGz1NVyUBav2N8Yiuw7Va8gyIod02vJrllQteMfZSqoAUmDLmpFs3bvkIgMlWDtVAWPqoGJ4ZI-yf0WfTSmW-kFbaiIz4pQNm03Q9M_ZMiHyOTtCDZuc0pSQ0_uvjnqHrefBgJJkFEv58pVqZVJphEOAfl7CpWlT9dXiPVoMhy4RTezkfrjuCqvW7dDwGZGSUqLYDZsOJ8yeIdeW9LKMaGcPag1AbRCe4HQ

  5. Send request:

RBAC: access denied:

curl localhost:8080/get -v \
  -H "Host: httpbin" \
  -H "Authorization: Bearer $DEV1"

Works:

curl localhost:8080/get -v \
  -H "Host: httpbin" \
  -H "Authorization: Bearer $DEV2"
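
An added example (not part of the PR description or the kgateway code base): the two curl requests above differ only in the bearer token, so decoding both payloads and diffing the claims shows which claim the allow/deny outcome can depend on. It decodes without verifying signatures (inspection only), reads `DEV1` and `DEV2` from the environment when set, and otherwise uses unsigned stand-in tokens constructed here with the claims the page's tokens decode to; all function names are this example's own.

```python
import base64
import json
import os

def decode_claims(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # JWTs strip base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diff_claims(a: dict, b: dict) -> dict:
    """Map each claim whose value differs to its (a, b) pair; None means absent."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def constructed_token(email: str) -> str:
    """Unsigned stand-in, constructed for this example (will not pass verification)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": "https://dev.example.com", "exp": 4804324736,
              "iat": 1648651136, "org": "internal", "email": email,
              "group": "engineering", "scope": "is:developer"}
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.constructed-signature'

def compare(dev1: str = None, dev2: str = None) -> dict:
    """Diff the claims of two tokens: arguments first, then $DEV1/$DEV2, then stand-ins."""
    dev1 = dev1 or os.environ.get("DEV1") or constructed_token("dev1@kgateway.io")
    dev2 = dev2 or os.environ.get("DEV2") or constructed_token("dev2@kgateway.io")
    return diff_claims(decode_claims(dev1), decode_claims(dev2))

if __name__ == "__main__":
    for claim, (v1, v2) in compare().items():
        print(f"{claim}: DEV1={v1!r} DEV2={v2!r}")
```

Only `email` differs between the two sets of claims (`dev1@kgateway.io` vs `dev2@kgateway.io`); `iss`, `org`, `group` and `scope` are identical, so a rule keyed on any of those alone could not separate the denied request from the allowed one.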

github-actions bot added the kind/feature and release-note labels Jun 17, 2025
npolshakova mentioned this pull request Jun 17, 2025
Signed-off-by: npolshakova <[email protected]>