From a00c6e2e61b0b3db670c237f9f633f110706382c Mon Sep 17 00:00:00 2001 From: Bo-Cheng Chu Date: Mon, 24 Apr 2023 16:17:24 -0700 Subject: [PATCH] add ext-authz route example --- .../authorization/authz-custom/index.md | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/content/en/docs/tasks/security/authorization/authz-custom/index.md b/content/en/docs/tasks/security/authorization/authz-custom/index.md index 0c02278de64f..26145d7cb44d 100644 --- a/content/en/docs/tasks/security/authorization/authz-custom/index.md +++ b/content/en/docs/tasks/security/authorization/authz-custom/index.md 
@@ -232,6 +232,56 @@ The external authorizer is now ready to be used by the authorization policy. You can now apply another authorization policy for the sample `ext-authz` server to control who is allowed to access it. +## Route with external authorization +You can create a VirtualService to route your service based on external authorization headers. + +1. Deploy a VirtualService `ext-authz-route`: + + The following command applies a VirtualService that route all traffic to `/headers` containing a `x-ext-authz` header with value `allow` to a route, and route the rest of the traffic to `/headers` to another route. + + {{< text bash >}} + $ kubectl apply -n foo -f - <}} + +1. Verify a request to path `/headers` with header `x-ext-authz: allow` routes to `/base64/cm91dGUtYWxsb3c=`: + + {{< text bash >}} + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: allow" -s + route-allow + {{< /text >}} + +1. Verify a request to path `/headers` with header `x-ext-authz: deny` routes to `/base64/cm91dGUtZGVueQ==`: + + {{< text bash >}} + $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -H "x-ext-authz: deny" -s + route-deny + {{< /text >}} + ## Clean up 1. Remove the namespace `foo` from your configuration:
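Review bot: The new "Route with external authorization" section should state explicitly that the `x-ext-authz` header the VirtualService matches on is supplied by the client (the verification steps send it with `curl ... -H "x-ext-authz: allow"`), so the route selection is not itself an access decision; a sentence pointing readers back to the `ext-authz` authorization policy applied earlier in the task as the thing that actually enforces access would prevent the match being mistaken for authorization. Two grammar fixes in the same step: "a VirtualService that route all traffic" should read "routes", and "and route the rest of the traffic" should read "routes the rest of the traffic". The two expected outputs are consistent with the paths named (`cm91dGUtYWxsb3c=` decodes to `route-allow`, `cm91dGUtZGVueQ==` to `route-deny`).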