Closed
Labels: kind/feature (categorizes issue or PR as related to a new feature), kind/user-story (categorizes an issue as capturing a user story), lifecycle/rotten (denotes an issue or PR that has aged beyond stale and will be auto-closed)
Description
What would you like to be added:
A standardized mechanism to call an external service to authorize request forwarding to a selected destination (backend).
Why is this needed:
User Story
- As an application developer, I want to extract authentication and authorization requirements from an application to a common infrastructure component. The authentication and authorization function should have access to request headers and optionally the request body up to some limit.
- As a cluster operator, using an external call (akin in spirit to Kubernetes' ValidatingWebhooks) rather than a proxying service allows me to control the following policies:
  - Ability to separately measure latency/error rate
  - Ability to fail-open as well as fail-closed on error
  - Reduced complexity of authorization webhook
Usage examples
- Cloud Foundry UAA for OAuth token verification would be one example, as would a SAML implementation.
- If TLS information is provided in the request, this might provide an implementation for #93 (TLS: enforce validation policy for an application).
- Access control could also be used to implement a rate-limiting mechanism or load-shedding mechanism to prevent overloading backend services like a SQL database.
- Application services could also provide validation on other header fields; Knative event delivery (CloudEvents over HTTP) might want to be able to limit delivery to only certain event types (CE-Type header).
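One way a gateway could implement the call described in the user story above, as an added Go example that is not part of this issue or of the Gateway API project: it forwards the original headers plus a bounded body prefix to the external service, counts authorizer errors separately so its latency/error rate can be measured on its own, and applies a fail-open or fail-closed policy when no verdict is obtained. The authorizer URL, the body cap, the fail-open flag and the verdict mapping (2xx allow, 401/403 deny, anything else is an error handled by the policy) are all assumptions, not a Gateway API specification.

```go
package main
import (
	"bytes"
	"context"
	"fmt"
	"io"
	"net/http"
	"sync/atomic"
)
// ExtAuthz forwards request headers and a bounded body prefix to an external service.
type ExtAuthz struct {
	URL      string       // hypothetical authorizer endpoint (assumed configuration)
	Client   *http.Client // carries the per-call timeout
	MaxBody  int64        // bytes of request body forwarded to the authorizer
	FailOpen bool         // allow when no verdict is obtained; zero value is fail-closed
	Errors   atomic.Int64 // counted separately so authorizer health is visible on its own
}
// Authorize returns (allowed, err); err is non-nil whenever the verdict came from the fail policy.
func (a *ExtAuthz) Authorize(ctx context.Context, req *http.Request) (bool, error) {
	var prefix []byte
	if req.Body != nil { // read at most MaxBody bytes, then splice them back for the backend
		var err error
		if prefix, err = io.ReadAll(io.LimitReader(req.Body, a.MaxBody)); err != nil {
			return a.onError(err)
		}
		req.Body = io.NopCloser(io.MultiReader(bytes.NewReader(prefix), req.Body))
	}
	check, err := http.NewRequestWithContext(ctx, http.MethodPost, a.URL, bytes.NewReader(prefix))
	if err != nil {
		return a.onError(err)
	}
	check.Header = req.Header.Clone() // the authorizer sees the original request headers
	resp, err := a.Client.Do(check)
	if err != nil {
		return a.onError(err) // unreachable or timed out: the fail policy decides
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode >= 200 && resp.StatusCode < 300:
		return true, nil
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return false, nil
	}
	return a.onError(fmt.Errorf("authorizer returned %d", resp.StatusCode)) // 5xx etc. is a failure, not a verdict
}
func (a *ExtAuthz) onError(err error) (bool, error) {
	a.Errors.Add(1)
	return a.FailOpen, err
}
```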