Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce a Backend SecurityPolicy #4953

Open
aabchoo opened this issue Dec 19, 2024 · 3 comments
Open

Introduce a Backend SecurityPolicy #4953

aabchoo opened this issue Dec 19, 2024 · 3 comments
Labels
area/policy kind/decision A record of a decision made by the community. kind/feature new feature

Comments

@aabchoo
Copy link

aabchoo commented Dec 19, 2024
edited
Loading

Description:

Describe the desired behavior, what scenario it enables and how it
would be used.

The envoy gateway SecurityPolicy is meant for traffic entering the gateway from a client. It would be helpful to have a new dedicated Backend SecurityPolicy for traffic exiting the gateway to a backend.

Add an API definition to hold settings for configuring authentication and authorization rules on the traffic exiting the gateway to a service/backend/provider.

Some use cases include:

  • Setting the APIKey as part of the header when communicating with external backend
  • Obtaining OIDC tokens and using that to auth with cloud providers

[optional Relevant Links:]

Any extra documentation required to understand the issue.
@aabchoo aabchoo added the triage label Dec 19, 2024
@zhaohuabing
Copy link
Member

zhaohuabing commented Dec 20, 2024
edited
Loading

Will the proposedBackendSecurityPolicy include any other features beyond authentication? If not, BackendAuthenticationPolicy might be a more accurate name.

@zhaohuabing zhaohuabing added kind/feature new feature area/policy kind/decision A record of a decision made by the community. and removed triage labels Dec 20, 2024
@aabchoo
Copy link
Author

aabchoo commented Dec 20, 2024
edited
Loading

For the time being, authentication is the priority, so I'm fine with it being BackendAuthenticationPolicy

@zhaohuabing
Copy link
Member

I'm +1 for this.

As the firt iteration, we can consider supporting generic credentials and the oauth2 client grant with the credential injector filter

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/policy kind/decision A record of a decision made by the community. kind/feature new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zhaohuabing @aabchoo