From 60a88654d4064b680a112bb49ff80091cacff909 Mon Sep 17 00:00:00 2001
From: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Date: Fri, 1 Nov 2024 19:00:13 +0100
Subject: [PATCH] chore: upstream our authorization changes for oauth2-proxy (#11347)

Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com>
---
 .../multi-user/istio-authorization-config.yaml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml b/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
index a9a45e5eb1b..6a773281045 100644
--- a/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
+++ b/manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml
@@ -8,10 +8,21 @@ spec:
     matchLabels:
       app: ml-pipeline-ui
   rules:
+  # Allow all requests from the ingress gateway
   - from:
     - source:
-        namespaces:
-        - istio-system
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+
+  # Allow all requests with an `authorization` header but NOT a `kubeflow-userid` header.
+  # This is needed to allow Kubernetes JWTs to be passed to the KFP API.
+  - when:
+    - key: request.headers[authorization]
+      values:
+      - "*"
+    - key: request.headers[kubeflow-userid]
+      notValues:
+      - "*"
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -32,7 +43,7 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
-  # For user workloads, which cannot user http headers for authentication
+  # Allow all requests that dont have a `kubeflow-userid` header.
   - when:
     - key: request.headers[kubeflow-userid]
       notValues: ['*']
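Review bot: The new `when` rule in the ml-pipeline-ui policy matches only on the *presence* of an `authorization` header (`values: ["*"]`), not on a validated token, so any caller that can reach the pod without going through the ingress gateway can satisfy it with `Authorization: Bearer anything`; with the previous rule such callers at least had to originate from `istio-system`. Whether that is safe now rests entirely on ml-pipeline-ui (or whatever it proxies to) verifying the bearer token itself and never deriving identity from another header, which the policy does not state. I would record that contract next to the rule: `# NOTE: Istio only checks that an authorization header is present; the token is NOT validated here, so the receiving service must verify it and must not trust any other identity header.` If a RequestAuthentication for the cluster's service-account issuer exists or can be added, consider additionally scoping this rule with `source.requestPrincipals: ["*"]` so the JWT is validated at the sidecar rather than downstream. The comment also says the JWT is "passed to the KFP API" while this policy selects `app: ml-pipeline-ui`, which appears to be the frontend; it may be worth clarifying which service is meant.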
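Review bot: The rewritten comment in the second policy has a typo (`dont`) and, more importantly, now describes only the mechanics of the rule without saying why admitting every header-less request is acceptable; the old wording at least hinted that these callers authenticate by some other means. Since the rule lets any in-mesh request without a `kubeflow-userid` header through, I would state the assumption explicitly, e.g. `# Allow all requests that don't have a kubeflow-userid header (e.g. in-cluster callers using a Kubernetes token); Istio does not authenticate them here, so the API server must validate the token itself.` Note this rule also still uses flow style `['*']` while the new rule above uses a block list with `"*"`; picking one form for the file would make the two policies easier to compare. The enclosing policy's `spec` starts outside the hunk.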