Skip to content

The AuthPolicy Custom Resource Definition (CRD)

AuthPolicy

Field Type Required Description
spec AuthPolicySpec Yes The specification for AuthPolicy custom resource
status AuthPolicyStatus No The status for the custom resource

AuthPolicySpec

Field Type Required Description
targetRef LocalPolicyTargetReference Yes Reference to a Kubernetes resource that the policy attaches to
rules AuthScheme No Implicit default authentication/authorization rules
patterns MapNamedPattern> No Implicit default named patterns of lists of selector, operator and value tuples, to be reused in when conditions and pattern-matching authorization rules.
when []PatternExpressionOrRef No List of implicit default additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.
defaults AuthPolicyCommonSpec No Explicit default definitions. This field is mutually exclusive with any of the implicit default definitions: spec.rules, spec.patterns, spec.when
overrides AuthPolicyCommonSpec No Atomic overrides definitions. This field is mutually exclusive with any of the implicit or explicit default definitions: spec.rules, spec.patterns, spec.when, spec.default

AuthPolicyCommonSpec

Field Type Required Description
rules AuthScheme No Authentication/authorization rules
patterns MapNamedPattern> No Named patterns of lists of selector, operator and value tuples, to be reused in when conditions and pattern-matching authorization rules.
when []PatternExpressionOrRef No List of additional dynamic conditions (expressions) to activate the policy. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.

AuthScheme

Field Type Required Description
authentication MapAuthenticationRule> No Authentication rules. At least one config MUST evaluate to a valid identity object for the auth request to be successful. If omitted or empty, anonymous access is assumed.
metadata MapMetadataRule> No Rules for fetching auth metadata from external sources.
authorization MapAuthorizationRule> No Authorization rules. All policies MUST allow access for the auth request be successful.
response ResponseSpec No Customizations to the response to the authorization request. Use it to set custom values for unauthenticated, unauthorized, and/or success access request.
callbacks MapCallbackRule> No Rules for post-authorization callback requests to external services. Triggered regardless of the result of the authorization request.

AuthRuleCommon

Field Type Required Description
when []PatternExpressionOrRef No List of additional dynamic conditions (expressions) to activate the auth rule. Use it for filtering attributes that cannot be expressed in the targeted HTTPRoute's spec.hostnames and spec.rules.matches fields, or when targeting a Gateway.
cache Caching spec No Caching options for the resolved object returned when applying this auth rule. (Default: disabled)
priority Integer No Priority group of the auth rule. All rules in the same priority group are evaluated concurrently; consecutive priority groups are evaluated sequentially. (Default: 0)
metrics Boolean No Whether the auth rule emits individual observability metrics. (Default: false)

AuthenticationRule

Field Type Required Description
apiKey API Key authentication spec No Authentication based on API keys stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
kubernetesTokenReview KubernetesTokenReview spec No Authentication by Kubernetes token review. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
jwt JWT verification spec No Authentication based on JSON Web Tokens (JWT). Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
oauth2Introspection OAuth2 Token Introscpection spec No Authentication by OAuth2 token introspection. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
x509 X.509 authentication spec No Authentication based on client X.509 certificates. The certificates presented by the clients must be signed by a trusted CA whose certificates are stored in Kubernetes secrets. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
plain Plain identity object spec No Identity object extracted from the context. Use this method when authentication is performed beforehand by a proxy and the resulting object passed to Authorino as JSON in the auth request. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
anonymous Anonymous access No Anonymous access. Use one of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
credentials Auth credentials spec No Customizations to where credentials are required to be passed in the request for authentication based on this auth rule. Defaults to HTTP Authorization header with prefix "Bearer".
overrides Identity extension spec No JSON overrides to set to the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc).
defaults Identity extension spec No JSON defaults to set to the resolved identity object. Do not use it with identity objects of other JSON types (array, string, etc).
(inline) AuthRuleCommon No

MetadataRule

Field Type Required Description
http HTTP GET/GET-by-POST external metadata spec No External source of auth metadata via HTTP request. Use one of: http, userInfo, uma.
userInfo OIDC UserInfo spec No OpendID Connect UserInfo linked to an OIDC authentication rule declared in this same AuthPolicy. Use one of: http, userInfo, uma.
uma UMA metadata spec No User-Managed Access (UMA) source of resource data. Use one of: http, userInfo, uma.
(inline) AuthRuleCommon No

AuthorizationRule

Field Type Required Description
patternMatching Pattern-matching authorization spec No Pattern-matching authorization rules. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
opa OPA authorization spec No Open Policy Agent (OPA) Rego policy. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
kubernetesSubjectAccessReview Kubernetes SubjectAccessReview spec No Authorization by Kubernetes SubjectAccessReview. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
spicedb SpiceDB authorization spec No Authorization decision delegated to external Authzed/SpiceDB server. Use one of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
(inline) AuthRuleCommon No

ResponseSpec

Field Type Required Description
unauthenticated Custom denial status spec No Customizations on the denial status and other HTTP attributes when the request is unauthenticated. (Default: 401 Unauthorized)
unauthorized Custom denial status spec No Customizations on the denial status and other HTTP attributes when the request is unauthorized. (Default: 403 Forbidden)
success SuccessResponseSpec No Response items to be included in the auth response when the request is authenticated and authorized.
SuccessResponseSpec
Field Type Required Description
headers Map<string:SuccessResponseItem> No Custom success response items wrapped as HTTP headers to be injected in the request.
filters Map<string:SuccessResponseItem> No Custom success response items made available to other filters managed by Kuadrant (i.e. Rate Limit).
SuccessResponseItem
Field Type Required Description
plain Plain text response item No Plain text content. Use one of: plain, json, wristband.
json JSON injection response item No Specification of a JSON object. Use one of: plain, json, wristband.
wristband Festival Wristband token response item No Specification of a JSON object. Use one of: plain, json, wristband.
key String No The key used to add the custom response item (name of the HTTP header or root property of the Dynamic Metadata object). Defaults to the name of the response item if omitted.

CallbackRule

Field Type Required Description
http HTTP endpoints callback spec No HTTP endpoint settings to build the callback request (webhook).
(inline) AuthRuleCommon No

NamedPattern

Field Type Required Description
selector String Yes A valid Well-known attribute whose resolved value in the data plane will be compared to value, using the operator.
operator String Yes The binary operator to be applied to the resolved value specified by the selector. One of: eq (equal to), neq (not equal to), incl (includes; for arrays), excl (excludes; for arrays), matches (regex).
value String Yes The static value to be compared to the one resolved from the selector.

AuthPolicyStatus

Field Type Description
observedGeneration String Number of the last observed generation of the resource. Use it to check if the status info is up to date with latest resource spec.
conditions []ConditionSpec List of conditions that define that status of the resource.

ConditionSpec

  • The lastTransitionTime field provides a timestamp for when the entity last transitioned from one status to another.
  • The message field is a human-readable message indicating details about the transition.
  • The reason field is a unique, one-word, CamelCase reason for the condition’s last transition.
  • The status field is a string, with possible values True, False, and Unknown.
  • The type field is a string with the following possible values:
  • Available: the resource has successfully configured;
Field Type Description
type String Condition Type
status String Status: True, False, Unknown
reason String Condition state reason
message String Condition state description
lastTransitionTime Timestamp Last transition timestamp

High-level example

apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
  name: my-auth-policy
spec:
  # Reference to an existing networking resource to attach the policy to. REQUIRED.
  # It can be a Gateway API HTTPRoute or Gateway resource.
  # It can only refer to objects in the same namespace as the AuthPolicy.
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute / Gateway
    name: myroute / mygateway

  # Additional dynamic conditions to trigger the AuthPolicy.
  # Use it for filtering attributes not supported by HTTPRouteRule or with AuthPolicies that target a Gateway.
  # Check out https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md to learn more
  # about the Well-known Attributes that can be used in this field.
  # Equivalent to if otherwise declared within `defaults`.
  when: []

  # Sets of common patterns of selector-operator-value triples, to be referred by name in `when` conditions
  # and pattern-matching rules. Often employed to avoid repetition in the policy.
  # Equivalent to if otherwise declared within `defaults`.
  patterns: {  }

  # The auth rules to apply to the network traffic routed through the targeted resource.
  # Equivalent to if otherwise declared within `defaults`.
  rules:
    # Authentication rules to enforce.
    # At least one config must evaluate to a valid identity object for the auth request to be successful.
    # If omitted or empty, anonymous access is assumed.
    authentication:
      "my-authn-rule":
        # The authentication method of this rule.
        # One-of: apiKey, jwt, oauth2Introspection, kubernetesTokenReview, x509, plain, anonymous.
        apiKey: {  }

        # Where credentials are required to be passed in the request for authentication based on this rule.
        # One-of: authorizationHeader, customHeader, queryString, cookie.
        credentials:
          authorizationHeader:
            prefix: APIKEY

        # Rule-level additional conditions.
        when: []

        # Configs for caching the resolved object returned out of evaluating this auth rule.
        cache: {  }

    # Rules for fetching auth metadata from external sources.
    metadata:
      "my-external-source":
        # The method for fetching metadata from the external source.
        # One-of: http: userInfo, uma.
        http: {  }

    # Authorization rules to enforce.
    # All policies must allow access for the auth request be successful.
    authorization:
      "my-authz-rule":
        # The authorization method of this rule.
        # One-of: patternMatching, opa, kubernetesSubjectAccessReview, spicedb.
        opa: {  }

    # Customizations to the authorization response.
    response:
      # Custom denial status and other HTTP attributes for unauthenticated requests.
      unauthenticated: {  }

      # Custom denial status and other HTTP attributes for unauhtorized requests.
      unauthorized: {  }

      # Custom response items when access is granted.
      success:
        # Custom response items wrapped as HTTP headers to be injected in the request
        headers:
          "my-custom-header":
            # One-of: plain, json, wristband.
            plain: {  }

        # Custom response items wrapped as envoy dynamic metadata.
        dynamicMetadata:
          # One-of: plain, json, wristband.
          "my-custom-dyn-metadata":
            json: {  }

    # Rules for post-authorization callback requests to external services.
    # Triggered regardless of the result of the authorization request.
    callbacks:
      "my-webhook":
        http: {  }

    # Explicit defaults. Used in policies that target a Gateway object to express default rules to be enforced on
    # routes that lack a more specific policy attached to.
    # Mutually exclusive with `overrides` and with declaring the `rules`, `when` and `patterns` at the top-level of
    # the spec.
    defaults:
      rules:
        authentication: {  }
        metadata: {  }
        authorization: {  }
        response: {  }
        callbacks: {  }
      when: []
      patterns: {  }

    # Overrides. Used in policies that target a Gateway object to be enforced on all routes linked to the gateway,
    # thus also overriding any more specific policy occasionally attached to any of those routes.
    # Mutually exclusive with `defaults` and with declaring `rules`, `when` and `patterns` at the top-level of
    # the spec.
    overrides:
      rules:
        authentication: {  }
        metadata: {  }
        authorization: {  }
        response: {  }
        callbacks: {  }
      when: []
      patterns: {  }