Skip to content

W.I.P. configure external authorization policy#676

Draft
ensonic wants to merge 1 commit into
mainfrom
ensonic/istio
Draft

W.I.P. configure external authorization policy#676
ensonic wants to merge 1 commit into
mainfrom
ensonic/istio

Conversation

@ensonic
Copy link
Copy Markdown
Contributor

@ensonic ensonic commented May 12, 2026
edited
Loading

Try to configure the AuthorizationPolicy for token vendor.

This requires us to lift the constraint on chart assignments and we
need to allow to deploy into the "defaul"t namespec as well.

Tested:

istioctl x authz check $(kubectl get pods -n default -l gateway.networking.k8s.io/gateway-name=crc-gateway -o name | cut -d'/' -f2) -n default
istioctl proxy-config listener $(kubectl get pods -n default -l gateway.networking.k8s.io/gateway-name=crc-gateway -o name | cut -d'/' -f2) -n default --port 443 -o json | more

@ensonic ensonic marked this pull request as draft May 12, 2026 09:00
@ensonic ensonic force-pushed the ensonic/istio branch 7 times, most recently from b75ea23 to 2c4aaf3 Compare May 18, 2026 14:04
@ensonic ensonic changed the title W.I.P. configure authorization policy W.I.P. configure external authorization policy May 18, 2026
@ensonic ensonic force-pushed the ensonic/istio branch 2 times, most recently from 34e7c1e to b395459 Compare May 19, 2026 12:57
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper.
9147f80 
This will let us add extra namespaces as needed.
See PR #676
@ensonic ensonic mentioned this pull request May 19, 2026
Merged
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper.
10a810b 
This will let us add extra namespaces as needed.
See PR #676
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper.
3c858f3 
This will let us add extra namespaces as needed.
See PR #676
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper.
ab291fb 
This will let us add extra namespaces as needed.
See PR #676
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper.
bad8c0d 
This will let us add extra namespaces as needed.
See PR #676
ensonic added a commit that referenced this pull request May 19, 2026
@ensonic
Move sync namespace check to helper. (#685)
6da4f4d 
This will let us add extra namespaces as needed.
See PR #676
@ensonic
W.I.P. configure authorization policy
356136f 
Try to configure the AuthorizationPolicy for token vendor.

This requires us to lift the constraint on chart assignments and we
need to allow to deploy into the "defaul"t namespec as well.

Tested:
```shell
istioctl x authz check $(kubectl get pods -n default -l gateway.networking.k8s.io/gateway-name=crc-gateway -o name | cut -d'/' -f2) -n default
istioctl proxy-config listener $(kubectl get pods -n default -l gateway.networking.k8s.io/gateway-name=crc-gateway -o name | cut -d'/' -f2) -n default --port 443 -o json | more
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ensonic