guides: auth anonymous access #1038

Open. Wants to merge 4 commits into base: main
180 changes: 180 additions & 0 deletions doc/user-guides/auth/anonymous-access.md
@@ -0,0 +1,180 @@
# Enforcing anonymous access with Kuadrant AuthPolicy

Learn how to allow anonymous access to certain endpoints using Kuadrant's `AuthPolicy`

## Prerequisites

You have installed Kuadrant in a [kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster with a Gateway provider.

### Create Gateway
Create a `Gateway` resource for this guide:

```sh
kubectl apply -f -<<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: kuadrant-ingressgateway
spec:
gatewayClassName: istio
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
EOF
```
The `Gateway` resource created above uses Istio as the gateway provider. For Envoy Gateway, use the Envoy Gateway `GatewayClass` as the `gatewayClassName`.

### Deploy Toy Store application

Deploy a simple HTTP application service that echoes back the request data:

```sh
kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/examples/toystore/toystore.yaml
```

### Expose the Application

Create an `HTTPRoute` to expose an `/cars` and `/public` path to the application:

```sh
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: toystore
spec:
parentRefs:
- name: kuadrant-ingressgateway
namespace: default
hostnames:
- api.toystore.com
rules:
- matches: # rule-1
- method: GET
path:
type: PathPrefix
value: "/cars"
backendRefs:
- name: toystore
port: 80
- matches: # rule-2
- method: GET
path:
type: PathPrefix
value: "/public"
backendRefs:
- name: toystore
port: 80
EOF
```

Export the gateway hostname and port for testing:

```sh
export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n default -o jsonpath='{.status.addresses[0].value}')
export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n default -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
```

### Test the Unprotected Application
Test requests to the unprotected application:

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
# HTTP/1.1 200 OK
```

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
# HTTP/1.1 200 OK
```

### Deny All Traffic with AuthPolicy

Apply an `AuthPolicy` to deny all traffic to the `HTTPRoute`:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: route-auth
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
defaults:
strategy: atomic
rules:
authorization:
deny-all:
opa:
rego: "allow = false"
EOF
```

### Test the Protected Application

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
# HTTP/1.1 403 Forbidden
```

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
# HTTP/1.1 403 Forbidden
```

### Allow Anonymous Access to /public
Create an `AuthPolicy` to allow anonymous access to the `/public` endpoint:

```sh
kubectl apply -f - <<EOF
apiVersion: kuadrant.io/v1
kind: AuthPolicy
metadata:
name: rule-2-auth
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: toystore
sectionName: rule-2
defaults:
rules:
authentication:
"public":
anonymous: {}
EOF
```

The example above enables anonymous access (i.e. removes authentication) to the `/public` rule of the `HTTPRoute`.

### Test the Application with Anonymous Access

Test requests to the application protected by Kuadrant:

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/cars -i
# HTTP/1.1 403 Forbidden
```

```sh
curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/public -i
# HTTP/1.1 200 OK
```

## Cleanup

```sh
kubectl delete -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/refs/heads/main/examples/toystore/toystore.yaml
kubectl delete httproute toystore
kubectl delete authpolicy route-auth
kubectl delete authpolicy rule-2-auth
kubectl delete gateway kuadrant-ingressgateway
```
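Review bot: the sentence following the `rule-2-auth` policy ("enables anonymous access (i.e. removes authentication)") does not explain why `/public` stops returning 403, and as written it could mislead readers about what the section-level policy actually does. The route-level `route-auth` policy defines no authentication rules at all; the only thing it contains is the `deny-all` authorization rule, with `defaults` under `strategy: atomic`. Because the strategy is atomic, the more specific `rule-2-auth` defaults replace the whole rule set for `rule-2`, so the `deny-all` authorization rule is dropped for `/public` rather than being combined with the anonymous authentication rule; that is what the `200 OK` in the final test reflects, while `/cars` keeps returning `403 Forbidden` because `route-auth` still applies there. Please state this explicitly in that paragraph, and add a short caveat that a section-level `AuthPolicy` with its own `defaults` can silently remove a route-wide deny-all under the atomic strategy, so authors should re-test every rule of the route after adding one (the guide's own curl checks against both `/cars` and `/public` are the right verification and deserve to be called out as such). Minor points: the title "Enforcing anonymous access" reads oddly since the policy permits access rather than enforcing anything ("Allowing anonymous access with Kuadrant AuthPolicy" would match the intro sentence), and the guide should say that the `Gateway`, `HTTPRoute` and toystore resources are all expected in the `default` namespace, since the `HTTPRoute` hard-codes `namespace: default` in its `parentRefs` and the `INGRESS_HOST`/`INGRESS_PORT` commands use `-n default`.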