This is a tracking issue of Authorization v2.

• API:

  • Add authorization policy v1beta1

• Pilot:

  • Remove code for outdated previous policy
  • Support authorization policy v1beta1
  • Deprecate ClusterRbacConfig in favor of implicit enablement
  • Add additional fields for ServiceRole (Add additional fields for ServiceRole, issue: #11516 (#11712) #12299)
  • Add additional fields for ServiceRoleBinding ([Authz v2] Add additional fields for bindings and validation. (#11800) #12460)
  • Add CRD AuthorizationPolicy for authorization v2 API (Add CRD AuthorizationPolicy for authorization v2 API #12318, Implement AuthorizationPolicy with workload selector. (#12050) #12667)
  • Support enforcement on Ingress/Egress (rbac: support authorization policy on gateway #12415)
  • Implement role in ServiceRoleBinding in AuthorizationPolicy (Implement role field in AuthorizationPolicy  #13181)

• Migration

  • Provide offline tool to covert v1alpha1 to AuthorizationPolicy

• Test:

  • Add e2e tests for AuthorizationPolicy (Fix RBAC integration tests + refactor test framework #13384)
  • Refactor the rbac_test.go unit tests

• Document:

  • Update security page, tasks and examples for AuthorizationPolicy
    • Concept page
    • Tasks
    • Reference page
    • Debugging page

• Deprecate:

  • Deprecate v1alpha1 in Pilot and documents

• Development

  • Create separate feature branch (authz-v2) and enable e2e tests on it (master is blocked due to 1.1 delayed)
  • Inline Role Definition (Support inline role definition in AuthorizationPolicy #12849)
  • GlobalServiceRole and GlobalAuthorizationPolicy (Implement role field in AuthorizationPolicy  #13181?)