update authz concept page for the new v1beta1 policy #5165
/cc @liminw
/test lint_istio.io
@rcaballeromx Could you review the PR? It's needed for the 1.4 release. Thanks.
updated authorization policies if it sees any changes. Pilot distributes Istio | ||
authorization policies to the Envoy proxies that are co-located with the | ||
service instances. | ||
Galley watches for changes to Istio authorization policies. It fetches the |
I think we should remove this paragraph, or move it to the architecture document. In general, we want to be talking about the features and not how the features are implemented.
@geeknoid I agree. This information doesn't belong here and we should move it to, at the very least, an architecture section, or ideally the Architecture page under reference.
@rcaballeromx ping
One more thing, I think we also need to mention that the policy can be applied to Ingress and Egress, and give an example about it. This is a new feature that should be highlighted. Ideally, we should have a task demonstrating ingress/egress authorization.
@liminw updated the doc for your comments, for the
@liminw Done, I think we had a bug for the support of "*" for presence match. Currently I'm afraid it matches on any instead of non-empty, will verify and fix soon.
Thanks @yangminzhu. Yes, we need to fix it.
@yangminzhu Let's also clearly document "implicit enablement" behavior. See design doc. It is a big behavior change from alpha policy.
I updated to the
@nrjpoddar @zjory Thank you very much for helping to review the PR. I have updated the PR for your comments, hope we can get it in before the 1.4 release :)
content/en/docs/reference/config/authorization/conditions/index.md
Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
…x.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
…-properties/index.md Co-Authored-By: Martin Taillefer <geeknoid@users.noreply.github.com>
@geeknoid Updated for the comments, PTAL, thanks!
For istio/istio#12394
Please provide a description for what this PR is for.
And to help us figure out who should review this PR, please
put an X in all the areas that this PR affects.
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[X] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure