Git as a repository for access rules & granularity: check against specific ingress against specific accessrule files #1154

Open
4 of 5 tasks
qdrddr opened this issue Mar 11, 2024 · 2 comments
Labels
feat New feature or request.

Comments


qdrddr commented Mar 11, 2024

Ory Network Project

No response

Describe your problem

  1. Having Oathkeeper access rules in files or CRDs for k8s has concerns; having too many rules might slow down etcd. Having access rule files stored in a Git repository (folder) will allow better alignment with the popular GitOps approach.

  2. Access rule file granularity: allow the provision of a URL path or some other way to pass file path(s) / folder(s) with access rules against which the request will be checked, instead of searching through all the files with all the access rules. This can be useful with ingress annotations; each website can have its own set of rules stored in file(s) / folder(s) and checked only against the access rules provided for this ingress.

Re-scanning the folder for other JSON files with access rules, and caching, are needed for these features to work.

Describe your ideal solution

  1. Pulling files from a Git repo folder with subfolders periodically, similar to ArgoCD. Git notifies Oathkeeper via a webhook of changes, so that it re-scans the rules and caches them locally.

  2. Specify the access rule path to the file(s) / folder(s) in ingress annotations, which will be used to check against a given ingress.

Workarounds or alternatives

CRDs, or add new files to the config and reload the Oathkeeper pod instances. Or store access rules in YAML format, append to them and reload the pods.

Version

0.40.7

Additional Context

Reasoning: this helps manage access rules the GitOps way: persistence is held in the Git repo, and this is also easy to manage. Simplified configuration & architecture: no DB needed. Increasing performance by checking only the subset of rules predefined in ingress annotations can help scale this solution: no searching across all the rules.

@qdrddr qdrddr added the feat New feature or request. label Mar 11, 2024
@qdrddr qdrddr changed the title Git as a repository for access rules. Git as a repository for access rules & granularity: check against specific ingress against specific accessrule files Mar 12, 2024
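The second part of the request above (check a request only against the rule files of the folder named in its ingress annotation, rescanning and caching the checkout) as an added Go example; this is not Oathkeeper code and not from the issue author. It assumes a trimmed `Rule` type with only `id` and `match`, an `fs.FS` view of the git checkout (an in-memory `fstest.MapFS` with constructed rules here; `os.DirFS` on the real checkout in production), and treats `match.url` as one anchored Go regexp rather than Oathkeeper's `<...>` delimited syntax:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"regexp"
	"strings"
	"sync"
	"testing/fstest"
)

// Rule is a trimmed stand-in for an Oathkeeper access rule: only the fields
// this example needs, not the project's own type.
type Rule struct {
	ID    string `json:"id"`
	Match struct {
		URL     string   `json:"url"`
		Methods []string `json:"methods"`
	} `json:"match"`
}

// Store caches rules per folder of the checked-out repo, keyed by the folder
// path an ingress annotation would name (e.g. "shop"). Repo is the checkout.
type Store struct {
	Repo  fs.FS
	mu    sync.RWMutex
	rules map[string][]Rule // nil until the first Reload, so Match denies
}

// Reload rescans every *.json in Repo and swaps in a fresh cache in one step;
// a malformed file aborts the reload so the last good rule set stays active.
func (s *Store) Reload() error {
	fresh := map[string][]Rule{}
	err := fs.WalkDir(s.Repo, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(p, ".json") {
			return err
		}
		var rs []Rule
		data, err := fs.ReadFile(s.Repo, p)
		if err == nil {
			err = json.Unmarshal(data, &rs)
		}
		if err != nil {
			return fmt.Errorf("%s: %w", p, err)
		}
		fresh[path.Dir(p)] = append(fresh[path.Dir(p)], rs...)
		return nil
	})
	if err != nil { return err }
	s.mu.Lock()
	s.rules = fresh
	s.mu.Unlock()
	return nil
}

// Match checks method and URL only against the rules in folder. An unknown
// folder denies rather than falling back to every rule, so a mistyped
// annotation cannot silently widen the search to all sites.
func (s *Store) Match(folder, method, url string) (string, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	rs, ok := s.rules[folder]
	if !ok {
		return "", fmt.Errorf("no rule set for folder %q", folder)
	}
	var hits []string
	for _, r := range rs {
		re, err := regexp.Compile("^(?:" + r.Match.URL + ")$") // simplification
		if err != nil {
			return "", err
		}
		for _, m := range r.Match.Methods {
			if m == method && re.MatchString(url) {
				hits = append(hits, r.ID)
			}
		}
	}
	if len(hits) != 1 { // like Oathkeeper, several matching rules are an error
		return "", fmt.Errorf("%d rules matched, need exactly one", len(hits))
	}
	return hits[0], nil
}

// SampleRepo is constructed data standing in for a git checkout, with one
// folder per site as the issue proposes.
var SampleRepo = fstest.MapFS{
	"shop/orders.json": {Data: []byte(`[{"id":"shop:orders","match":{"url":"https://shop\\.example\\.com/api/orders/[0-9]+","methods":["GET"]}}]`)},
	"blog/posts.json":  {Data: []byte(`[{"id":"blog:posts","match":{"url":"https://blog\\.example\\.com/posts(/.*)?","methods":["GET","HEAD"]}}]`)},
}

func main() {
	s := &Store{Repo: SampleRepo} // production: &Store{Repo: os.DirFS("/srv/rules")}
	if err := s.Reload(); err != nil { panic(err) }
	fmt.Println(s.Match("shop", "GET", "https://shop.example.com/api/orders/42"))
	fmt.Println(s.Match("blog", "GET", "https://shop.example.com/api/orders/42"))
}
```

The refusal to fall back to the whole rule set when the annotated folder is unknown, or when nothing has been loaded yet, is what turns the annotation into a boundary rather than a hint: with a fallback, a typo in one ingress would let that site's requests be authorised by any other site's rules. Keeping the previous rule set when a reload fails matters for the same reason, since a half-merged commit should not leave a site with no rules (fail closed) or with someone else's.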

qdrddr commented May 1, 2024

Hope it won't be closed.


pi-kei commented Jul 13, 2024

Notifying Oathkeeper via a webhook when access rules change is a nice idea.
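The webhook-triggered rescan that the issue proposes and this comment endorses, as an added Go example; it is not Oathkeeper code and not from either commenter. It assumes a GitHub-style `X-Hub-Signature-256` header (HMAC-SHA256 over the raw body under a shared secret), a hypothetical `/hooks/git` route, and a `reload` callback standing in for whatever rescans the checkout; the secret and the push payload are constructed:

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Sign computes the "sha256=<hex>" value a GitHub push webhook carries in
// X-Hub-Signature-256; the receiver recomputes it over the raw body.
func Sign(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// Reloader is whatever rescans the rule checkout (assumption: a callback, so
// this example does not depend on a particular rule store).
type Reloader func() error

// WebhookHandler rescans rules when the Git host reports a push. Three checks
// matter: a bounded body, a constant-time HMAC comparison before anything
// else runs, and a serialised reload so a burst of pushes cannot overlap.
func WebhookHandler(secret []byte, reload Reloader) http.HandlerFunc {
	var mu sync.Mutex
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusBadRequest)
			return
		}
		got := r.Header.Get("X-Hub-Signature-256")
		if !hmac.Equal([]byte(got), []byte(Sign(secret, body))) {
			http.Error(w, "bad signature", http.StatusUnauthorized)
			return
		}
		// Assumption: a git-sync style sidecar has already refreshed the
		// checkout; this handler only triggers the rescan, it never runs git.
		mu.Lock()
		defer mu.Unlock()
		if err := reload(); err != nil {
			http.Error(w, "reload failed: "+err.Error(), http.StatusInternalServerError)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// Deliver posts body with the given signature header to h in-process and
// returns the status code, so the handler can be exercised without a socket.
func Deliver(h http.HandlerFunc, body, sig string) int {
	req := httptest.NewRequest(http.MethodPost, "/hooks/git", strings.NewReader(body))
	req.Header.Set("X-Hub-Signature-256", sig)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("constructed-webhook-secret") // hypothetical; shared with the Git host
	reloads := 0
	h := WebhookHandler(secret, func() error { reloads++; return nil })
	body := `{"ref":"refs/heads/main"}` // constructed push payload
	fmt.Println(Deliver(h, body, "sha256=deadbeef"), reloads)         // 401 0
	fmt.Println(Deliver(h, body, Sign(secret, []byte(body))), reloads) // 204 1
	failing := WebhookHandler(secret, func() error { return errors.New("bad rule file") })
	fmt.Println(Deliver(failing, body, Sign(secret, []byte(body)))) // 500
}
```

A push webhook is an unauthenticated network entry point into the policy engine unless the signature is verified, which is why the comparison happens before the reload and before the body is used for anything; the size cap and the mutex keep a flood of hook calls from becoming a reload storm. A reload error is surfaced as a 500 so the Git host's delivery log shows it, while the engine keeps serving its previous rule set.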
