Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support enable_google_cloud_serverless_authentication in Ingress annotation #944

Open
0anton opened this issue Apr 27, 2024 · 0 comments
Open

Support enable_google_cloud_serverless_authentication in Ingress annotation #944

0anton opened this issue Apr 27, 2024 · 0 comments
Assignees
@desimone

Comments

@0anton
Copy link

0anton commented Apr 27, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

Pomerium perfectly supports serverless backends in the standalone setup (docker). For some reason option enable_google_cloud_serverless_authentication is not allowed Ingress controller specification. This limits the ability of using Pomerium gateway operated in Kubernetes cluster to server serverless backends. The unique value proposition of the gateway to support serverless backends is therefore not realized through this limitation.

Describe the solution you'd like

I'd like to be able to enable passing over the serverless JWT token to configured destinations like I can do it in the standalone Pomerium.
ingress.pomerium.io/enable_google_cloud_serverless_authentication: 'true'

This can be realized by allowing the annotation ingress.pomerium.io/enable_google_cloud_serverless_authentication in the Ingress context:

apiVersion: v1
kind: Service
metadata:
  name: verify
  namespace: prod
spec:
  type: ExternalName
  externalName: verify-jigroeji-eq.run.app


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: verify
  annotations:
    ingress.pomerium.io/pass_identity_headers: 'true'
    ingress.pomerium.io/enable_google_cloud_serverless_authentication: 'true'
spec:
  ingressClassName: pomerium
  rules:
    - host: 'verify.localhost.pomerium.io'
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: verify
                port:
                  number: 443

Describe alternatives you've considered

Re-implementing Envoy custom path filter, which injects the serverless Bearer token in conjuction with other products, like Istio.

Explain any additional use-cases

Passing over Google JWT Bearer token enables wide set of hybrid backend scenaries / microservice architectures with the strong RBAC backend authentication/authorization. Not supporting authenticated backend calls forces leaving them unprotected, leading to worse security profiles.

Related to this.
@desimone desimone self-assigned this May 1, 2024
@desimone desimone added the NeedsMoreData Waiting for additional user feedback or case studies label May 1, 2024
@desimone desimone removed the NeedsMoreData Waiting for additional user feedback or case studies label May 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@desimone desimone

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@desimone @0anton