dadrus / heimdall

A cloud native Identity Aware Proxy and Access Control Decision service

Home Page:https://dadrus.github.io/heimdall/


Kubernetes RuleSet resource is not unloaded by heimdall on `authClassName` change

dadrus opened this issue · comments

Preflight checklist

  • I agree to follow this project's Code of Conduct.
  • I have read and am following this repository's Contribution Guidelines.
  • I could not find a solution in the existing issues, docs, or discussions.

Describe the bug

Background:

There is an option to define a class_name in heimdall's kubernetes provider configuration. This option allows operating multiple heimdall deployments in a cluster, each responsible for different RuleSets. To make use of this option, a RuleSet must have an authClassName set. This way, only those RuleSets whose authClassName matches the configured auth_class will be loaded/used by a heimdall instance.

Issue Description:

If a RuleSet has been loaded by a heimdall instance (thanks to the matching option described above), it will not be unloaded/dropped if a new version/generation of the RuleSet with a different authClassName is deployed. That update is ignored.

The expected behavior is: heimdall should unload/drop the previously loaded RuleSet if it no longer feels responsible for it (based on the authClassName mismatch).

Criticality

Since multiple heimdall deployments only make sense if

  1. there are multiple ingress controllers integrated with heimdall, or
  2. heimdall is used in proxy mode in front of an application,

this issue should practically not be an issue at all in the sense of overall functionality, as in both cases these heimdall instances would receive traffic for completely different routes. That means the still-loaded RuleSet would not be used, as it would never be matched.

How can the bug be reproduced

  1. Deploy a RuleSet with an authClassName matching the auth_class of a heimdall deployment. You can see in the logs that heimdall has loaded it.
  2. Change the authClassName in the RuleSet from step 1 to some value which should not match the auth_class of the heimdall deployment.
  3. Deploy the RuleSet again.
  4. Observe the logs of heimdall. You'll see a log statement that the RuleSet has been ignored, but there is no log statement that the previously loaded version has been dropped.
  5. Send a request which would result in a rule match from that changed RuleSet and take a look into the heimdall logs. You'll see the rule is executed. If it were unloaded/dropped, there would be no match.

Relevant log output

No response

Relevant configuration

No response

Version

v0.11.1-alpha

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

No response
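The reproduction steps above boil down to one missing branch in the update path: a RuleSet that was loaded under a matching authClassName must be dropped, not merely ignored, when a later generation of the same resource carries a non-matching class. The following Go snippet is an added illustration of that expected behavior written for this page; it is not heimdall's code and does not use its real types. `RuleSet`, `Repository`, `OnAddOrUpdate` and the string-based rule matching are all simplified stand-ins chosen so the example runs offline and shows the loaded/dropped/ignored outcomes of the five reproduction steps.

```go
package main

import "fmt"

// RuleSet is a hypothetical stand-in for the Kubernetes RuleSet resource:
// only the fields relevant to the issue are modelled.
type RuleSet struct {
	Name          string   // metadata.name of the resource
	AuthClassName string   // spec.authClassName
	Rules         []string // rule ids, standing in for real rule definitions
}

// Repository keeps the rules loaded from each RuleSet keyed by resource name,
// so that an update can replace or drop exactly the rules that resource
// contributed earlier. authClass mirrors the provider's configured class.
type Repository struct {
	authClass string
	loaded    map[string][]string
}

func NewRepository(authClass string) *Repository {
	return &Repository{authClass: authClass, loaded: map[string][]string{}}
}

// Responsible reports whether this instance should serve the given RuleSet.
func (r *Repository) Responsible(rs RuleSet) bool {
	return rs.AuthClassName == r.authClass
}

// OnAddOrUpdate is the informer add/update callback. The decisive part is the
// middle branch: a RuleSet whose class no longer matches is dropped if an
// earlier generation of it is still loaded. Without that branch (the behavior
// reported in the issue) the stale rules would stay in place and keep matching.
func (r *Repository) OnAddOrUpdate(rs RuleSet) string {
	if r.Responsible(rs) {
		r.loaded[rs.Name] = append([]string(nil), rs.Rules...)
		return "loaded"
	}
	if _, ok := r.loaded[rs.Name]; ok {
		delete(r.loaded, rs.Name)
		return "dropped"
	}
	return "ignored"
}

// OnDelete is the informer delete callback.
func (r *Repository) OnDelete(name string) { delete(r.loaded, name) }

// Match stands in for request matching: true if any loaded rule has this id.
func (r *Repository) Match(ruleID string) bool {
	for _, rules := range r.loaded {
		for _, id := range rules {
			if id == ruleID {
				return true
			}
		}
	}
	return false
}

func main() {
	repo := NewRepository("foo") // heimdall instance configured for class "foo"

	// Steps 1 and 4/5 of the reproduction, with the corrected update handling.
	rs := RuleSet{Name: "rs-a", AuthClassName: "foo", Rules: []string{"rule-1"}}
	fmt.Println(repo.OnAddOrUpdate(rs), repo.Match("rule-1")) // loaded true

	rs.AuthClassName = "bar" // steps 2 and 3: redeploy with another class
	fmt.Println(repo.OnAddOrUpdate(rs), repo.Match("rule-1")) // dropped false

	// A RuleSet that never belonged to this instance is simply ignored.
	other := RuleSet{Name: "rs-b", AuthClassName: "bar", Rules: []string{"rule-2"}}
	fmt.Println(repo.OnAddOrUpdate(other), repo.Match("rule-2")) // ignored false
}
```

Keying the loaded rules by resource name (rather than by rule id alone) is what makes the drop cheap and exact: whatever the earlier generation contributed can be removed without inspecting the new spec, which is exactly the information an "ignored" log line alone does not act on.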