SID and NS when using AUTH

Question

SID and NS when using AUTH

davidhadas opened this issue a year ago · comments

David Hadas commented a year ago

When NoAUTH is used,

gauard-gate gets SID and NS from env
guard-service uses SID and NS sent from gauard-gate.
Hence two sides are in sync and it is up to the service yaml env to define the correct sid and ns

When AUTH is used,

guard-gate gets SID and NS from env
The guard-service concludes SID and NS from AUTH Token.
Hence the two sides are not necessarily in sync!
Since guard-gate should work even when guard-service is down, we can't rely on guard-service to profile the SID and NS.
Analyze what should we do.
Some options:

have service confirm gate's sid and ns and send error when not in line
have gate use KubeAPI to confirm sid and ns (... may need to add more permissions... )
??

David Hadas · Answer 1 · Tue May 30 2023 13:20:12 GMT+0800 (China Standard Time)

One option to solve this is to always use TLS and AUTH in production and make it the default for Guard.

github-actions · Answer 2 · Tue Aug 29 2023 09:21:14 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

David Hadas · Answer 3 · Mon Sep 11 2023 23:47:56 GMT+0800 (China Standard Time)

/remove-lifecycle stale

github-actions · Answer 4 · Mon Dec 11 2023 09:24:57 GMT+0800 (China Standard Time)

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.