fix(manifests): upstream Istio AuthorizationPolicy from kubeflow/manifests#2708

Closed
jonburdo wants to merge 1 commit into
kubeflow:mainfrom
jonburdo:fix/upstream-istio-authz-policy

Conversation

@jonburdo
Member

Port the AuthorizationPolicy rules added in kubeflow/manifests#3318 back to this repo so future manifest syncs don't regress the fix.

Replaces the permissive allow-all rule with proper Kubeflow-aware rules:

  • Allow requests from the Istio ingress gateway (authenticated by oauth2-proxy)
  • Allow internal requests with a valid K8s JWT but block identity spoofing via kubeflow-userid header

Relates-to: kubeflow/manifests#3457
Relates-to: kubeflow/manifests#3318

Description

How Has This Been Tested?

Merge criteria:

  • All the commits have been signed-off (To pass the DCO check)
  • The commits have meaningful messages
  • Automated tests are provided as part of the PR for major new functionalities; testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work.
  • Code changes follow the kubeflow contribution guidelines.
  • For first time contributors: Please reach out to the Reviewers to ensure all tests are being run, ensuring the label ok-to-test has been added to the PR.

If you have UI changes

  • The developer has added tests or explained why testing cannot be added.
  • Included any necessary screenshots or gifs if it was a UI change.
  • Verify that UI/UX changes conform to the UX guidelines for Kubeflow.
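For readers who want to see what the two rules described above look like in practice, here is an added illustration (not the diff from this PR, which is not shown on this page): the permissive allow-all rule beside a Kubeflow-aware replacement. The policy names, the `kubeflow` namespace and the ingress-gateway service-account principal are assumptions, as is the presence of a RequestAuthentication that validates the Kubernetes JWTs.

```yaml
# Before (assumed shape of the permissive rule): an ALLOW policy whose
# only rule is empty matches every request, so anything in the mesh can
# reach the workload and set kubeflow-userid to whatever it likes.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-allow-all          # placeholder name
  namespace: kubeflow              # assumed namespace
spec:
  action: ALLOW
  rules:
  - {}
---
# After: two explicit ALLOW rules. With ALLOW semantics a request is admitted
# only if some rule matches; a request matching neither rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: example-kubeflow-aware     # placeholder name
  namespace: kubeflow              # assumed namespace
spec:
  action: ALLOW
  rules:
  # Rule 1: traffic that entered through the Istio ingress gateway, where
  # oauth2-proxy has already authenticated the user and set kubeflow-userid.
  # The gateway is identified by its mTLS service-account identity (assumed).
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
  # Rule 2: in-mesh callers presenting a valid Kubernetes JWT (validated by a
  # RequestAuthentication, not shown). They are allowed only when they do NOT
  # send kubeflow-userid, so a JWT caller cannot impersonate a Kubeflow user.
  - from:
    - source:
        requestPrincipals: ["*"]
    when:
    - key: request.headers[kubeflow-userid]
      notValues: ["*"]
```

A quick check after applying such a policy: an in-mesh curl with a valid JWT and no `kubeflow-userid` header should succeed, while the same request with `kubeflow-userid` added should be rejected with 403.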

…fests

Port the AuthorizationPolicy rules added in kubeflow/manifests#3318 back
to this repo so future manifest syncs don't regress the fix.

Replaces the permissive allow-all rule with proper Kubeflow-aware rules:
- Allow requests from the Istio ingress gateway (authenticated by oauth2-proxy)
- Allow internal requests with a valid K8s JWT but block identity spoofing
  via kubeflow-userid header

Relates-to: kubeflow/manifests#3457
Relates-to: kubeflow/manifests#3318

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jon Burdo <jon@jonburdo.com>
@google-oss-prow bot requested a review from rareddy on May 13, 2026 13:46
@google-oss-prow
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jonburdo. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jonburdo
Member Author

I didn't realize there was already a PR for this 😄
Closing as a duplicate of #2706

@jonburdo jonburdo closed this May 13, 2026