Description
Extend API Gateway so that a service can control access based on the caller's location. The decision is based on the caller's IP address: the call can be denied if the caller's IP is on the list of forbidden IPs.
The API Gateway module should be extended with a service that allows or denies a call by comparing the caller's IP against the list of forbidden IPs. It should be possible to plug the service into Istio and configure it as the decision maker in front.
To plug it into Istio, it was decided to use the external authorizer mechanism. The service should implement the interface accepted by the Istio external authorizer. The service can be configured in 2 ways: with a list of IPs from static configuration, or with a list of IPs obtained from a REST call.
The list of IPs should be cached in memory. The geoblocking service should implement a heartbeat to ensure that the list is up to date. A properly configured service can be registered as an external authorizer in Istio and then used in an APIRule to make sure that calls from restricted IPs are blocked.
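A sketch of the decision path described above, added here as an example and not taken from the project's code: an HTTP external authorizer that answers 200 to allow and 403 to deny, backed by an in-memory list that a refresh loop can swap atomically. The names `Blocklist`, `Replace` and `Decide`, port 8000, reading the caller IP from the rightmost `X-Forwarded-For` entry (the one appended by the ingress gateway, assumed to be the only trusted hop), CIDR support, and denying while no list is loaded are all assumptions of this example.

```go
package main

import (
	"net/http"
	"net/netip"
	"slices"
	"strings"
	"sync/atomic"
)

// Blocklist is the in-memory cache of forbidden IPs (hypothetical type, not the project's).
type Blocklist struct{ cur atomic.Pointer[[]netip.Prefix] }

// Replace parses a fresh list (static config or a REST refresh) and swaps it in
// atomically; on a parse error the previously cached list stays in force.
func (b *Blocklist) Replace(entries []string) error {
	parsed := make([]netip.Prefix, 0, len(entries))
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if a, aerr := netip.ParseAddr(e); aerr == nil { // bare address: exact match
			p, err = netip.PrefixFrom(a.Unmap(), a.Unmap().BitLen()), nil
		}
		if err != nil {
			return err
		}
		parsed = append(parsed, p.Masked())
	}
	b.cur.Store(&parsed)
	return nil
}

// Decide returns the status the authorizer answers with: 200 allows, 403 denies.
func (b *Blocklist) Decide(xff string) int {
	hops := strings.Split(xff, ",") // leftmost entries are client-supplied, so use the last
	ip, err := netip.ParseAddr(strings.TrimSpace(hops[len(hops)-1]))
	blocked := func(p netip.Prefix) bool { return p.Contains(ip.Unmap()) }
	if list := b.cur.Load(); err != nil || list == nil || slices.ContainsFunc(*list, blocked) {
		return http.StatusForbidden // also fails closed: bad address or no list loaded yet
	}
	return http.StatusOK
}

func main() {
	bl := &Blocklist{}
	_ = bl.Replace([]string{"203.0.113.0/24", "198.51.100.7"}) // constructed sample list
	http.ListenAndServe(":8000", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(bl.Decide(r.Header.Get("X-Forwarded-For")))
	}))
}
```

Because `Replace` only stores the list after every entry has parsed, a failed refresh leaves the last good list in place instead of opening the gate.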
Placeholder tasks:
- concept
- ADR
- implementation
- rollout