Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify ingress controller vs api gateway #53

Merged
merged 1 commit into from
Jan 13, 2025
Merged

Clarify ingress controller vs api gateway #53

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions docs/design/components/policy-enforcement/apisix.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ Policy enforcement describes the process of enforcing a policy by routing all tr
As all traffic to and from the BB must go through the PEP, the PEP can inspect it, redirect requests and effectively block unauthorized requests.
The PEP is part of or closely tied to the BB or the component it is protecting to make sure that no traffic can circumvent it, which is not easily done from outside the protected environment. This implies that the IAM BB is not able to provide a central PEP that other BBs could use, but it can provide central interfaces that the PEPs can use to outsource tasks related to authentication and authorization.

For the IAM BB, the APISIX Ingress Controller along with the APISIX API Gateway is using and act as reverse proxy because it is better optimized for traffic control, low latencies and has great support for authentication and authorization (including a dedicated interface module for OPA) and supports separation of authentication and authorization. So it provides some more flexibility regarding IAM than most other solutions.
For the IAM BB, the APISIX Ingress Controller is combined with an APISIX API Gateway, which is optimized for traffic control, low latencies and has great support for authentication and authorization (including a dedicated interface module for OPA) and supports separation of authentication and authorization.

## APISIX

The IAM BB uses an APISIX Ingress Controller as its Policy Enforcement Point. As an additional use, this PEP acts as demonstrator and template for PEP functionality for other BBs. For the IAM itself, it serves the following purposes:

* It restricts administrative access to Keycloak, OPA and OPAL.
* It restricts access to OPA by other BBs.
* It blocks anonymous access to the IAM. However, it does not impose any limitations on the authentication flow, which explicitly deals with initially anonymous users.
* It blocks anonymous access to the IAM. However, it does not impose any limitations on the authentication flow, which explicitly deals with initially anonymous users.