Opt-out from SecurityPolicies

[nbrns]

Description: I would like to apply a default security policy, e.g. on gateway level, and opt-out from this policy for specific routes.

Example: I have a set of HTTP routes and all of them should be secured, e.g. via basic auth. This works well by applying a security policy on gateway level. Now, for a single HTTP route, I would like to opt-out from this policy and make it available without any security policy

My current solution ideas:

1. Create another listener on the gateway, apply the default security policy to a specific listener via sectionName -> this is not supported for security policies yet
2. Create a separate gateway -> while this works, it has some implications, e.g. additional pods and services (LoadBalancers)
3. Use label selectors to target only routes with specific labels -> this is an opt-in solution, but does not create a "secure-by-default" situation

Is there another way to accomplish it? Am I missing something? If not, as far as I see, either adding an exclusive or negated matchLabels on targetSelectors or adding support for sectionName in targetRefs would resolve my request.

[arkodg]

does creating an empty SecurityPolicy and targeting that HTTPRoute work ?

[nbrns]

@arkodg yes, that does indeed work! Nice catch, that helps a lot, thanks!

As this behaviour is not documented (at least I couldn't find it), can I rely on it to work in the future? Should this behaviour be added to the documentation?

[arkodg]

great ! yeah it should continue to work, we should document this as part of #2072