Sidecar Configuration
    • 01 Sep 2024
    • 5 Minutes to read
    • Dark
      Light
    • PDF

    Sidecar Configuration

    • Dark
      Light
    • PDF

    Article summary

    Custom Resource Definitions

    PlainidInjector

    The PlainidInjector CRD provides a mechanism to inject the PlainID Authorizer into a pod.

    Sample authz-v1-plainidinjector.yaml

    apiVersion: authz.plainid.io/v1
    kind: PlainidInjector
    metadata:
      name: plainidinjector-sample
    spec:
      volume:
        name: podinfo
        downwardAPI:
          items:
            - path: "labels"
              fieldRef:
                fieldPath: metadata.labels
            - path: "annotations"
              fieldRef:
                fieldPath: metadata.annotations
      container:
        name: plainid-authz
        image: docker.io/plainid/authz-envoy-sidecar:1.6.0
        resources:
          requests:
            cpu: "0.05"
            memory: "50M"
          limits:
            cpu: "0.2"
        imagePullPolicy: Always
        ports:
          - containerPort: 50051
          - containerPort: 9090
        volumeMounts:
          - name: podinfo
            mountPath: /config
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.name
          - name: POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
      config:
        params:
          mgr: plainid-controller-manager-discover.plainid-system:16000
          SKIP_TLS_VERIFY: "true"
    

    The following table lists the keys that should be updated in the authz-v1-plainidinjector.
    All remaining text should be the default value.

    NameDescriptionExample
    config.params.mgrOperator service name and portplainid-controller-manager-discover.plainid-system:16000
    config.params.SKIP_TLS_VERIFYSkip TLS certificate verification (for dev environments)false

    PlainidSidecar

    The PlainidSidecar CRD provides a mechanism to customize the Sidecar configuration generated by the operator. Use the
    PlainidSidecar CRD to modify values for certain fields and define the specific behavior of the Sidecar.
    *This feature must be used with care, as incorrect configurations could potentially destabilize the Sidecar and the service. *
    Apply configuration by workload selectors and namespaces. The following example applies to all workloads with the label
    app:echo in a namespace test.

    Sample sidecar-echo.yaml

    Following is an example of a microservice sidecar configuration file.

    apiVersion: authz.plainid.io/v1
    kind: PlainidSidecar
    metadata:
      name: echo
    spec:
      workloadSelector:
        labels:
          app: echo
      sidecarConfig:
        matchers: # API Matchers section (Optional)
          - match: /echo/bypass# Request path pattern
            method: # Request methods
              - POST
              - GET
            bypass: true       # Bypass request (ignore all validations and authorization) 
          - match: /echo/:abc
            runtime: # Specific runtime configuratoin for matching requests 
              entityTypeid: jwt
              cacheTime: 11s
            mode: # Specific mode configuratoin for matching requests
              entitlement: true
              format: 5
              flat: false
              denyOnEmpty: true
          - match: /echo
            runtime:
              entityTypeid: jwt
              cacheTime: 11s
              clientId: client_id_goes_here
              clientSecret: client_secret_goes_here
              environments:
                amount: "$.body.amount"
                account: "$.body.account"
                url: $.path.[0]
            mode:
              resolution: true
              format: 5
              flat: false
              denyOnEmpty: true
        runtime:
          clientId: client_id_goes_here           # Mandatory: From Policy Manager Management UI
          clientSecret: client_secret_goes_here   # From Policy Manager Management UI, if no Secret store used 
          entityTypeid: jwt
          plainidUrl: https://demo.plainid.cloud  # Mandatory: PDP URL, Should be set
          resourceTypes: # Asset mappings example (only for PDP API v1-4)
            - name: Accounts
              assetPath: $.path[4]
            - name: Loans
          environments:
            amount: "$.body.amount"
            account: "$.path[2]"
            url: $.path.[0]
          options:
            includeDetails: true
            includeAccessPolicy: true
            includeAssetAttributes: true
            includeIdentity: true
            includeDenyReason: true
        jwt: # Mandatory: External request JWT configuration
          header: authorization
          allowed:
            - name: demo.plainid.cloud            # Mandatory: JWT Issuer example
            - name: demo                          # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
              mapped: https://demo.plainid.cloud/auth/realms/demo
          userClaim: "$.user.preferred_username[0]"
          validateJwt: true
          algs: # List of supported Signing Algorythms (RS256 by default if not set)
            - ES256
            - RS256
        mode: # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
          decision: true     # PERMIT/DENY Mode
          entitlement: false # Header Injection mode
          resolution: false  # Header injection mode Query format
          denyOnEmpty: false # DENY transaction when no policy fits the access request.
          format: 2
        logger:
          logLevel: debug
          detailedLog: false
          format: text
        tlsSkip: true
        grpc:
          servicePort: "7001"
    
    NameDescriptionExample
    workloadSelectorThis criteria is used to select the specific set of pods on which this configuration should be applied. If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace.app: echo
    jwt.allowedList of allowed jwt issuers Ability to define mappings between iss claim and the actual issuer.ID mapping is not required omit mapped value- name: demo mapped: <https://demo.plainid.cloud/auth/realms/demo> - name: demo.plainid.cloud
    jwt.userClaimstring: JsonPath of the user unique identifier$.user.preferred_username[0]
    jwt.headerstring: Header name of the jwtauthorization
    jwt.validateJwtBool: Indicates if jwt should be validated (use for development purposes only)true
    jwt.algsList: Algorithms (RS256 by default if not set)- ES256
    - RS256
    mode.decision *PERMIT/DENY Mode * only one mode should be set to truetrue
    mode.entitlement *Boolean: Header Injection mode * only one mode should be set to truetrue
    mode.resolution *Boolean: Header injection mode Query format * only one mode should be set to truetrue
    mode.denyOnEmptyBoolean: DENY transaction when no policy fits the access request.false
    mode.format0 – full access token 1 – short access token – action with list of assets. Ex. {"Accounts":{"assets":{"get":["0008","0001","0004","0002"],"view":["0008","0001","0004","0002"]}}} 2 – short access token – asset with list of actions Ex. {"0001":["view","get"],"0002":["view","get"],"0004":["view","get"],"0008":["view","get"]}0
    runtime.clientIdApplication ClientIdFrom Platform UI.
    runtime.clientSecretApplication SecretFromPlatform UI.
    runtime.entityTypeidEntity TypeFrom Platform UI.
    runtime.plainidUrlRuntime (pdp) base URLhttp://pdp:8000
    runtime.resourceTypesRefer to ResourceTypes****
    runtime.environmentsenvironment variable and the values from the requestamount: $.body.amount
    runtime.passIncomingJwtBoolean: To define whether to pass the IDP JWT as-is to the PDPfalse
    runtime.optionsPDP Runtime response fine tune options
    runtime.options.includeDetailsBoolean: Determines whether to include the details of the Access Decision in the response.false
    runtime.options.includeAccessPolicyBoolean: Show/hide the name of the Policy in the response that has granted the specified access.false
    runtime.options.includeAssetAttributesBoolean: Show/hide the asset attribute of the assets in the response.false
    runtime.options.includeIdentityBoolean: Show/hide the identity attribute of the identity in the response.false
    runtime.options.includeDenyReasonBoolean: Show/hide the reason for the denial of access in the response.false

    ResourceTypes

    NameDescriptionExample
    actionPathThe Request part that is considered as an Action. Default HTTP Method See Request Parts Locations$.body.action
    assetPathRequest part considered as Asset ID. See Request Parts Locations$.path[4]
    nameTemplate name to useAccounts
    virtualMapThe mapping between Template Attributes and Request partsvirtualMap: userid: $.path[1] userid - is an attribute in plainid template $.path[1] – is JsonPath of the request part

    Request Parts Locations

    Request PartJsonPath root objectNotes
    Body$.body
    URI$.pathArray of URI parts Full URI - $.path[0] First Part - $.path[1]
    Headers$.headerAll headers will be converted to lowercase
    Query Parameters$.param
    User Attributes$.user

    Operation Modes

    The Platform sidecar supports three operation modes:

    • Decision – a basic Permit/Deny mode that enables or blocks the transaction.
    • Entitlements – an advanced mode that can enrich the request header with a list of entitlements or any authorization supporting data.
    • Resolution – an advanced mode that can enrich the request header with a “policy resolution” decision - JSON or SQL filtering for data.
      For more information on these options, refer to the Authorization APIs in the Developer Portal.

    Example

    Request Sample

    Request URLPOST
    http://localhost:18000/echo/0000001/assets?test=true
    Request headerTenant: t1
    X-Forwarded-For: 10.2.3.1
    Request body{
    "amount":50,
    "type": "transaction",
    "asset" :1234
    }

    Mapping Sample

    JSONPathValue based on above request
    $.body.amount50
    $.param.testtrue
    $.path[2]0000001
    $.header.x-forwarded-for10.2.3.1

    Was this article helpful?