Can I create an authorization policy when I'm using knative serving?

[anqliu]

I'm using Knative serving/contour to deploy my services. (I injected LinkerD in all namespaces and used ingress mode for envoy)

The traffic pass like this:
Service A -> envoy -> knative-activator -> Service B
Service C -> envoy -> knative-activator -> Service B

I want to create an authorization policy to allow only ServiceA(namespace A) to call ServiceB(namespace B)
But ServiceB is using Knative-serving's identity when applying its policies. Is it possible to use ServiceA's identity?

[kleimkuhler]

I'm not too familiar with Knative Serving but I assume it does create workloads that can be targeted with a Server, correct? So you should be able to create a Server that targets the workloads created by Knative Serving and then create AuthorizationPolicies that have a requiredAuthenticationRefs field that points to the ServiceA ServiceAccount.

[anqliu]

Thanks for your response. :-)
In our case, we hope to isolate AuthorizationPolicies in each team.
For example:
ServiceA and ServiceB are owned by different teams, and Knative is owned by the infra team.
We hope that teamB can create their AuthorizationPolicies in their namespace.
Same for teamA or teamZ, so each team can decide who has the right to call their API.

[adleong]

Hi @anqliu!

Identities in Linkerd are not transitive. In other words, if traffic passes from A -> B -> C then B must authorize A and C must authorize B. B never uses any identity other than its own.

There may be work in the future to allow transitive identity or delegation of some kind, but this work has not yet been scoped.