Hi all, I have a question about using AuthorizationPolicy to accomplish a specific scenario. In particular, I have set things up with a CUSTOM action and OAuth2-Proxy so that traffic hitting my Ingress Gateway, targeted to host httpbin.example.com, is sent through OAuth2-Proxy and Dex for login. After logging in I am then able to access the httpbin pod, as expected.
But… what I would like to do is further processing after the login, so I can, for example, permit access to a particular workload for some whitelisted set of users, but not “everybody who can login” and then conversely gate access to a different workload to a different set of users.
My naive thought would be to have the initial CUSTOM action based AuthorizationPolicy scoped to the Ingress Gateway to trigger the OAuth login, and then have subsequent AuthorizationPolicies, scoped to the specific workloads, that inspect the user principal from the headers provided by the OAuth flow.
Is this a reasonable understanding? If not, is there another way to achieve the same overall effect?
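The layered setup the question describes, written out as an added example (editor's illustration, not configuration from the poster or from the Istio or OAuth2-Proxy projects). It assumes: the gateway pods carry the label `istio: ingressgateway` and run under the `istio-ingressgateway-service-account` service account in `istio-system`; OAuth2-Proxy is reachable as `oauth2-proxy.oauth2-proxy.svc.cluster.local:4180` and is started with `--set-xauthrequest` so it returns the `x-auth-request-email` header; the two workloads are labelled `app: httpbin` and `app: reports` in `default`; and the user e-mail addresses are placeholders. The first document is the `extensionProviders` fragment of MeshConfig, the second is the gateway-scoped CUSTOM policy that forces the login, and the remaining two are per-workload ALLOW policies that only admit listed users:

```yaml
# 1. MeshConfig fragment (istio ConfigMap): register OAuth2-Proxy as an ext_authz provider.
#    Service, port and the upstream header list are assumptions for this example.
extensionProviders:
- name: oauth2-proxy
  envoyExtAuthzHttp:
    service: oauth2-proxy.oauth2-proxy.svc.cluster.local
    port: 4180
    # Forward the session cookie / bearer token so OAuth2-Proxy can recognise a login.
    includeRequestHeadersInCheck: ["authorization", "cookie"]
    # Headers OAuth2-Proxy returns on 200 that Envoy copies onto the request
    # before it leaves the gateway. This is where the user identity comes from.
    headersToUpstreamOnAllow: ["x-auth-request-user", "x-auth-request-email"]
    # On 401/302 OAuth2-Proxy needs to hand the redirect and cookie back to the browser.
    headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# 2. Gateway-scoped policy: every request for httpbin.example.com goes through the login flow.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-login
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway      # assumed gateway label
  action: CUSTOM
  provider:
    name: oauth2-proxy           # must match the extensionProviders entry above
  rules:
  - to:
    - operation:
        hosts: ["httpbin.example.com"]
---
# 3. Workload-scoped policy for httpbin: only the listed users, and only via the gateway.
#    An ALLOW policy with a selector denies everything it does not match, so any
#    request without the header, or with an unlisted value, gets a 403 from the sidecar.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allowlist
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        # Trust the identity header only when the caller is the ingress gateway
        # (mTLS identity; service account name is an assumption).
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
    when:
    - key: request.headers[x-auth-request-email]
      values: ["alice@example.com", "bob@example.com"]   # placeholder allowlist
---
# 4. A second workload gated to a different set of users with the same pattern.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reports-allowlist
  namespace: default
spec:
  selector:
    matchLabels:
      app: reports
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
    when:
    - key: request.headers[x-auth-request-email]
      values: ["carol@example.com"]
```

Two checks are worth doing before relying on this. First, the `principals` match only means something if the mesh enforces mTLS between gateway and workload (a `PeerAuthentication` with `mode: STRICT` in the workload namespace); without it, any pod in the cluster could send a request carrying a hand-written `x-auth-request-email` header straight to the sidecar. Second, confirm that a client-supplied copy of the header cannot survive the gateway: Envoy's ext_authz filter overwrites request headers that the authorization server also returns, so with `x-auth-request-email` in `headersToUpstreamOnAllow` the value OAuth2-Proxy sets should win, but a quick test with `curl -H 'x-auth-request-email: alice@example.com' https://httpbin.example.com/` from an unauthenticated session should still be redirected to login rather than admitted.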