Set Initial Pod Clients Allow List#
The default ACP policies for a new Pod states that for an agent whose WebID matches the Pod owner and is using an application whose ClientID matches a value listed in the policy, that agent is allowed Read and Write access.
Starting in 2.1, Authorization Service uses its
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST configration to
initialize the client matcher portion of the initial policies. [1]
Note
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
only affects the initial policies during Pod creation. Once the
initial policies have been created, any change to the list has no
effect on existing policies.
Example Customization#
The following customization updates
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST.
Go to your ESS installation directory:
cd ${HOME}/ess
Create a
authz-default-acr-client-id-allow-list.yamlfile with the following content:apiVersion: apps/v1 kind: Deployment metadata: name: ess-authorization-acp spec: template: spec: containers: - env: - name: INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST value: https://myPodApp.example.com/appid name: ess-authorization-acp
Modify the
kustomization.yaml(i.e., step 3 of the Applying Your Customizations procedure) to useauthz-default-acr-client-id-allow-list.Specifically, add the highlighted content to the
kustomization.yamlfile to thepatchessection:Tip
If the
patcheskey does not exist inkustomization.yaml, add the keypatchesas well.# kustomization.yaml in your ESS installation directory # ... Preceding content omitted for brevity # ... patches: - path: authz-default-acr-client-id-allow-list.yaml
Continue with the rest of the Applying Your Customizations procedure.