An authorization system determines whether an agent has access to perform a given action on a particular resource.
For more information, see Access Control Policy (ACP).
Access Control Mechanisms
Identity-Based Access, where access to Pod resources is based on agents’ identity, and optionally, the identity of their clients.
Access Grants, where access to Pod resources can be requested and granted.
To support authorization, ESS provides the following services:
Authorization and Clients
Client Allow Lists
Operators can use Client IDs in the following allow lists:
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST (New in version 2.1).
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST is used to initialize a Pod’s default access policies, specifically the policies’ client matcher. To configure this option, see Set Initial Pod Clients Allow List for an example.
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST determines which applications can modify the Access Control Resource (i.e., which applications can modify the Access Control Policies for Pod resources). To configure this option, see Set Authorization Client Allow List for an example.
This list may also be used to initialize a Pod’s access policies if
For example, if client allow list configuration for the initial policy is set, ESS creates default ACP policies of the form:
If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).
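The following added example is a simplified model of that policy form, not ESS code. It shows that a request is granted Read and Write only when both the agent and the client match. The class and function names, the comma-separated list format, the use of the Pod owner as the matched agent, and the sample WebID and Client IDs are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Simplified model of the default policy form; not the ESS implementation.
# All names here are hypothetical.

@dataclass(frozen=True)
class Matcher:
    attribute: str       # "agent" or "client"
    allowed: frozenset   # identifiers this matcher accepts

    def matches(self, context):
        # A missing attribute (e.g. no client identified) never matches.
        return context.get(self.attribute) in self.allowed

@dataclass(frozen=True)
class Policy:
    all_of: tuple
    allow: frozenset

    def granted_modes(self, context):
        # allOf: every matcher must be satisfied, otherwise nothing is granted.
        if all(m.matches(context) for m in self.all_of):
            return self.allow
        return frozenset()

def parse_allow_list(raw):
    # Assumption: the allow list is a comma-separated string of Client IDs.
    return frozenset(item.strip() for item in raw.split(",") if item.strip())

def default_policy(agent_webid, raw_allow_list):
    clients = parse_allow_list(raw_allow_list)
    if not clients:
        # This policy form is only described for a configured allow list.
        raise ValueError("client allow list is not set")
    return Policy(
        all_of=(Matcher("agent", frozenset({agent_webid})), Matcher("client", clients)),
        allow=frozenset({"Read", "Write"}),
    )

# Constructed sample values.
OWNER = "https://id.example.com/alice"
ALLOW_LIST = "https://app.example.com/id, https://notes.example.com/id"
POLICY = default_policy(OWNER, ALLOW_LIST)

def check(agent, client):
    return sorted(POLICY.granted_modes({"agent": agent, "client": client}))

if __name__ == "__main__":
    for client in ("https://app.example.com/id", "https://other.example.com/id", None):
        print(client, check(OWNER, client))
```
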