@Ingvord, I know it's been a while, but if you're still looking for a solution to the problem described above, you may want to check out Kuadrant. It gives Gateway API Gateways the ability to check API tokens and rate-limit applications behind the gateway. API tokens are stored in K8s Secrets, but you can also use OAuth, or K8s ServiceAccount tokens, if you prefer. As for rate-limiting, you can specify a limit in a RateLimitPolicy resource that qualifies the counters by some attribute of the user (e.g. group) extracted during authentication, which in turn is specified in an AuthPolicy. E.g.: https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/user-guides/authenticated-rl-for-app-developers/
-
@guicassolato thanks for the heads up! That's definitely worth checking!
-
Hi,
My name is Igor (Ingvord). On behalf of the scientific community that uses K8s, I would like to raise this discussion.
I believe starting this discussion is a good first step toward enabling Applications API tokens in the K8s Gateway API.
Very high-level overview:
Imagine a bunch of applications spinning in a K8s cluster. Those applications provide APIs that are used by our own applications and are also publicly available. Those are some REST APIs that provide some useful services to our clients.
What we want to achieve is to say that these particular clients have no limits, e.g. our own applications or very friendly clients. Another category would be some default limit rating, e.g. no more than 1000 RPS, and finally some blacklist for those who abuse our APIs.
So in other words, what is required:
The first one can be done via some HTTP header (API token) matching mechanism, while the second should be easily achievable at the underlying ingress implementation level via standard rate-limiting mechanisms. The third one will probably require some 3rd-party integrations.
I was thinking about my own implementation based on Nginx zones and a microservice that categorizes clients:
But if that can be done at the level of the Gateway API, my firm belief is that everyone will greatly benefit from that. Thanks
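
The three client categories from the original post (no limit, default limit, blocklist), sketched as an added example that is not code from the thread, Kuadrant or the Gateway API. The token values, the `Gatekeeper` name and the choice to key default-tier counters by client address are assumptions.

```python
import hashlib
import hmac
import time

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample tokens; only their digests are kept in memory.
TRUSTED = {_digest("internal-app-token")}     # no limit
BLOCKED = {_digest("abusive-client-token")}   # always refused
DEFAULT_RPS = 1000                            # default limit from the post

def classify(token):
    """Map the API token header value to 'blocked', 'unlimited' or 'default'."""
    d = _digest(token or "")
    # Blocklist wins, so a token listed in both sets is refused.
    if any(hmac.compare_digest(d, b) for b in BLOCKED):
        return "blocked"
    if any(hmac.compare_digest(d, t) for t in TRUSTED):
        return "unlimited"
    return "default"

class TokenBucket:
    def __init__(self, rate, now):
        self.rate, self.tokens, self.last = rate, float(rate), now

    def allow(self, now):
        # Refill in proportion to elapsed time, capped at one second of burst.
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class Gatekeeper:
    def __init__(self, rps=DEFAULT_RPS):
        self.rps, self.buckets = rps, {}

    def decide(self, token, client_addr, now=None):
        """Return the HTTP status the gateway would answer with."""
        now = time.monotonic() if now is None else now
        tier = classify(token)
        if tier == "blocked":
            return 403
        if tier == "unlimited":
            return 200
        # Assumption: unknown or missing tokens share a counter per client
        # address, so sending a new random token does not reset the limit.
        bucket = self.buckets.setdefault(client_addr, TokenBucket(self.rps, now))
        return 200 if bucket.allow(now) else 429
```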