GEP 3779 - Identity Based Authz for east-west

aryan16 · aryan16 · commit 38ac13bb7d6a · 2025-05-27T18:39:36.000Z
diff --git a/geps/gep-3779/index.md b/geps/gep-3779/index.md
@@ -0,0 +1,69 @@
+# GEP-3779: Identity Based Authz for East-West Traffic
+
+* Issue: [#3779](https://github.com/kubernetes-sigs/gateway-api/issues/3779)
+* Status: Provisional
+
+(See [status definitions](../overview.md#gep-states).)
+
+
+## TLDR
+
+Provide a method for configuing **Gateway API implementations** to add identity based Authorization for east-west traffic. K8s Service Accounts can serve as the client identities. 
+
+
+## Goals
+
+(Using the [Gateway API Personas](../../concepts/roles-and-personas.md))
+
+* A way for Ana the Application Developer to configure a Gateway API implementation to perform identity based authorization that **allows** or **denies** the requests for some K8s clients to the K8s workloads.
+
+* A way for Chihiro, the Cluster Operator, to configure a Gateway API implementation to perform identity based authorization that **allows** or **denies** the requests from some K8s clients to all the K8s workload in some namespace.
+
+## Non-Goals
+
+* Supporting any other identity than K8s service accounts.
+
+* Supporting identity based authorization for north-south traffic.
+
+
+## Introduction
+
+An identity-based authorization API is essential because it provides a structured way to control access to network traffic based on client identities within a Kubernetes cluster, a capability particularly vital for enforcing fine-grained security policies in complex multi-tenant or large-scale environments.
+
+All the open source meshes have their own implementaition of idenity based authorization and it is now important use case for Gateway APIs for east-west traffic.
+
+### State of the World
+
+Here are the examples of some of the service meshes. 
+
+* Istio
+Istio [authorization policy] (https://istio.io/latest/docs/reference/config/security/authorization-policy/) provides a way to validate the request based on client identities derived from peer certificate used in mTLS. Users can apply to Kubernetes pod labels. This same API is used in Istio's Ambient Mesh as well.
+
+* Linkerd
+Linkerd [authorization policy] (https://linkerd.io/2-edge/reference/authorization-policy/) also provides a way to validate the request based on client identities. Linkerd also provides an option to pick the peer identity from the client certs used in mTLS.
+
+
+With this GEP, we want to propose a new API that let users enable authorization based identities. The request to their data plane is then permitted or denied based on the rules defined in the authorization policy.
+
+Identity based authorization policies can also be applied to an entire namespace. The rules of that policy are enforced for network traffic involving all workloads within that namespace.
+
+## Outstanding Questions and Concerns (TODO)
+
+
+## API
+
+
+
+## Conformance Details
+
+
+#### Feature Names
+
+
+### Conformance tests 
+
+
+## Alternatives
+
+
+## References
diff --git a/geps/gep-3779/metadata.yaml b/geps/gep-3779/metadata.yaml
@@ -0,0 +1,19 @@
+apiVersion: internal.gateway.networking.k8s.io/v1alpha1
+kind: GEPDetails
+number: 3779
+name: Identity Based Authz for east-west traffic
+status: Provisional
+# Any authors who contribute to the GEP in any way should be listed here using
+# their GitHub handle.
+authors:
+  - aryan16
+  - liorliberman
+# references is a list of hyperlinks to relevant external references.
+# It's intended to be used for storing GitHub discussions, Google docs, etc.
+references: {}
+# featureNames is a list of the feature names introduced by the GEP, if there
+# are any. This will allow us to track which feature was introduced by which GEP.
+featureNames: {}
+# changelog is a list of hyperlinks to PRs that make changes to the GEP, in
+# ascending date order.
+changelog: {}
