add draft authz gep e/w

Author: LiorLieberman

geps/gep-3779/index.md

@@ -0,0 +1,85 @@
+# GEP-3779: Identity Based Authz for East-West Traffic
+
+* Issue: [#3779](https://github.com/kubernetes-sigs/gateway-api/issues/3779)
+* Status: Provisional
+
+(See [status definitions](../overview.md#gep-states).)
+
+
+## TLDR
+
+Provide a method for configuring Gateway API Mesh implementations to enforce east-west identity-based Authorization controls. At the time of writing this we leave Authentication for specific implementation and outside of this proposal scope.
+
+
+## Goals
+
+(Using the [Gateway API Personas](../../concepts/roles-and-personas.md))
+
+* A way for Ana the Application Developer to configure a Gateway API for Mesh implementation to enforce authorization policy that **allows** or **denies** identity or multiple identities to talk with some set of the workloads she controls.
+
+* A way for Chihiro, the Cluster Admin, to configure a Gateway API for Mesh implementation to enforce non-overridable cluster-wide, authorization policies that **allows** or **denies** identity or multiple identities to talk with some set of the workloads in the cluster.
+
+* A way for both Ana and Chihiro to restrict the scope of the policies they deploy to specific ports.
+
+## Stretch Goals
+
+* A way for Chihiro, the Cluster Admin, to configure a Gateway API for Mesh implementation to enforce default, overridable, cluster-wide, authorization policies that **allows** or **denies** identity or multiple identities to talk with some set of the workloads in the cluster.
+
+## Non-Goals
+
+* Support identity based authorization for north-south traffic or define the composition with this API.
+
+## Deferred Goals
+
+* (Potentially) Support enforcement on attributes beyond identities and ports.
+
+## Introduction
+
+Authorization is positioned as one of core mesh values. Every mesh supports some kind of east/west authorization between the workloads it controls.
+
+Kubernetes core provides NetworkPolicies as one way to do it. Network Policies however falls short in many ways including:
+
+* Network policies leverage labels as identities.
+  * Labels are mutable at runtime. This opens a path for escalating privileges
+  * Most implementations of network policies translate labels to IPs, this involves an eventual consistency nature which can and has lea to over permissiveness in the past.
+
+* Scale. Network Policies are enforced using IPs (different selectors in the APIs get translated to IPs). This does not scale well with large clusters or beyond a single cluster
+
+An identity-based authorization API is essential because it provides a structured way to control authorization between identities within the cluster.
+
+### State of the World
+
+Every mesh vendor has their own API of such authorization. Below we describe the UX for different implementations:
+
+<TODO>
+
+#### Istio
+
+
+#### Linkerd
+
+
+#### Cilium
+
+
+
+## Outstanding Questions and Concerns (TODO)
+
+
+## API
+
+
+
+## Conformance Details
+
+
+#### Feature Names
+
+
+### Conformance tests 
+
+
+## Alternatives
+
+
+## References

geps/gep-3779/metadata.yaml

@@ -0,0 +1,19 @@
+apiVersion: internal.gateway.networking.k8s.io/v1alpha1
+kind: GEPDetails
+number: 3779
+name: Identity Based Authz for east-west traffic
+status: Provisional
+# Any authors who contribute to the GEP in any way should be listed here using
+# their GitHub handle.
+authors:
+  - liorlieberman
+  - aryan16
+# references is a list of hyperlinks to relevant external references.
+# It's intended to be used for storing GitHub discussions, Google docs, etc.
+references: {}
+# featureNames is a list of the feature names introduced by the GEP, if there
+# are any. This will allow us to track which feature was introduced by which GEP.
+featureNames: {}
+# changelog is a list of hyperlinks to PRs that make changes to the GEP, in
+# ascending date order.
+changelog: {}