GEP 3779 - Identity Based Authz for east-west

Author: aryan16

geps/gep-3779/index.md

@@ -0,0 +1,59 @@
+# GEP-3779: Identity Based Authz for East-West Traffic
+
+* Issue: [#3779](https://github.com/kubernetes-sigs/gateway-api/issues/3779)
+* Status: Provisional
+
+(See [status definitions](../overview.md#gep-states).)
+
+
+## TLDR
+
+Provide a method for configuing **Gateway API implementations** to add identity based Authorization for east-west traffic. K8s Service Accounts can serve as the client identities. 
+
+
+## Goals
+
+(Using the [Gateway API Personas](../../concepts/roles-and-personas.md))
+
+* A way for Ana the Application Developer to configure a Gateway API implementation to perform identity based authorization that **allows** the requests for some K8s clients to the K8s workloads.
+
+* A way for Chihiro the Application Developer to configure a Gateway API implementation to perform identity based authorization that **denies** the requests for some K8s to the K8s workloads.
+
+
+## Non-Goals
+
+* Supporting any other identity than K8s service accounts.
+
+* Supporting identity based authorization for north-south traffic.
+
+
+## Introduction
+
+An identity-based authorization API is essential because it provides a structured way to control access to network traffic based on client identities within a Kubernetes cluster, a capability particularly vital for enforcing fine-grained security policies in complex multi-tenant or large-scale environments.
+
+All the open source meshes have their own implementaition of idenity based authorization and it is now important use case for Gateway APIs for east-west traffic.
+
+As service meshes commonly implement mTLS , client identity is provided in X.509 certificates through fields such as the URI SAN (often for workload-specific identities like SPIFFE IDs), DNS SAN etc. After TLS termination on the destination side for inbound traffic, identity-based authorization can be applied by the users. The request is then permitted or denied based on the rules defined in the authorization policy.
+
+Identity based authorization policies can also be applied to an entire namespace. The rules of that policy are enforced for network traffic involving all workloads within that namespace.
+
+## Outstanding Questions and Concerns (TODO)
+
+
+## API
+
+
+
+## Conformance Details
+
+
+#### Feature Names
+
+
+### Conformance tests 
+
+
+## Alternatives
+
+
+## References

geps/gep-3779/metadata.yaml

@@ -0,0 +1,19 @@
+apiVersion: internal.gateway.networking.k8s.io/v1alpha1
+kind: GEPDetails
+number: 3779
+name: Identity Based Authz for east-west traffic
+status: Provisional
+# Any authors who contribute to the GEP in any way should be listed here using
+# their GitHub handle.
+authors:
+  - aryan16
+  - liorliberman
+# references is a list of hyperlinks to relevant external references.
+# It's intended to be used for storing GitHub discussions, Google docs, etc.
+references: {}
+# featureNames is a list of the feature names introduced by the GEP, if there
+# are any. This will allow us to track which feature was introduced by which GEP.
+featureNames: {}
+# changelog is a list of hyperlinks to PRs that make changes to the GEP, in
+# ascending date order.
+changelog: {}