{"id":16826987,"url":"https://github.com/retocode/knative-multitenancy","last_synced_at":"2025-03-17T19:45:26.437Z","repository":{"id":154107294,"uuid":"595621019","full_name":"ReToCode/knative-multitenancy","owner":"ReToCode","description":null,"archived":false,"fork":false,"pushed_at":"2023-07-20T12:29:05.000Z","size":101,"stargazers_count":0,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-24T07:08:27.384Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ReToCode.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-31T13:20:29.000Z","updated_at":"2023-01-31T13:21:04.000Z","dependencies_parsed_at":"2024-03-08T12:01:10.303Z","dependency_job_id":null,"html_url":"https://github.com/ReToCode/knative-multitenancy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Fknative-multitenancy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Fknative-multitenancy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Fknative-multitenancy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ReToCode%2Fknative-multitenancy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ReToCode","download_url":"https://codeload.github.com/ReToCode/knative-mult
itenancy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244102039,"owners_count":20398379,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T11:19:19.601Z","updated_at":"2025-03-17T19:45:26.417Z","avatar_url":"https://github.com/ReToCode.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Serverless multi-tenancy based on Istio (Service Mesh) functionality\nThe basic idea of this setup is to use Istio (Service Mesh) features to provide `network based` isolation\nfor multiple tenants.\n\n# Architecture\n![Architecture](https://raw.githubusercontent.com/ReToCode/diagrams/main/knative/multi-tenancy-service-mesh.drawio.svg)\n\n# High level overview\n* The setup enforces `istio mTLS` and uses `AuthorizationPolicies` to isolate workloads.\n* As `Knative` has different `data-paths` (via ingress-gateway, via activator, via ingress-gateway and activator, or directly through the mesh), network isolation must be enforced in multiple places.\n* `PeerAuthentication` is used to enforce `mTLS` on all relevant namespaces.\n* `knative-local-gateway` is patched to enforce `istio mTLS`.\n* `AuthorizationPolicy` resources are in place to allow only tenant traffic. The namespace `knative-serving` has additional rules that filter traffic based on `source namespaces` and `target hosts`. 
\n\n# Setup (K8S with Kind)\n\n## Prerequisites\n* A `kubernetes` cluster with `kubectl` configured\n* Installed the following components:\n\n```bash\n# Knative Serving\nkubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.8.3/serving-crds.yaml\nkubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.8.3/serving-core.yaml\n\n# Istio as networking layer\nkubectl apply -l knative.dev/crd-install=true -f https://github.com/knative/net-istio/releases/download/knative-v1.8.1/istio.yaml\nkubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.8.1/istio.yaml\n\n# Enable proxies in knative-serving\nkubectl label namespace knative-serving istio-injection=enabled\n\n# Restart containers to pick up the proxy\nkubectl delete pod --all -n knative-serving\n\n# Install the net-istio controller\nkubectl apply -f https://github.com/knative/net-istio/releases/download/knative-v1.8.1/net-istio.yaml\n```\n\n## Tenant setup (on Kind)\n```bash\n# Creating tenants\nkubectl create ns tenant-1\nkubectl create ns tenant-2\nkubectl label namespace tenant-1 istio-injection=enabled\nkubectl label namespace tenant-2 istio-injection=enabled\n\n# Apply secured config\nkubectl apply -f kind/config \n\n# Create kservices\nkubectl apply -f kind/services/tenant-1\nkubectl apply -f kind/services/tenant-2\n```\n\n# Setup (OpenShift)\n```bash\n# Install Service Mesh\noc apply -f openshift/mesh-operators\noc apply -f openshift/mesh-config\n\n# Install Serverless Operator\noc apply -f openshift/serverless-operator\noc apply -f openshift/serverless-config\n\n# Integrate Service Mesh and Serverless\noc apply -f openshift/serverless-mesh-integration\n```\n\n## Tenant setup (on OpenShift)\n```bash\n# Creating tenants\noc new-project tenant-1\noc new-project tenant-2\n\n# Apply secured config\noc apply -f openshift/securing-config\n\n# Create kservices\noc apply -f openshift/services/tenant-1\noc apply -f 
openshift/services/tenant-2\n```\n\n# Verification\nUse the script to verify the configuration \n```bash\n./hack/verify.sh\n```\nExample output\n```text\nTesting same tenant directly\nCall to svc-always-scaled-00001-private.tenant-1.svc.cluster.local/headers succeeded\nCall to 10.244.3.11/headers succeeded\nTesting cross tenant directly (should fail)\nCall to svc-always-scaled-00001-private.tenant-1.svc.cluster.local/headers succeeded\nCall to 10.244.3.11/headers succeeded\nTesting same tenant via activator\nCall to svc-activator-in-path.tenant-1.svc.cluster.local/headers succeeded\nCall to svc-activator-in-path.tenant-2.svc.cluster.local/headers succeeded\nTesting cross tenant via activator (should fail)\nCall to svc-activator-in-path.tenant-1.svc.cluster.local/headers succeeded\nTesting same tenant via ingress-gateway and activator\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\nTesting cross tenant via ingress-gateway and activator (should fail)\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\nTesting same tenant via ingress-gateway no activator\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\nTesting cross tenant via ingress-gateway no activator (should fail)\nCall to knative-local-gateway.istio-system.svc.cluster.local/headers succeeded\n✅  All tests completed successfully\n```\n\n# Testing\n\n## Testing same tenant directly\n### [tenant-1] -\u003e [tenant-1]\n```bash\n# Directly via k8s private service\nkubectl exec deployment/curl -n tenant-1 -it -- curl -siv http://svc-always-scaled-00001-private.tenant-1.svc.cluster.local/headers\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Forwarded\": \"proto=http\",\n    \"Host\": \"svc-always-scaled-00001-private.tenant-1.svc.cluster.local\",\n    
\"User-Agent\": \"curl/7.87.0-DEV\",\n    \"X-B3-Parentspanid\": \"2a8f1b2cb0ca6bf9\",\n    \"X-B3-Sampled\": \"0\",\n    \"X-B3-Spanid\": \"83529b99ef1980e7\",\n    \"X-B3-Traceid\": \"583952dce1087bed2a8f1b2cb0ca6bf9\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=c838e811068f18ec3292b88311c1b1c4944ba34e8a0a53ed8efd1db6a9e78b01;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/tenant-1/sa/default\"\n  }\n}\n\n# Directly via pod ip\nPOD_IP=$(kubectl get pod -l serving.knative.dev/configuration=svc-always-scaled -n tenant-1 -o jsonpath=\"{.items[0].status.podIP}\")\nkubectl exec deployment/curl -n tenant-1 -it -- curl -siv \"http://${POD_IP}/headers\" -H 'Host: svc-always-scaled-00001-private.tenant-1.svc.cluster.local'\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Forwarded\": \"proto=http\",\n    \"Host\": \"svc-always-scaled-00001-private.tenant-1.svc.cluster.local\",\n    \"User-Agent\": \"curl/7.87.0-DEV\",\n    \"X-B3-Parentspanid\": \"ac4fa8ff5da2e6f1\",\n    \"X-B3-Sampled\": \"0\",\n    \"X-B3-Spanid\": \"50d4b124d5139390\",\n    \"X-B3-Traceid\": \"d34f058a010a7592ac4fa8ff5da2e6f1\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=c838e811068f18ec3292b88311c1b1c4944ba34e8a0a53ed8efd1db6a9e78b01;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/tenant-1/sa/default\"\n  }\n}\n```\n\n## Testing cross tenant directly (should fail)\n### [tenant-2] -\u003e [tenant-1]\n```bash\n# Directly via k8s private service\nkubectl exec deployment/curl -n tenant-2 -it -- curl -siv http://svc-always-scaled-00001-private.tenant-1.svc.cluster.local/headers\n# HTTP/1.1 403 Forbidden\n# RBAC: access denied\n\n# The request was denied in the istio-proxy in tenant-1\n2023-01-31T12:35:25.789968Z     debug   envoy rbac      checking request: requestedServerName: 
outbound_.80_._.svc-always-scaled-00001-private.tenant-1.svc.cluster.local, sourceIP: 10.244.2.5:48626, directRemoteIP: 10.244.2.5:48626, remoteIP: 10.244.2.5:48626,localAddress: 10.244.3.8:8012, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/tenant-2/sa/default, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'svc-always-scaled-00001-private.tenant-1.svc.cluster.local'\n':path', '/headers'\n':method', 'GET'\n':scheme', 'http'\n'user-agent', 'curl/7.87.0-DEV'\n'accept', '*/*'\n'x-forwarded-proto', 'http'\n'x-request-id', '2a9b8705-50d8-4ad8-9c63-f0e6d675134a'\n'x-envoy-attempt-count', '1'\n'x-b3-traceid', '369e395e39048b55b9adf569231d5a3a'\n'x-b3-spanid', 'b9adf569231d5a3a'\n'x-b3-sampled', '0'\n'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=587068c5492cbbde398f042b499fbe7d2a5c10d89d353e0ecb1af58293beac13;Subject=\"\";URI=spiffe://cluster.local/ns/tenant-2/sa/default'\n, dynamicMetadata:\n2023-01-31T12:35:25.789994Z     debug   envoy rbac      enforced denied, matched policy none\n\n\n# Directly via pod ip\nPOD_IP=$(kubectl get pod -l serving.knative.dev/configuration=svc-always-scaled -n tenant-1 -o jsonpath=\"{.items[0].status.podIP}\")\nkubectl exec deployment/curl -n tenant-2 -it -- curl -siv \"http://${POD_IP}/headers\" -H 'Host: svc-always-scaled-00001-private.tenant-1.svc.cluster.local'\n# HTTP/1.1 403 Forbidden\n# RBAC: access denied\n\n# The request was denied in the istio-proxy in tenant-1\n2023-01-31T12:36:00.398043Z     debug   envoy rbac      checking request: requestedServerName: outbound_.80_._.svc-always-scaled-00001-private.tenant-1.svc.cluster.local, sourceIP: 10.244.2.5:48626, directRemoteIP: 10.244.2.5:48626, remoteIP: 10.244.2.5:48626,localAddress: 10.244.3.8:8012, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/tenant-2/sa/default, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 
'svc-always-scaled-00001-private.tenant-1.svc.cluster.local'\n':path', '/headers'\n':method', 'GET'\n':scheme', 'http'\n'user-agent', 'curl/7.87.0-DEV'\n'accept', '*/*'\n'x-forwarded-proto', 'http'\n'x-request-id', '309d8aaa-e0da-4ad3-a262-a0aa5084e5bb'\n'x-envoy-attempt-count', '1'\n'x-b3-traceid', 'a38d543371352fddd061c800434ec310'\n'x-b3-spanid', 'd061c800434ec310'\n'x-b3-sampled', '0'\n'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=587068c5492cbbde398f042b499fbe7d2a5c10d89d353e0ecb1af58293beac13;Subject=\"\";URI=spiffe://cluster.local/ns/tenant-2/sa/default'\n, dynamicMetadata:\n2023-01-31T12:36:00.398225Z     debug   envoy rbac      enforced denied, matched policy none\n```\n\n## Testing same tenant via activator\n### [tenant-1] -\u003e [activator] -\u003e [tenant-1]\n```bash\n# Note: this is routed directly to the activator, even though the service points (CNAME) to knative-local-gateway.\nkubectl exec deployment/curl -n tenant-1 -it -- curl -siv http://svc-activator-in-path.tenant-1.svc.cluster.local/headers\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Forwarded\": \"for=127.0.0.6;proto=http\",\n    \"Host\": \"svc-activator-in-path.tenant-1.svc.cluster.local\",\n    \"K-Proxy-Request\": \"activator\",\n    \"User-Agent\": \"curl/7.87.0-DEV\",\n    \"X-B3-Parentspanid\": \"b12e83377ddc9f54\",\n    \"X-B3-Sampled\": \"0\",\n    \"X-B3-Spanid\": \"c6f2e9788ef0bf45\",\n    \"X-B3-Traceid\": \"d42f69aa2fb623640c0968ddc6e61159\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=e1521c5650156cbfd7e8c99305cb4a8fa929196e46fa34b4dd1f91c3ccd8dcf5;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/knative-serving/sa/controller\"\n  }\n}\n```\n\n## Testing cross tenant via activator (should fail)\n### [tenant-2] -\u003e [activator] -\u003e [tenant-1]\n```bash\n# Note: this is routed directly to the activator, even though the service points (CNAME) to 
knative-local-gateway.\nkubectl exec deployment/curl -n tenant-2 -it -- curl -siv http://svc-activator-in-path.tenant-1.svc.cluster.local/headers\n# HTTP/1.1 403 Forbidden\n# RBAC: access denied\n\n# The request was denied in the istio-proxy in activator\n2023-01-31T12:39:53.827806Z     debug   envoy rbac      checking request: requestedServerName: outbound_.80_._.svc-activator-in-path-00001.tenant-1.svc.cluster.local, sourceIP: 10.244.2.5:40768, directRemoteIP: 10.244.2.5:40768, remoteIP: 10.244.2.5:40768,localAddress: 10.244.3.10:8012, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/tenant-2/sa/default, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'svc-activator-in-path.tenant-1.svc.cluster.local'\n':path', '/headers'\n':method', 'GET'\n':scheme', 'http'\n'user-agent', 'curl/7.87.0-DEV'\n'accept', '*/*'\n'x-forwarded-proto', 'http'\n'x-request-id', 'b6b7f318-3cd1-4d01-9d16-c54ed64feea8'\n'x-envoy-attempt-count', '1'\n'knative-serving-namespace', 'tenant-1'\n'knative-serving-revision', 'svc-activator-in-path-00001'\n'x-b3-traceid', '526528972e4e218e0b91361d0ced09c6'\n'x-b3-spanid', '0b91361d0ced09c6'\n'x-b3-sampled', '0'\n'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/knative-serving/sa/controller;Hash=587068c5492cbbde398f042b499fbe7d2a5c10d89d353e0ecb1af58293beac13;Subject=\"\";URI=spiffe://cluster.local/ns/tenant-2/sa/default'\n, dynamicMetadata:\n2023-01-31T12:39:53.827878Z     debug   envoy rbac      enforced denied, matched policy none\n```\n\n## Testing same tenant via ingress-gateway and activator\n### [tenant-1] -\u003e [istio-ingressgateway] -\u003e [activator] -\u003e [tenant-1]\n```bash\nkubectl exec deployment/curl -n tenant-1 -it -- curl -siv http://knative-local-gateway.istio-system.svc.cluster.local/headers -H 'Host: svc-activator-in-path.tenant-1.svc.cluster.local'\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Forwarded\": \"for=127.0.0.6;proto=http\",\n    \"Host\": 
\"svc-activator-in-path.tenant-1.svc.cluster.local\",\n    \"K-Proxy-Request\": \"activator\",\n    \"User-Agent\": \"curl/7.87.0-DEV\",\n    \"X-B3-Parentspanid\": \"2f2c43bcd2bac779\",\n    \"X-B3-Sampled\": \"0\",\n    \"X-B3-Spanid\": \"7c81319d6bcc29e3\",\n    \"X-B3-Traceid\": \"70655bc454f33ee72e412696e00bce2b\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=e1521c5650156cbfd7e8c99305cb4a8fa929196e46fa34b4dd1f91c3ccd8dcf5;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/knative-serving/sa/controller\"\n  }\n}\n```\n\n## Testing cross tenant via ingress-gateway and activator (should fail)\n### [tenant-2] -\u003e [istio-ingressgateway] -\u003e [activator] -\u003e [tenant-1]\n```bash\n# Note: we must explicitly set the destination to knative-local-gateway, otherwise this would be routed to the activator by istio.\nkubectl exec deployment/curl -n tenant-2 -it -- curl -siv http://knative-local-gateway.istio-system.svc.cluster.local/headers -H 'Host: svc-activator-in-path.tenant-1.svc.cluster.local'\n# HTTP/1.1 403 Forbidden\n# RBAC: access denied\n\n# The request was denied in the istio-proxy in activator\n2023-01-31T12:42:27.387460Z     debug   envoy rbac      checking request: requestedServerName: outbound_.80_._.svc-activator-in-path-00001.tenant-1.svc.cluster.local, sourceIP: 10.244.2.5:40754, directRemoteIP: 10.244.2.5:40754, remoteIP: 10.244.2.5:40754,localAddress: 10.244.3.10:8012, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/tenant-2/sa/default, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'svc-activator-in-path.tenant-1.svc.cluster.local'\n':path', '/headers'\n':method', 'GET'\n':scheme', 'http'\n'user-agent', 'curl/7.87.0-DEV'\n'accept', '*/*'\n'x-forwarded-proto', 'http'\n'x-request-id', 'b6c569ad-d5c2-476e-a929-f2b7c18d9917'\n'x-envoy-attempt-count', '1'\n'knative-serving-namespace', 'tenant-1'\n'knative-serving-revision', 
'svc-activator-in-path-00001'\n'x-b3-traceid', '118a47cd6fccbdd0a7aa692ae1070d0c'\n'x-b3-spanid', 'a7aa692ae1070d0c'\n'x-b3-sampled', '0'\n'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/knative-serving/sa/controller;Hash=587068c5492cbbde398f042b499fbe7d2a5c10d89d353e0ecb1af58293beac13;Subject=\"\";URI=spiffe://cluster.local/ns/tenant-2/sa/default'\n, dynamicMetadata:\n2023-01-31T12:42:27.387491Z     debug   envoy rbac      enforced denied, matched policy none\n```\n\n## Testing same tenant via ingress-gateway no activator\n### [tenant-1] -\u003e [istio-ingressgateway] -\u003e [tenant-1]\n```bash\n# Note: we must explicitly set the destination to knative-local-gateway, otherwise this would be routed to the activator by istio.\nkubectl exec deployment/curl -n tenant-1 -it -- curl -siv http://knative-local-gateway.istio-system.svc.cluster.local/headers -H 'Host: svc-always-scaled.tenant-1.svc.cluster.local'\n{\n  \"headers\": {\n    \"Accept\": \"*/*\",\n    \"Forwarded\": \"proto=http\",\n    \"Host\": \"svc-always-scaled.tenant-1.svc.cluster.local\",\n    \"User-Agent\": \"curl/7.87.0-DEV\",\n    \"X-B3-Parentspanid\": \"92488bf0eb97b2c4\",\n    \"X-B3-Sampled\": \"0\",\n    \"X-B3-Spanid\": \"abb15c5e3b784c4c\",\n    \"X-B3-Traceid\": \"7bd3323e2a4e56e892488bf0eb97b2c4\",\n    \"X-Envoy-Attempt-Count\": \"1\",\n    \"X-Forwarded-Client-Cert\": \"By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=c838e811068f18ec3292b88311c1b1c4944ba34e8a0a53ed8efd1db6a9e78b01;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/tenant-1/sa/default\"\n  }\n}\n```\n\n## Testing cross tenant via ingress-gateway no activator (should fail)\n### [tenant-2] -\u003e [istio-ingressgateway] -\u003e [tenant-1]\n```bash\n# Note: we must explicitly set the destination to knative-local-gateway, otherwise this would be routed to the activator by istio.\nkubectl exec deployment/curl -n tenant-2 -it -- curl -siv http://knative-local-gateway.istio-system.svc.cluster.local/headers -H 'Host: 
svc-always-scaled.tenant-1.svc.cluster.local'\n# HTTP/1.1 403 Forbidden\n# RBAC: access denied\n\n# The request was denied in the istio-proxy in tenant-1\n2023-01-31T12:44:54.419393Z     debug   envoy rbac      checking request: requestedServerName: outbound_.80_._.svc-always-scaled-00001.tenant-1.svc.cluster.local, sourceIP: 10.244.2.5:48640, directRemoteIP: 10.244.2.5:48640, remoteIP: 10.244.2.5:48640,localAddress: 10.244.3.8:8012, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/tenant-2/sa/default, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'svc-always-scaled.tenant-1.svc.cluster.local'\n':path', '/headers'\n':method', 'GET'\n':scheme', 'http'\n'user-agent', 'curl/7.87.0-DEV'\n'accept', '*/*'\n'x-forwarded-proto', 'http'\n'x-request-id', '7188b123-3f5c-4773-90f1-58364c786733'\n'x-envoy-attempt-count', '1'\n'knative-serving-namespace', 'tenant-1'\n'knative-serving-revision', 'svc-always-scaled-00001'\n'x-b3-traceid', '40ae8af4ab0d2fe184f385c2297926a7'\n'x-b3-spanid', '84f385c2297926a7'\n'x-b3-sampled', '0'\n'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/tenant-1/sa/default;Hash=587068c5492cbbde398f042b499fbe7d2a5c10d89d353e0ecb1af58293beac13;Subject=\"\";URI=spiffe://cluster.local/ns/tenant-2/sa/default'\n, dynamicMetadata:\n2023-01-31T12:44:54.419427Z     debug   envoy rbac      enforced denied, matched policy none\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fretocode%2Fknative-multitenancy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fretocode%2Fknative-multitenancy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fretocode%2Fknative-multitenancy/lists"}