chore: upstream our authorization changes for oauth2-proxy (#11347)

Signed-off-by: juliusvonkohout <[email protected]>

manifests/kustomize/base/installs/multi-user/istio-authorization-config.yaml

@@ -8,10 +8,21 @@ spec:
     matchLabels:
       app: ml-pipeline-ui
   rules:
+  # Allow all requests from the ingress gateway
   - from:
     - source:
-        namespaces:
-        - istio-system
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+
+  # Allow all requests with an `authorization` header but NOT a `kubeflow-userid` header.
+  # This is needed to allow Kubernetes JWTs to be passed to the KFP API.
+  - when:
+    - key: request.headers[authorization]
+      values:
+      - "*"
+    - key: request.headers[kubeflow-userid]
+      notValues:
+      - "*"
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
@@ -32,7 +43,7 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
-  # For user workloads, which cannot user http headers for authentication
+  # Allow all requests that dont have a `kubeflow-userid` header.
   - when:
     - key: request.headers[kubeflow-userid]
       notValues: ['*']