Investigate whether we should make the source field in an AccessPolicyRule optional

[haiyanmeng]

Context: #193 (comment)

The source field is required currently. An AccessPolicyRule applying to all the agents looks like:

apiVersion: agentic.prototype.x-k8s.io/v0alpha0
kind: XAccessPolicy
metadata:
  name: e2e-gateway-extauth-policy
  namespace: e2e-test-ns
spec:
  targetRefs:
  - ...
  rules:
  - name: ext-authz-rule
    source:
      type: ServiceAccount
    authorization:
      type: ExternalAuth
      externalAuth:
        ...

I wonder whether we should make it optional. If the field is optional, An AccessPolicyRule applying to all the agents looks like:

apiVersion: agentic.prototype.x-k8s.io/v0alpha0
kind: XAccessPolicy
metadata:
  name: e2e-gateway-extauth-policy
  namespace: e2e-test-ns
spec:
  targetRefs:
  - ...
  rules:
  - name: ext-authz-rule
    authorization:
      type: ExternalAuth
      externalAuth:
        ...

cc @guicassolato @LiorLieberman @david-martin

[haiyanmeng]

/assign @haiyanmeng

[david-martin]

One option is to have a source type of Any to make it explicit.

Question: Is validation on there being a source enforced at runtime? Like if there is no identity/authN (no serviceaccount header or bearer token), what happens when the authZ kicks in?