The configuration model of authentication and authorization in Ambient Mesh mode is different from that in the original Sidecar mode due to the separation between Layer 4 and Layer 7. This topic describes how to use Layer 7 authorization policies.
Prerequisites
An ingress gateway and related applications are deployed, and basic features are verified. For more information, see Prerequisites and Step 1 in Getting started.
Limits
The following limits are applicable to authorization policies in a waypoint proxy:
The action field cannot be set to CUSTOM, which indicates that a waypoint proxy does not support custom authorization services.
ipBlocks is not supported in the source field.
If a waypoint proxy is deployed, a corresponding ztunnel allows all requests from the waypoint proxy to pass through. In this case, authorization policies must be bound to the waypoint proxy for the authorization policies to take effect.
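The three limits above are easy to violate silently, because a policy that a waypoint cannot apply is still accepted by the API server. The following lint, an added example that is not part of the ASM documentation, flags such policies before they are applied; it takes the policy as an already-parsed dict (with PyYAML installed you would feed it yaml.safe_load of the file), and it assumes that the only waypoint bindings are the two shown on this page, the istio.io/gateway-name selector and a targetRefs entry of kind Service.

```python
# Added example, not from the ASM documentation: a small lint that flags
# AuthorizationPolicy settings a waypoint proxy will not enforce (the limits
# above). Policies are passed as already-parsed dicts; with PyYAML installed,
# feed it yaml.safe_load(open("productpage-viewer.yaml")).
WAYPOINT_LABEL = "istio.io/gateway-name"  # label carried by V1.21 waypoint pods


def lint_waypoint_policy(policy):
    """Return the problems found; an empty list means the waypoint will apply it."""
    spec = policy.get("spec", {})
    problems = []
    # Limit: a waypoint cannot hand the decision to a custom authorization service.
    if spec.get("action") == "CUSTOM":
        problems.append("action CUSTOM is not supported on a waypoint proxy")
    # Limit: source.ipBlocks is ignored by a waypoint; only remoteIpBlocks works.
    for rule in spec.get("rules", []):
        for entry in rule.get("from", []):
            if "ipBlocks" in entry.get("source", {}):
                problems.append("source.ipBlocks is not supported; use remoteIpBlocks")
    # Limit: ztunnel lets waypoint traffic through unchecked, so a policy that
    # selects application pods never fires. Only the two bindings shown on this
    # page are recognised here (assumption): the V1.21 gateway-name selector
    # and the V1.22 targetRefs entry pointing at a Service.
    labels = spec.get("selector", {}).get("matchLabels", {})
    refs = spec.get("targetRefs", [])
    bound = WAYPOINT_LABEL in labels or any(r.get("kind") == "Service" for r in refs)
    if not bound:
        problems.append("policy is not bound to the waypoint (use selector "
                        "istio.io/gateway-name or targetRefs kind Service)")
    return problems


# Constructed inputs: the Example 1 policy that selects the productpage pods
# (ignored once a waypoint exists) and its V1.22 rewrite bound to the Service.
POD_SELECTED = {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
                "metadata": {"name": "productpage-viewer", "namespace": "default"},
                "spec": {"selector": {"matchLabels": {"app": "productpage"}},
                         "action": "DENY",
                         "rules": [{"to": [{"operation": {"ports": ["9080"]}}]}]}}
SERVICE_BOUND = {"apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
                 "metadata": {"name": "productpage-viewer", "namespace": "default"},
                 "spec": {"targetRefs": [{"kind": "Service", "group": "", "name": "productpage"}],
                          "action": "DENY",
                          "rules": [{"to": [{"operation": {"ports": ["9080"]}}]}]}}

if __name__ == "__main__":
    for name, pol in (("pod-selected", POD_SELECTED), ("service-bound", SERVICE_BOUND)):
        print(name, lint_waypoint_policy(pol) or "ok")
```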
Preparations
For Service Mesh (ASM) instances of V1.21 and earlier
Run the following command to deploy a waypoint proxy for the productpage service:
istioctl x waypoint apply --service-account bookinfo-productpage
Run the following command to view the pod of the waypoint proxy:
kubectl get pod --show-labels | grep waypoint
Expected output:
bookinfo-productpage-istio-waypoint-6c579dd48d-l**** 1/1 Running 0 91s gateway.istio.io/managed=istio.io-mesh-controller,istio.io/gateway-name=bookinfo-productpage,pod-template-hash=6c579dd48d,service.istio.io/canonical-name=bookinfo-productpage-istio-waypoint,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
For ASM instances of V1.22 and later
Use the following content to deploy a gateway:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  labels:
    istio.io/waypoint-for: service
  name: waypoint
  namespace: default
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
Run the following command to deploy a waypoint proxy for the productpage service:
kubectl label service productpage istio.io/use-waypoint=waypoint
Example 1: If a waypoint proxy is deployed for the productpage service, the authorization policy on ztunnels does not take effect.
If a waypoint proxy is deployed for the productpage service, the corresponding ztunnels allow all traffic from the waypoint proxy of the productpage service to pass through. In this case, if an authorization policy is applied to a ztunnel (an application pod is selected by the selector of the authorization policy), the authorization policy does not take effect.
Use the following content to create a productpage-viewer.yaml file.
The following authorization policy applies to the corresponding ztunnel and prohibits access to port 9080 of the productpage service.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: DENY
  rules:
  - to:
    - operation:
        ports:
        - "9080"
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
command terminated with exit code 56
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
The preceding tests and the tests in Example 2: Prohibit access to port 9080 of the productpage service (no waypoint proxy is deployed) use the same authorization policy. However, all accesses to port 9080 of the productpage service were successful in the preceding tests.
The preceding results show that after you deploy a waypoint proxy, the ztunnel no longer enforces authorization policies that select the application pods; such policies become invalid.
Change the productpage-viewer.yaml file to the following content and run the kubectl apply -f productpage-viewer.yaml command to deploy the authorization policy.
For ASM instances of V1.21 and earlier
The configuration of the selector field is changed in the following YAML file.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - to:
    - operation:
        ports:
        - "9080"
For ASM instances of V1.22 and later
The desired service is specified in the following YAML file.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: DENY
  rules:
  - to:
    - operation:
        ports:
        - "9080"
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/
Expected output:
RBAC: access denied%
The error message returned here is RBAC: access denied%, which is different from that in Example 2: Prohibit access to port 9080 of the productpage service in the "Layer 4 authentication and authorization" topic. This error is actually returned by the waypoint proxy of the productpage service. When the waypoint proxy finds that the request to port 9080 is denied by the policy, it returns an HTTP RBAC error with the HTTP 403 status code instead of closing the connection at Layer 4.
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
Example 2: Prohibit the IP address of the sleep pod from accessing the productpage service directly
Currently, authorization policies configured on a waypoint proxy do not support the ipBlocks field and only support the remoteIpBlocks field. You can configure only the remoteIpBlocks field to match requests that pass through the gateway.
Create a productpage-viewer.yaml file with the following content to prohibit the sleep pod from accessing the productpage service:
For ASM instances of V1.21 and earlier
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - "${sleep Pod IP}"
For ASM instances of V1.22 and later
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: DENY
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - "${sleep Pod IP}"
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ -I
Expected output:
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Fri, 19 Jul 2024 08:17:08 GMT
server: istio-envoy
The expected output indicates that the sleep pod cannot access the productpage service, either directly or through the gateway.
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
Example 3: Prohibit the HEAD method from accessing the /productpage path
Use the following content to create a productpage-viewer.yaml file:
For ASM instances of V1.21 and earlier
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["HEAD"]
        paths: ["/productpage"]
For ASM instances of V1.22 and later
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: DENY
  rules:
  - to:
    - operation:
        methods:
        - "HEAD"
        paths:
        - "/productpage"
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to access the /productpage path by using the HEAD method:
kubectl exec deploy/sleep -- curl -s productpage:9080/productpage -I
Expected output:
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Thu, 15 Aug 2024 12:20:51 GMT
server: istio-envoy
Run the following command to access the /productpage path by using the GET method:
kubectl exec deploy/sleep -- curl -s productpage:9080/productpage | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
Accessing the /productpage path is successful.
Run the following command to access the / path by using the HEAD method:
kubectl exec deploy/sleep -- curl -s productpage:9080/ -I
Expected output:
HTTP/1.1 200 OK
server: istio-envoy
date: Thu, 15 Aug 2024 12:23:17 GMT
content-type: text/html; charset=utf-8
content-length: 1743
x-envoy-upstream-service-time: 2
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
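The results of Example 2 and Example 3 follow from how a waypoint matches a DENY rule: every field set in the rule must match, the values listed under one field are alternatives, and a request is denied as soon as any rule matches. The following evaluator, an added example that is not part of the ASM documentation, replays both policies against constructed requests so the 403 for HEAD /productpage and the 200 for GET /productpage and HEAD / can be reproduced offline; it handles only exact paths and the remoteIpBlocks source field, which is all the policies on this page use, and the sleep pod IP 10.0.0.5 is a constructed value.

```python
# Added example, not from the ASM documentation: replays the DENY policies
# of Examples 2 and 3 against constructed requests with the matching rules
# Istio documents for AuthorizationPolicy (every field set in a rule must
# match, list values are alternatives, any matching rule denies). Only exact
# paths and the remoteIpBlocks source field are handled, which is all the
# policies on this page use.
import ipaddress


def _operation_matches(op, req):
    checks = {"ports": str(req["port"]), "methods": req["method"], "paths": req["path"]}
    return all(checks[field] in values for field, values in op.items() if field in checks)


def _source_matches(src, req):
    # A waypoint ignores ipBlocks, so only remoteIpBlocks is consulted here.
    blocks = src.get("remoteIpBlocks", [])
    if not blocks:
        return True
    ip = ipaddress.ip_address(req["remote_ip"])
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocks)


def is_denied(policy, req):
    """True if the DENY policy has a rule whose from and to sections both match."""
    assert policy["spec"]["action"] == "DENY"
    for rule in policy["spec"]["rules"]:
        from_ok = not rule.get("from") or any(
            _source_matches(f.get("source", {}), req) for f in rule["from"])
        to_ok = not rule.get("to") or any(
            _operation_matches(t.get("operation", {}), req) for t in rule["to"])
        if from_ok and to_ok:
            return True
    return False


# Example 3 policy, and Example 2 with a constructed sleep pod IP (10.0.0.5).
HEAD_POLICY = {"spec": {"action": "DENY", "rules": [
    {"to": [{"operation": {"methods": ["HEAD"], "paths": ["/productpage"]}}]}]}}
IP_POLICY = {"spec": {"action": "DENY", "rules": [
    {"from": [{"source": {"remoteIpBlocks": ["10.0.0.5"]}}]}]}}


def request(method, path, remote_ip="10.0.0.9", port=9080):
    return {"method": method, "path": path, "remote_ip": remote_ip, "port": port}


if __name__ == "__main__":
    print(is_denied(HEAD_POLICY, request("HEAD", "/productpage")))          # True (403)
    print(is_denied(HEAD_POLICY, request("GET", "/productpage")))           # False (200)
    print(is_denied(HEAD_POLICY, request("HEAD", "/")))                     # False (200)
    print(is_denied(IP_POLICY, request("GET", "/", remote_ip="10.0.0.5")))  # True (403)
```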