Service Mesh (ASM) provides the security policy feature to encapsulate Istio native security resources based on scenarios. This way, you can complete security configurations with ease in common scenarios. This topic provides an overview of ASM security policies and describes their features.
What are ASM security policies?
Advanced security features require you to combine multiple Istio native security resources. Configuring several of these resources together is complex, and their fields are abstract and hard to understand for people who are not familiar with Istio.
ASM encapsulates Istio native security resources based on common scenarios and provides ASM security policies which are easy to understand and configure. You can view all the Istio native security resources that your ASM security policies use, learn about security resources and concepts, and then customize more complex security capabilities.
Features
You can configure ASM security policies to implement the following features: OpenID Connect (OIDC) single sign-on (SSO), JSON Web Token (JWT) authentication, blacklist and whitelist, and custom authorization.
| Category | Feature | Description | References |
| --- | --- | --- | --- |
| Authentication | OIDC SSO | OIDC is a protocol for identity authentication and authorization. It is commonly used to implement SSO. ASM allows you to enable OIDC SSO for specific services by using an ingress gateway. | None |
| Authentication | JWT authentication | JWTs are commonly used to authenticate users. ASM allows you to enable JWT authentication for specific requests to access workloads. | Configure an ASM security policy to implement JWT authentication |
| Authorization | Blacklist and whitelist | Blacklists and whitelists are commonly used to perform access control, denying or allowing specific requests to access applications. ASM allows you to configure blacklists and whitelists to control both east-west traffic and north-south traffic. | Configure an ASM security policy to implement blacklist/whitelist access control |
| Authorization | Custom authorization service | ASM allows you to forward requests to a custom authorization service that you specify. The custom authorization service authenticates the requests. This way, you can implement complex authentication logic, reduce development and maintenance costs, and improve development efficiency. | Configure an ASM security policy to implement custom authorization |
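As an added illustration, not ASM's own generated output or documentation, the following Istio native resources are the kind that a JWT authentication policy plus a whitelist described above encapsulate. The issuer, JWKS URI, namespace, workload label and service account are assumed placeholders; the point to notice is that a RequestAuthentication alone does not reject requests that carry no token, so an AuthorizationPolicy is needed alongside it.

```yaml
# Added example (not ASM's own output): Istio native resources behind a
# JWT-authentication policy and a whitelist. All names are placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"                        # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # placeholder
---
# RequestAuthentication rejects only requests carrying an INVALID token;
# a request with no token still passes. This DENY rule closes that gap.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
---
# Whitelist: allow north-south traffic via the ingress gateway namespace and
# east-west traffic from one workload identity; all other sources are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-trusted-sources
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
```

Because Istio evaluates DENY policies before ALLOW policies, a request from a whitelisted source that lacks a valid JWT is still rejected by the require-jwt policy.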