Use an authorization policy to control access traffic from services in an ASM instance to an external website - Alibaba Cloud Service Mesh

Kubernetes allows you to use a NetworkPolicy object in a Kubernetes cluster to deny or allow access traffic from services in specific namespaces to specific external websites. However, the method of using a NetworkPolicy object implements only coarse-grained network isolation and cannot ensure application security or business security. The zero-trust security system of Service Mesh (ASM) allows you to dynamically configure authorization policies to control access traffic from services in a namespace to an external website. This helps reduce risks. This topic describes how to use an authorization policy to deny access traffic from all services in a namespace to an external website. The demo-frontend namespace and the aliyun.com external website are used in the example.

Prerequisites

The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
A namespace named demo-frontend is created and automatic sidecar proxy injection is enabled for the namespace. For more information, see Manage global namespaces.

Step 1: Create a test service

Obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

Create a service named sleep in the demo-frontend namespace.

Create a sleep.yaml file that contains the following content:

Show the sleep.yaml file

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: curlimages/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---

Run the following commands to create the sleep service:
```
kubectl apply -f sleep.yaml -n demo-frontend
```

Verify that a sidecar proxy is injected into the sleep service.
1. Log on to the ACK console. In the left-side navigation pane, click Clusters.
2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.
3. In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list and click the pod name of the sleep service.
  On the Container tab, a sidecar proxy named istio-proxy is displayed. This indicates that a sidecar proxy is injected into the sleep service.

Step 2: Create an egress gateway

You can use an egress gateway to control access traffic from services in a Service Mesh instance to an external website. After you configure an authorization policy for an egress gateway, you can also specify conditions to control whether to allow access to an external website. In this example, the name of the egress gateway is set to egressgateway. For more information, see Create an egress gateway.

Step 3: Configure a policy for accessing external services

By default, services in an ASM instance are allowed to access all external services. To control access to a specific external website, set the Outbound Traffic Policy parameter to REGISTRY_ONLY for an ASM instance in the ASM console. In this case, external services that are not registered as service entries cannot be accessed by services in the Service Mesh instance.

Configure a policy for accessing external services.
1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy Setting.
3. On the global tab, click Outbound Traffic Policy, set the Outbound Traffic Policy parameter to REGISTEY_ONLY, and then click Update Settings.
Register the aliyun.com external website as a service entry.
1. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.
2. On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
```
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aliyuncom-ext
  namespace: istio-system
spec:
  hosts:
    - www.aliyun.com  
  location: MESH_EXTERNAL
  ports:
    - name: http
      number: 80
      protocol: HTTP
    - name: tls
      number: 443
      protocol: TLS
  resolution: DNS
```

Step 4: Create a traffic policy

Create an Istio gateway, a destination rule, and a virtual service to route traffic from the demo-frontend namespace to the egress gateway and then to the specific external website.

Create an Istio gateway in the istio-system namespace by using the following YAML code. For more information, see Manage Istio gateways.
```
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTPS
      tls:
        mode: ISTIO_MUTUAL
      hosts:
        - '*'
```
In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mutual Transport Layer Security (mTLS) authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.
Create a destination rule in the demo-frontend namespace by using the following YAML code. For more information, see Manage destination rules.
```
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: target-egress-gateway
  namespace: demo-frontend
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
    - name: target-egress-gateway-mTLS
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
        tls:
          mode: ISTIO_MUTUAL
```
In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mTLS authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.

Create a virtual service in the demo-frontend namespace by using the following YAML code. For more information, see Manage virtual services.

Show the YAML code of the virtual service

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: example-com-through-egress-gateway
  namespace: demo-frontend
spec:
  exportTo:
    - istio-system
    - demo-frontend
  gateways:
    - mesh
    - istio-system/istio-egressgateway
  hosts:
    - www.aliyun.com
  http:
    - match:
        - gateways:
            - mesh
          port: 80
      route:
        - destination:
            host: istio-egressgateway.istio-system.svc.cluster.local
            port:
              number: 80
            subset: target-egress-gateway-mTLS
          weight: 100
    - match:
        - gateways:
            - istio-system/istio-egressgateway
          port: 80
      route:
        - destination:
            host: www.aliyun.com
            port:
              number: 80
          weight: 100

In the http section in the preceding code, two matching rules are configured.

In the first matching rule, the gateways parameter is set to mesh. This indicates that the first matching rule applies to the sidecar proxy injected into the demo-frontend namespace and the first matching rule is used to route traffic from the demo-frontend namespace to the egress gateway.
In the second matching rule, the gateways parameter is set to istio-system/istio-egressgateway. This indicates that the second matching rule is used to route traffic from the egress gateway to the external services that are registered.

Step 5: Create an authorization policy

In the demo-frontend namespace, create an authorization policy that allows the egressgateway egress gateway to deny access traffic from the demo-frontend namespace.

Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > AuthorizationPolicy. On the page that appears, click Create.

On the Create page, set the parameters described in the following table, and then click Create.

Parameter	Description
Name	The name of the authorization policy.
Policy Type	The authorization action. In this example, this parameter is set to DENY.
ASM Gateway	The gateway on which the authorization policy takes effect. In this example, the ASM Gateway parameter on the Gateway Scope tab is set to egressgateway.
Request Matching Rules	In this example, Namespaces is turned on in the Add Request Source section and the value is set to `demo-frontend`.

Step 6: Verify that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website

Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.
In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list. Find the pod name of the sleep service and click Terminal > sleep in the Actions column.
Run the following command to access the aliyun.com external website:
```
curl -I http://www.aliyun.com
```
Expected output:
```
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Thu, 12 Oct 2023 07:14:09 GMT
server: envoy
x-envoy-upstream-service-time: 4
```
The 403 error is returned, which indicates that services in the demo-frontend namespace fail to access the aliyun.com external website. The test results indicate that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website.