Use Layer 4 security policy

The layering of ztunnel and waypoint proxies in Istio’s ambient mode gives you a choice on whether or not you want to enable Layer 7 (L7) processing for a given workload.

The Layer 4 (L4) features of Istio’s security policies are supported by ztunnel, and are available in ambient mode. Kubernetes Network Policies also continue to work if your cluster has a CNI plugin that supports them, and can be used to provide defense-in-depth.

To use L7 policies, and Istio’s traffic routing features, you can deploy a waypoint for your workloads.

Layer 4 authorization policies

The ztunnel proxy enforces authorization policy for every workload enrolled in the secure overlay (that is, every pod in the ambient data plane).

The enforcement point is the receiving (server-side) ztunnel in the path of a connection: a policy that selects a destination workload is evaluated by the ztunnel on the node where that workload runs, using the client identity carried in the mTLS (HBONE) connection, not by the client's ztunnel.

A basic L4 authorization policy looks like this:

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-sleep-to-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/ambient-demo/sa/sleep
```

The L4 AuthorizationPolicy API behaves the same way in ambient mode as in sidecar mode. When no AuthorizationPolicy selects a workload, the default is to allow all traffic. Once an ALLOW policy selects a workload, pods matching its selector accept only traffic that some rule explicitly allows. In this example, pods with the label app: httpbin accept traffic only from sources whose identity principal is cluster.local/ns/ambient-demo/sa/sleep; ztunnel takes that principal from the peer certificate of the mTLS connection, so it cannot be spoofed by a client. Traffic from all other sources is denied.

Layer 7 authorization policies without waypoints installed

If an AuthorizationPolicy selecting a workload contains a rule that requires processing beyond L4 (HTTP methods, paths, hosts, request principals, or request.* conditions), and no waypoint proxy is configured for the destination of the traffic, ztunnel cannot evaluate that rule and drops the traffic rather than failing open. Before applying a policy to ambient workloads, check that every rule is L4-only, or, if L7 rules are unavoidable, deploy a waypoint proxy for the destination so the L7 rules have somewhere to be enforced.

This example adds a check for the HTTP GET method:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-sleep-to-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/ambient-demo/sa/sleep
    to:
    - operation:
        methods: ["GET"]
```

Even though the identity of the client pod is otherwise correct, the presence of an L7 rule, combined with the traffic not arriving via a waypoint proxy, causes ztunnel to deny the connection. A curl from the sleep pod fails at the transport level (curl exit code 56 means it could not receive data, i.e. the connection was closed) rather than receiving an HTTP 403:

```
command terminated with exit code 56
```
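To make the decision logic of the two preceding sections concrete (default allow, explicit ALLOW only once a policy selects the workload, and the defensive drop for L7 rules with no waypoint), here is an added model of the server-side ztunnel decision. It is example code written for this page, not Istio or ztunnel code. It goes slightly beyond the page by also applying Istio's DENY-before-ALLOW precedence and port matching, which ztunnel supports at L4. Policies are plain dicts with the same shape as the page's YAML; the namespace ambient-demo, the port 8000 and the list of fields treated as L7 are assumptions for the example, and the page's no-waypoint case is the only one modelled.

```python
"""Model of the ztunnel L4 AuthorizationPolicy decision described on this page.

Added example, not Istio or ztunnel code. Semantics modelled:
  * no policy selects the workload               -> ALLOW
  * a selecting policy has an L7 rule, no waypoint-> DENY (ztunnel can't evaluate it)
  * a DENY policy rule matches                    -> DENY (DENY has precedence)
  * ALLOW policies exist and one rule matches     -> ALLOW, otherwise DENY
"""
import copy
from fnmatch import fnmatchcase
from typing import List, Tuple

# Fields that need HTTP parsing. Assumption: illustrative, not Istio's
# exhaustive classification of L7 attributes.
L7_SOURCE_FIELDS = {"requestPrincipals", "notRequestPrincipals"}
L7_OPERATION_FIELDS = {"methods", "notMethods", "paths", "notPaths", "hosts", "notHosts"}


def rule_needs_l7(rule: dict) -> bool:
    """True if a ztunnel alone cannot evaluate this rule."""
    if any(L7_SOURCE_FIELDS & set(f.get("source", {})) for f in rule.get("from", [])):
        return True
    if any(L7_OPERATION_FIELDS & set(t.get("operation", {})) for t in rule.get("to", [])):
        return True
    # request.* condition keys (headers, JWT claims) are HTTP-level as well.
    return any(str(c.get("key", "")).startswith("request.") for c in rule.get("when", []))


def policy_selects(policy: dict, workload: dict) -> bool:
    """A policy applies if it is in the workload's namespace and its selector matches
    (an absent selector selects every workload in the namespace)."""
    if policy["metadata"].get("namespace", "default") != workload["namespace"]:
        return False
    match = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in match.items())


def _any_match(patterns: List[str], value: str) -> bool:
    # Istio principals allow exact, prefix ("a*"), suffix ("*a") and "*" forms;
    # fnmatch is a close enough stand-in for this model.
    return any(fnmatchcase(value, p) for p in patterns)


def source_matches(rule: dict, principal: str) -> bool:
    froms = rule.get("from", [])
    if not froms:
        return True                      # no "from" means any source
    for f in froms:
        src = f.get("source", {})
        if _any_match(src.get("notPrincipals", []), principal):
            continue
        if "principals" not in src or _any_match(src["principals"], principal):
            return True
    return False


def operation_matches(rule: dict, port: int) -> bool:
    tos = rule.get("to", [])
    if not tos:
        return True                      # no "to" means any destination port
    for t in tos:
        op = t.get("operation", {})
        if str(port) in op.get("notPorts", []):
            continue
        if "ports" not in op or str(port) in op["ports"]:
            return True
    return False


def ztunnel_decision(policies: List[dict], workload: dict,
                     source_principal: str, port: int) -> Tuple[str, str]:
    """Decision and reason for one inbound connection at the server-side ztunnel."""
    applicable = [p for p in policies if policy_selects(p, workload)]
    for p in applicable:                 # defensive drop described on this page
        if any(rule_needs_l7(r) for r in p["spec"].get("rules", [])):
            return "DENY", f"{p['metadata']['name']} has an L7 rule and there is no waypoint"

    def hit(p: dict) -> bool:
        return any(source_matches(r, source_principal) and operation_matches(r, port)
                   for r in p["spec"].get("rules", []))

    for p in applicable:
        if p["spec"].get("action", "ALLOW") == "DENY" and hit(p):
            return "DENY", f"matched DENY policy {p['metadata']['name']}"
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return "ALLOW", "no ALLOW policy selects this workload"
    for p in allows:
        if hit(p):
            return "ALLOW", f"matched ALLOW policy {p['metadata']['name']}"
    return "DENY", "ALLOW policies select this workload but none matched"


# Constructed sample data: the page's two policies (namespace added, since the
# page's YAML omits it) and the httpbin workload they select.
L4_POLICY = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-sleep-to-httpbin", "namespace": "ambient-demo"},
    "spec": {"selector": {"matchLabels": {"app": "httpbin"}}, "action": "ALLOW",
             "rules": [{"from": [{"source": {
                 "principals": ["cluster.local/ns/ambient-demo/sa/sleep"]}}]}]},
}
L7_POLICY = copy.deepcopy(L4_POLICY)
L7_POLICY["spec"]["rules"][0]["to"] = [{"operation": {"methods": ["GET"]}}]
HTTPBIN = {"namespace": "ambient-demo", "labels": {"app": "httpbin"}}
SLEEP = "cluster.local/ns/ambient-demo/sa/sleep"
OTHER = "cluster.local/ns/ambient-demo/sa/default"

if __name__ == "__main__":
    for pols, who in [([], SLEEP), ([L4_POLICY], SLEEP), ([L4_POLICY], OTHER), ([L7_POLICY], SLEEP)]:
        print([p["metadata"]["name"] for p in pols], who.rsplit("/", 1)[1],
              ztunnel_decision(pols, HTTPBIN, who, 8000))
```

The fourth case is the one the page demonstrates with the exit-code-56 curl: the sleep principal would pass the L4 part of the rule, but because the rule also carries `methods`, ztunnel refuses the connection outright instead of guessing. Feeding the model with `kubectl get authorizationpolicy -A -o json` output is a quick way to find policies that will fail closed before they reach a cluster without waypoints.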

Peer authentication

Istio’s peer authentication policies, which configure mutual TLS (mTLS) modes, are supported by ztunnel.

Because ztunnel and HBONE imply the use of mTLS, the DISABLE mode cannot be used in a policy that applies to ambient workloads. Such policies are ignored.

If you need to disable mTLS for an entire namespace, the only option is to remove the namespace from the ambient data plane by removing its istio.io/dataplane-mode label. Note that this takes every workload in the namespace out of the mesh, so they also lose ztunnel authorization policy enforcement, not just mTLS:

```bash
$ kubectl label namespace default istio.io/dataplane-mode-
```