Explicit Deny
This task shows you how to set up Istio authorization policy of DENY
action to explicitly deny traffic in an Istio mesh. This is different from the ALLOW
action because the DENY
action has higher priority and will not be bypassed by any ALLOW
actions.
Before you begin
Before you begin this task, do the following:
Read the Istio authorization concepts.
Follow the Istio installation guide to install Istio.
Deploy workloads:
This task uses two workloads,
httpbin
andcurl
, deployed on one namespace,foo
. Both workloads run with an Envoy proxy in front of each. Deploy the example namespace and workloads with the following command:$ kubectl create ns foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
$ kubectl apply -f <(istioctl kube-inject -f @samples/curl/curl.yaml@) -n foo
Verify that
curl
talks tohttpbin
with the following command:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200
If you don’t see the expected output as you follow the task, retry after a few seconds. Caching and propagation overhead can cause some delay.
Explicitly deny a request
The following command creates the
deny-method-get
authorization policy for thehttpbin
workload in thefoo
namespace. The policy sets theaction
toDENY
to deny requests that satisfy the conditions set in therules
section. This type of policy is better known as a deny policy. In this case, the policy denies requests if their method isGET
.$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-method-get
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
action: DENY
rules:
- to:
- operation:
methods: ["GET"]
EOF
Verify that
GET
requests are denied:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/get" -X GET -sS -o /dev/null -w "%{http_code}\n"
403
Verify that
POST
requests are allowed:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/post" -X POST -sS -o /dev/null -w "%{http_code}\n"
200
Update the
deny-method-get
authorization policy to denyGET
requests only if thex-token
value of the HTTP header is notadmin
. The following example policy sets the value of thenotValues
field to["admin"]
to deny requests with a header value that is notadmin
:$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-method-get
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
action: DENY
rules:
- to:
- operation:
methods: ["GET"]
when:
- key: request.headers[x-token]
notValues: ["admin"]
EOF
Verify that
GET
requests with the HTTP headerx-token: admin
are allowed:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -sS -o /dev/null -w "%{http_code}\n"
200
Verify that GET requests with the HTTP header
x-token: guest
are denied:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: guest" -sS -o /dev/null -w "%{http_code}\n"
403
The following command creates the
allow-path-ip
authorization policy to allow requests at the/ip
path to thehttpbin
workload. This authorization policy sets theaction
field toALLOW
. This type of policy is better known as an allow policy.$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: allow-path-ip
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
action: ALLOW
rules:
- to:
- operation:
paths: ["/ip"]
EOF
Verify that
GET
requests with the HTTP headerx-token: guest
at path/ip
are denied by thedeny-method-get
policy. Deny policies takes precedence over the allow policies:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: guest" -s -o /dev/null -w "%{http_code}\n"
403
Verify that
GET
requests with the HTTP headerx-token: admin
at path/ip
are allowed by theallow-path-ip
policy:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"
200
Verify that
GET
requests with the HTTP headerx-token: admin
at path/get
are denied because they don’t match theallow-path-ip
policy:$ kubectl exec "$(kubectl get pod -l app=curl -n foo -o jsonpath={.items..metadata.name})" -c curl -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"
403
Clean up
Remove the namespace foo
from your configuration:
$ kubectl delete namespace foo