Authorization for HTTP traffic
This task shows you how to set up Istio authorization for HTTP traffic in an Istio mesh.Learn more in our authorization concept page.
Before you begin
The activities in this task assume that you:
Read the authorization concept.
Follow the Istio installation guide to install Istio with mutual TLS enabled.
Deploy the Bookinfo sample application.
After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage
. Onthe product page, you can see the following sections:
- Book Details on the lower left side, which includes: book type, number ofpages, publisher, etc.
- Book Reviews on the lower right of the page.
When you refresh the page, the app shows different versions of reviews in the product page.The app presents the reviews in a round robin style: red stars, black stars, or no stars.
If you don’t see the expected output in the browser as you follow the task, retry in a few more secondsbecause some delay is possible due to caching and other propagation overhead.
Configure access control for workloads using HTTP traffic
Using Istio, you can easily setup access control for workloadsin your mesh. This task shows you how to set up access control using Istio authorization.First, you configure a simple deny-all
policy that rejects all requests to the workload,and then grant more access to the workload gradually and incrementally.
- Run the following command to create a
deny-all
policy in thedefault
namespace.The policy doesn’t have aselector
field, which applies the policy to every workload in thedefault
namespace. Thespec:
field of the policy has the empty value{}
.That value means that no traffic is permitted, effectively denying all requests.
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
{}
EOF
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
).You should see "RBAC: access denied"
. The error shows that the configured deny-all
policyis working as intended, and Istio doesn’t have any rules that allow any access toworkloads in the mesh.
- Run the following command to create a
productpage-viewer
policy to allow accesswithGET
method to theproductpage
workload. The policy does not set thefrom
field in therules
which means all sources are allowed, effectively allowingall users and workloads:
$ kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "productpage-viewer"
namespace: default
spec:
selector:
matchLabels:
app: productpage
rules:
- to:
- operation:
methods: ["GET"]
EOF
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
).Now you should see the “Bookinfo Sample” page.However, you can see the following errors on the page:
Error fetching product details
Error fetching product reviews
on the page.These errors are expected because we have not granted theproductpage
workload access to thedetails
andreviews
workloads. Next, you need toconfigure a policy to grant access to those workloads.
- Run the following command to create the
details-viewer
policy to allow theproductpage
workload, which issues requests using thecluster.local/ns/default/sa/bookinfo-productpage
service account, to access thedetails
workload throughGET
methods:
$ kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "details-viewer"
namespace: default
spec:
selector:
matchLabels:
app: details
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
to:
- operation:
methods: ["GET"]
EOF
- Run the following command to create a policy
reviews-viewer
to allow theproductpage
workload,which issues requests using thecluster.local/ns/default/sa/bookinfo-productpage
service account,to access thereviews
workload throughGET
methods:
$ kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "reviews-viewer"
namespace: default
spec:
selector:
matchLabels:
app: reviews
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
to:
- operation:
methods: ["GET"]
EOF
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). Now, you should see the “Bookinfo Sample”page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section,there is an error Ratings service currently unavailable
.
This is because the reviews
workload doesn’t have permission to access the ratings
workload.To fix this issue, you need to grant the reviews
workload access to the ratings
workload.Next, we configure a policy to grant the reviews
workload that access.
- Run the following command to create the
ratings-viewer
policy to allow thereviews
workload,which issues requests using thecluster.local/ns/default/sa/bookinfo-reviews
service account,to access theratings
workload throughGET
methods:
$ kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
name: "ratings-viewer"
namespace: default
spec:
selector:
matchLabels:
app: ratings
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
to:
- operation:
methods: ["GET"]
EOF
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
).You should see the “black” and “red” ratings in the “Book Reviews” section.
Congratulations! You successfully applied authorization policy to enforce accesscontrol for workloads using HTTP traffic.
Clean up
- Remove all authorization policies from your configuration:
$ kubectl delete authorizationpolicy.security.istio.io/deny-all
$ kubectl delete authorizationpolicy.security.istio.io/productpage-viewer
$ kubectl delete authorizationpolicy.security.istio.io/details-viewer
$ kubectl delete authorizationpolicy.security.istio.io/reviews-viewer
$ kubectl delete authorizationpolicy.security.istio.io/ratings-viewer
See also
Authorization Policy Trust Domain Migration
Shows how to migrate from one trust domain to another without changing authorization policy.
Shows how to set up access control for TCP traffic.
Describes Istio's authorization and authentication functionality.
Micro-Segmentation with Istio Authorization
Describe Istio's authorization feature and how to use it in various use cases.
Introducing the Istio v1beta1 Authorization Policy
Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
Authorization for groups and list claims
Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.