Authorization for TCP traffic
This task shows you how to set up Istio authorization for TCP traffic in an Istio mesh. You can learn more about Istio authorization in the authorization concept page.
Before you begin
The activities in this task assume that you:
- Read the authorization concept.
- Follow the Istio installation guide to install Istio with mutual TLS enabled.
- Deploy the Bookinfo sample application.
After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see the following sections:
- Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
- Book Reviews on the lower right of the page.
When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.
If you don’t see the expected output in the browser as you follow the task, retry in a few seconds because some delay is possible due to caching and other propagation overhead.
Configure access control for a TCP workload
By default, the Bookinfo example application only uses the HTTP protocol. To showcase the authorization of TCP traffic, you must update the application to use TCP. The following steps deploy the Bookinfo application and update its ratings workload to the v2 version, which talks to a MongoDB backend using TCP, and then apply the authorization policy to the MongoDB workload.
- Install v2 of the ratings workload with the bookinfo-ratings-v2 service account. If automatic sidecar injection is enabled in the namespace:
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
Otherwise, inject the sidecar manually:
$ kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml)
- Create the appropriate destination rules:
$ kubectl apply -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
Since the subset referenced in the virtual service rules relies on the destination rules, wait a few seconds for the destination rules to propagate before adding the virtual service rules.
- After the destination rules propagate, update the reviews workload to only use the v2 subset of the ratings workload:
$ kubectl apply -f samples/bookinfo/networking/virtual-service-ratings-db.yaml
- Go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see an error message on the Book Reviews section. The message reads: “Ratings service is currently unavailable.” The message appears because we now use the v2 subset of the ratings workload but we haven’t deployed the MongoDB workload.
- Deploy the MongoDB workload. If automatic sidecar injection is enabled in the namespace:
$ kubectl apply -f samples/bookinfo/platform/kube/bookinfo-db.yaml
Otherwise, inject the sidecar manually:
$ kubectl apply -f <(istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo-db.yaml)
Go to the Bookinfo product page at http://$GATEWAY_URL/productpage. Verify that the Book Reviews section shows the reviews.
With the MongoDB workload deployed and before we configure authorization to only allow authorized requests, we need to apply a default deny-all policy for the workload to ensure that all requests to the MongoDB workload are denied by default.
- Apply a default deny-all policy for the MongoDB workload:
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
spec:
  selector:
    matchLabels:
      app: mongodb
EOF
The policy has a selector but no rules, so no request can match it; once an ALLOW policy selects a workload, any request that matches none of its rules is denied, which is what makes this a deny-all policy.
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:
- The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
- The Book Reviews section on the lower right of the page includes an error message “Ratings service is currently unavailable”.
After configuring that all requests be denied by default, we need to create a bookinfo-ratings-v2 policy that lets requests coming from the cluster.local/ns/default/sa/bookinfo-ratings-v2 service account through to the MongoDB workload at port 27017. We grant access to the service account, because requests coming from the ratings-v2 workload are issued using the cluster.local/ns/default/sa/bookinfo-ratings-v2 service account.
- Enforce workload-level access control for TCP traffic coming from the cluster.local/ns/default/sa/bookinfo-ratings-v2 service account:
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-ratings-v2
spec:
  selector:
    matchLabels:
      app: mongodb
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-ratings-v2"]
    to:
    - operation:
        ports: ["27017"]
EOF
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should now see the following sections working as intended:
- Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
- Book Reviews on the lower right side, which includes: red stars.
Congratulations! You successfully deployed a workload communicating over TCP traffic and applied both a mesh-level and a workload-level authorization policy to enforce access control for the requests.
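The deny-all plus bookinfo-ratings-v2 flow above works because of the order in which Istio evaluates a workload's policies. The following Python model is an added example, not code from the Istio docs or codebase: it holds the task's two policies as dicts and replays the evaluation (matching DENY rules win first; then, once any ALLOW policy selects the workload, at least one ALLOW rule must match), modelling only exact principal matching and the principals/ports fields used on this page.

```python
"""Toy evaluator for how Istio decides a TCP connection against AuthorizationPolicy objects."""
from typing import Dict, List
# Constructed copies of the two policies applied in this task, as Python dicts.
DENY_ALL = {"name": "deny-all", "action": "ALLOW",
            "selector": {"app": "mongodb"}, "rules": []}
RATINGS_V2 = {"name": "bookinfo-ratings-v2", "action": "ALLOW",
              "selector": {"app": "mongodb"},
              "rules": [{"from": [{"source": {"principals":
                                   ["cluster.local/ns/default/sa/bookinfo-ratings-v2"]}}],
                         "to": [{"operation": {"ports": ["27017"]}}]}]}

def selects(policy: Dict, labels: Dict[str, str]) -> bool:
    """A policy applies to a workload when every matchLabels entry is present on it."""
    return all(labels.get(k) == v for k, v in policy["selector"].items())

def rule_matches(rule: Dict, conn: Dict) -> bool:
    """'from' and 'to' are ANDed; entries inside each list are ORed; an absent list matches all.
    conn['principal'] is the peer identity Istio derives from mTLS (empty without mTLS)."""
    froms, tos = rule.get("from"), rule.get("to")
    from_ok = not froms or any(conn["principal"] in f["source"].get("principals", [])
                               for f in froms)
    to_ok = not tos or any(str(conn["port"]) in t["operation"].get("ports", [])
                           for t in tos)
    return from_ok and to_ok

def evaluate(policies: List[Dict], labels: Dict[str, str], conn: Dict) -> str:
    """Return 'ALLOW' or 'DENY' in Istio's order: DENY policies first, then ALLOW policies."""
    applicable = [p for p in policies if selects(p, labels)]
    # Any matching DENY rule wins outright.
    for p in applicable:
        if p.get("action", "ALLOW") == "DENY" and any(rule_matches(r, conn) for r in p["rules"]):
            return "DENY"
    allows = [p for p in applicable if p.get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return "ALLOW"            # no ALLOW policy selects the workload: traffic is unrestricted
    # At least one ALLOW rule must match. A policy with an empty rules list (deny-all)
    # contributes no matching rule, which is exactly why it denies everything on its own.
    if any(rule_matches(r, conn) for p in allows for r in p["rules"]):
        return "ALLOW"
    return "DENY"

if __name__ == "__main__":
    mongodb = {"app": "mongodb"}
    ratings_sa = "cluster.local/ns/default/sa/bookinfo-ratings-v2"
    for label, policies, conn in [
        ("deny-all only", [DENY_ALL], {"principal": ratings_sa, "port": 27017}),
        ("both policies, ratings-v2 on 27017", [DENY_ALL, RATINGS_V2], {"principal": ratings_sa, "port": 27017}),
        ("both policies, other port", [DENY_ALL, RATINGS_V2], {"principal": ratings_sa, "port": 27018}),
    ]:
        print(f"{label}: {evaluate(policies, mongodb, conn)}")
```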
Cleanup
- Remove Istio authorization policy configuration:
$ kubectl delete authorizationpolicy.security.istio.io/deny-all
$ kubectl delete authorizationpolicy.security.istio.io/bookinfo-ratings-v2
- Remove v2 of the ratings workload and the MongoDB deployment:
$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml
$ kubectl delete -f samples/bookinfo/networking/destination-rule-all-mtls.yaml
$ kubectl delete -f samples/bookinfo/networking/virtual-service-ratings-db.yaml
$ kubectl delete -f samples/bookinfo/platform/kube/bookinfo-db.yaml
See also
- Authorization Policy Trust Domain Migration: Shows how to migrate from one trust domain to another without changing authorization policy.
- Authorization for HTTP traffic: Shows how to set up role-based access control for HTTP traffic.
- Describes Istio's authorization and authentication functionality.
- Micro-Segmentation with Istio Authorization: Describes Istio's authorization feature and how to use it in various use cases.
- Introducing the Istio v1beta1 Authorization Policy: Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
- Authorization for groups and list claims: Tutorial on how to configure the groups-based authorization and configure the authorization of list-typed claims in Istio.