Denials and White/Black Listing
This task shows how to control access to a service using simple denials, attribute-based white or black listing, or IP-based white or black listing.
Before you begin
- Set up Istio on Kubernetes by following the instructions in the Installation guide.
- Policy enforcement must be enabled in your cluster for this task. Follow the steps in Enabling Policy Enforcement to ensure that policy enforcement is enabled.
- Deploy the Bookinfo sample application.
- Initialize the application version routing to direct reviews service requests from test user “jason” to version v2 and requests from any other user to v3:
$ kubectl apply -f @samples/bookinfo/networking/virtual-service-all-v1.yaml@
and then run the following command:
$ kubectl apply -f @samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml@
If you are using a namespace other than default, use kubectl -n namespace … to specify the namespace.
Simple denials
Using Istio you can control access to a service based on any attributes that are available within Mixer. This simple form of access control is based on conditionally denying requests using Mixer selectors.
Consider the Bookinfo sample application where the ratings service is accessed by multiple versions of the reviews service. We would like to cut off access to version v3 of the reviews service.
- Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage).
If you log in as user “jason”, you should see black rating stars with each review, indicating that the ratings service is being called by the “v2” version of the reviews service.
If you log in as any other user (or log out) you should see red rating stars with each review, indicating that the ratings service is being called by the “v3” version of the reviews service.
- Explicitly deny access to version v3 of the reviews service.
Run the following command to set up the deny rule along with a handler and an instance.
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-label.yaml@
If you use Istio 1.1.2 or prior, please use the following configuration instead:
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml@
Notice the following in the denyreviewsv3 rule:
match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
It matches requests coming from the workload reviews with label v3 to the workload ratings.
This rule uses the denier adapter to deny requests coming from version v3 of the reviews service. The adapter always denies requests with a preconfigured status code and message. The status code and the message are specified in the denier adapter configuration.
- Refresh the productpage in your browser.
If you are logged out or logged in as any user other than “jason” you will no longer see red rating stars because the reviews:v3 service has been denied access to the ratings service. In contrast, if you log in as user “jason” (the reviews:v2 user) you continue to see the black rating stars.
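For reference, this is the shape of a denier handler, checknothing instance and rule that implement the denyreviewsv3 match quoted above. It is an added illustration written in the Istio 1.1 Mixer configuration format, not a copy of the sample file the task applies; the handler and instance names are assumptions.

```yaml
# Added example, not the task's sample file. Istio 1.1 "handler/instance/rule"
# format (compiledAdapter / compiledTemplate). Istio 1.1.2 or prior uses the
# adapter-specific CRD kinds instead (kind: denier, kind: checknothing).
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: denyreviewsv3handler      # name is an assumption
  namespace: istio-system
spec:
  compiledAdapter: denier
  params:
    # The denier adapter returns this status unconditionally whenever the
    # rule fires; gRPC code 7 is PERMISSION_DENIED, surfaced to the caller
    # as HTTP 403.
    status:
      code: 7
      message: Not allowed
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: denyreviewsv3request      # name is an assumption
  namespace: istio-system
spec:
  # checknothing carries no data: the whole decision is the rule's match.
  compiledTemplate: checknothing
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: denyreviewsv3
  namespace: istio-system
spec:
  # Exactly the match shown in the task: only reviews:v3 -> ratings calls
  # are denied. Every other source, including reviews:v2, is untouched,
  # so this is a deny-list, allow-by-default policy.
  match: destination.labels["app"] == "ratings" && source.labels["app"]=="reviews" && source.labels["version"] == "v3"
  actions:
  - handler: denyreviewsv3handler
    instances: [ denyreviewsv3request ]
```

Because the rule only ever denies, a typo in the match silently denies nothing; confirm the effect in the productpage as the task's step 3 describes rather than trusting that the object was accepted.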
Attribute-based whitelists or blacklists
Istio supports attribute-based whitelists and blacklists. The following whitelist configuration is equivalent to the denier configuration in the previous section. The rule effectively rejects requests from version v3 of the reviews service.
- Remove the denier configuration that you added in the previous section.
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-label.yaml@
If you are using Istio 1.1.2 or prior:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-label-crd.yaml@
- Verify that when you access the Bookinfo productpage (http://$GATEWAY_URL/productpage) without logging in, you see red stars. After performing the following steps you will no longer be able to see stars unless you are logged in as “jason”.
- Apply configuration for the list adapter that white-lists versions v1 and v2:
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml@
If you use Istio 1.1.2 or prior, please use the following configuration instead:
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml@
- Verify that when you access the Bookinfo productpage (http://$GATEWAY_URL/productpage) without logging in, you see no stars. Verify that after logging in as “jason” you see black stars.
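The whitelist that the steps above apply has this shape: a listchecker handler holding the allowed versions, a listentry instance that extracts the caller's version label, and a rule that runs the check for every call to ratings. This is an added illustration in the Istio 1.1 Mixer format, not the sample file itself, and the object names are assumptions.

```yaml
# Added example, not the task's sample file: a listchecker whitelist that
# admits only reviews versions v1 and v2 at the ratings service.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelist                 # name is an assumption
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    # overrides is a static list checked in-process. Production lists are
    # normally fetched and refreshed from a providerUrl instead.
    overrides: ["v1", "v2"]
    # blacklist: false means "allow only what is listed". Setting it to
    # true turns the same entries into a deny-list with allow-by-default,
    # which is the weaker posture: a new, unlisted version is admitted.
    blacklist: false
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: appversion                # name is an assumption
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    # The value looked up in the list: the calling workload's version label.
    # Only listed values pass; reviews:v3 (and any caller carrying some
    # other value) is not admitted.
    value: source.labels["version"]
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkversion              # name is an assumption
  namespace: istio-system
spec:
  # Unlike the denier rule, the match selects every call to ratings;
  # the allow/deny decision comes from the list lookup, not from the match.
  match: destination.labels["app"] == "ratings"
  actions:
  - handler: whitelist
    instances: [ appversion ]
```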
IP-based whitelists or blacklists
Istio supports whitelists and blacklists based on IP address. You can configure Istio to accept or reject requests from a specific IP address or a subnet.
- Verify you can access the Bookinfo productpage found at http://$GATEWAY_URL/productpage. You won’t be able to access it once you apply the rules below.
- Apply configuration for the list adapter that white-lists subnet "10.57.0.0/16" at the ingress gateway:
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-ip.yaml@
If you use Istio 1.1.2 or prior, please use the following configuration instead:
$ kubectl apply -f @samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml@
- Try to access the Bookinfo productpage at http://$GATEWAY_URL/productpage and verify that you get an error similar to:
PERMISSION_DENIED:staticversion.istio-system:<your mesh source ip> is not whitelisted
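The IP whitelist differs from the version whitelist in two ways: the list entries are CIDR ranges (entryType IP_ADDRESSES) and the rule is scoped to the ingress gateway. The configuration below is an added illustration in the Istio 1.1 Mixer format, not the sample file; the object names are assumptions.

```yaml
# Added example, not the task's sample file: a listchecker whitelist of
# source IP ranges, evaluated only for traffic entering at the ingress gateway.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: whitelistip               # name is an assumption
  namespace: istio-system
spec:
  compiledAdapter: listchecker
  params:
    # IP_ADDRESSES makes each entry a CIDR range and the lookup a subnet
    # match rather than a string comparison.
    overrides: ["10.57.0.0/16"]
    blacklist: false
    entryType: IP_ADDRESSES
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: sourceip                  # name is an assumption
  namespace: istio-system
spec:
  compiledTemplate: listentry
  params:
    # source.ip is the peer address the gateway sees. The "|" default makes
    # a request with no source.ip attribute evaluate as 0.0.0.0, which is
    # outside the whitelist, so a missing attribute fails closed.
    value: source.ip | ip("0.0.0.0")
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkip                   # name is an assumption
  namespace: istio-system
spec:
  # Scope the check to the ingress gateway. Inside the mesh the peer
  # address is a pod IP, which is not a meaningful thing to filter on.
  match: source.labels["istio"] == "ingressgateway"
  actions:
  - handler: whitelistip
    instances: [ sourceip ]
```

The address that ends up in the error message is whatever the gateway recorded as source.ip; behind a cloud load balancer that is often the load balancer's address rather than the client's, so check the value reported in the PERMISSION_DENIED message before deciding what to put on the list.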
Cleanup
- Remove the Mixer configuration for simple denials:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-label.yaml@
- Remove the Mixer configuration for attribute-based white- and blacklisting:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-whitelist.yaml@
If you are using Istio 1.1.2 or prior:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-whitelist-crd.yaml@
- Remove the Mixer configuration for IP-based white- and blacklisting:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-ip.yaml@
If you are using Istio 1.1.2 or prior:
$ kubectl delete -f @samples/bookinfo/policy/mixer-rule-deny-ip-crd.yaml@
- Remove the application routing rules:
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-all-v1.yaml@
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-reviews-jason-v2-v3.yaml@
- If you are not planning to explore any follow-on tasks, refer to the Bookinfo cleanup instructions to shut down the application.