Authorization for groups and list claims

This tutorial walks you through examples to configure the groups-baseauthorization and the authorization of list-typed claims in Istio.

Before you begin

Setup the required namespace and services

This tutorial runs in a new namespace called rbac-groups-test-ns,with two services, httpbin and sleep, both running with an Envoy sidecarproxy. The following command sets an environmental variable to store thename of the namespace, creates the namespace, and starts the two services.Before running the following command, you need to enter the directorycontaining the Istio installation files.

  • Set the value of the NS environmental variable to rbac-groups-test-ns:
  1. $ export NS=rbac-groups-test-ns
  • Make sure that the NS environmental variable points to a testing-onlynamespace. Run the following command to delete all resources in the namespacepointed by the NS environmental variable.
  1. $ kubectl delete namespace $NS
  • Create the namespace for this tutorial:
  1. $ kubectl create ns $NS
  • Create the httpbin and sleep services and deployments:

ZipZip

  1. $ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n $NS
  2. $ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n $NS
  • To verify that httpbin and sleep services are running and sleep is able toreach httpbin, run the following curl command:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n"

When the command succeeds, it returns the HTTP code 200.

Configure JSON Web Token (JWT) authentication with mutual TLS

The authentication policy you apply next enforces that a valid JWT is needed toaccess the httpbin service.The JSON Web Key Set (JWKS) endpoint defined in the policy must sign the JWT.This tutorial uses theJWKS endpointfrom the Istio code base and usesthis sample JWT.The sample JWT contains a JWT claim with a groups claim key and a list ofstrings, ["group1", "group2"] as the claim value.The JWT claim value could either be a string or a list of strings; both typesare supported.

  • Apply an authentication policy to require both mutual TLS andJWT authentication for httpbin.
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "authentication.istio.io/v1alpha1"
  3. kind: "Policy"
  4. metadata:
  5. name: "require-mtls-jwt"
  6. spec:
  7. targets:
  8. - name: httpbin
  9. peers:
  10. - mtls: {}
  11. origins:
  12. - jwt:
  13. issuer: "testing@secure.istio.io"
  14. jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json"
  15. principalBinding: USE_ORIGIN
  16. EOF
  • Apply a DestinationRule policy on sleep to use mutual TLS whencommunicating with httpbin.
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: networking.istio.io/v1alpha3
  3. kind: DestinationRule
  4. metadata:
  5. name: use-mtls-on-sleep
  6. spec:
  7. host: httpbin.$NS.svc.cluster.local
  8. trafficPolicy:
  9. tls:
  10. mode: ISTIO_MUTUAL
  11. EOF
  • Set the TOKEN environmental variable to contain a valid sample JWT.
  1. $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/groups-scope.jwt -s)
  • Connect to the httpbin service:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n" --header "Authorization: Bearer $TOKEN"

When a valid JWT is attached, it returns the HTTP code 200.

  • Verify that the connection to the httpbin service fails when the JWT is not attached:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n"

When no valid JWT is attached, it returns the HTTP code 401.

Configure groups-based authorization

This section creates a policy to authorize the access to the httpbinservice if the requests are originated from specific groups.As there may be some delays due to caching and other propagation overhead,wait until the newly defined RBAC policy to take effect.

  • Enable the Istio RBAC for the namespace:
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "rbac.istio.io/v1alpha1"
  3. kind: ClusterRbacConfig
  4. metadata:
  5. name: default
  6. spec:
  7. mode: 'ON_WITH_INCLUSION'
  8. inclusion:
  9. namespaces: ["rbac-groups-test-ns"]
  10. EOF
  • Once the RBAC policy takes effect, verify that Istio rejected the curlconnection to the httpbin service:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n" --header "Authorization: Bearer $TOKEN"

Once the RBAC policy takes effect, the command returns the HTTP code 403.

  • To give read access to the httpbin service, create the httpbin-viewerservice role:
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "rbac.istio.io/v1alpha1"
  3. kind: ServiceRole
  4. metadata:
  5. name: httpbin-viewer
  6. namespace: rbac-groups-test-ns
  7. spec:
  8. rules:
  9. - services: ["httpbin.rbac-groups-test-ns.svc.cluster.local"]
  10. methods: ["GET"]
  11. EOF
  • To assign the httpbin-viewer role to users in group1, create thebind-httpbin-viewer service role binding.
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "rbac.istio.io/v1alpha1"
  3. kind: ServiceRoleBinding
  4. metadata:
  5. name: bind-httpbin-viewer
  6. namespace: rbac-groups-test-ns
  7. spec:
  8. subjects:
  9. - properties:
  10. request.auth.claims[groups]: "group1"
  11. roleRef:
  12. kind: ServiceRole
  13. name: "httpbin-viewer"
  14. EOF

Alternatively, you can specify the group property under subjects.Both ways to specify the group are equivalent.Currently, Istio only supports matching against a list of strings inthe JWT for the request.auth.claims property and the group property undersubjects.

To specify the group property under subjects, use the following command:

  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "rbac.istio.io/v1alpha1"
  3. kind: ServiceRoleBinding
  4. metadata:
  5. name: bind-httpbin-viewer
  6. namespace: rbac-groups-test-ns
  7. spec:
  8. subjects:
  9. - group: "group1"
  10. roleRef:
  11. kind: ServiceRole
  12. name: "httpbin-viewer"
  13. EOF

Wait for the newly defined RBAC policy to take effect.

  • After the RBAC policy takes effect, verify the connection to the httpbinservice succeeds:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n" --header "Authorization: Bearer $TOKEN"

The HTTP header including a valid JWT with the groups claimvalue of ["group1", "group2"] returns HTTP code 200since it contains group1.

Configure the authorization of list-typed claims

Istio RBAC supports configuring the authorization of list-typed claims.The example JWT contains a JWT claim with a scope claim key anda list of strings, ["scope1", "scope2"] as the claim value.You may use the gen-jwtpython scriptto generate a JWT with other list-typed claims for testing purposes.Follow the instructions in the gen-jwt script to use the gen-jwt.py file.

  • To assign the httpbin-viewer role to a request with a JWT including alist-typed scope claim with the value of scope1,create a service role binding with name bind-httpbin-viewer:
  1. $ cat <<EOF | kubectl apply -n $NS -f -
  2. apiVersion: "rbac.istio.io/v1alpha1"
  3. kind: ServiceRoleBinding
  4. metadata:
  5. name: bind-httpbin-viewer
  6. namespace: rbac-groups-test-ns
  7. spec:
  8. subjects:
  9. - properties:
  10. request.auth.claims[scope]: "scope1"
  11. roleRef:
  12. kind: ServiceRole
  13. name: "httpbin-viewer"
  14. EOF

Wait for the newly defined RBAC policy to take effect.

  • After the RBAC policy takes effect, verify that the connection tothe httpbin service succeeds:
  1. $ kubectl exec $(kubectl get pod -l app=sleep -n $NS -o jsonpath={.items..metadata.name}) -c sleep -n $NS -- curl http://httpbin.$NS:8000/ip -s -o /dev/null -w "%{http_code}\n" --header "Authorization: Bearer $TOKEN"

The HTTP header including a valid JWT with the scope claimvalue of ["scope1", "scope2"] returns HTTP code 200since it contains scope1.

Cleanup

After completing this tutorial, run the following command to delete allresources created in the namespace.

  1. $ kubectl delete namespace $NS

相关内容

Micro-Segmentation with Istio Authorization

Describe Istio's authorization feature and how to use it in various use cases.

Authorization for HTTP Services

Shows how to set up role-based access control for HTTP services.

TCP 服务的权限控制

展示如何为 TCP 服务设置基于角色的权限控制。

安全

描述 Istio 的授权与鉴权功能。

Multi-mesh deployments for isolation and boundary protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.

App Identity and Access Adapter

Using Istio to secure multi-cloud Kubernetes applications with zero code changes.