Authorization for HTTP Services

This task covers the activities you might need to perform to set up Istio authorization, also known as Istio Role Based Access Control (RBAC), for HTTP services in an Istio mesh. You can read more in authorization and get started with a basic tutorial in Istio Security Basics.

Before you begin

The activities in this task assume that you:

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see the following sections:

  • Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
  • Book Reviews on the lower right of the page. When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.

Enabling Istio authorization

Run the following command to enable Istio authorization for the default namespace. The file creates an RbacConfig resource, the mesh-wide switch for Istio authorization, scoped so that enforcement applies only to services in the default namespace:

  $ kubectl apply -f samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see "RBAC: access denied". This is because Istio authorization is “deny by default”: once enforcement is enabled for a namespace, you need to explicitly define access control policy to grant access to any service in it.

There may be some delays due to caching and other propagation overhead.

Enforcing Namespace-level access control

Using Istio authorization, you can easily set up namespace-level access control by specifying that all (or a collection of) services in a namespace are accessible by services from another namespace.

In our Bookinfo sample, the productpage, reviews, details, ratings services are deployed in the default namespace. The Istio components like the istio-ingressgateway service are deployed in the istio-system namespace. We can define a policy that any service in the default namespace that has the app label set to one of the values productpage, details, reviews, or ratings is accessible by services in the same namespace (i.e., default) and services in the istio-system namespace.

Run the following command to create a namespace-level access control policy:

  $ kubectl apply -f samples/bookinfo/platform/kube/rbac/namespace-policy.yaml

Once applied, the policy has the following effects:

  • Creates a ServiceRole service-viewer which allows read access to any service in the default namespace that has the app label set to one of the values productpage, details, reviews, or ratings. Note that there is a constraint specifying that the services must have one of the listed app labels; the services: ["*"] entry alone would match every service in the namespace.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: service-viewer
      namespace: default
    spec:
      rules:
      - services: ["*"]
        methods: ["GET"]
        constraints:
        - key: "destination.labels[app]"
          values: ["productpage", "details", "reviews", "ratings"]

  • Creates a ServiceRoleBinding bind-service-viewer that assigns the service-viewer role to all services in the istio-system and default namespaces.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-service-viewer
      namespace: default
    spec:
      subjects:
      - properties:
          source.namespace: "istio-system"
      - properties:
          source.namespace: "default"
      roleRef:
        kind: ServiceRole
        name: "service-viewer"

You can expect to see output similar to the following:

  servicerole "service-viewer" created
  servicerolebinding "bind-service-viewer" created

Now if you point your browser at Bookinfo’s productpage (http://$GATEWAY_URL/productpage), you should see the “Bookinfo Sample” page, with the “Book Details” section in the lower left part and the “Book Reviews” section in the lower right part.

There may be some delays due to caching and other propagation overhead.

Cleanup namespace-level access control

Remove the following configuration before you proceed to the next task:

  $ kubectl delete -f samples/bookinfo/platform/kube/rbac/namespace-policy.yaml

Enforcing Service-level access control

This task shows you how to set up service-level access control using Istio authorization. Before you start, please make sure that:

Step 1. allowing access to the productpage service

In this step, we will create a policy that allows external requests to access the productpage service via Ingress.

Run the following command:

  $ kubectl apply -f samples/bookinfo/platform/kube/rbac/productpage-policy.yaml

Once applied, the policy has the following effects:

  • Creates a ServiceRole productpage-viewer which allows read access to the productpage service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: productpage-viewer
      namespace: default
    spec:
      rules:
      - services: ["productpage.default.svc.cluster.local"]
        methods: ["GET"]

  • Creates a ServiceRoleBinding bind-productpage-viewer which assigns the productpage-viewer role to all users and services. The subject user: "*" matches every caller, authenticated or not, which is what lets external requests arriving through the ingress gateway reach productpage; use it only for services that are meant to be public.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-productpage-viewer
      namespace: default
    spec:
      subjects:
      - user: "*"
      roleRef:
        kind: ServiceRole
        name: "productpage-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page, but with the errors Error fetching product details and Error fetching product reviews on the page. These errors are expected because we have not granted the productpage service access to the details and reviews services. We will fix the errors in the following steps.

There may be some delays due to caching and other propagation overhead.

Step 2. allowing access to the details and reviews services

We will create a policy to allow the productpage service to access the details and reviews services. Note that in the setup step, we created the bookinfo-productpage service account for the productpage service. This bookinfo-productpage service account is the authenticated identity for the productpage service: the sidecar derives it from the client certificate presented over mutual TLS, so mutual TLS must be enabled between the services for the user subject below to match.

Run the following command:

  $ kubectl apply -f samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml

Once applied, the policy has the following effects:

  • Creates a ServiceRole details-reviews-viewer which allows read access to the details and reviews services.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: details-reviews-viewer
      namespace: default
    spec:
      rules:
      - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
        methods: ["GET"]

  • Creates a ServiceRoleBinding bind-details-reviews which assigns the details-reviews-viewer role to the cluster.local/ns/default/sa/bookinfo-productpage service account (representing the productpage service).

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-details-reviews
      namespace: default
    spec:
      subjects:
      - user: "cluster.local/ns/default/sa/bookinfo-productpage"
      roleRef:
        kind: ServiceRole
        name: "details-reviews-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section, there is an error Ratings service currently unavailable. This is because the “reviews” service does not have permission to access the “ratings” service. To fix this issue, you need to grant the reviews service access to the ratings service. We will show how to do that in the next step.

There may be some delays due to caching and other propagation overhead.

Step 3. allowing access to the ratings service

We will create a policy to allow the reviews service to access the ratings service. Note that in the setup step, we created a bookinfo-reviews service account for the reviews service. This service account is the authenticated identity for the reviews service.

Run the following command to create a policy that allows the reviews service to access the ratings service.

  $ kubectl apply -f samples/bookinfo/platform/kube/rbac/ratings-policy.yaml

Once applied, the policy has the following effects:

  • Creates a ServiceRole ratings-viewer which allows read access to the ratings service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: ratings-viewer
      namespace: default
    spec:
      rules:
      - services: ["ratings.default.svc.cluster.local"]
        methods: ["GET"]

  • Creates a ServiceRoleBinding bind-ratings which assigns the ratings-viewer role to the cluster.local/ns/default/sa/bookinfo-reviews service account, which represents the reviews service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-ratings
      namespace: default
    spec:
      subjects:
      - user: "cluster.local/ns/default/sa/bookinfo-reviews"
      roleRef:
        kind: ServiceRole
        name: "ratings-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “black” and “red” ratings in the “Book Reviews” section.

There may be some delays due to caching and other propagation overhead.
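To make the deny-by-default behaviour of the namespace-level policy and of the three service-level steps above concrete, here is an added example (written for this page, not Istio's own code) that models how a sidecar evaluates the ServiceRole and ServiceRoleBinding objects shown on this page: a request is allowed only when a binding in the destination namespace matches the caller and the role it references has a rule matching the service, method and constraints. It assumes authorization is already enabled for the default namespace, that the caller identity has been taken from its mutual TLS certificate, and that the ingress gateway runs as the istio-ingressgateway-service-account service account (an assumption; check your own deployment). The request objects are constructed sample input.

```python
# Added example, not Istio's own code: a small model of how the v1alpha1
# ServiceRole / ServiceRoleBinding policies on this page are evaluated.
# Assumptions: authorization is enabled for the "default" namespace (so the
# result is deny by default), source_user comes from the caller's mTLS
# certificate, and the ingress gateway's service account name is assumed.
from dataclasses import dataclass

@dataclass
class Request:
    source_user: str        # caller identity from its certificate, "" if unauthenticated
    source_namespace: str
    dest_service: str       # FQDN of the destination service
    dest_namespace: str
    dest_labels: dict       # labels of the destination workload
    method: str

def match(pattern: str, value: str) -> bool:
    # v1alpha1 string matching: exact value, "*", "prefix*" or "*suffix"
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def subject_matches(subject: dict, req: Request) -> bool:
    # a subject may name a user and/or properties; every field given must match
    if "user" in subject and not match(subject["user"], req.source_user):
        return False
    for key, want in subject.get("properties", {}).items():
        if key != "source.namespace" or not match(want, req.source_namespace):
            return False  # unknown property keys fail closed
    return True

def rule_matches(rule: dict, req: Request) -> bool:
    # a rule must match the service, the method and every constraint
    if not any(match(s, req.dest_service) for s in rule["services"]):
        return False
    if not any(match(m, req.method) for m in rule.get("methods", ["*"])):
        return False
    for c in rule.get("constraints", []):
        key = c["key"]
        if not (key.startswith("destination.labels[") and key.endswith("]")):
            return False  # unsupported constraint key: fail closed
        have = req.dest_labels.get(key[len("destination.labels["):-1], "")
        if not any(match(v, have) for v in c["values"]):
            return False
    return True

def authorize(roles: dict, bindings: list, req: Request) -> bool:
    # allow only if a binding in the destination namespace matches the caller
    # and the ServiceRole it references has a rule matching the request
    for b in bindings:
        if b["namespace"] != req.dest_namespace:
            continue
        if not any(subject_matches(s, req) for s in b["subjects"]):
            continue
        if any(rule_matches(r, req) for r in roles.get((b["namespace"], b["role"]), [])):
            return True
    return False  # deny by default

# The page's ServiceRoles, keyed by (namespace, name); each value is its rule list.
ROLES = {
    ("default", "service-viewer"): [{"services": ["*"], "methods": ["GET"], "constraints": [
        {"key": "destination.labels[app]", "values": ["productpage", "details", "reviews", "ratings"]}]}],
    ("default", "productpage-viewer"): [{"services": ["productpage.default.svc.cluster.local"], "methods": ["GET"]}],
    ("default", "details-reviews-viewer"): [{"services": ["details.default.svc.cluster.local",
                                                          "reviews.default.svc.cluster.local"], "methods": ["GET"]}],
    ("default", "ratings-viewer"): [{"services": ["ratings.default.svc.cluster.local"], "methods": ["GET"]}],
}
# The page's ServiceRoleBindings, keyed by the sample file that creates each one.
BINDINGS = {
    "namespace-policy": {"namespace": "default", "role": "service-viewer", "subjects": [
        {"properties": {"source.namespace": "istio-system"}}, {"properties": {"source.namespace": "default"}}]},
    "productpage-policy": {"namespace": "default", "role": "productpage-viewer", "subjects": [{"user": "*"}]},
    "details-reviews-policy": {"namespace": "default", "role": "details-reviews-viewer",
                               "subjects": [{"user": "cluster.local/ns/default/sa/bookinfo-productpage"}]},
    "ratings-policy": {"namespace": "default", "role": "ratings-viewer",
                       "subjects": [{"user": "cluster.local/ns/default/sa/bookinfo-reviews"}]},
}

def svc(name: str) -> str:
    return f"{name}.default.svc.cluster.local"

# Constructed requests for the three hops behind the product page (ingress SA name assumed).
INGRESS_TO_PRODUCTPAGE = Request("cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account",
                                 "istio-system", svc("productpage"), "default", {"app": "productpage"}, "GET")
PRODUCTPAGE_TO_DETAILS = Request("cluster.local/ns/default/sa/bookinfo-productpage", "default",
                                 svc("details"), "default", {"app": "details"}, "GET")
REVIEWS_TO_RATINGS = Request("cluster.local/ns/default/sa/bookinfo-reviews", "default",
                             svc("ratings"), "default", {"app": "ratings"}, "GET")

def check(applied: list, req: Request) -> bool:
    # evaluate req with only the listed sample files applied, e.g.
    # check(["productpage-policy"], PRODUCTPAGE_TO_DETAILS) -> False
    return authorize(ROLES, [BINDINGS[n] for n in applied], req)
```

Calling check with the file names applied so far reproduces the page: with only productpage-policy the ingress hop is allowed but productpage cannot reach details (the "Error fetching product details" state), adding details-reviews-policy fixes that but leaves reviews unable to reach ratings, and adding ratings-policy completes the chain. The model also shows two things the page's prose only implies: under the namespace policy a GET to a service whose app label is not in the constraint list is still denied, and a caller whose certificate identity is not the bound service account gets nothing from a user-specific binding even when it sits in the same namespace.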

Cleanup

  • Remove Istio authorization policy configuration:

  $ kubectl delete -f samples/bookinfo/platform/kube/rbac/ratings-policy.yaml
  $ kubectl delete -f samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml
  $ kubectl delete -f samples/bookinfo/platform/kube/rbac/productpage-policy.yaml

Alternatively, you can delete all ServiceRole and ServiceRoleBinding resources in the current namespace by running the following commands:

  $ kubectl delete servicerole --all
  $ kubectl delete servicerolebinding --all

  • Disable Istio authorization:

  $ kubectl delete -f samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml

Related content

Authorization for TCP Services

Shows how to set up role-based access control for TCP services.

Security

Describes Istio's authorization and authentication features.

Micro-Segmentation with Istio Authorization

Describe Istio's authorization feature and how to use it in various use cases.

Authorization for groups and list claims

Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.

Multi-mesh deployments for isolation and boundary protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.

App Identity and Access Adapter

Using Istio to secure multi-cloud Kubernetes applications with zero code changes.