Authorization for HTTP traffic

This task shows you how to set up Istio authorization for HTTP traffic in an Istio mesh. Learn more in our authorization concept page.

Before you begin

The activities in this task assume that you:

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see the following sections:

  • Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
  • Book Reviews on the lower right of the page.

When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.

If you don’t see the expected output in the browser as you follow the task, retry in a few more seconds because some delay is possible due to caching and other propagation overhead.

This task requires mutual TLS enabled because the following examples use principal and namespace in the policies.

Configure access control for workloads using HTTP traffic

Using Istio, you can easily setup access control for workloads in your mesh. This task shows you how to set up access control using Istio authorization. First, you configure a simple deny-all policy that rejects all requests to the workload, and then grant more access to the workload gradually and incrementally.

  1. Run the following command to create a deny-all policy in the default namespace. The policy doesn’t have a selector field, which applies the policy to every workload in the default namespace. The spec: field of the policy has the empty value {}. That value means that no traffic is permitted, effectively denying all requests.

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: security.istio.io/v1beta1
    3. kind: AuthorizationPolicy
    4. metadata:
    5. name: deny-all
    6. namespace: default
    7. spec:
    8. {}
    9. EOF

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see "RBAC: access denied". The error shows that the configured deny-all policy is working as intended, and Istio doesn’t have any rules that allow any access to workloads in the mesh.

  2. Run the following command to create a productpage-viewer policy to allow access with GET method to the productpage workload. The policy does not set the from field in the rules which means all sources are allowed, effectively allowing all users and workloads:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "AuthorizationPolicy"
    4. metadata:
    5. name: "productpage-viewer"
    6. namespace: default
    7. spec:
    8. selector:
    9. matchLabels:
    10. app: productpage
    11. rules:
    12. - to:
    13. - operation:
    14. methods: ["GET"]
    15. EOF

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page. However, you can see the following errors on the page:

    • Error fetching product details
    • Error fetching product reviews on the page.

    These errors are expected because we have not granted the productpage workload access to the details and reviews workloads. Next, you need to configure a policy to grant access to those workloads.

  3. Run the following command to create the details-viewer policy to allow the productpage workload, which issues requests using the cluster.local/ns/default/sa/bookinfo-productpage service account, to access the details workload through GET methods:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "AuthorizationPolicy"
    4. metadata:
    5. name: "details-viewer"
    6. namespace: default
    7. spec:
    8. selector:
    9. matchLabels:
    10. app: details
    11. rules:
    12. - from:
    13. - source:
    14. principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    15. to:
    16. - operation:
    17. methods: ["GET"]
    18. EOF
  4. Run the following command to create a policy reviews-viewer to allow the productpage workload, which issues requests using the cluster.local/ns/default/sa/bookinfo-productpage service account, to access the reviews workload through GET methods:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "AuthorizationPolicy"
    4. metadata:
    5. name: "reviews-viewer"
    6. namespace: default
    7. spec:
    8. selector:
    9. matchLabels:
    10. app: reviews
    11. rules:
    12. - from:
    13. - source:
    14. principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    15. to:
    16. - operation:
    17. methods: ["GET"]
    18. EOF

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now, you should see the “Bookinfo Sample” page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section, there is an error Ratings service currently unavailable.

    This is because the reviews workload doesn’t have permission to access the ratings workload. To fix this issue, you need to grant the reviews workload access to the ratings workload. Next, we configure a policy to grant the reviews workload that access.

  5. Run the following command to create the ratings-viewer policy to allow the reviews workload, which issues requests using the cluster.local/ns/default/sa/bookinfo-reviews service account, to access the ratings workload through GET methods:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: "security.istio.io/v1beta1"
    3. kind: "AuthorizationPolicy"
    4. metadata:
    5. name: "ratings-viewer"
    6. namespace: default
    7. spec:
    8. selector:
    9. matchLabels:
    10. app: ratings
    11. rules:
    12. - from:
    13. - source:
    14. principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    15. to:
    16. - operation:
    17. methods: ["GET"]
    18. EOF

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see the “black” and “red” ratings in the “Book Reviews” section.

    Congratulations! You successfully applied authorization policy to enforce access control for workloads using HTTP traffic.

Clean up

  1. Remove all authorization policies from your configuration:

    1. $ kubectl delete authorizationpolicy.security.istio.io/deny-all
    2. $ kubectl delete authorizationpolicy.security.istio.io/productpage-viewer
    3. $ kubectl delete authorizationpolicy.security.istio.io/details-viewer
    4. $ kubectl delete authorizationpolicy.security.istio.io/reviews-viewer
    5. $ kubectl delete authorizationpolicy.security.istio.io/ratings-viewer

See also

Authorization Policy Trust Domain Migration

Shows how to migrate from one trust domain to another without changing authorization policy.

Authorization for TCP traffic

How to set up access control for TCP traffic.

Authorization on Ingress Gateway

How to set up access control on an ingress gateway.

Authorization policies with a deny action

Shows how to set up access control to deny traffic explicitly.

External authorization with custom action

Shows how to integrate and delegate access control to an external authorization system.

Security

Describes Istio’s authorization and authentication functionality.