Authorization for HTTP traffic
This task shows you how to set up Istio authorization for HTTP traffic in an Istio mesh. Learn more in our authorization concept page.
Before you begin
The activities in this task assume that you:
Read the authorization concept.
Follow the Istio installation guide to install Istio with mutual TLS enabled.
Deploy the Bookinfo sample application.
After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On
the product page, you can see the following sections:
- Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
- Book Reviews on the lower right of the page.
When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.
Configure access control for workloads using HTTP traffic
Using Istio, you can easily setup access control for workloads
in your mesh. This task shows you how to set up access control using Istio authorization.
First, you configure a simple deny-all policy that rejects all requests to the workload,
and then grant more access to the workload gradually and incrementally.
Run the following command to create a
deny-allpolicy in thedefaultnamespace. The policy doesn’t have aselectorfield, which applies the policy to every workload in thedefaultnamespace. Thespec:field of the policy has the empty value{}. That value means that no traffic is permitted, effectively denying all requests.$ kubectl apply -f - <<EOF apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-all namespace: default spec: {} EOFPoint your browser at the Bookinfo
productpage(http://$GATEWAY_URL/productpage). You should see"RBAC: access denied". The error shows that the configureddeny-allpolicy is working as intended, and Istio doesn’t have any rules that allow any access to workloads in the mesh.Run the following command to create a
productpage-viewerpolicy to allow access withGETmethod to theproductpageworkload. The policy does not set thefromfield in theruleswhich means all sources are allowed, effectively allowing all users and workloads:$ kubectl apply -f - <<EOF apiVersion: "security.istio.io/v1beta1" kind: "AuthorizationPolicy" metadata: name: "productpage-viewer" namespace: default spec: selector: matchLabels: app: productpage rules: - to: - operation: methods: ["GET"] EOFPoint your browser at the Bookinfo
productpage(http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page. However, you can see the following errors on the page:Error fetching product detailsError fetching product reviewson the page.
These errors are expected because we have not granted the
productpageworkload access to thedetailsandreviewsworkloads. Next, you need to configure a policy to grant access to those workloads.Run the following command to create the
details-viewerpolicy to allow theproductpageworkload, which issues requests using thecluster.local/ns/default/sa/bookinfo-productpageservice account, to access thedetailsworkload throughGETmethods:$ kubectl apply -f - <<EOF apiVersion: "security.istio.io/v1beta1" kind: "AuthorizationPolicy" metadata: name: "details-viewer" namespace: default spec: selector: matchLabels: app: details rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"] EOFRun the following command to create a policy
reviews-viewerto allow theproductpageworkload, which issues requests using thecluster.local/ns/default/sa/bookinfo-productpageservice account, to access thereviewsworkload throughGETmethods:$ kubectl apply -f - <<EOF apiVersion: "security.istio.io/v1beta1" kind: "AuthorizationPolicy" metadata: name: "reviews-viewer" namespace: default spec: selector: matchLabels: app: reviews rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-productpage"] to: - operation: methods: ["GET"] EOFPoint your browser at the Bookinfo
productpage(http://$GATEWAY_URL/productpage). Now, you should see the “Bookinfo Sample” page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section, there is an errorRatings service currently unavailable.This is because the
reviewsworkload doesn’t have permission to access theratingsworkload. To fix this issue, you need to grant thereviewsworkload access to theratingsworkload. Next, we configure a policy to grant thereviewsworkload that access.Run the following command to create the
ratings-viewerpolicy to allow thereviewsworkload, which issues requests using thecluster.local/ns/default/sa/bookinfo-reviewsservice account, to access theratingsworkload throughGETmethods:$ kubectl apply -f - <<EOF apiVersion: "security.istio.io/v1beta1" kind: "AuthorizationPolicy" metadata: name: "ratings-viewer" namespace: default spec: selector: matchLabels: app: ratings rules: - from: - source: principals: ["cluster.local/ns/default/sa/bookinfo-reviews"] to: - operation: methods: ["GET"] EOFPoint your browser at the Bookinfo
productpage(http://$GATEWAY_URL/productpage). You should see the “black” and “red” ratings in the “Book Reviews” section.Congratulations! You successfully applied authorization policy to enforce access control for workloads using HTTP traffic.
Clean up
Remove all authorization policies from your configuration:
$ kubectl delete authorizationpolicy.security.istio.io/deny-all $ kubectl delete authorizationpolicy.security.istio.io/productpage-viewer $ kubectl delete authorizationpolicy.security.istio.io/details-viewer $ kubectl delete authorizationpolicy.security.istio.io/reviews-viewer $ kubectl delete authorizationpolicy.security.istio.io/ratings-viewer