Authorization for HTTP traffic

This task shows you how to set up Istio authorization for HTTP traffic in an Istio mesh.Learn more in our authorization concept page.

Before you begin

The activities in this task assume that you:

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. Onthe product page, you can see the following sections:

  • Book Details on the lower left side, which includes: book type, number ofpages, publisher, etc.
  • Book Reviews on the lower right of the page.

When you refresh the page, the app shows different versions of reviews in the product page.The app presents the reviews in a round robin style: red stars, black stars, or no stars.

If you don’t see the expected output in the browser as you follow the task, retry in a few more secondsbecause some delay is possible due to caching and other propagation overhead.

Configure access control for workloads using HTTP traffic

Using Istio, you can easily setup access control for workloadsin your mesh. This task shows you how to set up access control using Istio authorization.First, you configure a simple deny-all policy that rejects all requests to the workload,and then grant more access to the workload gradually and incrementally.

  • Run the following command to create a deny-all policy in the default namespace.The policy doesn’t have a selector field, which applies the policy to every workload in thedefault namespace. The spec: field of the policy has the empty value {}.That value means that no traffic is permitted, effectively denying all requests.
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: security.istio.io/v1beta1
  3. kind: AuthorizationPolicy
  4. metadata:
  5.   name: deny-all
  6.   namespace: default
  7. spec:
  8.   {}
  9. EOF

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage).You should see "RBAC: access denied". The error shows that the configured deny-all policyis working as intended, and Istio doesn’t have any rules that allow any access toworkloads in the mesh.

  • Run the following command to create a productpage-viewer policy to allow accesswith GET method to the productpage workload. The policy does not set the fromfield in the rules which means all sources are allowed, effectively allowingall users and workloads:
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: "security.istio.io/v1beta1"
  3. kind: "AuthorizationPolicy"
  4. metadata:
  5.   name: "productpage-viewer"
  6.   namespace: default
  7. spec:
  8.   selector:
  9.     matchLabels:
  10.       app: productpage
  11.   rules:
  12.   - to:
  13.     - operation:
  14.         methods: ["GET"]
  15. EOF

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage).Now you should see the “Bookinfo Sample” page.However, you can see the following errors on the page:

  • Error fetching product details
  • Error fetching product reviews on the page.These errors are expected because we have not granted the productpageworkload access to the details and reviews workloads. Next, you need toconfigure a policy to grant access to those workloads.
  • Run the following command to create the details-viewer policy to allow the productpageworkload, which issues requests using the cluster.local/ns/default/sa/bookinfo-productpageservice account, to access the details workload through GET methods:
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: "security.istio.io/v1beta1"
  3. kind: "AuthorizationPolicy"
  4. metadata:
  5.   name: "details-viewer"
  6.   namespace: default
  7. spec:
  8.   selector:
  9.     matchLabels:
  10.       app: details
  11.   rules:
  12.   - from:
  13.     - source:
  14.         principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
  15.     to:
  16.     - operation:
  17.         methods: ["GET"]
  18. EOF
  • Run the following command to create a policy reviews-viewer to allow the productpage workload,which issues requests using the cluster.local/ns/default/sa/bookinfo-productpage service account,to access the reviews workload through GET methods:
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: "security.istio.io/v1beta1"
  3. kind: "AuthorizationPolicy"
  4. metadata:
  5.   name: "reviews-viewer"
  6.   namespace: default
  7. spec:
  8.   selector:
  9.     matchLabels:
  10.       app: reviews
  11.   rules:
  12.   - from:
  13.     - source:
  14.         principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
  15.     to:
  16.     - operation:
  17.         methods: ["GET"]
  18. EOF

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now, you should see the “Bookinfo Sample”page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section,there is an error Ratings service currently unavailable.

This is because the reviews workload doesn’t have permission to access the ratings workload.To fix this issue, you need to grant the reviews workload access to the ratings workload.Next, we configure a policy to grant the reviews workload that access.

  • Run the following command to create the ratings-viewer policy to allow the reviews workload,which issues requests using the cluster.local/ns/default/sa/bookinfo-reviews service account,to access the ratings workload through GET methods:
  1. $ kubectl apply -f - <<EOF
  2. apiVersion: "security.istio.io/v1beta1"
  3. kind: "AuthorizationPolicy"
  4. metadata:
  5.   name: "ratings-viewer"
  6.   namespace: default
  7. spec:
  8.   selector:
  9.     matchLabels:
  10.       app: ratings
  11.   rules:
  12.   - from:
  13.     - source:
  14.         principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
  15.     to:
  16.     - operation:
  17.         methods: ["GET"]
  18. EOF

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage).You should see the “black” and “red” ratings in the “Book Reviews” section.

Congratulations! You successfully applied authorization policy to enforce accesscontrol for workloads using HTTP traffic.

Clean up

  • Remove all authorization policies from your configuration:
  1. $ kubectl delete authorizationpolicy.security.istio.io/deny-all
  2. $ kubectl delete authorizationpolicy.security.istio.io/productpage-viewer
  3. $ kubectl delete authorizationpolicy.security.istio.io/details-viewer
  4. $ kubectl delete authorizationpolicy.security.istio.io/reviews-viewer
  5. $ kubectl delete authorizationpolicy.security.istio.io/ratings-viewer

See also

Authorization Policy Trust Domain Migration

Shows how to migrate from one trust domain to another without changing authorization policy.

Authorization for TCP traffic

Shows how to set up access control for TCP traffic.

Security

Describes Istio's authorization and authentication functionality.

Micro-Segmentation with Istio Authorization

Describe Istio's authorization feature and how to use it in various use cases.

Introducing the Istio v1beta1 Authorization Policy

Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.

Authorization for groups and list claims

Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.