Authorization on Ingress Gateway

This task shows you how to enforce access control on an Istio ingress gateway using an authorization policy.

An Istio authorization policy supports IP-based allow lists or deny lists as well as the attribute-based allow lists or deny lists previously provided by Mixer policy. The Mixer policy is deprecated in 1.5 and not recommended for production use.

Before you begin

Before you begin this task, do the following:

  • Read the Authorization conceptual documentation.

  • Install Istio using the Istio installation guide.

  • Deploy a workload, httpbin in a namespace, for example foo, and expose it through the Istio ingress gateway with this command:

    $ kubectl create ns foo
    $ kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin.yaml) -n foo
    $ kubectl apply -f <(istioctl kube-inject -f samples/httpbin/httpbin-gateway.yaml) -n foo
  • Update the ingress gateway to set externalTrafficPolicy: Local so that the original client source IP is preserved on the ingress gateway, using the following command (see Source IP for Services with Type=NodePort for more information):

    $ kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalTrafficPolicy":"Local"}}'
  • Follow the instructions in Determining the ingress IP and ports to define the INGRESS_HOST and INGRESS_PORT environment variables.

  • Verify that the httpbin workload and ingress gateway are working as expected using this command:

    $ curl "$INGRESS_HOST":"$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
    200
  • Verify the output of the following command to ensure the ingress gateway receives the original client source IP address, which will be used in the authorization policy:

    $ CLIENT_IP=$(curl "$INGRESS_HOST":"$INGRESS_PORT"/ip -s | grep "origin" | cut -d'"' -f 4) && echo "$CLIENT_IP"
    105.133.10.12

If you don’t see the expected output, retry after a few seconds. Caching and propagation overhead can cause a delay.

IP-based allow list and deny list

  1. The following command creates the authorization policy, ingress-policy, for the Istio ingress gateway. The policy sets the action field to ALLOW so that only the IP addresses listed in ipBlocks may access the ingress gateway; IP addresses not in the list are denied. The ipBlocks field supports both single IP addresses and CIDR notation. Create the authorization policy:

    $ kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: ALLOW
      rules:
      - from:
        - source:
            ipBlocks: ["1.2.3.4", "5.6.7.0/24"]
    EOF
  2. Verify that a request to the ingress gateway is denied:

    $ curl "$INGRESS_HOST":"$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
    403
  3. Update the ingress-policy to include your client IP address:

    $ kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: ALLOW
      rules:
      - from:
        - source:
            ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
    EOF
  4. Verify that a request to the ingress gateway is allowed:

    $ curl "$INGRESS_HOST":"$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
    200
  5. Update the ingress-policy authorization policy to set the action field to DENY so that the IP addresses specified in ipBlocks are not allowed to access the ingress gateway:

    $ kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: DENY
      rules:
      - from:
        - source:
            ipBlocks: ["$CLIENT_IP"]
    EOF
  6. Verify that a request to the ingress gateway is denied:

    $ curl "$INGRESS_HOST":"$INGRESS_PORT"/headers -s -o /dev/null -w "%{http_code}\n"
    403
  7. You could use an online proxy service to access the ingress gateway from a different client IP to verify that the request is allowed.
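As an added example that is not part of this task or of Istio's own code: a small Python model of how the ingress gateway decides a request under ipBlocks rules, so a policy can be sanity-checked against sample client IPs before it is applied with kubectl. The policy dicts, the function names and the client addresses (105.133.10.12 from the task's sample output, plus 5.6.7.200, 203.0.113.7 and 10.0.0.5) are constructed here; only the ipBlocks source attribute is modelled. The evaluation order (DENY policies first, then ALLOW policies, and allow-by-default only when no ALLOW policy selects the workload) follows Istio's documented semantics and generalizes beyond the single policy this task uses. It also illustrates why the externalTrafficPolicy: Local step matters: if the gateway sees a load balancer or node address instead of the client's, both lists are evaluated against that address.

```python
# Added example (not Istio's own code): an offline model of how an Istio
# AuthorizationPolicy with ipBlocks rules decides a request, so a policy can be
# checked against sample client IPs before it is applied to the gateway.
# Only the ipBlocks source attribute is modelled; all IPs below are constructed.
import ipaddress

CLIENT_IP = "105.133.10.12"   # the sample client IP shown in the task's output
NAT_IP = "10.0.0.5"           # constructed: what the gateway might see without
                              # externalTrafficPolicy: Local (node or LB address)


def make_ingress_policy(action, ip_blocks):
    """Build the same policy shape the task applies with kubectl, as a dict."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": "ingress-policy", "namespace": "istio-system"},
        "spec": {
            "selector": {"matchLabels": {"app": "istio-ingressgateway"}},
            "action": action,
            "rules": [{"from": [{"source": {"ipBlocks": list(ip_blocks)}}]}],
        },
    }


def ip_in_blocks(client_ip, ip_blocks):
    """True if client_ip falls in any entry; entries are single IPs or CIDRs.

    ipaddress.ip_network is strict, so a CIDR with host bits set (for example
    "5.6.7.1/24") raises ValueError, which flags a malformed entry early.
    """
    addr = ipaddress.ip_address(client_ip)
    for block in ip_blocks:
        net = ipaddress.ip_network(block)
        if addr in net:          # False for an IPv4/IPv6 version mismatch
            return True
    return False


def rule_matches(rule, client_ip):
    """A rule matches when at least one of its 'from' sources matches.

    A rule without 'from' places no condition on the source at all.
    """
    sources = rule.get("from")
    if not sources:
        return True
    for entry in sources:
        source = entry.get("source", {})
        unsupported = set(source) - {"ipBlocks"}
        if unsupported:
            raise ValueError(f"source attributes not modelled: {sorted(unsupported)}")
        if ip_in_blocks(client_ip, source.get("ipBlocks", [])):
            return True
    return False


def policy_matches(policy, client_ip):
    """A policy matches when any rule matches; a policy with no rules matches nothing."""
    return any(rule_matches(r, client_ip) for r in policy["spec"].get("rules", []))


def evaluate(policies, client_ip):
    """Return the HTTP status the gateway would produce for this source IP.

    DENY policies are checked first and a match is rejected outright. If no
    ALLOW policy selects the workload the request is permitted; otherwise it
    must match at least one ALLOW policy.
    """
    deny = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allow = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, client_ip) for p in deny):
        return 403
    if not allow or any(policy_matches(p, client_ip) for p in allow):
        return 200
    return 403


def walkthrough():
    """Replay the task's three policies and return the status at each step."""
    step1 = make_ingress_policy("ALLOW", ["1.2.3.4", "5.6.7.0/24"])
    step3 = make_ingress_policy("ALLOW", ["1.2.3.4", "5.6.7.0/24", CLIENT_IP])
    step5 = make_ingress_policy("DENY", [CLIENT_IP])
    return {
        "allow_list_without_client": evaluate([step1], CLIENT_IP),     # 403
        "allow_list_cidr_member": evaluate([step1], "5.6.7.200"),      # 200
        "allow_list_with_client": evaluate([step3], CLIENT_IP),        # 200
        "deny_list_with_client": evaluate([step5], CLIENT_IP),         # 403
        "deny_list_other_client": evaluate([step5], "203.0.113.7"),    # 200
        # Without externalTrafficPolicy: Local the gateway evaluates the NAT
        # address, so the deny entry for the real client never applies.
        "deny_list_seen_via_nat": evaluate([step5], NAT_IP),           # 200
    }


if __name__ == "__main__":
    for name, status in walkthrough().items():
        print(f"{name}: {status}")
```

The returned status codes mirror the curl checks in the steps above. Passing the policy dicts through ip_in_blocks also surfaces malformed ipBlocks entries as a ValueError from the standard library, which is a cheap check to run on a policy before applying it.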

Clean up

  1. Remove the namespace foo:

    $ kubectl delete namespace foo
  2. Remove the authorization policy:

    $ kubectl delete authorizationpolicy ingress-policy -n istio-system

See also

Authorization Policy Trust Domain Migration

Shows how to migrate from one trust domain to another without changing authorization policy.

Authorization for HTTP traffic

Shows how to set up access control for HTTP traffic.

Authorization for TCP traffic

How to set up access control for TCP traffic.

Authorization policies with a deny action

Shows how to set up access control to deny traffic explicitly.

Security

Describes Istio’s authorization and authentication functionality.

Micro-Segmentation with Istio Authorization

Describes Istio’s authorization feature and how to use it in various use cases.