Istio Role Based Access Control (RBAC)

Before StartYou should have NO virtualservice, destinationrule, gateway or policy (in tutorial namespace) kubectl get virtualservice kubectl get destinationrule kubectl get gateway kubectl get policyif so run:
  1. ./scripts/clean.sh

In this chapter, we are going to see how to use Istio’s authorization feature to provide access control for services in an Istio Mesh.

Enabling RBAC

The first thing to do is enable Istio Authorization by using ClusterRbacConfig object.

  1. kubectl create -f istiofiles/authorization-enable-rbac.yml -n tutorial

Now RBAC is enabled on your mesh.Run next command:

  1. curl http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
  3. RBAC: access denied

By default, Istio uses a deny by default strategy, meaning that nothing is permitted until you explicitly define access control policy to grant access to any service.

Authorization and JWT

In this section, you’ll learn how to use a JWT claim to manage the access to the services.

The first thing you need to do is applying all the steps described at End-user authentication with JWT section so you enable JWT authentication logic inside the mesh.

After that, you are ready to use JWT in the authorization phase as well.

Now apply next Istio resource which makes that only tokens that contain a field named role with value customer.

  1. kubectl create -f istiofiles/namespace-rbac-policy-jwt.yml -n tutorial

and then you can do a new call with the new token containing the role claim with value customer`:

  1. token=$(curl https://gist.githubusercontent.com/lordofthejars/f590c80b8d83ea1244febb2c73954739/raw/21ec0ba0184726444d99018761cf0cd0ece35971/token.role.jwt -s)
  3. curl -H "Authorization: Bearer $token" http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
  5. customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Notice that now only valid JWT tokens containing the claim role set to customer will suceed, the rest you’ll get an access denied.

To validate that this is working correctly, do next thing:

Open istiofiles/namespace-rbac-policy-jwt.yml and change the role with value xxx and save the file.

istiofiles/namespace-rbac-policy-jwt.yml

  1. spec:
  2.   subjects:
  3.   - user: "*"
  4.     properties:
  5.       request.auth.claims[role]: "xxx"

And then replace it:

  1. kubectl replace -f istiofiles/namespace-rbac-policy-jwt.yml -n tutorial

After that, repeat the same request as before:

  1. curl -H "Authorization: Bearer $token" http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
  3. RBAC: access denied

But notice that now the access is denied because the role field value in the token is customer instead of xxx.

Final Notes

In this chapter you’ve seen how to RBAC.Obviously, you should also enable mTLS to authenticate also your requests.

Check mTLS section to learn more about mTLS and Istio.

Clean Up

Follow End-user authentication with JWT Clean Up steps there to clean all JWT stuff and then call:

  1. kubectl delete -f istiofiles/namespace-rbac-policy-jwt.yml -n tutorial
  2. kubectl create -f istiofiles/authorization-enable-rbac.yml -n tutorial