Authorization Policy
|
Before Start
You should have NO virtualservice nor destinationrule (in |
|
This section requires mutual TLS enabled because the following examples use principal in the policies. This is enabled by default, so you should not do anything special. |
| The Authorization Policy rules take some time to be applied and reflected. Be patient here! |
Authorization Policies
We’ll create an authorization path that will only allow the following communication path: customer → preference → recommendation. Any other path will result to a 403 forbidden HTTP error.
Deny All
Let’s start by denying any request that occurs on our application:
kubectl apply -f istiofiles/authorization-policy-deny-all.yaml -n tutorialThen if you do:
curl $GATEWAY_URL/customerRBAC: access deniedOf course any interaction is forbidden.
Allow Customer
Let’s permit the interaction to customer service:
kubectl apply -f istiofiles/authorization-policy-allow-customer.yaml -n tutorialThen if you do:
curl $GATEWAY_URL/customercustomer => Error: 403 - RBAC: access deniedNow customer is reached but not preference.
Allow Preference
Let’s permit it:
kubectl apply -f istiofiles/authorization-policy-allow-preference.yaml -n tutorialThen if you do:
curl $GATEWAY_URL/customercustomer => Error: 503 - preference => Error: 403 - RBAC: access deniedThe preference service is accessed but not the recommendation one.
Allow Recommendation
Let’s end up by allowing all the path:
kubectl apply -f istiofiles/authorization-policy-allow-recommendation.yaml -n tutorialThen if you do:
curl $GATEWAY_URL/customercustomer => preference => recommendation v1 from 'recommendation-v1-656788f945-9srp8': 12Validate Other Paths
Now let’s assume that someone gets access to recommendation service:
kubectl exec -it -n tutorial $(kubectl get pods -n tutorial|grep recommendation|awk '{ print $1 }'|head -1) -c recommendation /bin/bashYou will be inside the application container of recommendation pod.
Now execute:
curl preference:8080RBAC: access deniedexitSo you can see that preference service can only be accessed by customer service and not any other service such as recommendation.