Authorization Policy
Before Start
You should have NO virtualservice nor destinationrule (in
|
This section requires mutual TLS enabled because the following examples use principal in the policies. This is enabled by default, so you should not do anything special. |
The Authorization Policy rules take some time to be applied and reflected. Be patient here! |
Authorization Policies
We’ll create an authorization path that will only allow the following communication path: customer → preference → recommendation. Any other path will result to a 403 forbidden HTTP error.
Deny All
Let’s start by denying any request that occurs on our application:
kubectl apply -f istiofiles/authorization-policy-deny-all.yaml -n tutorial
Then if you do:
curl $GATEWAY_URL/customer
RBAC: access denied
Of course any interaction is forbidden.
Allow Customer
Let’s permit the interaction to customer service:
kubectl apply -f istiofiles/authorization-policy-allow-customer.yaml -n tutorial
Then if you do:
curl $GATEWAY_URL/customer
customer => Error: 403 - RBAC: access denied
Now customer
is reached but not preference.
Allow Preference
Let’s permit it:
kubectl apply -f istiofiles/authorization-policy-allow-preference.yaml -n tutorial
Then if you do:
curl $GATEWAY_URL/customer
customer => Error: 503 - preference => Error: 403 - RBAC: access denied
The preference
service is accessed but not the recommendation one.
Allow Recommendation
Let’s end up by allowing all the path:
kubectl apply -f istiofiles/authorization-policy-allow-recommendation.yaml -n tutorial
Then if you do:
curl $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'recommendation-v1-656788f945-9srp8': 12
Validate Other Paths
Now let’s assume that someone gets access to recommendation
service:
kubectl exec -it -n tutorial $(kubectl get pods -n tutorial|grep recommendation|awk '{ print $1 }'|head -1) -c recommendation /bin/bash
You will be inside the application container of recommendation
pod.
Now execute:
curl preference:8080
RBAC: access denied
exit
So you can see that preference
service can only be accessed by customer
service and not any other service such as recommendation
.