Istio Role Based Access Control (RBAC)
Before Start
You should have NO virtualservice, destinationrule, gateway or policy (in
In this chapter, we are going to see how to use Istio’s authorization feature to provide access control for services in an Istio Mesh.
Authorization and JWT
In this section, you’ll learn how to use a JWT claim to manage the access to the services.
First, apply all the steps described in the End-user authentication with JWT section so that JWT authentication is enabled inside the mesh.
After that, you are ready to use JWT in the authorization phase as well.
Now apply the following Istio resource, which allows only tokens that contain a field named role with value customer.
kubectl create -f istiofiles/authorization-policy-jwt.yaml -n tutorial
Then make a new call with the new token containing the role claim with value customer:
curl -H "Authorization: Bearer $token" $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'recommendation-v1-b4d67bcb7-7rp88': 4
Notice that now only requests with a valid JWT token containing the claim role set to customer will succeed; for the rest you'll get an access denied.
To validate that this is working correctly, do the following:
Open istiofiles/authorization-policy-jwt.yaml, change the role value to xxx, and save the file.
when:
- key: request.auth.claims[role]
  values: ["xxx"]
And then replace it:
kubectl replace -f istiofiles/authorization-policy-jwt.yaml -n tutorial
After that, repeat the same request as before:
curl -H "Authorization: Bearer $token" $GATEWAY_URL/customer
RBAC: access denied
Notice that the access is now denied because the role field value in the token is customer instead of xxx.
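When a request comes back with RBAC: access denied, it helps to look at the claim the policy compares against. The following Python check is an added example, not part of the tutorial's files: it decodes a JWT payload locally without verifying the signature (Istio does that during authentication) and compares the role claim with the policy's values list using exact match only. The sample token and the function names are constructed for this example.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def role_matches(token: str, allowed_values: list, claim: str = "role") -> bool:
    """True if the claim (a string or a list of strings) equals one allowed value."""
    value = jwt_claims(token).get(claim)
    if value is None:
        return False  # claim absent: the 'when' condition cannot match
    candidates = value if isinstance(value, list) else [value]
    return any(isinstance(c, str) and c in allowed_values for c in candidates)


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for local testing only."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{header}.{body}.constructed-signature"


# Constructed sample: same claim the tutorial's token carries (role=customer).
SAMPLE_TOKEN = make_sample_token({"sub": "demo-user", "role": "customer"})

if __name__ == "__main__":
    for values in (["customer"], ["xxx"]):
        verdict = "allow" if role_matches(SAMPLE_TOKEN, values) else "RBAC: access denied"
        print(f"values={values}: {verdict}")
```

To check a real token, pass the same $token value used in the curl call to role_matches together with the values list from your policy file.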
Final Notes
In this chapter you've seen how to use RBAC. You should also enable mTLS to authenticate your requests.
Check mTLS section to learn more about mTLS and Istio.
Clean Up
Follow the Clean Up steps of the End-user authentication with JWT section to remove all the JWT resources, and then call:
kubectl delete -f istiofiles/authorization-policy-jwt.yaml -n tutorial
kubectl delete -f istiofiles/enduser-authentication-jwt.yml -n tutorial