kaizenCoder

Reputation: 2229

Istio AuthorizationPolicy rules questions

I’ve been testing istio (1.6) authorization policies and would like to confirm the following:

  1. Can I use k8s service names as shown below where httpbin.bar is the service name for deployment/workload httpbin:
   - to:
     - operation:
         hosts: ["httpbin.bar"]
  2. I have the following rule; only ALLOW access to the httpbin.bar service from service account sleep in foo namespace.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: whitelist-httpbin-bar
  namespace: bar
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
  - to:
    - operation:
        hosts: ["httpbin.bar"]

I set up 2 services; httpbin.bar and privatehttpbin.bar. My assumption was that it would block access to privatehttpbin.bar but this is not the case. On a side note, I deliberately avoided adding selector.matchLabels because as far as I can tell the rule should only succeed for httpbin.bar.

The docs state:

A match occurs when at least one source, operation and condition matches the request.

as per here.

I interpreted that AND logic will apply to the source and operation.

Would appreciate if I can find out why this may not be working or if my understanding needs to be corrected.

Upvotes: 0

Views: 2475

Answers (2)

suren

Reputation: 8776

With your AuthorizationPolicy object, you have two rules in the namespace bar:

  • Allow any request coming from the foo namespace with service account sleep to any service.
  • Allow any request to the httpbin service from any namespace, with any service account.

So it is an OR you are applying.

If you want an AND to be applied, meaning allow any request from the namespace foo with service account sleep to talk to the service httpbin in the namespace bar, you need to apply the following rule:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: whitelist-httpbin-bar
  namespace: bar
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:                     # <- remove the dash (-) from here
    - operation:
        hosts: ["httpbin.bar"]

Upvotes: 1
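The rule semantics described in this answer (OR across rules, AND between the from/to sections inside one rule), as an added example that is not part of the question or either answer. It models only principals and hosts; `when` conditions, selectors and DENY policies are left out, and the request dicts are constructed inputs.

```python
# Added example: a minimal model of how an Istio ALLOW AuthorizationPolicy
# evaluates its rules. The policy dicts are constructed equivalents of the
# two YAML documents on the page. Only principals and hosts are modelled.

SLEEP_FOO = "cluster.local/ns/foo/sa/sleep"

# The question's policy: two separate rules (the dash before "to").
POLICY_TWO_RULES = {
    "action": "ALLOW",
    "rules": [
        {"from": [{"source": {"principals": [SLEEP_FOO]}}]},
        {"to": [{"operation": {"hosts": ["httpbin.bar"]}}]},
    ],
}

# The corrected policy: one rule carrying both sections.
POLICY_ONE_RULE = {
    "action": "ALLOW",
    "rules": [
        {
            "from": [{"source": {"principals": [SLEEP_FOO]}}],
            "to": [{"operation": {"hosts": ["httpbin.bar"]}}],
        }
    ],
}


def _source_matches(source, request):
    principals = source.get("principals")  # absent field matches anything
    return principals is None or request["principal"] in principals


def _operation_matches(operation, request):
    hosts = operation.get("hosts")  # absent field matches anything
    return hosts is None or request["host"] in hosts


def rule_matches(rule, request):
    """A rule matches only if every section it carries matches (AND)."""
    froms = rule.get("from")
    if froms is not None and not any(_source_matches(f["source"], request) for f in froms):
        return False
    tos = rule.get("to")
    if tos is not None and not any(_operation_matches(t["operation"], request) for t in tos):
        return False
    return True


def is_allowed(policy, request):
    """ALLOW policy: admit the request if any one rule matches (OR)."""
    return any(rule_matches(rule, request) for rule in policy["rules"])
```

With the two-rule policy, sleep reaching privatehttpbin.bar satisfies the first rule on its own, so it is allowed; the single-rule policy denies it.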

sachin

Reputation: 1350

On the first point, you can specify the host name by k8s service name. Therefore httpbin.bar is acceptable for the host field.

On the second point, as per here,

Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.

“metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.

So the authorization policy whitelist-httpbin-bar applies to workloads in the namespace foo. But the services httpbin and privatehttpbin you want to authorize lie in the bar namespace. So your authorization policy does not restrict access to these services.

If there are no ALLOW policies for the workload, allow the request.

The above criteria makes the request a valid one.

Hope this helps.

Upvotes: 1
