Reputation: 480
Problem statement:
My goal is to have Istio with an external authorization service (ideally HTTP; if that is not possible, then gRPC would do as well). There is a requirement to be able to control what exact status code will be returned to the client on authorization service. The latter requirement is the most problematic part.
My research
I have read the Istio documentation on the external authorizer.
I have made a prototype with an HTTP auth service, but whatever non-200 status code I return from the auth service, the client always receives 403 Forbidden.
In the mesh config specification I see only the possibility to set statusOnError, but it will be used only in case the auth service is unreachable, and it cannot be dynamically changed.
Also, in the Envoy documentation for the gRPC service I see the possibility to set a custom status:
HTTP attributes for a denied response.
{
  "status": "{...}",
  "headers": [],
  "body": "..."
}
Questions:
Upvotes: 0
Views: 799
Reputation: 480
I made the gRPC auth service prototype and found the answer. It is counter-intuitive, but the gRPC external auth service is really more flexible than the HTTP one, and it really allows setting an arbitrary status code.
Upvotes: 1
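The mesh configuration behind the two prototypes discussed above, as an added example that is not taken from either post: it registers an HTTP and a gRPC external authorizer side by side and points a CUSTOM AuthorizationPolicy at the gRPC one. The provider names, service host, ports, selector labels and path are assumptions made for illustration.

```yaml
# Constructed example; provider names, service host, ports, labels and path are assumptions.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    # HTTP flavour, as in the question's first prototype.
    - name: ext-authz-http
      envoyExtAuthzHttp:
        service: ext-authz.auth.svc.cluster.local
        port: 8000
    # gRPC flavour: the service implements envoy.service.auth.v3.Authorization/Check.
    # To deny, it returns a CheckResponse with a non-OK status and a denied_response
    # carrying the status, headers and body fields quoted in the question;
    # denied_response.status.code is the HTTP status sent to the client.
    - name: ext-authz-grpc
      envoyExtAuthzGrpc:
        service: ext-authz.auth.svc.cluster.local
        port: 9000
        # Applies only when the auth service cannot be reached; it is static,
        # not a per-request value.
        statusOnError: "503"
        failOpen: false
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: ext-authz-grpc   # must match the extensionProviders entry above
  rules:
  - to:
    - operation:
        paths: ["/api/*"]
```

Keeping `failOpen: false` means requests are rejected with the `statusOnError` code when the authorizer is down, rather than being let through unchecked.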