• Authorization Policy
    • AuthorizationPolicy
    • Condition
    • Operation
    • Rule
    • Rule.From
    • Rule.To
    • Source
    • istio.type.v1beta1.WorkloadSelector

    Authorization Policy

    Istio Authorization Policy enables access control on workloads in the mesh.

For example, the following authorization policy applies to workloads matched with label selector “app: httpbin, version: v1”.

It allows requests from:
    - service account “cluster.local/ns/default/sa/sleep” or
    - namespace “test”
    to access the workload with:
    - “GET” method at paths of prefix “/info” or,
    - “POST” method at path “/data”.
    when the request has a valid JWT token issued by “https://accounts.google.com”.

    Any other requests will be rejected.

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: httpbin
      namespace: foo
    spec:
      selector:
        matchLabels:
          app: httpbin
          version: v1
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/default/sa/sleep"]
        - source:
            namespaces: ["test"]
        to:
        - operation:
            methods: ["GET"]
            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
        when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]

Access control is enabled on a workload if there is any authorization policy selecting the workload. When access control is enabled, the default behavior is deny (deny-by-default), which means requests to the workload will be rejected if the request is not allowed by any of the authorization policies selecting the workload.

Currently AuthorizationPolicy only supports the “ALLOW” action. This means that if multiple authorization policies apply to the same workload, the effect is additive.

Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.
    - “metadata/namespace” tells which namespace the policy applies to. If set to the root namespace, the policy applies to all namespaces in a mesh.
    - workload “selector” can be used to further restrict where a policy applies.

For example, the following authorization policy applies to workloads containing label “app: httpbin” in namespace bar.

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: policy
      namespace: bar
    spec:
      selector:
        matchLabels:
          app: httpbin

    The following authorization policy applies to all workloads in namespace foo.

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: policy
      namespace: foo
    spec:

The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh (assuming the root namespace is configured to “istio-config”).

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: policy
      namespace: istio-config
    spec:
      selector:
        matchLabels:
          version: v1

    AuthorizationPolicy

    AuthorizationPolicy enables access control on workloads.

For example, the following authorization policy denies all requests to workloads in namespace foo.

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: deny-all
      namespace: foo
    spec:

The following authorization policy allows all requests to workloads in namespace foo.

apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: allow-all
      namespace: foo
    spec:
      rules:
      - {}

    Field (type; required): description

    selector (WorkloadSelector; required: No)
        Optional. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.

    rules (Rule[]; required: No)
        Optional. A list of rules to specify the allowed access to the workload. If not set, access is denied unless explicitly allowed by other authorization policy.

    Condition

    Condition specifies additional required attributes.

Field (type; required): description

    key (string; required: Yes)
        The name of an Istio attribute. See the full list of supported attributes.

    values (string[]; required: Yes)
        The allowed values for the attribute.

    Operation

    Operation specifies the operations of a request.

Field (type; required): description

    hosts (string[]; required: No)
        Optional. A list of hosts, which matches to the “request.host” attribute. If not set, any host is allowed. Must be used only with HTTP.

    ports (string[]; required: No)
        Optional. A list of ports, which matches to the “destination.port” attribute. If not set, any port is allowed.

    methods (string[]; required: No)
        Optional. A list of methods, which matches to the “request.method” attribute. For gRPC service, this should be the fully-qualified name in the form of “/package.service/method”. If not set, any method is allowed. Must be used only with HTTP or gRPC.

    paths (string[]; required: No)
        Optional. A list of paths, which matches to the “request.url_path” attribute. If not set, any path is allowed. Must be used only with HTTP.

    Rule

Rule allows access from a list of sources to perform a list of operations when the condition is matched.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
    - Exact match: “abc” will match on value “abc”.
    - Prefix match: “abc*” will match on value “abc” and “abcd”.
    - Suffix match: “*abc” will match on value “abc” and “xabc”.
    - Presence match: “*” will match when value is not empty.

Field (type; required): description

    from (From[]; required: No)
        Optional. from specifies the source of a request. If not set, any source is allowed.

    to (To[]; required: No)
        Optional. to specifies the operation of a request. If not set, any operation is allowed.

    when (Condition[]; required: No)
        Optional. when specifies a list of additional conditions of a request. If not set, any condition is allowed.
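The evaluation semantics described on this page (deny-by-default once any policy selects a workload, additive ALLOW rules across policies, from/to/when ANDed with the entries inside each list ORed, and the Exact/Prefix/Suffix/Presence string matching, with prefix written as “abc*” and suffix as “*abc”, as in the “/info*” path above) are illustrated by the following evaluator. It is an added example, not Istio's own code; policies and requests are plain dicts shaped like the YAML on this page, the root namespace name is an assumption, and ipBlocks matching is left out.

```python
# Added illustration, not Istio's own code: a small evaluator for the ALLOW-only
# semantics this page describes. Policies and requests are dicts shaped like the YAML above.
ROOT_NAMESPACE = "istio-config"   # assumption: the configured root namespace
SOURCE_ATTRS = {"principals": "source.principal", "namespaces": "source.namespace",
                "requestPrincipals": "request.auth.principal"}
OPERATION_ATTRS = {"hosts": "request.host", "ports": "destination.port",
                   "methods": "request.method", "paths": "request.url_path"}

def match_string(pattern, value):
    """Exact, Prefix ("abc*"), Suffix ("*abc") and Presence ("*") match."""
    if pattern == "*":
        return value != ""                      # presence: any non-empty value
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])      # suffix
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])   # prefix
    return pattern == value                     # exact

def match_fields(spec, attrs, request):
    """Every field that is set must match its attribute; an unset field allows any value."""
    for field, attr in attrs.items():
        patterns = spec.get(field)
        if patterns and not any(match_string(p, request.get(attr, "")) for p in patterns):
            return False
    return True

def rule_matches(rule, request):
    """from, to and when are ANDed; entries inside each list are ORed."""
    froms = rule.get("from") or [{"source": {}}]          # unset: any source
    tos = rule.get("to") or [{"operation": {}}]           # unset: any operation
    whens = rule.get("when") or []                        # unset: no extra condition
    return (any(match_fields(f["source"], SOURCE_ATTRS, request) for f in froms)
            and any(match_fields(t["operation"], OPERATION_ATTRS, request) for t in tos)
            and all(any(match_string(v, request.get(c["key"], "")) for v in c["values"])
                    for c in whens))

def selects(policy, namespace, labels):
    """Scope: policy namespace (root namespace means every namespace), then matchLabels."""
    if policy["metadata"]["namespace"] not in (namespace, ROOT_NAMESPACE):
        return False
    wanted = ((policy.get("spec") or {}).get("selector") or {}).get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def is_allowed(policies, request, namespace, labels):
    """Deny-by-default once any policy selects the workload; ALLOW rules are additive."""
    applicable = [p for p in policies if selects(p, namespace, labels)]
    if not applicable:
        return True   # no policy selects the workload: access control is not enabled
    return any(rule_matches(r, request)
               for p in applicable for r in ((p.get("spec") or {}).get("rules") or []))
```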

    Rule.From

From includes a list of sources.

Field (type; required): description

    source (Source; required: No)
        Source specifies the source of a request.

    Rule.To

To includes a list of operations.

Field (type; required): description

    operation (Operation; required: No)
        Operation specifies the operation of a request.

    Source

    Source specifies the source identities of a request.

Field (type; required): description

    principals (string[]; required: No)
        Optional. A list of source peer identities (i.e. service account), which matches to the “source.principal” attribute. If not set, any principal is allowed.

    requestPrincipals (string[]; required: No)
        Optional. A list of request identities (i.e. “iss/sub” claims), which matches to the “request.auth.principal” attribute. If not set, any request principal is allowed.

    namespaces (string[]; required: No)
        Optional. A list of namespaces, which matches to the “source.namespace” attribute. If not set, any namespace is allowed.

    ipBlocks (string[]; required: No)
        Optional. A list of IP blocks, which matches to the “source.ip” attribute. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. If not set, any IP is allowed.

    istio.type.v1beta1.WorkloadSelector

WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy. The matching criteria include the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only the label based selection mechanism is supported.

Field (type; required): description

    matchLabels (map<string, string>; required: Yes)
        One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.