Use Layer 4 security policy

The layering of ztunnel and waypoint proxies in Istio’s ambient mode gives you a choice on whether or not you want to enable Layer 7 (L7) processing for a given workload.

The Layer 4 (L4) features of Istio’s security policies are supported by ztunnel, and are available in ambient mode. Kubernetes Network Policies also continue to work if your cluster has a CNI plugin that supports them, and can be used to provide defense-in-depth.

To use L7 policies, and Istio’s traffic routing features, you can deploy a waypoint for your workloads.

Layer 4 authorization policies

The ztunnel proxy performs authorization policy enforcement when a workload is enrolled in secure overlay mode.

The actual enforcement point is at the receiving (server-side) ztunnel proxy in the path of a connection.

A basic L4 authorization policy looks like this:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-sleep-to-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/ambient-demo/sa/sleep

The L4 AuthorizationPolicy API behaves the same in Istio ambient mode as in sidecar mode. When no AuthorizationPolicy is provisioned, the default action is ALLOW. Once a policy is provisioned, pods matching the policy's selector only accept traffic that is explicitly allowed. In this example, pods with the label app: httpbin only accept traffic from sources whose identity principal is cluster.local/ns/ambient-demo/sa/sleep. Traffic from all other sources is denied.

Layer 7 authorization policies without waypoints installed

This example adds a check for the HTTP GET method:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-sleep-to-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/ambient-demo/sa/sleep
    to:
    - operation:
        methods: ["GET"]

Even though the identity of the pod is otherwise correct, the presence of an L7 policy combined with traffic that did not originate from a waypoint proxy causes the ztunnel to deny the connection:

command terminated with exit code 56
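To make the two enforcement behaviors described above concrete (default ALLOW with no policy, explicit allow-list once a policy selects the pod, and a ztunnel deny whenever a selecting policy carries L7 fields and the traffic did not come through a waypoint), here is an added example that models ztunnel's decision in Python. It is not Istio or ztunnel code; the policies are plain dicts mirroring the spec of the two AuthorizationPolicy objects above, the connection attributes (principal, source namespace, port) are constructed, and the set of fields treated as "L7" is an assumption made for this model. Enforcement of L7 rules by a waypoint is outside this model.

```python
"""Constructed model of ztunnel L4 AuthorizationPolicy enforcement (not Istio code)."""

# Assumption for this model: fields an L4 proxy cannot evaluate. If any policy that
# selects the pod uses them, ztunnel denies traffic that did not pass through a waypoint.
L7_SOURCE_FIELDS = {"requestPrincipals"}
L7_OPERATION_FIELDS = {"methods", "paths", "hosts"}
L7_WHEN_PREFIX = "request."


def selects(policy, pod_labels):
    """A policy applies when every matchLabels entry is present on the pod.
    A policy without a selector applies to every pod in its namespace."""
    match = policy.get("selector", {}).get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in match.items())


def rule_needs_l7(rule):
    """True if the rule references request-level attributes ztunnel cannot see."""
    for src in rule.get("from", []):
        if L7_SOURCE_FIELDS & set(src.get("source", {})):
            return True
    for op in rule.get("to", []):
        if L7_OPERATION_FIELDS & set(op.get("operation", {})):
            return True
    return any(c.get("key", "").startswith(L7_WHEN_PREFIX) for c in rule.get("when", []))


def rule_matches_l4(rule, conn):
    """conn = {'principal': str, 'namespace': str, 'port': int}.
    An empty 'from' or 'to' list means 'any'; within a list, any entry may match."""
    froms = rule.get("from", [])
    if froms:
        def src_ok(entry):
            s = entry.get("source", {})
            if "principals" in s and conn.get("principal") not in s["principals"]:
                return False
            if "namespaces" in s and conn.get("namespace") not in s["namespaces"]:
                return False
            return True
        if not any(src_ok(e) for e in froms):
            return False
    tos = rule.get("to", [])
    if tos:
        def op_ok(entry):
            o = entry.get("operation", {})
            return "ports" not in o or str(conn.get("port")) in o["ports"]
        if not any(op_ok(e) for e in tos):
            return False
    return True


def ztunnel_verdict(policies, pod_labels, conn):
    """Decision of the server-side ztunnel for one inbound connection."""
    applicable = [p for p in policies if selects(p, pod_labels)]
    if not applicable:
        return "ALLOW"  # no policy selects the pod: default ALLOW
    if any(rule_needs_l7(r) for p in applicable for r in p.get("rules", [])):
        return "DENY"  # L7 fields present and no waypoint in the path: ztunnel denies
    for p in applicable:  # DENY policies are evaluated before ALLOW policies
        if p.get("action", "ALLOW") == "DENY" and any(
            rule_matches_l4(r, conn) for r in p.get("rules", [])
        ):
            return "DENY"
    allows = [p for p in applicable if p.get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return "ALLOW"  # only DENY policies exist and none matched
    matched = any(rule_matches_l4(r, conn) for p in allows for r in p.get("rules", []))
    return "ALLOW" if matched else "DENY"  # ALLOW policies form an allow-list


# Constructed policies mirroring the two examples on this page.
SLEEP_PRINCIPAL = "cluster.local/ns/ambient-demo/sa/sleep"
ALLOW_SLEEP = {
    "selector": {"matchLabels": {"app": "httpbin"}},
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": [SLEEP_PRINCIPAL]}}]}],
}
ALLOW_SLEEP_GET = {
    "selector": {"matchLabels": {"app": "httpbin"}},
    "action": "ALLOW",
    "rules": [{
        "from": [{"source": {"principals": [SLEEP_PRINCIPAL]}}],
        "to": [{"operation": {"methods": ["GET"]}}],
    }],
}
# Constructed pod labels and connection attributes.
HTTPBIN_LABELS = {"app": "httpbin", "version": "v1"}
FROM_SLEEP = {"principal": SLEEP_PRINCIPAL, "namespace": "ambient-demo", "port": 8000}
FROM_OTHER = {"principal": "cluster.local/ns/ambient-demo/sa/notsleep",
              "namespace": "ambient-demo", "port": 8000}

if __name__ == "__main__":
    print("no policy, other source:", ztunnel_verdict([], HTTPBIN_LABELS, FROM_OTHER))
    print("L4 policy, sleep:", ztunnel_verdict([ALLOW_SLEEP], HTTPBIN_LABELS, FROM_SLEEP))
    print("L4 policy, other:", ztunnel_verdict([ALLOW_SLEEP], HTTPBIN_LABELS, FROM_OTHER))
    print("L7 policy, sleep, no waypoint:", ztunnel_verdict([ALLOW_SLEEP_GET], HTTPBIN_LABELS, FROM_SLEEP))
```

The last case is the one the page's exit code 56 illustrates: the source identity is correct, but because the selecting policy carries a `methods` field, ztunnel denies the connection rather than guess at a request attribute it cannot inspect.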

Peer authentication

Istio’s peer authentication policies, which configure mutual TLS (mTLS) modes, are supported by ztunnel.

As ztunnel and HBONE imply the use of mTLS, it is not possible to use the DISABLE mode in a policy. Such policies will be ignored.

If you need to disable mTLS for an entire namespace, you will have to disable ambient mode:

$ kubectl label namespace default istio.io/dataplane-mode-