Authorization for HTTP Services
This task covers the activities you might need to perform to set up Istio authorization, also known as Istio Role Based Access Control (RBAC), for HTTP services in an Istio mesh. You can read more in authorization and get started with a basic tutorial in Istio Security Basics.
Before you begin
The activities in this task assume that you:
Read the authorization concept.
Follow the instructions in the Kubernetes quick start to install Istio with mutual TLS enabled.
Deploy the Bookinfo sample application.
Create service accounts and for the Bookinfo application. Run the following command to create service account
bookinfo-productpage
forproductpage
and service accountbookinfo-reviews
forreviews
:$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)
Point your browser at the Bookinfo
productpage
(http://$GATEWAY_URL/productpage
). You should see:- The “Book Details” section in the lower left part of the page, including type, pages, publisher, etc.
- The “Book Reviews” section in the lower right part of the page.
If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars)
Enabling Istio authorization
Run the following command to enable Istio authorization for the default
namespace:
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). Now you should see
"RBAC: access denied"
. This is because Istio authorization is “deny by default”, which means that you need to
explicitly define access control policy to grant access to any service.
Namespace-level access control
Using Istio authorization, you can easily setup namespace-level access control by specifying all (or a collection of) services in a namespace are accessible by services from another namespace.
In our Bookinfo sample, the productpage
, reviews
, details
, ratings
services are deployed in the default
namespace.
The Istio components like istio-ingressgateway
service are deployed in the istio-system
namespace. We can define a policy that
any service in the default
namespace that has the app
label set to one of the values of
productpage
, details
, reviews
, or ratings
is accessible by services in the same namespace (i.e., default
) and services in the istio-system
namespace.
Run the following command to create a namespace-level access control policy:
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
The policy does the following:
Creates a
ServiceRole
service-viewer
which allows read access to any service in thedefault
namespace that has theapp
label set to one of the valuesproductpage
,details
,reviews
, orratings
. Note that there is a constraint specifying that the services must have one of the listedapp
labels.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRole metadata: name: service-viewer namespace: default spec: rules: - services: ["*"] methods: ["GET"] constraints: - key: "destination.labels[app]" values: ["productpage", "details", "reviews", "ratings"]
Creates a
ServiceRoleBinding
that assign theservice-viewer
role to all services in theistio-system
anddefault
namespaces.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: bind-service-viewer namespace: default spec: subjects: - properties: source.namespace: "istio-system" - properties: source.namespace: "default" roleRef: kind: ServiceRole name: "service-viewer"
You can expect to see output similar to the following:
servicerole "service-viewer" created
servicerolebinding "bind-service-viewer" created
Now if you point your browser at Bookinfo’s productpage
(http://$GATEWAY_URL/productpage
). You should see the “Bookinfo Sample” page,
with the “Book Details” section in the lower left part and the “Book Reviews” section in the lower right part.
Cleanup namespace-level access control
Remove the following configuration before you proceed to the next task:
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
Service-level access control
This task shows you how to set up service-level access control using Istio authorization. Before you start, please make sure that:
- You have enabled Istio authorization.
- You have removed namespace-level authorization policy.
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). You should see "RBAC: access denied"
.
We will incrementally add access permission to the services in the Bookinfo sample.
Step 1. allowing access to the productpage
service
In this step, we will create a policy that allows external requests to access the productpage
service via Ingress.
Run the following command:
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
The policy does the following:
Creates a
ServiceRole
productpage-viewer
which allows read access to theproductpage
service.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRole metadata: name: productpage-viewer namespace: default spec: rules: - services: ["productpage.default.svc.cluster.local"] methods: ["GET"]
Creates a
ServiceRoleBinding
bind-productpage-viewer
which assigns theproductpage-viewer
role to all users and services.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: bind-productpage-viewer namespace: default spec: subjects: - user: "*" roleRef: kind: ServiceRole name: "productpage-viewer"
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). Now you should see the “Bookinfo Sample”
page. But there are errors Error fetching product details
and Error fetching product reviews
on the page. These errors
are expected because we have not granted the productpage
service access to the details
and reviews
services. We will fix the errors
in the following steps.
Step 2. allowing access to the details
and reviews
services
We will create a policy to allow the productpage
service to access the details
and reviews
services. Note that in the
setup step, we created the bookinfo-productpage
service account for the productpage
service. This
bookinfo-productpage
service account is the authenticated identify for the productpage
service.
Run the following command:
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
The policy does the following:
Creates a
ServiceRole
details-reviews-viewer
which allows access to thedetails
andreviews
services.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRole metadata: name: details-reviews-viewer namespace: default spec: rules: - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"] methods: ["GET"]
Creates a
ServiceRoleBinding
bind-details-reviews
which assigns thedetails-reviews-viewer
role to thecluster.local/ns/default/sa/bookinfo-productpage
service account (representing theproductpage
service).apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: bind-details-reviews namespace: default spec: subjects: - user: "cluster.local/ns/default/sa/bookinfo-productpage" roleRef: kind: ServiceRole name: "details-reviews-viewer"
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). Now you should see the “Bookinfo Sample”
page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section,
there is an error Ratings service currently unavailable
. This is because “reviews” service does not have permission to access
“ratings” service. To fix this issue, you need to grant the reviews
service access to the ratings
service.
We will show how to do that in the next step.
Step 3. allowing access to the ratings
service
We will create a policy to allow the reviews
service to access the ratings
service. Note that in the
setup step, we created a bookinfo-reviews
service account for the reviews
service. This
service account is the authenticated identify for the reviews
service.
Run the following command to create a policy that allows the reviews
service to access the ratings
service.
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
The policy does the following:
Creates a
ServiceRole
ratings-viewer
which allows access to theratings
service.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRole metadata: name: ratings-viewer namespace: default spec: rules: - services: ["ratings.default.svc.cluster.local"] methods: ["GET"]
Creates a
ServiceRoleBinding
bind-ratings
which assignsratings-viewer
role to thecluster.local/ns/default/sa/bookinfo-reviews
service account, which represents thereviews
service.apiVersion: "rbac.istio.io/v1alpha1" kind: ServiceRoleBinding metadata: name: bind-ratings namespace: default spec: subjects: - user: "cluster.local/ns/default/sa/bookinfo-reviews" roleRef: kind: ServiceRole name: "ratings-viewer"
Point your browser at the Bookinfo productpage
(http://$GATEWAY_URL/productpage
). Now you should see
the “black” and “red” ratings in the “Book Reviews” section.
Cleanup
Remove Istio authorization policy configuration:
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@ $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@ $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
Alternatively, you can delete all
ServiceRole
andServiceRoleBinding
resources by running the following commands:$ kubectl delete servicerole --all $ kubectl delete servicerolebinding --all
Disable Istio authorization:
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@