Authorization on Ingress Gateway

    An Istio authorization policy supports IP-based allow lists or deny lists as well as the attribute-based allow lists or deny lists previously provided by Mixer policy. The Mixer policy is deprecated in 1.5 and not recommended for production use.

    Before you begin this task, do the following:

    • Read the Authorization conceptual documentation.

    • Install Istio using the .

    • Deploy a workload in a namespace, for example foo, and expose it through the Istio ingress gateway with this command:

    • Update the ingress gateway to set externalTrafficPolicy: Local so that the original client source IP is preserved on the ingress gateway, using the following command. See Source IP for Services with Type=NodePort for more information.

      $ kubectl patch svc istio-ingressgateway -n istio-system -p '{"spec":{"externalTrafficPolicy":"Local"}}'
    • Verify that the httpbin workload and ingress gateway are working as expected using these commands:

      $ export INGRESS_HOST=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
      $ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
      200
    • Verify the output of the following command to ensure the ingress gateway receives the original client source IP address, which will be used in the authorization policy:

      $ CLIENT_IP=$(curl $INGRESS_HOST/ip -s | grep "origin" | cut -d'"' -f 4) && echo $CLIENT_IP
    1. The following command creates the authorization policy, ingress-policy, for the Istio ingress gateway. The policy sets the action field to ALLOW so that only the IP addresses specified in ipBlocks can access the ingress gateway; IP addresses not in the list are denied. The ipBlocks field supports both single IP addresses and CIDR notation. Create the authorization policy:

    2. Verify that a request to the ingress gateway is denied:

      $ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
      403
    3. Update the ingress-policy to include your client IP address:

      $ kubectl apply -f - <<EOF
      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: ingress-policy
        namespace: istio-system
      spec:
        selector:
          matchLabels:
            app: istio-ingressgateway
        action: ALLOW
        rules:
        - from:
          - source:
              ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
      EOF
    4. Verify that a request to the ingress gateway is allowed:

      $ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
      200
    5. Update the ingress-policy authorization policy to set the action key to DENY so that the IP addresses specified in ipBlocks are refused access to the ingress gateway while all other addresses are allowed:

    6. Verify that a request to the ingress gateway is denied:

      $ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
      403
    7. You could use an online proxy service to access the ingress gateway using a different client IP to verify the request is allowed.
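    The following script is an added illustration, not Istio's own code: it models the ipBlocks matching and the documented evaluation order for AuthorizationPolicy (DENY policies are checked first; when a workload has any ALLOW policy, a request passes only if an ALLOW rule matches) so the ALLOW variant from step 1 and the DENY variant from step 5 can be compared offline with the same policy shape used in this task. The client address 203.0.113.10 and the bystander address 198.51.100.7 are constructed test values; the gateway is assumed to see the original client IP, which is what the externalTrafficPolicy patch above provides.

```python
"""Offline model of the ipBlocks matching described in this task.

Added illustration, not Istio source. It reproduces the evaluation order
Istio documents for AuthorizationPolicy: matching DENY policies reject
first; with ALLOW policies present, a request is accepted only when one
ALLOW rule matches; with none present, everything not denied passes.
The addresses 203.0.113.10 and 198.51.100.7 are constructed test values.
"""
import ipaddress


def ingress_policy(action, ip_blocks):
    """Build the ingress-policy from this task with the given action and ipBlocks."""
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": "ingress-policy", "namespace": "istio-system"},
        "spec": {
            "selector": {"matchLabels": {"app": "istio-ingressgateway"}},
            "action": action,
            "rules": [{"from": [{"source": {"ipBlocks": list(ip_blocks)}}]}],
        },
    }


def ip_in_blocks(client_ip, blocks):
    """True if client_ip equals a listed address or lies inside a listed CIDR."""
    addr = ipaddress.ip_address(client_ip)
    # ip_network accepts both a bare address ("1.2.3.4" becomes a /32) and a CIDR.
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)


def rule_matches(rule, client_ip):
    """A rule's 'from' list matches when any listed source matches.

    Only the ipBlocks condition used in this task is modelled here.
    """
    sources = rule.get("from")
    if not sources:
        return True  # a rule without 'from' matches any source
    return any(ip_in_blocks(client_ip, s["source"].get("ipBlocks", [])) for s in sources)


def policy_matches(policy, client_ip):
    return any(rule_matches(r, client_ip) for r in policy["spec"].get("rules", []))


def evaluate(policies, client_ip):
    """Return the HTTP status the ingress gateway would answer for client_ip."""
    denies = [p for p in policies if p["spec"].get("action", "ALLOW") == "DENY"]
    allows = [p for p in policies if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(policy_matches(p, client_ip) for p in denies):
        return 403
    if not allows:
        return 200  # no ALLOW policy on the workload: anything not denied passes
    if any(policy_matches(p, client_ip) for p in allows):
        return 200
    return 403  # ALLOW policies exist but none matched this client


def walkthrough(client_ip="203.0.113.10", bystander_ip="198.51.100.7"):
    """Replay the policy changes from this task and return the status seen at each."""
    base = ["1.2.3.4", "5.6.7.0/24"]
    return {
        "step1_allow_without_client": evaluate([ingress_policy("ALLOW", base)], client_ip),
        "step3_allow_with_client": evaluate([ingress_policy("ALLOW", base + [client_ip])], client_ip),
        "cidr_member_allowed": evaluate([ingress_policy("ALLOW", base)], "5.6.7.200"),
        "step5_deny_with_client": evaluate([ingress_policy("DENY", base + [client_ip])], client_ip),
        "step7_deny_other_client": evaluate([ingress_policy("DENY", base + [client_ip])], bystander_ip),
    }


if __name__ == "__main__":
    for step, status in walkthrough().items():
        print(f"{step}: {status}")
```

    The DENY variant is the inverse of the ALLOW variant only for addresses that appear in ipBlocks: with ALLOW, every unlisted address is refused; with DENY, every unlisted address is admitted, which is why step 7 needs a different client IP to observe a 200. The model says nothing about how the gateway learns the client IP; if externalTrafficPolicy is left at its default, the address the policy compares may be a node address rather than the client's, and both variants would misfire.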

    1. Remove the namespace foo to clean up:

      $ kubectl delete namespace foo
