Authorization Policy Trust Domain Migration

    In Istio 1.4, we introduce an alpha feature to support trust domain migration for authorization policy. This means if an Istio mesh needs to change its trust domain, the authorization policy doesn’t need to be changed manually. In Istio, if a workload is running in namespace with the service account bar, and the trust domain of the system is my-td, the identity of said workload is spiffe://my-td/ns/foo/sa/bar. By default, the Istio mesh trust domain is cluster.local, unless you specify it during the installation.

    1. Read the authorization concept guide.

    2. Install Istio with a custom trust domain and mutual TLS enabled.

    3. Deploy the sample in the default namespace and the sleep sample in the default and sleep-allow namespaces:

      Zip

      1. $ kubectl label namespace default istio-injection=enabled
      2. $ kubectl apply -f @samples/httpbin/httpbin.yaml@
      3. $ kubectl apply -f @samples/sleep/sleep.yaml@
      4. $ kubectl create namespace sleep-allow
      5. $ kubectl label namespace sleep-allow istio-injection=enabled
      6. $ kubectl apply -f @samples/sleep/sleep.yaml@ -n sleep-allow

    4. Apply the authorization policy below to deny all requests to httpbin except from sleep in the sleep-allow namespace.

      1. $ kubectl apply -f - <<EOF
      2. apiVersion: security.istio.io/v1beta1
      3. kind: AuthorizationPolicy
      4. metadata:
      5.   name: service-httpbin.default.svc.cluster.local
      6.   namespace: default
      7. spec:
      8.   - from:
      9.     - source:
      10.         principals:
      11.         - old-td/ns/sleep-allow/sa/sleep
      12.     to:
      13.     - operation:
      14.         methods:
      15.         - GET
      17.     matchLabels:
      18.       app: httpbin
      19. ---
      20. EOF

    Notice that it may take tens of seconds for the authorization policy to be propagated to the sidecars.

    1. Verify that requests to httpbin from:

      • sleep in the default namespace are denied.
      1. $ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl http://httpbin.default:8000/ip -s -o /dev/null -w "%{http_code}\n"
      2. 403
      • sleep in the sleep-allow namespace are allowed.

    Migrate trust domain without trust domain aliases

      1. $ istioctl manifest apply --set profile=demo --set values.global.trustDomain=new-td

      Istio mesh is now running with a new trust domain, new-td.

    2. Redeploy the httpbin and sleep applications to pick up changes from the new Istio control plane.

      1. $ kubectl delete pod --all
      1. $ kubectl delete pod --all -n sleep-allow

    1. Install Istio with a new trust domain and trust domain aliases.

      1. $ cat <<EOF > ./td-installation.yaml
      2. apiVersion: install.istio.io/v1alpha1
      3. kind: IstioOperator
      4. spec:
      5.   values:
      6.     global:
      7.       trustDomain: new-td
      8.       trustDomainAliases:
      9.         - old-td
      10. EOF
      11. $ istioctl manifest apply --set profile=demo -f td-installation.yaml

    2. Without changing the authorization policy, verify that requests to httpbin from:

      • sleep in the default namespace are denied.
      1. $ kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c sleep -- curl http://httpbin.default:8000/ip -s -o /dev/null -w "%{http_code}\n"
      2. 403
      • sleep in the sleep-allow namespace are allowed.

    Best practices

    Starting from Istio 1.4, when writing authorization policy, you should consider using the value cluster.local as the trust domain part in the policy. For example, instead of old-td/ns/sleep-allow/sa/sleep, it should be cluster.local/ns/sleep-allow/sa/sleep. Notice that in this case, cluster.local is not the Istio mesh trust domain (the trust domain is still old-td). However, in authorization policy, cluster.local is a pointer that points to the current trust domain, i.e. old-td (and later new-td), as well as its aliases. By using cluster.local in the authorization policy, when you migrate to a new trust domain, Istio will detect this and treat the new trust domain as the old trust domain without you having to include the aliases.

    1. $ kubectl delete authorizationpolicy service-httpbin.default.svc.cluster.local
    2. $ kubectl delete deploy httpbin; kubectl delete service httpbin; kubectl delete serviceaccount httpbin
    3. $ kubectl delete deploy sleep; kubectl delete service sleep; kubectl delete serviceaccount sleep
    4. $ kubectl delete namespace sleep-allow

    See also

    Authorization for TCP traffic

    How to set up access control for TCP traffic.

    How to set up access control on an ingress gateway.

    Authorization policies with a deny action

    Shows how to set up access control to deny traffic explicitly.

    Describes Istio’s authorization and authentication functionality.

    Describe Istio’s authorization feature and how to use it in various use cases.