Authorization Policy
Authorization policy supports both allow and deny policies. When allow and deny policies are used for a workload at the same time, the deny policies are evaluated first. The evaluation is determined by the following rules:
- If there are any DENY policies that match the request, deny the request.
- If there are no ALLOW policies for the workload, allow the request.
- If any of the ALLOW policies match the request, allow the request.
- Deny the request.
For example, the following authorization policy sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW”, but it is useful to be explicit in the policy.
It allows requests from:
- service account “cluster.local/ns/default/sa/sleep” or
- namespace “test”
to access the workload with:
- “GET” method at paths of prefix “/info” or,
- “POST” method at path “/data”.
when the request has a valid JWT token issued by “https://accounts.google.com”.
Any other requests will be denied.
The following is another example that sets the action to “DENY” to create a deny policy. It denies requests from the “dev” namespace to the “POST” method on all workloads in the “foo” namespace.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  # no selector: the policy applies to every workload in namespace foo
  action: DENY
  rules:
  - from:
    - source:
        namespaces: ["dev"]
    to:
    - operation:
        methods: ["POST"]
```
Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.
- “metadata/namespace” tells which namespace the policy applies to. If set to the root namespace, the policy applies to all namespaces in the mesh.
- workload “selector” can be used to further restrict where a policy applies.
For example, the following authorization policy applies to workloads containing label “app: httpbin” in namespace bar.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: bar
spec:
  selector:
    matchLabels:
      app: httpbin
```
The following authorization policy applies to all workloads in namespace foo.
The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh (assuming the root namespace is configured to “istio-config”).

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: istio-config
spec:
  selector:
    matchLabels:
      version: v1
```
AuthorizationPolicy enables access control on workloads.
For example, the following authorization policy denies all requests to workloads in namespace foo.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec:
  {}
```
The following authorization policy allows all requests to workloads in namespace foo.
Rule
Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched.
Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: “abc” will match on value “abc”.
- Prefix match: “abc*” will match on value “abc” and “abcd”.
- Suffix match: “*abc” will match on value “abc” and “xabc”.
- Presence match: “*” will match when value is not empty.
Field | Type | Description | Required |
---|---|---|---|
from | From[] | Optional. from specifies the source of a request. If not set, any source is allowed. | No |
to | To[] | Optional. to specifies the operation of a request. If not set, any operation is allowed. | No |
when | Condition[] | Optional. when specifies a list of additional conditions of a request. If not set, any condition is allowed. | No |
Source
Source specifies the source identities of a request. Fields in the source are ANDed together.
For example, the following source matches if the principal is “admin” or “dev” and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

```yaml
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
not_ipblocks: ["1.2.3.4"]
```
Operation
Operation specifies the operations of a request. Fields in the operation are ANDed together.
For example, the following operation matches if the host has suffix “.example.com” and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.
```yaml
hosts: ["*.example.com"]
not_paths: ["/admin*"]
```
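As an added example (not Istio's code), the evaluator below models in Python the four evaluation rules at the top of the page, the ALLOW and DENY example policies, and the string, source and operation match semantics of this section. It assumes the `source.*`, `request.*` and `destination.port` attribute names for the request, treats every `when` condition as required (as Istio does), and takes policies as plain dicts shaped like the YAML with selector scoping already resolved.

```python
# Added example (not Istio's code): a small model of the rule-matching and evaluation-order
# semantics described on this page; selector scoping is assumed already resolved.
SOURCE = {"principals": "source.principal", "namespaces": "source.namespace", "ipBlocks": "source.ip"}
OPERATION = {"hosts": "request.host", "methods": "request.method",
             "paths": "request.url_path", "ports": "destination.port"}

def match_string(pattern, value):
    """Exact, prefix ("abc*"), suffix ("*abc") and presence ("*") match."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value.endswith(pattern[1:]) if pattern.startswith("*") else pattern == value

def match_field(spec, key, value):
    """Values in a list are ORed; the matching notXxx list is a negative match."""
    positive, negative = spec.get(key), spec.get("not" + key[0].upper() + key[1:])
    if positive and not any(match_string(p, value) for p in positive):
        return False
    return not (negative and any(match_string(p, value) for p in negative))

def match_rule(rule, req):
    """Fields in one source/operation are ANDed; one source, one operation and every condition must match."""
    sources = [f["source"] for f in rule.get("from", [])] or [{}]
    ops = [t["operation"] for t in rule.get("to", [])] or [{}]
    return (any(all(match_field(s, k, req.get(a, "")) for k, a in SOURCE.items()) for s in sources)
            and any(all(match_field(o, k, req.get(a, "")) for k, a in OPERATION.items()) for o in ops)
            and all(match_field(c, "values", req.get(c["key"], "")) for c in rule.get("when", [])))

def evaluate(policies, req):
    """The four evaluation rules: DENY match first, no ALLOW policies, ALLOW match, else deny."""
    hit = {a: any(match_rule(r, req) for p in policies if p["action"] == a for r in p["rules"])
           for a in ("DENY", "ALLOW")}
    if hit["DENY"]:
        return "DENY"
    if not any(p["action"] == "ALLOW" for p in policies):
        return "ALLOW"
    return "ALLOW" if hit["ALLOW"] else "DENY"
# Constructed policies and request mirroring the ALLOW and DENY examples in the text.
ALLOW_POLICY = {"action": "ALLOW", "rules": [{
    "from": [{"source": {"principals": ["cluster.local/ns/default/sa/sleep"]}},
             {"source": {"namespaces": ["test"]}}],
    "to": [{"operation": {"methods": ["GET"], "paths": ["/info*"]}},
           {"operation": {"methods": ["POST"], "paths": ["/data"]}}],
    "when": [{"key": "request.auth.claims[iss]", "values": ["https://accounts.google.com"]}]}]}
DENY_POLICY = {"action": "DENY", "rules": [{
    "from": [{"source": {"namespaces": ["dev"]}}], "to": [{"operation": {"methods": ["POST"]}}]}]}
REQ = {"source.principal": "cluster.local/ns/default/sa/sleep", "source.namespace": "default",
       "request.method": "GET", "request.url_path": "/info/health",
       "request.auth.claims[iss]": "https://accounts.google.com"}
```

With both policies applied to one workload, `evaluate([ALLOW_POLICY, DENY_POLICY], REQ)` returns "ALLOW", while the same request from namespace "dev" with `POST /data` is denied before the allow rule is ever consulted.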
Field | Type | Description | Required |
---|---|---|---|
hosts | string[] | If not set, any host is allowed. Must be used only with HTTP. | No |
notHosts | string[] | Optional. A list of negative match of hosts. | No |
ports | string[] | Optional. A list of ports, which matches to the “destination.port” attribute. If not set, any port is allowed. | No |
notPorts | string[] | Optional. A list of negative match of ports. | No |
methods | string[] | Optional. A list of methods, which matches to the “request.method” attribute. For gRPC service, this will always be “POST”. If not set, any method is allowed. Must be used only with HTTP. | No |
notMethods | string[] | Optional. A list of negative match of methods. | No |
paths | string[] | Optional. A list of paths, which matches to the “request.url_path” attribute. For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”. If not set, any path is allowed. Must be used only with HTTP. | No |
notPaths | string[] | Optional. A list of negative match of paths. | No |
Condition
Condition specifies additional required attributes.
Rule.From
From includes a list of sources.
Field | Type | Description | Required |
---|---|---|---|
source | Source | Source specifies the source of a request. | No |
Rule.To
To includes a list of operations.
AuthorizationPolicy.Action
Action specifies the operation to take.
Name | Description |
---|---|
ALLOW | Allow a request only if it matches the rules. This is the default type. |