Authorization for HTTP services

This task covers the activities you might need to perform to set up Istio authorization, also known as Istio Role Based Access Control (RBAC), for HTTP services in an Istio mesh. You can read more in authorization and get started with a basic tutorial in Istio Security Basics.

Before you begin

The activities in this task assume that you:

  • Understand authorization concepts.

  • Have set up Istio on Kubernetes with authentication enabled by following the instructions in the quick start, this tutorial requires mutual TLS to work. Mutual TLS authentication should be enabled in the installation steps.

  • Deploy the Bookinfo sample application.

  • In this task, we will enable access control based on Service Accounts, which are cryptographically authenticated in the mesh. In order to give different microservices different access privileges, we will create some service accounts and redeploy Bookinfo microservices running under them.

    Run the following command to

    • Create service account bookinfo-productpage, and redeploy the service productpage with the service account.
    • Create service account bookinfo-reviews, and redeploy the services reviews (deployments reviews-v2 and reviews-v3) with the service account.
    $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)

If you are using a namespace other than default, use kubectl -n namespace ... to specify the namespace.

  • There is a major update to RBAC in Istio 1.0. Please make sure to remove any existing RBAC configuration before continuing.

    • Run the following commands to disable the old RBAC functionality, these are no longer needed in Istio 1.0:
    $ kubectl delete authorization requestcontext -n istio-system
    $ kubectl delete rbac handler -n istio-system
    $ kubectl delete rule rbaccheck -n istio-system
    • Run the following commands to remove any existing RBAC policies:

    You could keep existing policies but you will need to make some changes to the constraints and properties field in the policy, see constraints and properties for the list of supported keys in constraints and properties.

    $ kubectl delete servicerole --all
    $ kubectl delete servicerolebinding --all
  • Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:

    • The “Book Details” section in the lower left part of the page, including type, pages, publisher, etc.
    • The “Book Reviews” section in the lower right part of the page.

    If you refresh the page several times, you should see different versions of reviews shown in the product page, presented in a round robin style (red stars, black stars, no stars)

Authorization permissive mode

The authorization permissive mode is an experimental feature in Istio’s 1.1 release. Its interface can change in future releases. You can skip enabling the permissive mode and directly enable Istio authorization if you do not want to try out the permissive mode feature.

This section shows how to use authorization permissive mode in below two scenarios:

* In environment without authorization, test whether it's safe to enable authorization.
* In environment already with authorization enabled, test whether it's safe to add a new authorization policy.

Testing whether it’s safe to turn on authorization globally

This tasks show how to use authorization permissive mode to test whether it’s safe to turn on authorization globally.

Before you start, please make sure that you have finished preparation task.

  1. Set the global authorization configuration to permissive mode.

    Run the following command:

    kubectl apply -f - <<EOF
    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ClusterRbacConfig
    metadata:
      name: default
    spec:
      mode: 'ON_WITH_INCLUSION'
      inclusion:
        namespaces: ["default"]
      enforcement_mode: PERMISSIVE
    EOF

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage), you should see everything works fine, same as in preparation task.

  2. Apply YAML file for the permissive mode metric collection.

    Run the following command:

    $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
    logentry.config.istio.io/rbacsamplelog created
    stdio.config.istio.io/rbacsamplehandler created
    rule.config.istio.io/rabcsamplestdio created
  3. Send traffic to the sample application.

    For the Bookinfo sample, visit http://$GATEWAY_URL/productpage in your web browser or issue the following command:

    $ curl http://$GATEWAY_URL/productpage

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage), you should see everything works fine.

  4. Verify the logs stream has been created and check permissiveResponseCode.

    In a Kubernetes environment, search through the logs for the istio-telemetry pods as follows:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
    {"level":"warn","time":"2018-08-30T21:53:42.059444Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"9.158879ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
    {"level":"warn","time":"2018-08-30T21:53:41.037824Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"1.091670916s","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
    {"level":"warn","time":"2018-08-30T21:53:41.019851Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"1.112521495s","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}

    In telemetry logs above, the responseCode is 200 which is what user see now. The permissiveResponseCode is 403 which is what user will see after switching global authorization configuration from PERMISSIVE mode to ENFORCED mode, which indicates the global authorization configuration will work as expected after rolling to production.

  5. Before rolling out a new authorization policy in production, apply it in permissive mode. Note, when global authorization configuration is in permissive mode, all policies will be in permissive mode by default.

    Run the following command:

    $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
  6. Send traffic to the sample application again.

    For the Bookinfo sample, visit http://$GATEWAY_URL/productpage in your web browser or issue the following command:

    $ curl http://$GATEWAY_URL/productpage

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage), you should see everything works fine.

  7. Verify the logs and check permissiveResponseCode again.

    In a Kubernetes environment, search through the logs for the istio-telemetry pods as follows:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
    {"level":"warn","time":"2018-08-30T21:55:53.590430Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"4.415633ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
    {"level":"warn","time":"2018-08-30T21:55:53.565914Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"32.97524ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
    {"level":"warn","time":"2018-08-30T21:55:53.544441Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"57.800056ms","permissiveResponseCode":"200","permissiveResponsePolicyID":"productpage-viewer","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}

    In telemetry logs above, the responseCode is 200 which is what user see now. The permissiveResponseCode is 200 for productpage service, 403 for ratings and reviews services, which are what user will see after switching policy mode from PERMISSIVE mode to ENFORCED mode; the result aligns with step 1.

  8. Remove permissive mode related yaml files:

    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml@
    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
  9. Now we have verified authorization will work as expected when turning it on, it’s safe following below Enabling Istio authorization to turn on authorization.

Testing new authorization policy works as expected before rolling to production

This tasks shows how to use authorization permissive mode to test a new authorization policy works as expected in environment with authorization already enabled.

Before you start, please make sure that you have finished step 1.

  1. Before applying a new policy, test it by setting its mode to permissive:

    Run the following command:

    $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@

    The policy is the same as defined in allowing access to the details and reviews services, except PERMISSIVE mode is set in ServiceRoleBinding.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-details-reviews
      namespace: default
    spec:
      subjects:
      - user: "cluster.local/ns/default/sa/bookinfo-productpage"
      roleRef:
        kind: ServiceRole
        name: "details-reviews-viewer"
      mode: PERMISSIVE

    Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage), you should still see there are errors Error fetching product details and Error fetching product reviews on the page. These errors are expected because the policy is in PERMISSIVE mode.

  2. Apply YAML file for the permissive mode metric collection.

    Run the following command:

    $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
  3. Send traffic to the sample application.

    For the Bookinfo sample, visit http://$GATEWAY_URL/productpage in your web browser or issue the following command:

    $ curl http://$GATEWAY_URL/productpage
  4. Verify the logs and check permissiveResponseCode again.

    In a Kubernetes environment, search through the logs for the istio-telemetry pods as follows:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
    {"level":"warn","time":"2018-08-30T22:59:42.707093Z","instance":"rbacsamplelog.logentry.istio-system","destination":"details","latency":"423.381µs","permissiveResponseCode":"200","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
    {"level":"warn","time":"2018-08-30T22:59:42.763423Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"237.333µs","permissiveResponseCode":"200","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}

    In telemetry logs above, the responseCode is 403 for ratings and reviews services, which is what users see now. The permissiveResponseCode is 200 for ratings and reviews services, which is what users will see after switching policy mode from PERMISSIVE mode to ENFORCED mode; it indicates the new authorization policy will work as expected after rolling to production.

  5. Remove permissive mode related yaml files:

    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
  6. Now we have verified the new policy will work as expected, it’s safe following step 2 to apply the policy.

Enabling Istio authorization

Run the following command to enable Istio authorization for the default namespace:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see "RBAC: access denied". This is because Istio authorization is “deny by default”, which means that you need to explicitly define access control policy to grant access to any service.

There may be some delays due to caching and other propagation overhead.

Namespace-level access control

Using Istio authorization, you can easily setup namespace-level access control by specifying all (or a collection of) services in a namespace are accessible by services from another namespace.

In our Bookinfo sample, the productpage, reviews, details, ratings services are deployed in the default namespace. The Istio components like istio-ingressgateway service are deployed in the istio-system namespace. We can define a policy that any service in the default namespace that has the app label set to one of the values of productpage, details, reviews, or ratings is accessible by services in the same namespace (i.e., default) and services in the istio-system namespace.

Run the following command to create a namespace-level access control policy:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@

The policy does the following:

  • Creates a ServiceRole service-viewer which allows read access to any service in the default namespace that has the app label set to one of the values productpage, details, reviews, or ratings. Note that there is a constraint specifying that the services must have one of the listed app labels.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: service-viewer
      namespace: default
    spec:
      rules:
      - services: ["*"]
        methods: ["GET"]
        constraints:
        - key: "destination.labels[app]"
          values: ["productpage", "details", "reviews", "ratings"]
  • Creates a ServiceRoleBinding that assign the service-viewer role to all services in the istio-system and default namespaces.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-service-viewer
      namespace: default
    spec:
      subjects:
      - properties:
          source.namespace: "istio-system"
      - properties:
          source.namespace: "default"
      roleRef:
        kind: ServiceRole
        name: "service-viewer"

You can expect to see output similar to the following:

servicerole "service-viewer" created
servicerolebinding "bind-service-viewer" created

Now if you point your browser at Bookinfo’s productpage (http://$GATEWAY_URL/productpage). You should see the “Bookinfo Sample” page, with the “Book Details” section in the lower left part and the “Book Reviews” section in the lower right part.

There may be some delays due to caching and other propagation overhead.

Cleanup namespace-level access control

Remove the following configuration before you proceed to the next task:

$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@

Service-level access control

This task shows you how to set up service-level access control using Istio authorization. Before you start, please make sure that:

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see "RBAC: access denied". We will incrementally add access permission to the services in the Bookinfo sample.

Step 1. allowing access to the productpage service

In this step, we will create a policy that allows external requests to access the productpage service via Ingress.

Run the following command:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@

The policy does the following:

  • Creates a ServiceRole productpage-viewer which allows read access to the productpage service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: productpage-viewer
      namespace: default
    spec:
      rules:
      - services: ["productpage.default.svc.cluster.local"]
        methods: ["GET"]
  • Creates a ServiceRoleBinding bind-productpager-viewer which assigns the productpage-viewer role to all users and services.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-productpager-viewer
      namespace: default
    spec:
      subjects:
      - user: "*"
      roleRef:
        kind: ServiceRole
        name: "productpage-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page. But there are errors Error fetching product details and Error fetching product reviews on the page. These errors are expected because we have not granted the productpage service access to the details and reviews services. We will fix the errors in the following steps.

There may be some delays due to caching and other propagation overhead.

Step 2. allowing access to the details and reviews services

We will create a policy to allow the productpage service to access the details and reviews services. Note that in the setup step, we created the bookinfo-productpage service account for the productpage service. This bookinfo-productpage service account is the authenticated identify for the productpage service.

Run the following command:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@

The policy does the following:

  • Creates a ServiceRole details-reviews-viewer which allows access to the details and reviews services.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: details-reviews-viewer
      namespace: default
    spec:
      rules:
      - services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
        methods: ["GET"]
  • Creates a ServiceRoleBinding bind-details-reviews which assigns the details-reviews-viewer role to the cluster.local/ns/default/sa/bookinfo-productpage service account (representing the productpage service).

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-details-reviews
      namespace: default
    spec:
      subjects:
      - user: "cluster.local/ns/default/sa/bookinfo-productpage"
      roleRef:
        kind: ServiceRole
        name: "details-reviews-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “Bookinfo Sample” page with “Book Details” on the lower left part, and “Book Reviews” on the lower right part. However, in the “Book Reviews” section, there is an error Ratings service currently unavailable. This is because “reviews” service does not have permission to access “ratings” service. To fix this issue, you need to grant the reviews service access to the ratings service. We will show how to do that in the next step.

There may be some delays due to caching and other propagation overhead.

Step 3. allowing access to the ratings service

We will create a policy to allow the reviews service to access the ratings service. Note that in the setup step, we created a bookinfo-reviews service account for the reviews service. This service account is the authenticated identify for the reviews service.

Run the following command to create a policy that allows the reviews service to access the ratings service.

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@

The policy does the following:

  • Creates a ServiceRole ratings-viewer\ which allows access to the ratings service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRole
    metadata:
      name: ratings-viewer
      namespace: default
    spec:
      rules:
      - services: ["ratings.default.svc.cluster.local"]
        methods: ["GET"]
  • Creates a ServiceRoleBinding bind-ratings which assigns ratings-viewer role to the cluster.local/ns/default/sa/bookinfo-reviews service account, which represents the reviews service.

    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ServiceRoleBinding
    metadata:
      name: bind-ratings
      namespace: default
    spec:
      subjects:
      - user: "cluster.local/ns/default/sa/bookinfo-reviews"
      roleRef:
        kind: ServiceRole
        name: "ratings-viewer"

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). Now you should see the “black” and “red” ratings in the “Book Reviews” section.

There may be some delays due to caching and other propagation overhead.

Cleanup

  • Remove Istio authorization policy configuration:

    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@

    Alternatively, you can delete all ServiceRole and ServiceRoleBinding resources by running the following commands:

    $ kubectl delete servicerole --all
    $ kubectl delete servicerolebinding --all
  • Disable Istio authorization:

    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@

See also

Describes Istio's authorization and authentication functionality.

Shows how to set up role-based access control for TCP services.

Describe Istio's authorization feature and how to use it in various use cases.

Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.

Demonstrates how to debug authorization.

Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.