Authorization policies enable access control on workloads in Alibaba Cloud Service Mesh (ASM) instances. This topic shows you how to use authorization policies to enable access control.

Prerequisites

Step 1: Deploy a sample application in the ACK cluster

  1. Enable automatic sidecar injection for the default namespace. For more information, see Enable automatic sidecar injection.
  2. Use kubectl to connect to the ACK cluster. For more information, see Connect to ACK clusters by using kubectl.
  3. Use the following content to create a YAML file that is named httpbin.yaml:
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: httpbin
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: httpbin
      labels:
        app: httpbin
        service: httpbin
    spec:
      ports:
      - name: http
        port: 8000
        targetPort: 80
      selector:
        app: httpbin
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: httpbin
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: httpbin
          version: v1
      template:
        metadata:
          labels:
            app: httpbin
            version: v1
        spec:
          serviceAccountName: httpbin
          containers:
          - image: docker.io/kennethreitz/httpbin
            imagePullPolicy: IfNotPresent
            name: httpbin
            ports:
            - containerPort: 80
  4. Run the following command to create the httpbin application:
    kubectl apply -f httpbin.yaml
  5. Run the following command to check whether the pod of the httpbin application runs as expected:
    kubectl get pod | grep httpbin

    The following output is expected:

    httpbin-66cdbdb6c5-vhsh6          2/2     Running   0          11s

Step 2: Preserve the source IP address of the client that sends requests

Note You can use either of the following methods to preserve the source IP address of the client that sends requests:
  • Set the externalTrafficPolicy parameter of the ingress gateway service to Local, so that the node does not rewrite the source address of the connection, and match the client address with the ipBlocks parameter of the authorization policy. ipBlocks is compared with the address of the TCP peer that connects to the gateway, so this method only works if nothing between the client and the gateway terminates the connection. We recommend that you use this method.
  • Use the X-Forwarded-For HTTP header or the PROXY protocol to carry the original client address, and match it with the remoteIpBlocks parameter. In this case the gateway must be configured to trust only the proxies that sit in front of it (the number of trusted hops, numTrustedProxies), because a client can otherwise send a forged X-Forwarded-For header and bypass the policy.
  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, click ASM Gateways in the left-side navigation pane.
  5. Find the ingress gateway that is named ingressgateway and click YAML in the Actions column.
  6. In the Edit panel, set externalTrafficPolicy: Local in the spec of the gateway service and click OK.
  7. Run the following command to set the rbac logger of the Envoy proxy in the ingress gateway to the debug level. Each authorization decision, together with the source address of the request, is then written to the gateway log:
    kubectl exec -it -n istio-system <istio-ingressgateway pod name> -- curl -X POST "localhost:15000/logging?rbac=debug"

    Debug logging is verbose. When you have finished, reset the logger by sending the same request with rbac=warning.
  8. Run the following command in the ACK cluster to query the IP address of the client. The command reads the most recent checking request line from the rbac debug log of the ingress gateway and takes the address from its directRemoteIP field (the third comma-separated field), which is the TCP peer the gateway accepted the connection from:
    CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway \
      | sed 's|pod/||' \
      | while read -r pod; do kubectl logs "$pod" -n istio-system | grep remoteIP; done \
      | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"

    Note The gateway writes these lines only when it evaluates a request against an authorization policy. If $CLIENT_IP is empty, send a request from the client through the gateway after an authorization policy selects the gateway (for example, after the first policy in Step 4 is created) and run the command again.
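The following script is an added example written for this topic; it is not part of the ASM documentation or of Istio. It shows what the rbac debug lines enabled in step 7 look like and extracts the client address from them in a less fragile way than the field-counting pipeline above. The log text is constructed for the example (timestamps, addresses and the denied decision are made up), and the kubectl invocation at the end is shown only as a comment because it needs cluster access.

```shell
#!/bin/sh
# Added example (not ASM or Istio code): parse the rbac debug lines that
# Step 2 enables, to recover the client address the gateway actually saw.

# Constructed sample of what the ingress gateway log contains after
# logging?rbac=debug, in the format Envoy's RBAC filter uses. Timestamps,
# addresses and the denied decision are made up for this example.
SAMPLE_GATEWAY_LOG='2024-01-01T00:00:00.000000Z debug envoy rbac checking request: requestedServerName: , sourceIP: 198.51.100.7:51234, directRemoteIP: 198.51.100.7:51234, remoteIP: 198.51.100.7:51234, localAddress: 10.0.0.5:8080, ssl: none, headers: ...
2024-01-01T00:00:00.000100Z debug envoy rbac enforced denied, matched policy none
2024-01-01T00:00:01.000000Z debug envoy rbac checking request: requestedServerName: , sourceIP: 203.0.113.10:40000, directRemoteIP: 203.0.113.10:40000, remoteIP: 203.0.113.10:40000, localAddress: 10.0.0.5:8080, ssl: none, headers: ...
2024-01-01T00:00:01.000100Z debug envoy rbac enforced denied, matched policy none'

# Print the address part of directRemoteIP from the most recent
# "checking request" line on stdin (prints nothing if there is none).
# directRemoteIP is the TCP peer Envoy accepted the connection from; it is
# the real client only while externalTrafficPolicy: Local keeps that address
# intact, which is why the page matches it with ipBlocks, not remoteIpBlocks.
client_ip_from_rbac_log() {
  grep 'directRemoteIP:' | tail -n 1 |
    sed -n 's/.*directRemoteIP: \([0-9.]*\):[0-9]*,.*/\1/p'
}

# Print "allowed" or "denied" from the most recent enforcement line on stdin.
last_rbac_decision() {
  grep 'enforced ' | tail -n 1 |
    sed -n 's/.*enforced \([a-z]*\), matched policy.*/\1/p'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_GATEWAY_LOG" | client_ip_from_rbac_log   # 203.0.113.10
printf '%s\n' "$SAMPLE_GATEWAY_LOG" | last_rbac_decision        # denied

# Against a live cluster (needs kubectl access; not run here):
#   kubectl logs -n istio-system -l istio=ingressgateway --tail=500 \
#     | client_ip_from_rbac_log
```

Matching on the directRemoteIP label instead of on field positions keeps the extraction correct if Envoy adds or reorders fields, and the decision helper lets you confirm from the same log that a 403 really came from the authorization policy rather than from the application.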

Step 3: Configure a routing rule in the ASM instance

Configure an ingress gateway and a virtual service to allow all requests to access the httpbin application.

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. Create an ingress gateway.
    1. On the details page of the ASM instance, choose Traffic Management > Gateway in the left-side navigation pane. On the Gateway page, click Create.
    2. In the Create panel, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click OK.
      apiVersion: networking.istio.io/v1alpha3
      kind: Gateway
      metadata:
        name: httpbin-gateway
      spec:
        selector:
          istio: ingressgateway
        servers:
        - port:
            number: 80
            name: http
            protocol: HTTP
          hosts:
          - "*"
  5. Create a virtual service.
    1. On the details page of the ASM instance, choose Traffic Management > VirtualService in the left-side navigation pane. On the VirtualService page, click Create.
    2. In the Create panel, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click OK.
      apiVersion: networking.istio.io/v1alpha3
      kind: VirtualService
      metadata:
        name: httpbin
      spec:
        hosts:
        - "*"
        gateways:
        - httpbin-gateway
        http:
        - route:
          - destination:
              host: httpbin
              port:
                number: 8000
  6. Run the following command to check whether the httpbin application is accessible:
    curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"
    Note For more information about how to query the IP address of the ingress gateway, see Define Istio resources.

    The following output is expected:

    200

    A return value of 200 indicates that the httpbin application is accessible.

Step 4: Configure an authorization policy

Configure an authorization policy to allow specified IP addresses to access the httpbin application

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, choose Security > AuthorizationPolicy in the left-side navigation pane. On the AuthorizationPolicy page, click Create.
  5. In the Create panel, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click OK.
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: ALLOW
      rules:
      - from:
        - source:
            ipBlocks: ["1.2.3.4", "5.6.7.0/24"]

    Set the action parameter to ALLOW and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24"]. Once an ALLOW policy selects the ingress gateway, the gateway denies every request that does not match one of the policy's rules, so only the 1.2.3.4 IP address and IP addresses in the 5.6.7.0/24 block can reach the httpbin application through the gateway. ipBlocks is matched against the address of the TCP peer that connected to the gateway, which is the client only because externalTrafficPolicy is set to Local in Step 2.

  6. Run the following command to check whether the IP address of the client can access the httpbin application:
    curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"

    The following output is expected:

    403

    A return value of 403 indicates that the gateway rejected the request from the client. The ALLOW policy now selects the ingress gateway and the IP address of the client matches none of its rules, so the request is denied; the same applies to every address other than 1.2.3.4 and the 5.6.7.0/24 block.

Configure an authorization policy to allow the client to access the httpbin application

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, choose Security > AuthorizationPolicy in the left-side navigation pane. On the AuthorizationPolicy page, click Create.
  5. In the Create panel, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click OK. Because an authorization policy that is named ingress-policy already exists in the istio-system namespace from the previous section, apply this content as an update to that policy instead of creating a second policy with the same name.
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: ALLOW
      rules:
      - from:
        - source:
            ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]

    Set the action parameter to ALLOW and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]. The console does not expand shell variables, so replace $CLIENT_IP with the literal address that Step 2 printed. The settings specify that only 1.2.3.4, IP addresses in the 5.6.7.0/24 block, and the IP address of the client can access the httpbin application.

  6. Run the following command to check whether the IP address of the client can access the httpbin application:
    curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"

    The following output is expected:

    200

    A return value of 200 indicates that the client can access the httpbin application.

Configure an authorization policy to deny access to the httpbin application from specified IP addresses

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column of the ASM instance.
  4. On the details page of the ASM instance, choose Security > AuthorizationPolicy in the left-side navigation pane. On the AuthorizationPolicy page, click Create.
  5. In the Create panel, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click OK. As in the previous section, apply this content as an update to the existing ingress-policy in the istio-system namespace; the only change is that action is switched from ALLOW to DENY.
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: ingress-policy
      namespace: istio-system
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      action: DENY
      rules:
      - from:
        - source:
            ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]

    Set the action parameter to DENY and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"], again replacing $CLIENT_IP with the literal address from Step 2. The settings specify that 1.2.3.4, IP addresses in the 5.6.7.0/24 block, and the IP address of the client cannot access the httpbin application. A DENY policy is evaluated before any ALLOW policy and rejects only the requests it matches; because no ALLOW policy selects the gateway after this change, requests from all other addresses are allowed.

  6. Run the following command to check whether the IP address of the client can access the httpbin application:
    curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"

    The following output is expected:

    403

    A return value of 403 indicates that the request from the client is denied. Requests from addresses that are not listed in the DENY rule still return 200, so use a DENY policy to block known sources and an ALLOW policy when the gateway must accept traffic only from a known set of addresses.
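The following script is an added example written for this topic; it is not ASM or Istio code. It models how the three policies in Step 4 are evaluated, following the order Istio applies to a workload: DENY policies first, then allow if no ALLOW policy is attached, otherwise require a match on an ALLOW rule. It assumes IPv4 addresses only and that the address being compared is the TCP peer address, which is what ipBlocks sees once externalTrafficPolicy: Local preserves the client IP. The client address 203.0.113.10 stands in for the value of $CLIENT_IP and is constructed for the example.

```shell
#!/bin/sh
# Added example (not ASM or Istio code): a model of how ipBlocks in ALLOW and
# DENY AuthorizationPolicies decide a request. IPv4 only; the compared address
# is the TCP peer, as ipBlocks sees it with externalTrafficPolicy: Local.

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_block IP BLOCK: succeeds if IP lies in BLOCK, which is either a single
# address ("1.2.3.4") or a CIDR range ("5.6.7.0/24"), the two forms ipBlocks takes.
in_block() {
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# authz_decision IP "ALLOW_BLOCKS" "DENY_BLOCKS": prints ALLOW or DENY.
# Evaluation order for a workload: a matching DENY rule denies; if no ALLOW
# policy is attached (empty ALLOW_BLOCKS) the request is allowed; otherwise
# it must match an ALLOW rule or it is denied.
authz_decision() {
  ip=$1; allow=$2; deny=$3
  for b in $deny; do
    if in_block "$ip" "$b"; then echo DENY; return 0; fi
  done
  if [ -z "$allow" ]; then echo ALLOW; return 0; fi
  for b in $allow; do
    if in_block "$ip" "$b"; then echo ALLOW; return 0; fi
  done
  echo DENY
  return 0
}

# Walk through the page's three policies with a constructed client address.
CLIENT=203.0.113.10                 # stands in for the $CLIENT_IP found in Step 2
PAGE_BLOCKS="1.2.3.4 5.6.7.0/24"
printf 'ALLOW policy, client not listed:    %s\n' "$(authz_decision "$CLIENT" "$PAGE_BLOCKS" "")"
printf 'ALLOW policy, client added:         %s\n' "$(authz_decision "$CLIENT" "$PAGE_BLOCKS $CLIENT" "")"
printf 'DENY policy, client listed:         %s\n' "$(authz_decision "$CLIENT" "" "$PAGE_BLOCKS $CLIENT")"
printf 'DENY policy, unlisted 198.51.100.7: %s\n' "$(authz_decision 198.51.100.7 "" "$PAGE_BLOCKS $CLIENT")"
```

The first three calls reproduce the 403, 200 and 403 results of Step 4. The last call is the case the page does not exercise: with only a DENY policy attached, an address that appears in no rule is allowed, which is the reason an allowlist for the gateway must be written as an ALLOW policy rather than as a DENY policy listing everyone else.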