By default, services can access each other across namespaces in a Kubernetes cluster. For example, services that are deployed to a namespace in a development environment can access services in a production environment. The zero-trust security system of Alibaba Cloud Service Mesh (ASM) allows you to dynamically configure authorization policies to prevent all services in one namespace from accessing services in another namespace. This helps reduce risks. This topic describes how to use an authorization policy to control service access across namespaces. The demo-frontend and demo-server namespaces are used in the example.

Prerequisites

The ACK cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.

Step 1: Enable automatic sidecar injection

You can enable automatic sidecar injection for a namespace so that you can authorize and manage services in the namespace.

  1. Create a namespace named demo-frontend and a namespace named demo-server.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose ASM Instance > Global Namespace in the left-side navigation pane. On the Global Namespace page, click Create.
    5. In the Create Namespace panel, enter demo-frontend in the Name field, and then click OK.
    6. Repeat the preceding steps to create a namespace named demo-server.
  2. Enable automatic sidecar injection for the demo-frontend and demo-server namespaces.
    1. On the Global Namespace page, find the demo-frontend namespace and click Enable Automatic Sidecar Injection in the Automatic Sidecar Injection column.
    2. In the Submit message, click OK.
    3. Repeat the preceding steps to enable automatic sidecar injection for the demo-server namespace.

Step 2: Create test services

Create a service named sleep in the demo-frontend namespace and a service named httpbin in the demo-server namespace. The sleep service is used to send requests to access the httpbin service.

  1. Connect to a Container Service for Kubernetes (ACK) cluster by using kubectl.
  2. Create a service named sleep in the demo-frontend namespace.
    1. Create a sleep.yaml file that contains the following content:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
          service: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            terminationGracePeriodSeconds: 0
            serviceAccountName: sleep
            containers:
            - name: sleep
              image: curlimages/curl
              command: ["/bin/sleep", "3650d"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: sleep-secret
                optional: true
      ---
    2. Run the following command to create the sleep service:
      kubectl apply -f sleep.yaml -n demo-frontend
  3. Create a service named httpbin in the demo-server namespace.
    1. Create an httpbin.yaml file that contains the following content:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: httpbin
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: httpbin
        labels:
          app: httpbin
          service: httpbin
      spec:
        ports:
        - name: http
          port: 8000
          targetPort: 80
        selector:
          app: httpbin
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: httpbin
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: httpbin
            version: v1
        template:
          metadata:
            labels:
              app: httpbin
              version: v1
          spec:
            serviceAccountName: httpbin
            containers:
            - image: docker.io/kennethreitz/httpbin
              imagePullPolicy: IfNotPresent
              name: httpbin
              ports:
              - containerPort: 80
    2. Run the following command to create the httpbin service:
      kubectl apply -f httpbin.yaml -n demo-server
  4. Verify that a sidecar proxy is injected into the sleep and httpbin services.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Pods.
    5. On the Pods page, click the pod name of the sleep service.
      On the Container tab, a sidecar proxy named istio-proxy is displayed. This indicates that a sidecar proxy is injected into the sleep service.
    6. Repeat the preceding steps to verify that a sidecar proxy is injected into the httpbin service.

Step 3: Create peer authentication policies

A peer authentication policy enforces mutual Transport Layer Security (mTLS) for the workloads in a namespace. The namespace-based source matching that the authorization policy in Step 4 relies on is evaluated from the workload identity carried in the client's mTLS certificate, so mTLS must be enforced in both namespaces before the authorization policy can take effect.

  1. Log on to the ASM console.
  2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
  4. On the details page of the ASM instance, choose Zero Trust Security > PeerAuthentication in the left-side navigation pane.
  5. On the PeerAuthentication page, click Create mTLS Mode.
  6. Select demo-frontend from the Namespace drop-down list, enter a name in the Name field, select STRICT - Strictly Enforce mTLS from the mTLS Mode (Namespace-wide) drop-down list, and then click Create.
  7. Repeat the preceding steps to create a peer authentication policy for the demo-server namespace to enable mutual Transport Layer Security (mTLS) authentication.
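The namespace-wide STRICT mode that the console configures in this step corresponds to an Istio PeerAuthentication resource. The following manifest is an added example, not a configuration taken from this page or from Alibaba Cloud; it assumes that your ASM instance accepts standard Istio security.istio.io resources, and the policy name mtls-strict is an arbitrary choice.

```yaml
# Added example: namespace-wide STRICT mTLS for demo-frontend and demo-server.
# Assumes the ASM instance accepts standard Istio security.istio.io resources.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-strict          # name is an assumption; any name works
  namespace: demo-frontend
spec:
  # No selector: the policy applies to every workload in the namespace.
  mtls:
    mode: STRICT             # plaintext connections are rejected; only mTLS is accepted
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mtls-strict
  namespace: demo-server
spec:
  mtls:
    mode: STRICT
```

STRICT mode matters for Step 4 because the sidecar derives the caller's namespace from the SPIFFE identity in the client certificate (spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>). Over plaintext there is no peer identity, so a rule keyed on the source namespace would simply not match. You can confirm that the policies exist with kubectl get peerauthentication -n demo-frontend and kubectl get peerauthentication -n demo-server.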

Step 4: Verify that an authorization policy can be used to control service access across namespaces

You can create an authorization policy and modify the action parameter in the authorization policy to deny or allow access requests from services in the demo-frontend namespace to services in the demo-server namespace. This way, you can control service access across namespaces.

  1. Create an authorization policy to deny access requests from the demo-frontend namespace to the demo-server namespace.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose Zero Trust Security > AuthorizationPolicy in the left-side navigation pane. On the AuthorizationPolicy page, click Create.
    5. On the Create page, set the parameters that are described in the following table and click Create.
      Parameter       Description
      Namespace       The namespace to which the authorization policy belongs. In this example, demo-server is selected.
      Name            The name of the authorization policy.
      Policies        The policy type. In this example, RULES is selected.
      Action          The action to take on requests that match the rules. In this example, DENY is selected.
      Request Source  Specifies whether to match requests by their source. Turn on Request Source, click Add Request Source to List, and then click Add Request Source. Then, select namespaces from the Request Source Domain drop-down list and set the Value parameter to demo-frontend.
  2. Access the httpbin service.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Workloads > Pods.
    5. On the Pods page, find the pod name of the sleep service and click Terminal in the Actions column. Then, click Container: sleep.
    6. Run the following command on the terminal of the sleep container to access the httpbin service:
      curl -I httpbin.demo-server.svc.cluster.local:8000
      Expected output:
      HTTP/1.1 403 Forbidden
      The preceding output indicates that the sidecar rejected the request to the httpbin service. Services in the demo-frontend namespace can no longer access services in the demo-server namespace.
  3. Change the value of the action parameter in the authorization policy to ALLOW to allow access requests from the demo-frontend namespace to the demo-server namespace.
    1. Log on to the ASM console.
    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.
    3. On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM instance or click Manage in the Actions column.
    4. On the details page of the ASM instance, choose Zero Trust Security > AuthorizationPolicy in the left-side navigation pane.
    5. On the AuthorizationPolicy page, find the authorization policy that you want to manage and click YAML in the Actions column.
    6. In the Edit panel, change the value of the action parameter to ALLOW, and then click OK.
  4. Run the following command on the terminal of the sleep container to access the httpbin service:
    curl -I httpbin.demo-server.svc.cluster.local:8000
    Expected output:
    HTTP/1.1 200 OK
    The preceding output indicates that access requests to the httpbin service are successful. Services in the demo-frontend namespace can access services in the demo-server namespace.

    To sum up, if you specify the DENY action in the authorization policy, services in the demo-frontend namespace fail to access services in the demo-server namespace. If you specify the ALLOW action in the authorization policy, services in the demo-frontend namespace can access services in the demo-server namespace. The test results indicate that an authorization policy can be used to control service access across namespaces.
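The DENY policy created through the console in Step 4 is equivalent to the following Istio AuthorizationPolicy. This manifest is an added example and is not taken from this page or from Alibaba Cloud; it assumes that your ASM instance accepts standard Istio security.istio.io resources, and the policy name deny-from-demo-frontend is an arbitrary choice.

```yaml
# Added example: the DENY policy from Step 4 expressed as an Istio AuthorizationPolicy.
# Assumes the ASM instance accepts standard Istio security.istio.io resources.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-from-demo-frontend   # name is an assumption
  namespace: demo-server          # the namespace being protected
spec:
  # No selector: the policy applies to every workload in demo-server.
  action: DENY                    # change to ALLOW to reproduce the second half of Step 4
  rules:
  - from:
    - source:
        # Matched against the namespace in the caller's mTLS identity,
        # which is why the STRICT peer authentication from Step 3 is required.
        namespaces: ["demo-frontend"]
```

Two points to keep in mind when you flip the action to ALLOW. First, an ALLOW policy does more than lift the block: once any ALLOW policy selects a workload, requests that match none of its rules are rejected, so this policy in ALLOW mode admits traffic from demo-frontend and denies every other source that previously reached demo-server. Second, the sidecar evaluates DENY policies before ALLOW policies, so a separate DENY policy on the same workloads still wins over this ALLOW rule. You can inspect the policy that the console stored with kubectl get authorizationpolicy -n demo-server -o yaml.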