Authorization policies enable access control on workloads in Alibaba Cloud Service
Mesh (ASM) instances. This topic shows you how to use authorization policies to enable
access control.
Step 1: Deploy a sample application in the ACK cluster
- Enable automatic sidecar injection for the default namespace. For more information,
see Enable automatic sidecar injection.
- Connect to the ACK cluster by using kubectl. For more information, see Connect to ACK clusters by using kubectl.
- Use the following content to create a YAML file that is named httpbin.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
  labels:
    app: httpbin
    service: httpbin
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
      version: v1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80
- Run the following command to create the httpbin application:
kubectl apply -f httpbin.yaml
- Run the following command to check whether the pod of the httpbin application runs
as expected:
kubectl get pod | grep httpbin
Expected output:
httpbin-66cdbdb6c5-vhsh6 2/2 Running 0 11s
Step 2: Preserve the source IP address of the client that sends requests
Note You can use either of the following methods to preserve the source IP address of the client that sends requests:
- Set the externalTrafficPolicy parameter to Local to preserve the source IP address, and use the ipBlocks parameter to create an authorization policy. We recommend that you use this method.
- Use the X-Forwarded-For HTTP header or the PROXY protocol to preserve the source IP address, and use the remoteIpBlocks parameter to create an authorization policy.
- Log on to the ASM console.
- In the left-side navigation pane, choose Mesh Management.
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, click ASM Gateways in the left-side navigation pane.
- Find the ingress gateway that is named ingressgateway and click YAML in the Actions column.
- In the Edit panel, enter externalTrafficPolicy: Local and click OK.
- Run the following command to enable role-based access control (RBAC) debugging for
the ingress gateway:
kubectl exec -it -n istio-system <istio-ingressgateway pod name> -- curl -X POST "localhost:15000/logging?rbac=debug"
- Run the following command in the ACK cluster to query the IP address of the client:
CLIENT_IP=$(kubectl get pods -n istio-system -o name -l istio=ingressgateway | sed 's|pod/||' | while read -r pod; do kubectl logs "$pod" -n istio-system | grep remoteIP; done | tail -1 | awk -F, '{print $3}' | awk -F: '{print $2}' | sed 's/ //') && echo "$CLIENT_IP"
Step 3: Configure a routing rule in the ASM instance
Configure an ingress gateway and a virtual service to allow all requests to access
the httpbin application.
- Log on to the ASM console.
- In the left-side navigation pane, choose Mesh Management.
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- Create an ingress gateway.
- On the details page of the ASM instance, open the Gateway page from the left-side navigation pane and click Create from YAML.
- On the Create page, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
- Create a virtual service.
- On the details page of the ASM instance, open the VirtualService page from the left-side navigation pane and click Create from YAML.
- On the Create page, select default from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - "*"
  gateways:
  - httpbin-gateway
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 8000
- Run the following command to check whether the httpbin application is accessible:
curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"
Note For more information about how to query the IP address of the ingress gateway, see
Define Istio resources.
Expected output:
200
A return value of 200 indicates that the httpbin application is accessible.
Step 4: Configure an authorization policy
Configure an authorization policy to allow specified IP addresses to access the httpbin application
- Log on to the ASM console.
- In the left-side navigation pane, choose Mesh Management.
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, open the AuthorizationPolicy page from the left-side navigation pane and click Create from YAML.
- On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["1.2.3.4", "5.6.7.0/24"]
Set the action parameter to ALLOW and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24"]. These settings specify that only the IP address 1.2.3.4 and the IP addresses in the 5.6.7.0/24 block can access the httpbin application.
- Run the following command to check whether the IP address of the client can access
the httpbin application:
curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"
Expected output:
403
A return value of 403 indicates that the client fails to access the httpbin application.
This means that IP addresses other than 1.2.3.4 and those in the 5.6.7.0/24 block cannot access the httpbin application.
Configure an authorization policy to allow the client to access the httpbin application
- Log on to the ASM console.
- In the left-side navigation pane, choose Mesh Management.
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, open the AuthorizationPolicy page from the left-side navigation pane and click Create from YAML.
- On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
Set the action parameter to ALLOW and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"], where $CLIENT_IP is the client IP address that you queried in Step 2. These settings specify that only 1.2.3.4, the IP addresses in the 5.6.7.0/24 block, and the IP address of the client can access the httpbin application.
- Run the following command to check whether the IP address of the client can access
the httpbin application:
curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"
Expected output:
200
A return value of 200 indicates that the client can access the httpbin application.
Configure an authorization policy to deny access to the httpbin application from specified IP addresses
- Log on to the ASM console.
- In the left-side navigation pane, choose Mesh Management.
- On the Mesh Management page, find the ASM instance that you want to configure. Click the name of the ASM
instance or click Manage in the Actions column.
- On the details page of the ASM instance, open the AuthorizationPolicy page from the left-side navigation pane and click Create from YAML.
- On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks: ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"]
Set the action parameter to DENY and the ipBlocks parameter to ["1.2.3.4", "5.6.7.0/24", "$CLIENT_IP"], where $CLIENT_IP is the client IP address that you queried in Step 2. These settings specify that 1.2.3.4, the IP addresses in the 5.6.7.0/24 block, and the IP address of the client cannot access the httpbin application.
- Run the following command to check whether the IP address of the client can access
the httpbin application:
curl "<IP address of the ingress gateway>:<Port number of the ingress gateway>"/headers -s -o /dev/null -w "%{http_code}\n"
Expected output:
403
A return value of 403 indicates that the client fails to access the httpbin application.
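How the ingress gateway decides on a request once these policies are in place, as an added Python model that is not ASM's or Istio's code. It covers the ipBlocks and remoteIpBlocks methods from Step 2 and the three ALLOW and DENY policies from Step 4, and it generalizes to several policies at once by following Istio's documented evaluation order (a matching DENY wins; then, if any ALLOW policies exist, at least one must match). The client address 203.0.113.10, the node address 10.0.0.5, and the trusted-proxy handling are constructed or simplified assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Policy:
    """The parts of an AuthorizationPolicy used here; all policies are assumed
    to select the ingress gateway, as the policies on this page do."""
    action: str                                                # "ALLOW" or "DENY"
    ip_blocks: List[str] = field(default_factory=list)         # source.ipBlocks
    remote_ip_blocks: List[str] = field(default_factory=list)  # source.remoteIpBlocks

@dataclass
class Request:
    conn_src_ip: str                       # peer address of the TCP connection
    x_forwarded_for: Optional[str] = None  # XFF header, if a front proxy set one

def _in_blocks(ip: str, blocks: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b, strict=False) for b in blocks)

def remote_ip(req: Request, num_trusted_proxies: int = 0) -> str:
    """Address that remoteIpBlocks is matched against: with N trusted proxies
    configured, the Nth address from the right of X-Forwarded-For; otherwise
    the connection address (simplified model of the gateway topology setting)."""
    hops = [h.strip() for h in (req.x_forwarded_for or "").split(",") if h.strip()]
    if num_trusted_proxies > 0 and len(hops) >= num_trusted_proxies:
        return hops[-num_trusted_proxies]
    return req.conn_src_ip

def matches(policy: Policy, req: Request, num_trusted_proxies: int = 0) -> bool:
    """A rule matches when every field it sets matches; an unset field is a wildcard."""
    if policy.ip_blocks and not _in_blocks(req.conn_src_ip, policy.ip_blocks):
        return False
    if policy.remote_ip_blocks and not _in_blocks(
            remote_ip(req, num_trusted_proxies), policy.remote_ip_blocks):
        return False
    return True

def authorize(policies: List[Policy], req: Request, num_trusted_proxies: int = 0) -> int:
    """HTTP status the gateway returns: 403 if any DENY policy matches,
    403 if ALLOW policies exist and none matches, otherwise 200."""
    if any(p.action == "DENY" and matches(p, req, num_trusted_proxies) for p in policies):
        return 403
    allows = [p for p in policies if p.action == "ALLOW"]
    if allows and not any(matches(p, req, num_trusted_proxies) for p in allows):
        return 403
    return 200
```

The last two checks in the test show why Step 2 matters: when the Service is not set to externalTrafficPolicy: Local, the gateway sees a node address on the connection and an ipBlocks rule for the real client never matches, whereas a remoteIpBlocks rule with a trusted proxy count still does.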