
Alibaba Cloud Service Mesh:Configure authorization policies for the application

Last Updated:Jul 21, 2025

After you enable Ambient mode for ASM, you can protect application access with Layer 4 or Layer 7 authorization policies that allow or deny traffic based on the ServiceAccount identity of the calling workload. This topic describes how to configure Layer 4 and Layer 7 authorization policies for the Bookinfo application.

Prerequisites

Deploy the Bookinfo sample application and enable Ambient mode so that traffic between workloads is encrypted with mTLS.

Preparations

Before beginning the configuration steps in this article, deploy the Sleep application in the default namespace of your cluster as an additional client. The manifest creates a dedicated ServiceAccount named sleep, which gives the workload the identity cluster.local/ns/default/sa/sleep that the policies below refer to.

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
    service: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      terminationGracePeriodSeconds: 0
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: registry.cn-hangzhou.aliyuncs.com/acs/curl:8.1.2
        command: ["/bin/sleep", "infinity"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
EOF

Configure a Layer 4 authorization policy

The Layer 4 proxy, ztunnel, is written in Rust and handles Layer 3 and Layer 4 functions: mTLS, workload identity, Layer 4 authorization, and Layer 4 telemetry. It runs as a DaemonSet, so all pods on a node share one ztunnel instance, and all traffic entering or leaving those pods passes through it. Because ztunnel does not parse HTTP, a policy it enforces can only use Layer 4 attributes such as the source principal, source namespace, IP address, and destination port; restrictions on HTTP methods or paths require a waypoint, as described in the next section.

  1. Configure an ALLOW authorization policy for pods with the app: productpage label that admits only clients presenting the istio-ingressgateway ServiceAccount identity. Once an ALLOW policy selects the workload, every source it does not list is denied.

    kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1
    kind: AuthorizationPolicy
    metadata:
      name: productpage-ztunnel
      namespace: default
    spec:
      selector:
        matchLabels:
          app: productpage
      action: ALLOW
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/istio-system/sa/istio-ingressgateway
    EOF
  2. Access the Bookinfo application in your browser at http://{IP address of the ingress gateway}/productpage. The page loads normally, because the ingress gateway's identity is allowed by the policy.

  3. Access the Bookinfo application through the Sleep application.

    kubectl exec deployment/sleep -- curl -s "http://productpage:9080/productpage" -I

    Expected results:

    command terminated with exit code 56

    The access is denied. curl exit code 56 (CURLE_RECV_ERROR, failure receiving network data) means the connection was closed by the destination ztunnel before any HTTP response arrived. Because the policy is enforced at Layer 4, there is no HTTP 403 status code to observe.

Configure a Layer 7 authorization policy

Layer 7 authorization policies are enforced by a waypoint proxy. Deploy a waypoint and then label the namespace with istio.io/use-waypoint=waypoint so that all traffic addressed to Services in the namespace passes through the waypoint.

  1. Deploy Waypoint.

    kubectl apply -f - <<EOF
    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: waypoint
    spec:
      gatewayClassName: istio-waypoint
      listeners:
      - name: mesh
        port: 15008
        protocol: HBONE
    EOF
  2. Check the status of the waypoint until PROGRAMMED is True.

    kubectl get gtw

    Expected results:

    NAME       CLASS            ADDRESS        PROGRAMMED   AGE
    waypoint   istio-waypoint   172.16.99.15   True         2m29s
  3. Add a label to the namespace.

    kubectl label namespace default istio.io/use-waypoint=waypoint --overwrite
  4. Configure an authorization policy that allows the Sleep application to access the productpage application only with the GET method.

    1. Create a Layer 7 authorization policy.

      kubectl apply -f - <<EOF
      apiVersion: security.istio.io/v1
      kind: AuthorizationPolicy
      metadata:
        name: productpage-waypoint
        namespace: default
      spec:
        targetRefs:
        - kind: Service
          group: ""
          name: productpage
        action: ALLOW
        rules:
        - from:
          - source:
              principals:
              - cluster.local/ns/default/sa/sleep
          to:
          - operation:
              methods: ["GET"]
      EOF
      Note

      A Layer 7 policy is bound to a Service with targetRefs instead of selecting workloads by label; the waypoint enforces it for traffic addressed to that Service. The from clause mirrors the ztunnel policy, and the added to clause restricts the allowed HTTP methods.

    2. Update the Layer 4 authorization policy to also allow the waypoint's identity. With the waypoint in place, the productpage pods no longer see the original client: the waypoint opens a new mTLS connection to them with its own ServiceAccount (waypoint, in the default namespace), so the ztunnel policy must admit cluster.local/ns/default/sa/waypoint or requests forwarded by the waypoint are dropped. From this point, the per-client check for traffic through the waypoint is delegated to the Layer 7 policy, so keep that policy as strict as the Layer 4 one was.

      kubectl apply -f - <<EOF
      apiVersion: security.istio.io/v1
      kind: AuthorizationPolicy
      metadata:
        name: productpage-ztunnel
        namespace: default
      spec:
        selector:
          matchLabels:
            app: productpage
        action: ALLOW
        rules:
        - from:
          - source:
              principals:
              - cluster.local/ns/istio-system/sa/istio-ingressgateway
              - cluster.local/ns/default/sa/waypoint
      EOF
  5. Verify the authorization policy.

    1. Access the Bookinfo application from the Sleep application using a non-GET method.

      kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE

      Expected results:

      RBAC: access denied
    2. Access the Bookinfo application from the reviews-v1 service.

      kubectl exec deploy/reviews-v1 -- curl -s http://productpage:9080/productpage

      Expected results:

      RBAC: access denied
    3. Access the Bookinfo application from the Sleep application using the GET method.

      kubectl exec deploy/sleep -- curl -s http://productpage:9080/productpage | grep -o "<title>.*</title>"

      Expected results:

      <title>Simple Bookstore App</title>

    The results match the policy configuration: the GET request from Sleep succeeds, while the DELETE request and the request from reviews-v1 are rejected with RBAC: access denied, so the policies are working as intended.
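The following Python program is an added example and is not code from this page, from Istio, or from ASM. It models how the two enforcement points described in the Layer 4 and Layer 7 sections above evaluate the page's policies: the waypoint applies the targetRefs policy at Layer 7, and the destination ztunnel then applies the selector policy at Layer 4 against the waypoint's identity. The two AuthorizationPolicy objects are transcribed as plain dicts (constructed input), and the ServiceAccount name bookinfo-reviews for reviews-v1 is an assumption taken from the standard Bookinfo manifest, not from this page. Besides the page's own checks, it exercises the state between steps 4.1 and 4.2, where the waypoint is in place but the Layer 4 policy has not yet been updated, to show why that update is required.

```python
"""Two-hop model of ambient-mode authorization for the Bookinfo productpage.

Added example, not Istio or ASM code. Evaluation follows Istio's documented
ALLOW semantics per enforcement point: if no ALLOW policy applies to the
workload, every request passes; otherwise a request passes only if at least
one rule matches. DENY and CUSTOM actions are omitted (the page uses none).
"""

# SPIFFE-style principals. The reviews ServiceAccount name is an assumption
# from the standard Bookinfo manifest; the page does not state it.
INGRESS = "cluster.local/ns/istio-system/sa/istio-ingressgateway"
SLEEP = "cluster.local/ns/default/sa/sleep"
WAYPOINT = "cluster.local/ns/default/sa/waypoint"
REVIEWS = "cluster.local/ns/default/sa/bookinfo-reviews"

# Rule attributes that need HTTP parsing; only a waypoint can evaluate them.
L7_OPERATION_KEYS = {"methods", "notMethods", "paths", "notPaths", "hosts", "notHosts"}
L7_SOURCE_KEYS = {"requestPrincipals", "notRequestPrincipals"}

# productpage-ztunnel as first applied (workload selector, enforced by ztunnel).
L4_POLICY_V1 = {
    "selector": {"app": "productpage"},
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": [INGRESS]}}]}],
}
# productpage-ztunnel after step 4.2: the waypoint's identity is also allowed.
L4_POLICY_V2 = {
    "selector": {"app": "productpage"},
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": [INGRESS, WAYPOINT]}}]}],
}
# productpage-waypoint (targetRefs, enforced by the waypoint for the Service).
L7_POLICY = {
    "targetRefs": [{"kind": "Service", "name": "productpage"}],
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": [SLEEP]}}],
               "to": [{"operation": {"methods": ["GET"]}}]}],
}


def uses_layer7_attributes(policy):
    """True if any rule needs HTTP fields, i.e. must be enforced by a waypoint."""
    for rule in policy["rules"]:
        if any(L7_SOURCE_KEYS & f["source"].keys() for f in rule.get("from", [])):
            return True
        if any(L7_OPERATION_KEYS & t["operation"].keys() for t in rule.get("to", [])):
            return True
    return False


def rule_matches(rule, layer, principal, method):
    """Evaluate one rule; every clause present (from, to) must match."""
    froms = rule.get("from", [])
    if froms and not any(principal in f["source"].get("principals", []) for f in froms):
        return False
    tos = rule.get("to", [])
    if tos:
        if layer == 4:
            # ztunnel never sees HTTP, so an HTTP clause can never match
            # (fail closed rather than silently allowing).
            return False
        if not any(method in t["operation"].get("methods", []) for t in tos):
            return False
    return True


def allowed_at(policies, layer, principal, method):
    """ALLOW semantics at one enforcement point. `policies` are assumed to be
    already filtered to those that apply to productpage."""
    if not policies:
        return True
    return any(rule_matches(r, layer, principal, method)
               for p in policies if p["action"] == "ALLOW" for r in p["rules"])


def decide(l4_policies, l7_policies, client, method, via_waypoint):
    """Outcome of one request from `client` to productpage: 'ALLOW',
    'DENY_L7' (waypoint answers HTTP 403 'RBAC: access denied') or
    'DENY_L4' (destination ztunnel closes the connection; curl exit 56)."""
    hop_principal = client
    if via_waypoint:
        if not allowed_at(l7_policies, 7, client, method):
            return "DENY_L7"
        # The waypoint opens its own mTLS connection to the pod, so the
        # destination ztunnel sees the waypoint's identity, not the client's.
        hop_principal = WAYPOINT
    if not allowed_at(l4_policies, 4, hop_principal, method):
        return "DENY_L4"
    return "ALLOW"


def walkthrough():
    """The page's states as scenario -> outcome, plus the skipped-step case."""
    return {
        # Layer 4 only: requests reach the pod's ztunnel directly.
        "l4-only ingress GET": decide([L4_POLICY_V1], [], INGRESS, "GET", False),
        "l4-only sleep GET": decide([L4_POLICY_V1], [], SLEEP, "GET", False),
        # Waypoint deployed but step 4.2 skipped: Layer 7 passes, then ztunnel
        # rejects the waypoint's identity, so even the permitted GET is cut off.
        "stale-l4 sleep GET": decide([L4_POLICY_V1], [L7_POLICY], SLEEP, "GET", True),
        # Both policies as the page leaves them.
        "final sleep GET": decide([L4_POLICY_V2], [L7_POLICY], SLEEP, "GET", True),
        "final sleep DELETE": decide([L4_POLICY_V2], [L7_POLICY], SLEEP, "DELETE", True),
        "final reviews GET": decide([L4_POLICY_V2], [L7_POLICY], REVIEWS, "GET", True),
    }


if __name__ == "__main__":
    for name, outcome in walkthrough().items():
        print(f"{name:22} {outcome}")
```

uses_layer7_attributes is a quick pre-flight check for a selector-based policy: if it returns True for a policy that selects workloads rather than targeting a Service, the policy needs a waypoint to be enforced as written.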