
Alibaba Cloud Service Mesh:Manage access to external services using authorization policies

Last Updated:Dec 03, 2025

In Service Mesh, you use AuthorizationPolicy resources to configure authorization. In Ambient mode, you can enable Layer 4 and Layer 7 authorization for your applications. This topic describes how to use authorization policies to restrict access to external services from services inside a cluster.

Prerequisites

Before you begin, make sure that you understand the following:

  • Authorization Policy

  • In Ambient mode, you can configure Layer 4 authorization, such as restricting client identities and ports, without enabling Waypoint. However, to use Layer 7 authorization capabilities, which are based on attributes such as request paths and methods, you must enable Waypoint for the specified service. For more information, see Configure authorization policies for an application.

Before you proceed, make sure that you have completed the steps in Manage access to external services from clients within a cluster to access aliyun.com using Waypoint.

Deploy a test application

Deploy the not-sleep application so that the cluster contains a second client, running under its own service account, that authorization policies can distinguish from the sleep application.

  1. Create a file named nosleep.yaml.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: not-sleep
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: not-sleep
      labels:
        app: not-sleep
        service: not-sleep
    spec:
      ports:
      - port: 80
        name: http
      selector:
        app: not-sleep
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: not-sleep
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: not-sleep
      template:
        metadata:
          labels:
            app: not-sleep
        spec:
          terminationGracePeriodSeconds: 0
          serviceAccountName: not-sleep
          containers:
          - name: not-sleep
            image: registry-cn-hangzhou.ack.aliyuncs.com/ack-demo/curl:asm-sleep
            command: ["/bin/sleep", "infinity"]
            imagePullPolicy: IfNotPresent
            volumeMounts:
            - mountPath: /etc/sleep/tls
              name: secret-volume
          volumes:
          - name: secret-volume
            secret:
              secretName: sleep-secret
              optional: true
    ---
  2. Deploy the not-sleep application.

    kubectl apply -f nosleep.yaml

Scenario 1: Allow only GET requests to access the external service

  1. Create an authorization policy.

    kubectl -n istio-egress apply -f - <<EOF
    apiVersion: security.istio.io/v1
    kind: AuthorizationPolicy
    metadata:
      name: aliyun-policy
    spec:
      targetRefs:
      - group: networking.istio.io
        kind: ServiceEntry
        name: external-svc-aliyun
      action: ALLOW
      rules:
      - to:
        - operation:
            methods: ["GET"]
    EOF
  2. Verify the access configuration.

    1. Access the service using the GET method.

      kubectl exec deployment/sleep -- curl aliyun.com -s

      Expected output:

      HTTP/1.1 301 Moved Permanently
      server: envoy
      date: Mon, 18 Aug 2025 09:36:30 GMT
      content-type: text/html
      content-length: 239
      location: https://aliyun.com/
      eagleeye-traceid: 0be3e0ac17555097903637743e684e
      timing-allow-origin: *
      x-envoy-upstream-service-time: 27
    2. Access the service using the DELETE method.

      kubectl exec deployment/sleep -- curl aliyun.com -XDELETE -s -v

      Expected output:

      * Host aliyun.com:80 was resolved.
      * IPv6: 2001:2::7
      * IPv4: 240.xxx.xxx.7
      *   Trying 240.xxx.xxx.7:80...
      * Connected to aliyun.com (240.xxx.xxx.7) port 80
      > DELETE / HTTP/1.1
      > Host: aliyun.com
      > User-Agent: curl/8.8.0
      > Accept: */*
      > 
      * Request completely sent off
      < HTTP/1.1 403 Forbidden
      < content-length: 19
      < content-type: text/plain
      < date: Wed, 20 Aug 2025 08:10:58 GMT
      < server: istio-envoy
      < 
      { [19 bytes data]
      * Connection #0 to host aliyun.com left intact
      RBAC: access denied

      The output shows that a GET request returns a 301 status code, while a DELETE request returns a 403 status code. This indicates that the authorization policy is enforced.

Scenario 2: Allow only the sleep application to access the external service over HTTPS

  1. Create an authorization policy. It uses the same name and namespace as the policy in Scenario 1, so applying it replaces that policy rather than adding a second one.

    kubectl -n istio-egress apply -f - <<EOF
    apiVersion: security.istio.io/v1
    kind: AuthorizationPolicy
    metadata:
      name: aliyun-policy
    spec:
      targetRefs:
      - group: networking.istio.io
        kind: ServiceEntry
        name: external-svc-aliyun
      action: ALLOW
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/default/sa/sleep
    EOF
  2. Verify the access configuration.

    1. Access the service from the sleep application.

      kubectl exec deployment/sleep -- curl https://aliyun.com -s

      Expected output:

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html>
      <head><title>301 Moved Permanently</title></head>
      <body bgcolor="white">
      <h1>301 Moved Permanently</h1>
      <p>The requested resource has been assigned a new permanent URI.</p>
      <hr/>Powered by Tengine</body>
      </html>
    2. Access the service from the not-sleep application.

      kubectl exec deployment/not-sleep -- curl https://aliyun.com -s

      Expected output:

      command terminated with exit code 35

      curl exit code 35 indicates an SSL connect error: because the request is HTTPS, the policy is enforced on the source identity alone, and the connection from the not-sleep identity is closed before the TLS handshake completes, while the request from the sleep identity succeeds.
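The matching semantics behind both scenarios, as an added Python model that is not part of the original page: it re-creates the two policies above as dicts, adds a hypothetical third policy that puts `from` and `to` in a single rule, and shows that separate ALLOW policies are ORed while a Layer 7 field such as `methods` can never match an HTTPS request the waypoint only sees as TLS bytes. The principal `cluster.local/ns/default/sa/not-sleep` is an assumption (the page does not state the namespace of not-sleep).

```python
# Minimal model of how Istio evaluates ALLOW AuthorizationPolicy rules, mirroring the two
# policies on this page (Scenario 1: GET only; Scenario 2: sleep identity only).
# Constructed example; it does not talk to a cluster and omits DENY/CUSTOM actions.
from dataclasses import dataclass
from typing import Optional

SLEEP = "cluster.local/ns/default/sa/sleep"
NOT_SLEEP = "cluster.local/ns/default/sa/not-sleep"  # assumed: not-sleep runs in default

@dataclass
class Request:
    principal: str         # SPIFFE identity of the calling workload
    method: Optional[str]  # None when the waypoint cannot see Layer 7 (HTTPS passthrough)

# The page's two policies, as Python dicts.
GET_ONLY = {"action": "ALLOW", "rules": [
    {"to": [{"operation": {"methods": ["GET"]}}]}]}
SLEEP_ONLY = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"principals": [SLEEP]}}]}]}
# Hypothetical combination: from AND to in ONE rule, so both conditions must hold.
SLEEP_GET_ONLY = {"action": "ALLOW", "rules": [
    {"from": [{"source": {"principals": [SLEEP]}}],
     "to": [{"operation": {"methods": ["GET"]}}]}]}

def source_matches(source: dict, req: Request) -> bool:
    principals = source.get("principals")
    return not principals or req.principal in principals

def operation_matches(operation: dict, req: Request) -> bool:
    methods = operation.get("methods")
    if not methods:
        return True
    # A Layer 7 field can never match a connection the mesh only sees as TLS bytes.
    return req.method is not None and req.method in methods

def rule_matches(rule: dict, req: Request) -> bool:
    # Inside a rule, from/to are ANDed; the entries within each list are ORed.
    froms, tos = rule.get("from", []), rule.get("to", [])
    from_ok = not froms or any(source_matches(f["source"], req) for f in froms)
    to_ok = not tos or any(operation_matches(t["operation"], req) for t in tos)
    return from_ok and to_ok

def is_allowed(policies: list, req: Request) -> bool:
    """No ALLOW policy on the target: allow everything; otherwise some rule must match."""
    allow = [p for p in policies if p["action"] == "ALLOW"]
    if not allow:
        return True
    # Separate ALLOW policies are ORed: any single matching rule admits the request.
    return any(rule_matches(r, req) for p in allow for r in p["rules"])
```

`is_allowed([GET_ONLY, SLEEP_ONLY], Request(NOT_SLEEP, "GET"))` returns True, which is why two separately named policies would not give the combined restriction; `SLEEP_GET_ONLY` does, but only for plaintext HTTP that the waypoint can inspect.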