Alibaba Cloud Service Mesh:ASM security policies overview

Last Updated:Mar 11, 2026

Microservices in a service mesh require fine-grained access control and identity verification. Implementing these capabilities with Istio native security resources typically involves configuring multiple interdependent resources with abstract, low-level fields.

Service Mesh (ASM) security policies solve this by bundling the required Istio native security resources for common scenarios into a single configuration unit.

How ASM security policies work

Each ASM security policy encapsulates one or more Istio native security resources. When you create a policy, ASM generates the corresponding Istio resources and applies them to the mesh. This abstraction reduces configuration complexity. You can view the generated Istio resources, learn about security concepts, and then customize more complex security capabilities.

Authentication

Authentication policies verify the identity of users or services before granting access. ASM provides two authentication policies:

OpenID Connect (OIDC) single sign-on

OpenID Connect (OIDC) is a protocol for identity authentication and authorization, commonly used to implement single sign-on (SSO). ASM enables OIDC SSO for specific services through an ingress gateway, so users authenticate once and access multiple services without repeated logins.

For setup instructions, see Configure an ASM security policy to implement OIDC SSO.

JSON Web Token (JWT) authentication

JSON Web Tokens (JWTs) are commonly used to authenticate users. ASM enables JWT authentication for specific requests to access workloads.

For setup instructions, see Configure an ASM security policy to implement JWT authentication.
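To show what "interdependent Istio resources" means in practice, the following is an added example, not from the ASM documentation or console, of the two Istio native resources that a JWT authentication policy corresponds to. The issuer URL, JWKS URL, namespace and the app: httpbin selector are placeholders.

```yaml
# Resource 1: validate JWTs presented to the selected workload.
# On its own, a RequestAuthentication only rejects requests that carry an
# INVALID token; requests with no token at all are still let through.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt            # placeholder name
  namespace: default           # placeholder namespace
spec:
  selector:
    matchLabels:
      app: httpbin             # placeholder workload label
  jwtRules:
    - issuer: "https://issuer.example.com"                       # placeholder
      jwksUri: "https://issuer.example.com/.well-known/jwks.json" # placeholder
---
# Resource 2: make a valid token mandatory. requestPrincipals is populated
# only when Resource 1 validated a token, so requests without one are denied.
# Without this second resource the first one does not enforce authentication.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt    # placeholder name
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
    - from:
        - source:
            # <issuer>/<subject>; the wildcard accepts any subject from this issuer
            requestPrincipals: ["https://issuer.example.com/*"]
```

When checking the resources that ASM generates for a JWT policy, confirm that both kinds are present; a RequestAuthentication with no matching AuthorizationPolicy is a common cause of silently unauthenticated traffic.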

Authorization

Authorization policies control which requests are allowed or denied after identity is verified. ASM provides two authorization policies:

Blacklist and whitelist access control

Blacklists and whitelists let you deny or allow specific requests to access applications. ASM security policies support access control for both:

  • East-west traffic -- service-to-service communication within the mesh.

  • North-south traffic -- requests entering or leaving the mesh through an ingress or egress gateway.

For setup instructions, see Configure an ASM security policy to implement blacklist/whitelist access control.

Custom authorization

For authorization logic that goes beyond built-in policies, ASM can forward incoming requests to a custom authorization service that you specify. The custom authorization service evaluates the requests and returns an allow or deny decision. This approach lets you:

  • Implement authorization logic tailored to your business requirements.

  • Centralize authorization decisions to reduce development and maintenance costs and improve development efficiency.

For setup instructions, see Configure an ASM security policy to implement custom authorization.

Security policy quick reference

Category         Policy                   Use case                                                         Related topic
Authentication   OIDC SSO                 Enable single sign-on for services behind an ingress gateway     Configure OIDC SSO
Authentication   JWT authentication       Require token-based identity verification for workload requests  Configure JWT authentication
Authorization    Blacklist and whitelist  Deny or allow specific requests to access applications           Configure blacklist/whitelist access control
Authorization    Custom authorization     Delegate authorization decisions to an external service          Configure custom authorization