The configuration model of authentication and authorization in Ambient Mesh mode is different from that in the original Sidecar mode due to the separation between Layer 4 and Layer 7. This topic describes how to use Layer 7 authorization policies in Service Mesh (ASM) instances of v1.18.
Prerequisites
An ingress gateway and related applications are deployed, and basic features are verified. For more information, see Prerequisites and Step 1 in Getting started.
Limits
The following limits are applicable to authorization policies in a waypoint proxy:
The action field cannot be set to CUSTOM. This means that a waypoint proxy does not support custom authorization services.
ipBlocks is not supported in the source field.
If a waypoint proxy is deployed, a corresponding ztunnel allows all requests from the waypoint proxy to pass through. In this case, authorization policies must be bound to the waypoint proxy.
Preparations
Run the following command to deploy a waypoint proxy for the productpage service:
istioctl x waypoint apply --service-account bookinfo-productpage
Run the following command to view the pod of the waypoint proxy:
kubectl get pod --show-labels | grep waypoint
Expected output:
bookinfo-productpage-istio-waypoint-6c579dd48d-l**** 1/1 Running 0 91s gateway.istio.io/managed=istio.io-mesh-controller,istio.io/gateway-name=bookinfo-productpage,pod-template-hash=6c579dd48d,service.istio.io/canonical-name=bookinfo-productpage-istio-waypoint,service.istio.io/canonical-revision=latest,sidecar.istio.io/inject=false
Example 1: If a waypoint proxy is deployed for the productpage service, the authorization policy on ztunnels does not take effect.
If a waypoint proxy is deployed for the productpage service, the corresponding ztunnels allow all traffic from the waypoint proxy of the productpage service to pass through. In this case, if an authorization policy is applied to a ztunnel (an application pod is selected by the selector of the authorization policy), the authorization policy does not take effect.
Use the following content to create a productpage-viewer.yaml file.
The following authorization policy applies to the corresponding ztunnel and prohibits access to port 9080 of the productpage service.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: DENY
  rules:
  - to:
    - operation:
        ports:
        - "9080"
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
command terminated with exit code 56
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
The preceding tests and the tests in Example 2: Prohibit access to port 9080 of the productpage service in the "Layer 4 authentication and authorization" topic (no waypoint proxy is deployed) use the same authorization policy. However, all accesses to port 9080 of the productpage service were successful in the preceding tests.
The preceding results show that after you deploy a waypoint proxy, all authorization policies on the ztunnel become invalid. You must change the selector field to apply the authorization policy to the waypoint proxy for the productpage service.
Change the productpage-viewer.yaml file to the following content, in which only the selector field is changed, and then run the kubectl apply -f productpage-viewer.yaml command to deploy the authorization policy.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - to:
    - operation:
        ports:
        - "9080"
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s "http://$GATEWAY_HOST/productpage"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/
Expected output:
RBAC: access denied%
The error message returned here is RBAC: access denied, which is different from that in Example 2: Prohibit access to port 9080 of the productpage service in the "Layer 4 authentication and authorization" topic. This error is actually returned by the waypoint proxy of the productpage service. When the waypoint proxy finds that access to port 9080 is refused, it returns an HTTP RBAC error with the HTTP 403 status code.
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
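The Limits section and Example 1 both come down to where a policy's selector binds. The following POSIX shell helper is an added example, not from the ASM documentation: it audits a policy manifest before it is applied, flags a ztunnel-bound policy that an existing waypoint proxy would bypass, and flags the CUSTOM action and source.ipBlocks that a waypoint-bound policy does not support. The manifests and the list of workloads that already have a waypoint are constructed for the example; in a cluster, derive that list from the waypoint pods shown under Preparations.

```shell
#!/bin/sh
# Added audit helper (not part of the ASM docs). Reads an AuthorizationPolicy
# manifest on stdin and prints a verdict: "waypoint" with any unsupported
# feature appended, or "ztunnel" with ":bypassed-by-waypoint" appended.
# $1: constructed space-separated list of workloads (app=<name>) that already
# have a waypoint proxy, for example "app=productpage".
audit_policy() {
  waypointed="$1"
  manifest=$(cat)
  if printf '%s\n' "$manifest" | grep -q 'istio.io/gateway-name:'; then
    # Selector binds to the waypoint: check the two limits the page lists.
    verdict="waypoint"
    if printf '%s\n' "$manifest" | grep -q 'action: *CUSTOM'; then
      verdict="$verdict:unsupported-custom-action"
    fi
    if printf '%s\n' "$manifest" | grep -q '^ *ipBlocks:'; then
      verdict="$verdict:unsupported-ipBlocks"
    fi
  else
    # Selector binds to application pods, so the ztunnel enforces it. Once a
    # waypoint fronts that workload, the ztunnel passes the waypoint's traffic
    # and this policy never takes effect (Example 1).
    verdict="ztunnel"
    app=$(printf '%s\n' "$manifest" | sed -n 's/^ *app: *//p' | head -n 1)
    for w in $waypointed; do
      if [ "$w" = "app=$app" ]; then verdict="$verdict:bypassed-by-waypoint"; fi
    done
  fi
  printf '%s\n' "$verdict"
}
# Constructed manifest fragments mirroring the two selectors in Example 1.
ztunnel_policy='spec:
  selector:
    matchLabels:
      app: productpage
  action: DENY'
waypoint_ipblocks_policy='spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - from:
    - source:
        ipBlocks:
        - "10.0.0.1"'
printf '%s\n' "$ztunnel_policy" | audit_policy "app=productpage"
printf '%s\n' "$waypoint_ipblocks_policy" | audit_policy "app=productpage"
```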
Example 2: Prohibit the IP address of the sleep pod from accessing the productpage service directly or indirectly through the gateway
Currently, authorization policies configured on a waypoint proxy do not support the ipBlocks field and support only the remoteIpBlocks field. Therefore, you can use only the remoteIpBlocks field to match requests that pass through the gateway.
Create a productpage-viewer.yaml file with the following content to prohibit the sleep pod from accessing the productpage service through the gateway:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - from:
    - source:
        remoteIpBlocks:
        - "${sleep Pod IP}"
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ -I
Expected output:
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Fri, 19 Jul 2024 08:17:08 GMT
server: istio-envoy
The expected output indicates that the sleep pod cannot access the productpage service, either directly or through the gateway.
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
Example 3: Prohibit access to the productpage service from the pods in the istio-system namespace
Use the following content to create a productpage-viewer.yaml file that prohibits the pods in the istio-system namespace from accessing the productpage service:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - from:
    - source:
        namespaces:
        - istio-system
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s "http://$GATEWAY_HOST/productpage"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
Run the following command to perform an access test:
kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o "<title>.*</title>"
Expected output:
<title>Simple Bookstore App</title>
The expected output indicates that neither the sleep application nor the notsleep application can access the productpage service through the gateway, but both can access the productpage service directly. This is because the gateway is in the istio-system namespace.
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
Example 4: Prohibit requests whose host is test.com from accessing port 9080 of the productpage service
Port 9080 of the productpage service is exposed for access. In this example configuration, requests whose host field is test.com are not allowed to access port 9080 of the productpage service, and other requests are allowed to access this port.
Use the following content to create a productpage-viewer.yaml file:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - to:
    - operation:
        hosts: ["test.com"]
        ports: ["9080"]
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://$GATEWAY_HOST/productpage -H "Host: test.com"
Expected output:
RBAC: access denied%
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://$GATEWAY_HOST/productpage -H "Host: test1.com" -I
Expected output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5290
server: istio-envoy
date: Tue, 15 Aug 2023 03:39:29 GMT
x-envoy-upstream-service-time: 18
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer
Example 5: Prohibit the HEAD method from accessing the /productpage path
Use the following content to create a productpage-viewer.yaml file:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      istio.io/gateway-name: bookinfo-productpage
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["HEAD"]
        paths: ["/productpage"]
Use kubectl to connect to the ASM instance based on the information in the kubeconfig file, and then run the following command to create the authorization policy:
kubectl apply -f productpage-viewer.yaml
Verify whether the authorization policy takes effect.
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://$GATEWAY_HOST/productpage -I
Expected output:
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Tue, 15 Aug 2023 03:59:37 GMT
server: istio-envoy
x-envoy-upstream-service-time: 0
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://$GATEWAY_HOST/productpage -XGET -I
Expected output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5290
server: istio-envoy
date: Tue, 15 Aug 2023 03:39:29 GMT
x-envoy-upstream-service-time: 18
Run the following command to perform an access test:
kubectl exec deploy/sleep -- curl -s http://$GATEWAY_HOST/api/v1/products -I
Expected output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5290
server: istio-envoy
date: Tue, 15 Aug 2023 03:39:29 GMT
x-envoy-upstream-service-time: 18
Run the following command to remove the authorization policy:
kubectl delete authorizationpolicy productpage-viewer