When you need to customize an access control policy based on your business requirements, you can configure a Service Mesh (ASM) security policy to implement custom authorization. That is, requests are forwarded to a custom authorization service that you specify. The custom authorization service authenticates the requests. This way, you can implement complex authentication logic, reduce development and maintenance costs, and improve development efficiency.
Prerequisites
Procedure
- Log on to the ASM console. In the left-side navigation pane, choose .
- On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
- On the ASMSecurityPolicy page, click Create. In the Create ASMSecurityPolicy dialog box, click Custom Authorization Service, and then click OK.
- On the Create Custom Authorization Service page, in the Custom Authorization Service Configuration wizard, select the Custom authorization service (HTTP or gRPC protocol) implemented based on envoy.ext_authz tab. Then, configure the parameters and click Next.
This example uses the following configurations. For more information about the parameters, see Connect to a custom authorization service that uses HTTP.
ASM security policy name: for example, test.
Protocol: HTTP or gRPC.
Service address: for example, ext-authz.default.svc.cluster.local.
Service port: for example, 8000.
Timeout: for example, 10 seconds.
Allow requests when authorization service is unavailable and Use custom error code when authorization service is unavailable: optional switches.
Include request headers in check (includeRequestHeadersInCheck): enable the switch and add the required headers to the list below, such as cookie, authorization, x-forwarded-access-token, x-forwarded-user, x-forwarded-email, x-forwarded-proto, proxy-authorization, user-agent, x-forwarded-host, from, x-forwarded-for, accept, and the custom header x-ext-authz.
Override headers on allow (headersToUpstreamOnAllow): enable the switch and add the headers you want to override, such as authorization, cookie, path, x-auth-request-access-token, x-forwarded-access-token, and x-ext-authz-check-result.
Override headers on deny (headersToDownstreamOnDeny): enable the switch and add the headers you want to override, such as content-type, set-cookie, and x-ext-authz-check-result.
The x-ext-authz-check-result header is a custom header and must be added to both the allow and deny lists.
- In the Workload and Match Rules wizard, click Add Workload Group. In the New Workload Group dialog box, configure the parameters and click Submit.
The following table describes how to configure the parameters in this example.
Parameter | Description
Workload Group Name | Set the name to test-policy.
Workload List | 1. Click Add Workload. 2. In the Add Workload dialog box, select Workload Scope. Set Namespaces to default and Workload Type to Service. 3. In the Select workloads area, select productpage, click the icon to move it to the selected area, and then click OK.
Match Rule List | Set Match Mode to The selected request must be authenticated. Select Custom Matching Rules for Matching Rules. Then, enable the Path switch and set the path to /productpage.
After the policy is created, the "ASM security policy created successfully" message appears in the Complete step of the wizard. You can click View YAML to view the YAML file of the created resource, or click Complete to return to the ASMSecurityPolicy page and view the new policy.
- Check whether the custom authorization configuration takes effect.
Run the following command to initiate a request with the x-ext-authz: allow header to access the productpage service:
curl -I -H "x-ext-authz: allow" http://${IP address of the ingress gateway}/productpage
Expected output:
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5288
server: istio-envoy
date: Tue, 17 Jan 2023 07:53:14 GMT
x-envoy-upstream-service-time: 20
The output indicates that custom authorization is triggered and the authentication is successful.
Run the following command to initiate a request with the x-ext-authz: deny header to access the productpage service:
curl -I -H "x-ext-authz: deny" http://${IP address of the ingress gateway}/productpage
Expected output:
HTTP/1.1 403 Forbidden
x-ext-authz-check-result: denied
date: Tue, 17 Jan 2023 07:55:27 GMT
server: istio-envoy
x-envoy-upstream-service-time: 2
transfer-encoding: chunked
The output indicates that custom authorization is triggered but the authentication fails.
The preceding results indicate that the custom authorization configuration takes effect.
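The wizard step above points the policy at a service (ext-authz.default.svc.cluster.local, port 8000) that the page does not show, and the check step above exercises it through the x-ext-authz header. The following is an added example of a minimal HTTP ext_authz endpoint that produces exactly those two outcomes; it is written for this page and is not ASM, Istio or Envoy project code. It assumes Envoy's HTTP ext_authz contract: the proxy forwards the request headers listed under includeRequestHeadersInCheck, a 200 response allows the request (response headers named in headersToUpstreamOnAllow are passed upstream), and any other status is returned to the client together with the response headers named in headersToDownstreamOnDeny. The function names (authorize, probe, run_local_check), the handler class and the port 8000 default are assumptions of this example. The decision fails closed: a missing, empty or unrecognized x-ext-authz value is denied, not allowed.

```python
# Added example: a minimal HTTP ext_authz service of the kind the ASM wizard
# points at (ext-authz.default.svc.cluster.local:8000). Not ASM/Istio code.
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Tuple

DECISION_HEADER = "x-ext-authz"             # custom header listed under includeRequestHeadersInCheck
RESULT_HEADER = "x-ext-authz-check-result"  # custom header on both the allow and the deny list


def authorize(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, response headers, body) for one check request.

    Assumed Envoy HTTP ext_authz contract: 200 allows the request and headers in
    headersToUpstreamOnAllow travel upstream; any other status goes back to the
    client with the headers in headersToDownstreamOnDeny. Header names are
    case-insensitive, so normalize before looking them up. Fail closed: only an
    explicit "allow" is accepted.
    """
    normalized = {name.lower(): value for name, value in request_headers.items()}
    decision = normalized.get(DECISION_HEADER, "").strip().lower()
    if decision == "allow":
        return 200, {RESULT_HEADER: "allowed"}, b""
    body = b"denied by ext-authz\n"
    return 403, {RESULT_HEADER: "denied", "content-type": "text/plain"}, body


class ExtAuthzHandler(BaseHTTPRequestHandler):
    """Answers every method the same way; Envoy forwards the original method."""

    def _check(self) -> None:
        status, headers, body = authorize(dict(self.headers.items()))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("content-length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":  # HEAD (what curl -I sends) gets headers only
            self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _check

    def log_request(self, code="-", size="-") -> None:
        # Log the decision, never the header values (cookie, authorization, ...).
        print(f"{self.client_address[0]} {self.command} {self.path} -> {code}")


def probe(port: int, decision: str) -> Tuple[int, str]:
    """Send one HEAD check request, like curl -I, and return (status, result header)."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}/productpage", method="HEAD",
                                 headers={DECISION_HEADER: decision})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get(RESULT_HEADER, "")
    except urllib.error.HTTPError as err:  # urllib raises on 4xx; the headers are still there
        return err.code, err.headers.get(RESULT_HEADER, "")


def run_local_check() -> Dict[str, Tuple[int, str]]:
    """Start the service on an ephemeral loopback port and replay the allow/deny checks."""
    server = HTTPServer(("127.0.0.1", 0), ExtAuthzHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {"allow": probe(port, "allow"), "deny": probe(port, "deny")}
    finally:
        server.shutdown()
        server.server_close()


def serve(port: int = 8000) -> None:
    """Listen on the port configured as Service port in the wizard (assumed 8000)."""
    HTTPServer(("", port), ExtAuthzHandler).serve_forever()


if __name__ == "__main__":
    print(run_local_check())  # {'allow': (200, 'allowed'), 'deny': (403, 'denied')}
    serve()
```

Run as a script, the block first replays both checks against itself on a loopback port and then listens on port 8000 the way the in-cluster service would. The x-ext-authz-check-result header is set on both branches because the wizard adds it to both the allow list and the deny list; on the deny branch it is what shows up in the 403 response the check step expects.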
References
For more information about the concepts and features of ASM security policies, see Overview of ASM security policies.
You can enable the mesh audit feature to record or trace the daily operations of different users. You can also configure audit alerts for operations on ASM resources and send alert notifications to alert contacts in a timely manner when important resources change. For more information, see Use the KubeAPI operation audit feature in ASM and Configure audit alerts for operations on ASM resources.