istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.3/blog/2019/app-identity-and-access-ada.../index.html

95 lines
34 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="App Identity and Access Adapter"><meta name=description content="Using Istio to secure multi-cloud Kubernetes applications with zero code changes."><meta name=author content="Anton Aleksandrov (IBM)"><meta name=keywords content=microservices,services,mesh,security,oidc,jwt,policies><meta property=og:title content="App Identity and Access Adapter"><meta property=og:type content=website><meta property=og:description content="Using Istio to secure multi-cloud Kubernetes applications with zero code changes."><meta property=og:url content=/v1.3/blog/2019/app-identity-and-access-adapter/><meta property=og:image content=/v1.3/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.3 / App Identity and Access Adapter</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.3/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.3/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.3/feed.xml><link rel="shortcut icon" href=/v1.3/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.3/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.3/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.3/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.3/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.3/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.3/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.3/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.3/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.3/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.3/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.3/css/all.css><script src=/v1.3/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.3";const docTitle="App Identity and Access Adapter";const iconFile="\/v1.3/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.3/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.3/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.3</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.3/docs/>Docs</a>
<span title="Posts about using Istio.">Blog</span>
<a title="Timely news about the Istio project." href=/v1.3/news/2019/announcing-1.2-eol/>News</a>
<a title="Frequently Asked Questions about Istio." href=/v1.3/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.3/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/app-identity-and-access-adapter\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/app-identity-and-access-adapter\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.3/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2019." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#blog"/></svg>2019 Posts</button><div class="body default" aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services." href=/v1.3/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic." href=/v1.3/blog/2019/monitoring-external-service-traffic/>Monitoring blocked and passthrough external service traffic</a></li><li role=none><span role=treeitem class=current title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes.">App Identity and Access Adapter</span></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic." href=/v1.3/blog/2019/knative-activator-adapter/>Mixer out-of-process adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely." href=/v1.3/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving." href=/v1.3/blog/2019/evolving-istios-apis/>The Evolution of Istio&#39;s APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations." href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic." href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance." href=/v1.3/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.3/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control." href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance." href=/v1.3/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh." href=/v1.3/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy." href=/v1.3/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment." href=/v1.3/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway." href=/v1.3/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch." href=/v1.3/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually." href=/v1.3/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2018." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies." href=/v1.3/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.3/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release." href=/v1.3/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio." href=/v1.3/blog/2018/hp/>Istio a Game Changer for HP&#39;s FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.3/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases." href=/v1.3/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.3/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic." href=/v1.3/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.3/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS." href=/v1.3/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment." href=/v1.3/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production." href=/v1.3/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.3/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.3/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2017." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Improving availability and reducing latency." href=/v1.3/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture." href=/v1.3/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy." href=/v1.3/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments." href=/v1.3/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Auth 0.1 announcement." href=/v1.3/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.3/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.3/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.3/blog/2019/ title="Blog posts for 2019.">2019 Posts</a></li><li>App Identity and Access Adapter</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>App Identity and Access Adapter</h1><p class=subtitle>Using Istio to secure multi-cloud Kubernetes applications with zero code changes</p><p class=byline><span>By</span>
<span class=attribution>Anton Aleksandrov (IBM)</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#calendar"/></svg><span>&nbsp;</span>September 18, 2019</span><span> | </span><span title="1250 words"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#clock"/></svg><span>&nbsp;</span>6 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Understanding Istio and the adapter"><a href=#understanding-istio-and-the-adapter>Understanding Istio and the adapter</a><li role=none aria-label=Installation><a href=#installation>Installation</a><li role=none aria-label="Protecting web applications"><a href=#protecting-web-applications>Protecting web applications</a><ol><li role=none aria-label="Applying web application protection"><a href=#applying-web-application-protection>Applying web application protection</a></ol></li><li role=none aria-label="Protecting backend application and APIs"><a href=#protecting-backend-application-and-apis>Protecting backend application and APIs</a><ol><li role=none aria-label="Applying backend application and APIs protection"><a href=#applying-backend-application-and-apis-protection>Applying backend application and APIs protection</a></ol></li><li role=none aria-label="Known limitations"><a href=#known-limitations>Known limitations</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>If you are running your containerized applications on Kubernetes, you can benefit from using the App Identity and Access Adapter for an abstracted level of security with zero code changes or redeploys.</p><p>Whether your computing environment is based on a single cloud provider, a combination of multiple cloud providers, or following a hybrid cloud approach, having a centralized identity management can help you to preserve existing infrastructure and avoid vendor lock-in.</p><p>With the <a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App Identity and Access Adapter</a>, you can use any OAuth2/OIDC provider: IBM Cloud App ID, Auth0, Okta, Ping Identity, AWS Cognito, Azure AD B2C and more. Authentication and authorization policies can be applied in a streamlined way in all environments — including frontend and backend applications — all without code changes or redeploys.</p><h2 id=understanding-istio-and-the-adapter>Understanding Istio and the adapter</h2><p><a href=/v1.3/docs/concepts/what-is-istio/>Istio</a> is an open source service mesh that transparently layers onto distributed applications and seamlessly integrates with Kubernetes. To reduce the complexity of deployments Istio provides behavioral insights and operational control over the service mesh as a whole. <a href=/v1.3/docs/concepts/what-is-istio/#architecture>See Istio Architecture for more details.</a></p><p>Istio uses <a href=/v1.3/blog/2019/data-plane-setup/>Envoy proxy sidecars</a> to mediate inbound and outbound traffic for all pods in the service mesh. Istio extracts telemetry from the Envoy sidecars and sends it to <a href=/v1.3/docs/concepts/what-is-istio/#mixer>Mixer</a>, the Istio component responsible for collecting telemetry and policy enforcement.</p><p>The App Identity and Access adapter extends the Mixer functionality by analyzing the telemetry (attributes) against various access control policies across the service mesh. The access control policies can be linked to a particular Kubernetes services and can be finely tuned to specific service endpoints. For more information about policies and telemetry, see the Istio documentation.</p><p>When <a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App Identity and Access Adapter</a> is combined with Istio, it provides a scalable, integrated identity and access solution for multicloud architectures that does not require any custom application code changes.</p><h2 id=installation>Installation</h2><p>App Identity and Access adapter can be installed using Helm directly from the <code>github.com</code> repository</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ helm repo add appidentityandaccessadapter https://raw.githubusercontent.com/ibm-cloud-security/app-identity-and-access-adapter/master/helm/appidentityandaccessadapter
$ helm install --name appidentityandaccessadapter appidentityandaccessadapter/appidentityandaccessadapter
</code></pre><p>Alternatively, you can clone the repo and install the Helm chart locally</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ git clone git@github.com:ibm-cloud-security/app-identity-and-access-adapter.git
$ helm install ./helm/appidentityandaccessadapter --name appidentityandaccessadapter.
</code></pre><h2 id=protecting-web-applications>Protecting web applications</h2><p>Web applications are most commonly protected by the OpenID Connect (OIDC) workflow called <code>authorization_code</code>. When an unauthenticated/unauthorized user is detected, they are automatically redirected to the identity service of your choice and presented with the authentication page. When authentication completes, the browser is redirected back to an implicit <code>/oidc/callback</code> endpoint intercepted by the adapter. At this point, the adapter obtains access and identity tokens from the identity service and then redirects users back to their originally requested URL in the web app.</p><p>Authentication state and tokens are maintained by the adapter. Each request processed by the adapter will include the Authorization header bearing both access and identity tokens in the following format <code>Authorization: Bearer &lt;access_token&gt; &lt;id_token&gt;</code></p><p>Developers can read leverage the tokens for application experience adjustments, e.g. displaying user name, adjusting UI based on user role etc.</p><p>In order to terminate the authenticated session and wipe tokens, aka user logout, simply redirect browser to the <code>/oidc/logout</code> endpoint under the protected service, e.g. if you&rsquo;re serving your app from <code>https://example.com/myapp</code>, redirect users to <code>https://example.com/myapp/oidc/logout</code></p><p>Whenever access token expires, a refresh token is used to automatically acquire new access and identity tokens without your user&rsquo;s needing to re-authenticate. If the configured identity provider returns a refresh token, it is persisted by the adapter and used to retrieve new access and identity tokens when the old ones expire.</p><h3 id=applying-web-application-protection>Applying web application protection</h3><p>Protecting web applications requires creating two types of resources - use <code>OidcConfig</code> resources to define various OIDC providers, and <code>Policy</code> resources to define the web app protection policies.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: OidcConfig
metadata:
name: my-oidc-provider-config
namespace: sample-namespace
spec:
discoveryUrl: &lt;discovery-url-from-oidc-provider&gt;
clientId: &lt;client-id-from-oidc-provider&gt;
clientSecretRef:
name: &lt;kubernetes-secret-name&gt;
key: &lt;kubernetes-secret-key&gt;
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: Policy
metadata:
name: my-sample-web-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
paths:
- prefix: /webapp
method: ALL
policies:
- policyType: oidc
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &lt;expected-issuer-id&gt;
- claim: scope
match: ALL
source: access_token
values:
- openid
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>Read more about protecting web applications</a></p><h2 id=protecting-backend-application-and-apis>Protecting backend application and APIs</h2><p>Backend applications and APIs are protected using the Bearer Token flow, where an incoming token is validated against a particular policy. The Bearer Token authorization flow expects a request to contain the <code>Authorization</code> header with a valid access token in JWT format. The expected header structure is <code>Authorization: Bearer {access_token}</code>. In case token is successfully validated request will be forwarded to the requested service. In case token validation fails the HTTP 401 will be returned back to the client with a list of scopes that are required to access the API.</p><h3 id=applying-backend-application-and-apis-protection>Applying backend application and APIs protection</h3><p>Protecting backend applications and APIs requires creating two types of resources - use <code>JwtConfig</code> resources to define various JWT providers, and <code>Policy</code> resources to define the backend app protection policies.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: JwtConfig
metadata:
name: my-jwt-config
namespace: sample-namespace
spec:
jwksUrl: &lt;the-jwks-url&gt;
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: Policy
metadata:
name: my-sample-backend-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
paths:
- prefix: /api/files
method: ALL
policies:
- policyType: jwt
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &lt;expected-issuer-id&gt;
- claim: scope
match: ALL
source: access_token
values:
- files.read
- files.write
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>Read more about protecting backend applications</a></p><h2 id=known-limitations>Known limitations</h2><p>At the time of writing this blog there are two known limitations of the App Identity and Access adapter:</p><ul><li><p>If you use the App Identity and Access adapter for Web Applications you should not create more than a single replica of the adapter. Due to the way Envoy Proxy was handling HTTP headers it was impossible to return multiple <code>Set-Cookie</code> headers from Mixer back to Envoy. Therefore we couldn&rsquo;t set all the cookies required for handling Web Application scenarios. The issue was recently addressed in Envoy and Mixer and we&rsquo;re planning to address this in future versions of our adapter. <strong>Note that this only affects Web Applications, and doesn&rsquo;t affect Backend Apps and APIs in any way</strong>.</p></li><li><p>As a general best practice you should always consider using mutual-tls for any in-cluster communications. At the moment the communications channel between Mixer and App Identity and Access adapter currently does not use mutual-tls. In future we plan to address this by implementing an approach described in the <a href=https://github.com/istio/istio/wiki/Mixer-Out-of-Process-Adapter-Walkthrough#step-7-encrypt-connection-between-mixer-and-grpc-adapter>Mixer Adapter developer guide</a>.</p></li></ul><h2 id=summary>Summary</h2><p>When a multicloud strategy is in place, security can become complicated as the environment grows and diversifies. While cloud providers supply protocols and tools to ensure their offerings are safe, the development teams are still responsible for the application-level security, such as API access control with OAuth2, defending against man-in-the-middle attacks with traffic encryption, and providing mutual TLS for service access control. However, this becomes complex in a multicloud environment since you might need to define those security details for each service separately. With proper security protocols in place, those external and internal threats can be mitigated.</p><p>Development teams have spent time making their services portable to different cloud providers, and in the same regard, the security in place should be flexible and not infrastructure-dependent.</p><p>Istio and App Identity and Access Adapter allow you to secure your Kubernetes apps with absolutely zero code changes or redeployments regardless of which programming language and which frameworks you use. Following this approach ensures maximum portability of your apps, and ability to easily enforce same security policies across multiple environments.</p><p>You can read more about the App Identity and Access Adapter in the <a href=https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change>release blog</a>.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/docs/concepts/security/>Policies and Security</a></p><p class=desc>Describes Istio&#39;s authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></p><p class=desc>Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/news/2019/incorrect-sidecar-image-1.2.4/>Istio 1.2.4 sidecar image vulnerability</a></p><p class=desc>An erroneous 1.2.4 sidecar image was available due to a faulty release operation.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.3/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></p><p class=desc>Learn how to extend the lifetime of Istio self-signed root certificate.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="How can you use Istio to monitor blocked and passthrough external traffic." href=/v1.3/blog/2019/monitoring-external-service-traffic/><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#left-arrow"/></svg>Monitoring blocked and passthrough external service traffic</a></div><div class=right><a title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic." href=/v1.3/blog/2019/knative-activator-adapter/>Mixer out-of-process adapter for Knative<svg class="icon"><use xlink:href="/v1.3/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Understanding Istio and the adapter"><a href=#understanding-istio-and-the-adapter>Understanding Istio and the adapter</a><li role=none aria-label=Installation><a href=#installation>Installation</a><li role=none aria-label="Protecting web applications"><a href=#protecting-web-applications>Protecting web applications</a><ol><li role=none aria-label="Applying web application protection"><a href=#applying-web-application-protection>Applying web application protection</a></ol></li><li role=none aria-label="Protecting backend application and APIs"><a href=#protecting-backend-application-and-apis>Protecting backend application and APIs</a><ol><li role=none aria-label="Applying backend application and APIs protection"><a href=#applying-backend-application-and-apis-protection>Applying backend application and APIs protection</a></ol></li><li role=none aria-label="Known limitations"><a href=#known-limitations>Known limitations</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.3.5 now" href=/v1.3/docs/setup#downloading-the-release aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.3.5<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on November 14, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.3/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink