istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.7/blog/2019/app-identity-and-access-ada.../index.html

103 lines
42 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="App Identity and Access Adapter"><meta name=description content="Using Istio to secure multi-cloud Kubernetes applications with zero code changes."><meta name=author content="Anton Aleksandrov (IBM)"><meta name=keywords content="microservices,services,mesh,security,oidc,jwt,policies"><meta property="og:title" content="App Identity and Access Adapter"><meta property="og:type" content="website"><meta property="og:description" content="Using Istio to secure multi-cloud Kubernetes applications with zero code changes."><meta property="og:url" content="/v1.7/blog/2019/app-identity-and-access-adapter/"><meta property="og:image" content="/v1.7/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.7 / App Identity and Access Adapter</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.7/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.7/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.7/feed.xml><link rel="shortcut icon" href=/v1.7/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.7/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.7/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.7/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.7/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.7/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.7/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.7/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.7/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.7/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.7/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.7/css/all.css><script src=/v1.7/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.7";const docTitle="App Identity and Access Adapter";const iconFile="\/v1.7/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.7/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.7/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.7</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.7/docs/>Docs</a>
<a class=current title="Posts about using Istio." href=/v1.7/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.7/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.7/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.7/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/app-identity-and-access-adapter\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/app-identity-and-access-adapter\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.7/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2020." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Announcing the four newest Istio Steering Committee members (September 29, 2020)" href=/v1.7/blog/2020/steering-election-results/>2020 Steering Committee Election Results</a></li><li role=none><a role=treeitem title="The effect of security policies on latency of requests (September 15, 2020)" href=/v1.7/blog/2020/large-scale-security-policy-performance-tests/>Large Scale Security Policy Performance Tests</a></li><li role=none><a role=treeitem title="A new deployment model for Istio (August 27, 2020)" href=/v1.7/blog/2020/new-deployment-model/>Deploying Istio Control Planes Outside the Mesh</a></li><li role=none><a role=treeitem title="The Istio Steering Committee is now in part proportionally allocated to companies based on contribution, and in part elected by community members (August 24, 2020)" href=/v1.7/blog/2020/steering-changes/>Introducing the new Istio steering committee</a></li><li role=none><a role=treeitem title="An alternative sidecar proxy for Istio (July 28, 2020)" href=/v1.7/blog/2020/mosn-proxy/>Using MOSN with Istio: an alternative data plane</a></li><li role=none><a role=treeitem title="An update on trademarks and project governance (July 8, 2020)" href=/v1.7/blog/2020/open-usage/>Open and neutral: transferring our trademarks to the Open Usage Commons</a></li><li role=none><a role=treeitem title="A new way to manage installation of telemetry addons (June 4, 2020)" href=/v1.7/blog/2020/addon-rework/>Reworking our Addon Integrations</a></li><li role=none><a role=treeitem title="Describing the new functionality of Workload Entries (May 21, 2020)" href=/v1.7/blog/2020/workload-entry/>Introducing Workload Entries</a></li><li role=none><a role=treeitem title="Simplifying Istio upgrades by offering safe canary deployments of the control plane (May 19, 2020)" href=/v1.7/blog/2020/multiple-control-planes/>Safely Upgrade Istio using a Canary Control Plane Deployment</a></li><li role=none><a role=treeitem title="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS (May 15, 2020)" href=/v1.7/blog/2020/alb-ingress-gateway-iks/>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</a></li><li role=none><a role=treeitem title="Community partner tooling of Wasm for Istio by Solo.io (March 25, 2020)" href=/v1.7/blog/2020/wasmhub-istio/>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A mechanism to acquire and share an application certificate and key through mounted files (March 25, 2020)" href=/v1.7/blog/2020/proxy-cert/>Provision a certificate and key for an application without sidecars</a></li><li role=none><a role=treeitem title="Istiod consolidates the Istio control plane components into a single binary (March 19, 2020)" href=/v1.7/blog/2020/istiod/>Introducing istiod: simplifying the control plane</a></li><li role=none><a role=treeitem title="Configuring Wasm extensions for Envoy and Istio declaratively (March 16, 2020)" href=/v1.7/blog/2020/deploy-wasm-declarative/>Declarative WebAssembly deployment for Istio</a></li><li role=none><a role=treeitem title="The future of Istio extensibility using WASM (March 5, 2020)" href=/v1.7/blog/2020/wasm-announce/>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.7/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></li><li role=none><a role=treeitem title="A more secure way to manage secrets (February 20, 2020)" href=/v1.7/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.7/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2019." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#blog"/></svg>2019 Posts</button><div class="body default" aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)" href=/v1.7/blog/2019/introducing-istio-operator/>Introducing the Istio Operator</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)" href=/v1.7/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></li><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 2019)" href=/v1.7/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.7/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.7/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.7/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.7/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.7/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.7/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><span role=treeitem class=current title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)">App Identity and Access Adapter</span></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.7/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.7/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.7/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.7/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.7/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.7/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.7/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)" href=/v1.7/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.7/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.7/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.7/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.7/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.7/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.7/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.7/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.7/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2018." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.7/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.7/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.7/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.7/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 30, 2018)" href=/v1.7/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.7/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.7/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.7/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.7/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.7/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.7/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.7/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.7/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.7/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2017." aria-controls=card3-body><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.7/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.7/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.7/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.7/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.7/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.7/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.7/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.7/blog/2019/ title="Blog posts for 2019.">2019 Posts</a></li><li>App Identity and Access Adapter</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>App Identity and Access Adapter</h1><p class=subtitle>Using Istio to secure multi-cloud Kubernetes applications with zero code changes</p><p class=byline><span>By</span>
<span class=attribution>Anton Aleksandrov (IBM)</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#calendar"/></svg><span>&nbsp;</span>September 18, 2019</span><span> | </span><span title="1251 words"><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#clock"/></svg><span>&nbsp;</span>6 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Understanding Istio and the adapter"><a href=#understanding-istio-and-the-adapter>Understanding Istio and the adapter</a><li role=none aria-label=Installation><a href=#installation>Installation</a><li role=none aria-label="Protecting web applications"><a href=#protecting-web-applications>Protecting web applications</a><ol><li role=none aria-label="Applying web application protection"><a href=#applying-web-application-protection>Applying web application protection</a></ol></li><li role=none aria-label="Protecting backend application and APIs"><a href=#protecting-backend-application-and-apis>Protecting backend application and APIs</a><ol><li role=none aria-label="Applying backend application and APIs protection"><a href=#applying-backend-application-and-apis-protection>Applying backend application and APIs protection</a></ol></li><li role=none aria-label="Known limitations"><a href=#known-limitations>Known limitations</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.7/img/icons.svg#callout-warning"/></svg></div><div class=content>This blog post was written assuming Istio 1.3, so some of this content may now be outdated.</div></aside></div><p>If you are running your containerized applications on Kubernetes, you can benefit from using the App Identity and Access Adapter for an abstracted level of security with zero code changes or redeploys.</p><p>Whether your computing environment is based on a single cloud provider, a combination of multiple cloud providers, or following a hybrid cloud approach, having a centralized identity management can help you to preserve existing infrastructure and avoid vendor lock-in.</p><p>With the <a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App Identity and Access Adapter</a>, you can use any OAuth2/OIDC provider: IBM Cloud App ID, Auth0, Okta, Ping Identity, AWS Cognito, Azure AD B2C and more. Authentication and authorization policies can be applied in a streamlined way in all environments — including frontend and backend applications — all without code changes or redeploys.</p><h2 id=understanding-istio-and-the-adapter>Understanding Istio and the adapter</h2><p><a href=/v1.7/docs/concepts/what-is-istio/>Istio</a> is an open source service mesh that
transparently layers onto distributed applications and seamlessly integrates
with Kubernetes. To reduce the complexity of deployments Istio provides
behavioral insights and operational control over the service mesh as a whole.
See the <a href=/v1.7/docs/ops/deployment/architecture/>Istio Architecture</a> for more details.</p><p>Istio uses <a href=/v1.7/blog/2019/data-plane-setup/>Envoy proxy sidecars</a> to mediate inbound and outbound traffic for all pods in the service mesh. Istio extracts telemetry from the Envoy sidecars and sends it to Mixer, the Istio component responsible for collecting telemetry and enforcing policy.</p><p>The App Identity and Access adapter extends the Mixer functionality by analyzing the telemetry (attributes) against various access control policies across the service mesh. The access control policies can be linked to a particular Kubernetes services and can be finely tuned to specific service endpoints. For more information about policies and telemetry, see the Istio documentation.</p><p>When <a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>App Identity and Access Adapter</a> is combined with Istio, it provides a scalable, integrated identity and access solution for multicloud architectures that does not require any custom application code changes.</p><h2 id=installation>Installation</h2><p>App Identity and Access adapter can be installed using Helm directly from the <code>github.com</code> repository</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ helm repo add appidentityandaccessadapter https://raw.githubusercontent.com/ibm-cloud-security/app-identity-and-access-adapter/master/helm/appidentityandaccessadapter
$ helm install --name appidentityandaccessadapter appidentityandaccessadapter/appidentityandaccessadapter
</code></pre><p>Alternatively, you can clone the repository and install the Helm chart locally</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ git clone git@github.com:ibm-cloud-security/app-identity-and-access-adapter.git
$ helm install ./helm/appidentityandaccessadapter --name appidentityandaccessadapter.
</code></pre><h2 id=protecting-web-applications>Protecting web applications</h2><p>Web applications are most commonly protected by the OpenID Connect (OIDC) workflow called <code>authorization_code</code>. When an unauthenticated/unauthorized user is detected, they are automatically redirected to the identity service of your choice and presented with the authentication page. When authentication completes, the browser is redirected back to an implicit <code>/oidc/callback</code> endpoint intercepted by the adapter. At this point, the adapter obtains access and identity tokens from the identity service and then redirects users back to their originally requested URL in the web app.</p><p>Authentication state and tokens are maintained by the adapter. Each request processed by the adapter will include the Authorization header bearing both access and identity tokens in the following format <code>Authorization: Bearer &lt;access_token> &lt;id_token></code></p><p>Developers can read leverage the tokens for application experience adjustments, e.g. displaying user name, adjusting UI based on user role etc.</p><p>In order to terminate the authenticated session and wipe tokens, aka user logout, simply redirect browser to the <code>/oidc/logout</code> endpoint under the protected service, e.g. if you&rsquo;re serving your app from <code>https://example.com/myapp</code>, redirect users to <code>https://example.com/myapp/oidc/logout</code></p><p>Whenever access token expires, a refresh token is used to automatically acquire new access and identity tokens without your user&rsquo;s needing to re-authenticate. If the configured identity provider returns a refresh token, it is persisted by the adapter and used to retrieve new access and identity tokens when the old ones expire.</p><h3 id=applying-web-application-protection>Applying web application protection</h3><p>Protecting web applications requires creating two types of resources - use <code>OidcConfig</code> resources to define various OIDC providers, and <code>Policy</code> resources to define the web app protection policies.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: OidcConfig
metadata:
name: my-oidc-provider-config
namespace: sample-namespace
spec:
discoveryUrl: &lt;discovery-url-from-oidc-provider&gt;
clientId: &lt;client-id-from-oidc-provider&gt;
clientSecretRef:
name: &lt;kubernetes-secret-name&gt;
key: &lt;kubernetes-secret-key&gt;
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: Policy
metadata:
name: my-sample-web-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
paths:
- prefix: /webapp
method: ALL
policies:
- policyType: oidc
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &lt;expected-issuer-id&gt;
- claim: scope
match: ALL
source: access_token
values:
- openid
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>Read more about protecting web applications</a></p><h2 id=protecting-backend-application-and-apis>Protecting backend application and APIs</h2><p>Backend applications and APIs are protected using the Bearer Token flow, where an incoming token is validated against a particular policy. The Bearer Token authorization flow expects a request to contain the <code>Authorization</code> header with a valid access token in JWT format. The expected header structure is <code>Authorization: Bearer {access_token}</code>. In case token is successfully validated request will be forwarded to the requested service. In case token validation fails the HTTP 401 will be returned back to the client with a list of scopes that are required to access the API.</p><h3 id=applying-backend-application-and-apis-protection>Applying backend application and APIs protection</h3><p>Protecting backend applications and APIs requires creating two types of resources - use <code>JwtConfig</code> resources to define various JWT providers, and <code>Policy</code> resources to define the backend app protection policies.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: JwtConfig
metadata:
name: my-jwt-config
namespace: sample-namespace
spec:
jwksUrl: &lt;the-jwks-url&gt;
</code></pre><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.cloud.ibm.com/v1&#34;
kind: Policy
metadata:
name: my-sample-backend-policy
namespace: sample-namespace
spec:
targets:
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
paths:
- prefix: /api/files
method: ALL
policies:
- policyType: jwt
config: my-oidc-provider-config
rules: // optional
- claim: iss
match: ALL
source: access_token
values:
- &lt;expected-issuer-id&gt;
- claim: scope
match: ALL
source: access_token
values:
- files.read
- files.write
</code></pre><p><a href=https://github.com/ibm-cloud-security/app-identity-and-access-adapter>Read more about protecting backend applications</a></p><h2 id=known-limitations>Known limitations</h2><p>At the time of writing this blog there are two known limitations of the App Identity and Access adapter:</p><ul><li><p>If you use the App Identity and Access adapter for Web Applications you should not create more than a single replica of the adapter. Due to the way Envoy Proxy was handling HTTP headers it was impossible to return multiple <code>Set-Cookie</code> headers from Mixer back to Envoy. Therefore we couldn&rsquo;t set all the cookies required for handling Web Application scenarios. The issue was recently addressed in Envoy and Mixer and we&rsquo;re planning to address this in future versions of our adapter. <strong>Note that this only affects Web Applications, and doesn&rsquo;t affect Backend Apps and APIs in any way</strong>.</p></li><li><p>As a general best practice you should always consider using mutual-tls for any in-cluster communications. At the moment the communications channel between Mixer and App Identity and Access adapter currently does not use mutual-tls. In future we plan to address this by implementing an approach described in the <a href=https://github.com/istio/istio/wiki/Mixer-Out-of-Process-Adapter-Walkthrough#step-7-encrypt-connection-between-mixer-and-grpc-adapter>Mixer Adapter developer guide</a>.</p></li></ul><h2 id=summary>Summary</h2><p>When a multicloud strategy is in place, security can become complicated as the environment grows and diversifies. While cloud providers supply protocols and tools to ensure their offerings are safe, the development teams are still responsible for the application-level security, such as API access control with OAuth2, defending against man-in-the-middle attacks with traffic encryption, and providing mutual TLS for service access control. However, this becomes complex in a multicloud environment since you might need to define those security details for each service separately. With proper security protocols in place, those external and internal threats can be mitigated.</p><p>Development teams have spent time making their services portable to different cloud providers, and in the same regard, the security in place should be flexible and not infrastructure-dependent.</p><p>Istio and App Identity and Access Adapter allow you to secure your Kubernetes apps with absolutely zero code changes or redeployments regardless of which programming language and which frameworks you use. Following this approach ensures maximum portability of your apps, and ability to easily enforce same security policies across multiple environments.</p><p>You can read more about the App Identity and Access Adapter in the <a href=https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change>release blog</a>.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/docs/tasks/security/authorization/authz-jwt/>Authorization with JWT</a></p><p class=desc>How to set up access control with JWT in Istio.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/docs/concepts/security/>Security</a></p><p class=desc>Describes Istio's authorization and authentication functionality.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></p><p class=desc>A vision statement and roadmap for Istio in 2020.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></p><p class=desc>A more secure way to manage secrets.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/blog/2019/dns-cert/>DNS Certificate Management</a></p><p class=desc>Provision and manage DNS certificates in Istio.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.7/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></p><p class=desc>Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="How can you use Istio to monitor blocked and passthrough external traffic." href=/v1.7/blog/2019/monitoring-external-service-traffic/><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#left-arrow"/></svg>Monitoring Blocked and Passthrough External Service Traffic</a></div><div class=right><a title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic." href=/v1.7/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative<svg class="icon"><use xlink:href="/v1.7/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Understanding Istio and the adapter"><a href=#understanding-istio-and-the-adapter>Understanding Istio and the adapter</a><li role=none aria-label=Installation><a href=#installation>Installation</a><li role=none aria-label="Protecting web applications"><a href=#protecting-web-applications>Protecting web applications</a><ol><li role=none aria-label="Applying web application protection"><a href=#applying-web-application-protection>Applying web application protection</a></ol></li><li role=none aria-label="Protecting backend application and APIs"><a href=#protecting-backend-application-and-apis>Protecting backend application and APIs</a><ol><li role=none aria-label="Applying backend application and APIs protection"><a href=#applying-backend-application-and-apis-protection>Applying backend application and APIs protection</a></ol></li><li role=none aria-label="Known limitations"><a href=#known-limitations>Known limitations</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.7.4 now" href=/v1.7/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.7.4<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on November 19, 2020</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.7/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink