istio.io/archive/v1.0/docs/concepts/security/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Security"><meta name=description content="Describes Istio's authorization and authentication functionality."><meta name=keywords content="microservices,services,mesh,security,authentication,authorization,rbac,access-control"><meta property="og:title" content="Security"><meta property="og:type" content="website"><meta property="og:description" content="Describes Istio's authorization and authentication functionality."><meta property="og:url" content="/v1.0/docs/concepts/security/"><meta property="og:image" content="/v1.0/img/istio-logo-blue-background.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.0 / Security</title><!-- NOTE(review): the analytics loader below is fetched cross-origin from googletagmanager.com with no integrity attribute (the script is served dynamically, so SRI cannot be pinned), and it is followed by two inline <script> blocks; a strict script-src CSP would need a nonce or hash for the inline code and an explicit allow-list entry for the analytics origin. --><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><script>var branchName="release-1.0";var docTitle="Security";</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.0/feed.xml><link rel="shortcut icon" href=/v1.0/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.0/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.0/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.0/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.0/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.0/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.0/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.0/favicons/android-96x196.png sizes=96x196><link rel=icon type=image/png href=/v1.0/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.0/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.0/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><!-- NOTE(review): of the four cross-origin stylesheets that follow, only the Bootstrap one carries integrity + crossorigin. The Font Awesome link is pinned to release v5.0.6, so an SRI hash plus crossorigin=anonymous could be added to it; the two Google Fonts links are presumably served per user agent, which would make SRI impractical for them (confirm before relying on that). First-party assets under /v1.0/ are unaffected. --><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Chivo:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work Sans:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel=stylesheet href=https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css integrity=sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm crossorigin=anonymous><link rel=stylesheet href=https://use.fontawesome.com/releases/v5.0.6/css/all.css><link rel=stylesheet href=/v1.0/css/light_theme_archive.css title=light><link rel="alternate stylesheet" href=/v1.0/css/dark_theme_archive.css title=dark><script src=/v1.0/js/styleSwitcher.min.js></script></head><body 
href=/v1.0/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li></ul></div></div></div></div></nav></div><div class="col-12 col-md-9 col-xl-8"><p class=d-md-none><label class=sidebar-toggler data-toggle=offcanvas><i class="fa fa-sign-out-alt"></i></label></p><main aria-labelledby=title><div class=pagenav><p><a href=/v1.0/docs/concepts/ title="Learn about the different parts of the Istio system and the abstractions it uses."><i style=transform:scaleX(-1) class="fa fa-level-up-alt"></i>&nbsp;Concepts</a></p></div><h1 id=title>Security</h1><nav class="toc-inlined d-xl-none d-print-none"><hr><div class=directory role=directory><nav id=InlinedTableOfContents><ul><li><a href=#high-level-architecture>High-level architecture</a></li><li><a href=#istio-identity>Istio identity</a></li><ul><li><a href=#istio-security-vs-spiffe>Istio security vs SPIFFE</a></li></ul><li><a href=#pki>PKI</a></li><ul><li><a href=#kubernetes-scenario>Kubernetes scenario</a></li><li><a href=#on-premises-machines-scenario>on-premises machines scenario</a></li><li><a href=#node-agent-in-kubernetes-in-development>Node Agent in Kubernetes (in development)</a></li></ul><li><a href=#best-practices>Best practices</a></li><ul><li><a href=#deployment-guidelines>Deployment guidelines</a></li><li><a href=#example>Example</a></li></ul><li><a href=#authentication>Authentication</a></li><ul><li><a href=#mutual-tls-authentication>Mutual TLS authentication</a></li><ul><li><a href=#secure-naming>Secure naming</a></li></ul><li><a href=#authentication-architecture>Authentication architecture</a></li><li><a href=#authentication-policies>Authentication policies</a></li><ul><li><a href=#policy-storage-scope>Policy storage scope</a></li><li><a href=#target-selectors>Target selectors</a></li><li><a href=#transport-authentication>Transport authentication</a></li><li><a href=#origin-authentication>Origin authentication</a></li><li><a href=#principal-binding>Principal binding</a></li></ul><li><a 
href=#updating-authentication-policies>Updating authentication policies</a></li></ul><li><a href=#authorization>Authorization</a></li><ul><li><a href=#authorization-architecture>Authorization architecture</a></li><li><a href=#enabling-authorization>Enabling authorization</a></li><li><a href=#authorization-policy>Authorization policy</a></li><ul><li><a href=#servicerole><code>ServiceRole</code></a></li><li><a href=#servicerolebinding><code>ServiceRoleBinding</code></a></li></ul><li><a href=#using-other-authorization-mechanisms>Using other authorization mechanisms</a></li></ul><li><a href=#see-also>See also</a></li></ul></nav></div><hr></nav><p>Breaking down a monolithic application into atomic services offers various benefits, including better agility, better scalability
and better ability to reuse services.
However, microservices also have particular security needs:</p><ul><li><p>To defend against man-in-the-middle attacks, they need traffic encryption.</p></li><li><p>To provide flexible service access control, they need mutual TLS and fine-grained access policies.</p></li><li><p>To audit who did what at what time, they need auditing tools.</p></li></ul><p>Istio Security aims to provide a comprehensive security solution to all of these issues.</p><p>This page gives an overview of how you can use Istio security features to secure your services, wherever you run them.
In particular, Istio security mitigates both insider and external threats against your data, endpoints, communication and platform.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a class=not-for-endnotes href=/v1.0/docs/concepts/security/./overview.svg><img class=element-to-stretch src=/v1.0/docs/concepts/security/./overview.svg alt="Istio Security Overview" title="Istio Security Overview"></a></div><figcaption>Istio Security Overview</figcaption></figure><p>The Istio security features provide strong identity, powerful policy, transparent TLS encryption, and authentication, authorization
and audit (AAA) tools to protect your services and data. The goals of Istio security are:</p><ul><li><p><strong>Security by default</strong>: no changes needed for application code and infrastructure</p></li><li><p><strong>Defense in depth</strong>: integrate with existing security systems to provide multiple layers of defense</p></li><li><p><strong>Zero-trust network</strong>: build security solutions on untrusted networks</p></li></ul><p>Visit our <a href=/v1.0/docs/tasks/security/mtls-migration/>Mutual TLS Migration docs</a> to start using Istio security features with your deployed services.
Visit our <a href=/v1.0/docs/tasks/security/>Security Tasks</a> for detailed instructions to use the security features.</p><h2 id=high-level-architecture>High-level architecture</h2><p>Security in Istio involves multiple components:</p><ul><li><p><strong>Citadel</strong> for key and certificate management</p></li><li><p><strong>Sidecar and perimeter proxies</strong> to implement secure communication between clients and servers</p></li><li><p><strong>Pilot</strong> to distribute <a href=/v1.0/docs/concepts/security/#authentication-policies>authentication policies</a>
and <a href=/v1.0/docs/concepts/security/#secure-naming>secure naming information</a> to the proxies</p></li><li><p><strong>Mixer</strong> to manage authorization and auditing</p></li></ul><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a class=not-for-endnotes href=/v1.0/docs/concepts/security/./architecture.svg><img class=element-to-stretch src=/v1.0/docs/concepts/security/./architecture.svg alt="Istio Security Architecture" title="Istio Security Architecture"></a></div><figcaption>Istio Security Architecture</figcaption></figure><p>In the following sections, we introduce the Istio security features in detail.</p><h2 id=istio-identity>Istio identity</h2><p>Identity is a fundamental concept of any security infrastructure. At the beginning of a service-to-service communication,
the two parties must exchange credentials with their identity information for mutual authentication purposes.
On the client side, the server's identity is checked against the <a href=/v1.0/docs/concepts/security/#secure-naming>secure naming</a>
information to see if it is an authorized runner of the service.
On the server side, the server can determine what information the client can access based on the
<a href=/v1.0/docs/concepts/security/#authorization-policy>authorization policies</a>,
audit who accessed what at what time, charge clients based on the services they used,
and reject any clients who failed to pay their bill from accessing the services.</p><p>In the Istio identity model, Istio uses the first-class service identity to determine the identity of a service.
This gives great flexibility and granularity to represent a human user, an individual service, or a group of services.
On platforms that do not have such identity available,
Istio can use other identities that can group service instances, such as service names.</p><p>Istio service identities on different platforms:</p><ul><li><p><strong>Kubernetes</strong>: Kubernetes service account</p></li><li><p><strong>GKE/GCE</strong>: may use GCP service account</p></li><li><p><strong>GCP</strong>: GCP service account</p></li><li><p><strong>AWS</strong>: AWS IAM user/role account</p></li><li><p><strong>On-premises (non-Kubernetes)</strong>: user account, custom service account, service name, Istio service account, or GCP service account.
A custom service account is an existing service account, such as one of the identities that the customer's identity directory manages.</p></li></ul><h3 id=istio-security-vs-spiffe>Istio security vs SPIFFE</h3><p>The <a href=https://spiffe.io/>SPIFFE</a> standard provides a specification for a framework capable of bootstrapping and issuing identities to services
across heterogeneous environments.</p><p>Istio and SPIFFE share the same identity document: <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md>SVID</a> (SPIFFE Verifiable Identity Document).
For example, in Kubernetes, the X.509 certificate has the URI field in the format of
&ldquo;spiffe://&lt;domain&gt;/ns/&lt;namespace&gt;/sa/&lt;serviceaccount&gt;&rdquo;.
This enables Istio services to establish and accept connections with other SPIFFE-compliant systems.</p><p>Istio security and <a href=https://spiffe.io/spire/>SPIRE</a>, which is the implementation of SPIFFE, differ in the PKI implementation details.
Istio provides a more comprehensive security solution, including authentication, authorization, and auditing.</p><h2 id=pki>PKI</h2><p>The Istio PKI is built on top of Istio Citadel and securely provisions strong workload identities to every workload.
Istio uses X.509 certificates to carry the identities in <a href=https://spiffe.io/>SPIFFE</a> format.
The PKI also automates key and certificate rotation at scale.</p><p>Istio supports services running on both Kubernetes pods and on-premises machines.
Currently, Istio uses a different certificate and key provisioning mechanism for each scenario.</p><h3 id=kubernetes-scenario>Kubernetes scenario</h3><ol><li><p>Citadel watches the Kubernetes <code>apiserver</code> and creates a SPIFFE certificate and key pair for each existing and new service account.
Citadel stores the certificate and key pairs as
<a href=https://kubernetes.io/docs/concepts/configuration/secret/>Kubernetes secrets</a>.</p></li><li><p>When you create a pod, Kubernetes mounts the certificate and key pair to the pod according to its service account via
<a href=https://kubernetes.io/docs/concepts/storage/volumes/#secret>Kubernetes secret volume</a>.</p></li><li><p>Citadel watches the lifetime of each certificate, and automatically rotates the certificates by rewriting the Kubernetes secrets.</p></li><li><p>Pilot generates the <a href=/v1.0/docs/concepts/security/#secure-naming>secure naming</a> information,
which defines what service account or accounts can run a certain service.
Pilot then passes the secure naming information to the sidecar Envoy.</p></li></ol><h3 id=on-premises-machines-scenario>On-premises machines scenario</h3><ol><li><p>Citadel creates a gRPC service to take <a href=https://en.wikipedia.org/wiki/Certificate_signing_request>Certificate Signing Requests</a> (CSRs).</p></li><li><p>The node agent generates a private key and CSR, and sends the CSR with its credentials to Citadel for signing.</p></li><li><p>Citadel validates the credentials carried with the CSR, and signs the CSR to generate the certificate.</p></li><li><p>The node agent sends both the certificate received from Citadel and the
private key to Envoy.</p></li><li><p>The above CSR process repeats periodically for certificate and key rotation.</p></li></ol><h3 id=node-agent-in-kubernetes-in-development>Node Agent in Kubernetes (in development)</h3><p>In the near future, Istio will use a node agent in Kubernetes for certificate and key provisioning, as shown in the figure below.
Note that the identity provisioning flow for on-premises machines is the same, so we only describe the Kubernetes scenario.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a class=not-for-endnotes href=/v1.0/docs/concepts/security/./node_agent.svg><img class=element-to-stretch src=/v1.0/docs/concepts/security/./node_agent.svg alt="PKI with node agents in Kubernetes" title="PKI with node agents in Kubernetes"></a></div><figcaption>PKI with node agents in Kubernetes</figcaption></figure><p>The flow goes as follows:</p><ol><li><p>Citadel creates a gRPC service to accept CSRs.</p></li><li><p>Envoy sends a certificate and key request via the Envoy secret discovery service (SDS) API.</p></li><li><p>Upon receiving the SDS request, the node agent creates the private key and CSR, and sends the CSR with its credentials to Citadel for signing.</p></li><li><p>Citadel validates the credentials carried in the CSR, and signs the CSR to generate the certificate.</p></li><li><p>The node agent sends the certificate received from Citadel and the private key to Envoy, via the Envoy SDS API.</p></li><li><p>The above CSR process repeats periodically for certificate and key rotation.</p></li></ol><h2 id=best-practices>Best practices</h2><p>In this section, we provide a few deployment guidelines and discuss a real-world scenario.</p><h3 id=deployment-guidelines>Deployment guidelines</h3><p>If there are multiple service operators (a.k.a. <a href=https://en.wikipedia.org/wiki/Site_reliability_engineering>SREs</a>)
deploying different services in a medium- or large-size cluster, we recommend creating a separate
<a href=https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/>Kubernetes namespace</a> for each SRE team to isolate their access.
For example, you can create a <code>team1-ns</code> namespace for <code>team1</code>, and a <code>team2-ns</code> namespace for <code>team2</code>, so
that neither team can access the other's services.</p><blockquote><p><img src=/v1.0/img/exclamation-mark.svg alt=Warning title=Warning style=width:2rem;height:2rem;display:inline> If Citadel is compromised, all the keys and certificates it manages in the cluster may be exposed.
We <strong>strongly</strong> recommend running Citadel in a dedicated namespace (for example, <code>istio-citadel-ns</code>), so that access to
it is restricted to cluster administrators only.</p></blockquote><h3 id=example>Example</h3><p>Let us consider a three-tier application with three services: <code>photo-frontend</code>,
<code>photo-backend</code>, and <code>datastore</code>. The photo SRE team manages the
<code>photo-frontend</code> and <code>photo-backend</code> services while the datastore SRE team
manages the <code>datastore</code> service. The <code>photo-frontend</code> service can access
<code>photo-backend</code>, and the <code>photo-backend</code> service can access <code>datastore</code>.
However, the <code>photo-frontend</code> service cannot access <code>datastore</code>.</p><p>In this scenario, a cluster administrator creates three namespaces:
<code>istio-citadel-ns</code>, <code>photo-ns</code>, and <code>datastore-ns</code>. The administrator has
access to all namespaces and each team only has access to its own namespace.
The photo SRE team creates two service accounts to run <code>photo-frontend</code> and
<code>photo-backend</code> respectively in the <code>photo-ns</code> namespace. The datastore SRE
team creates one service account to run the <code>datastore</code> service in the
<code>datastore-ns</code> namespace. Moreover, we need to enforce the service access
control in <a href=/v1.0/docs/concepts/policies-and-telemetry/>Istio Mixer</a> such that
<code>photo-frontend</code> cannot access <code>datastore</code>.</p><p>In this setup, Kubernetes isolates the operators' privileges for managing the services.
Istio manages certificates and keys in all namespaces
and enforces different access control rules to the services.</p><h2 id=authentication>Authentication</h2><p>Istio provides two types of authentication:</p><ul><li><p><strong>Transport authentication</strong>, also known as <strong>service-to-service authentication</strong>:
verifies the direct client making the connection. Istio offers <a href=https://en.wikipedia.org/wiki/Mutual_authentication>mutual TLS</a>
as a full stack solution for transport authentication. You can
easily turn on this feature without requiring service code changes. This
solution:</p><ul><li>Provides each service with a strong identity representing its role to
enable interoperability across clusters and clouds.</li><li>Secures service-to-service communication and end-user-to-service
communication.</li><li>Provides a key management system to automate key and certificate
generation, distribution, and rotation.</li></ul></li><li><p><strong>Origin authentication</strong>, also known as <strong>end-user authentication</strong>: verifies the
original client making the request as an end-user or device.
Istio enables request-level authentication with JSON Web Token (JWT) validation
and a streamlined developer experience for <a href=https://auth0.com/>Auth0</a>, <a href=https://firebase.google.com/docs/auth/>Firebase Auth</a>,
<a href=https://developers.google.com/identity/protocols/OpenIDConnect>Google Auth</a>, and custom auth.</p></li></ul><p>In both cases, Istio stores the authentication policies in the <code>Istio config store</code> via a custom Kubernetes API.
Pilot keeps them up-to-date for each proxy, along with the keys where appropriate.
Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture
before it becomes effective.</p><h3 id=mutual-tls-authentication>Mutual TLS authentication</h3><p>Istio tunnels service-to-service communication through the client side and server side <a href=https://envoyproxy.github.io/envoy/>Envoy proxies</a>.
For a client to call a server, the steps followed are:</p><ol><li><p>Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy.</p></li><li><p>The client side Envoy starts a mutual TLS handshake with the server side Envoy.
During the handshake, the client side Envoy also does a <a href=/v1.0/docs/concepts/security/#secure-naming>secure naming</a> check to verify that
the service account presented in the server certificate is authorized to run the target service.</p></li><li><p>The client side Envoy and the server side Envoy establish a mutual TLS connection,
and Istio forwards the traffic from the client side Envoy to the server side Envoy.</p></li><li><p>After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.</p></li></ol><h4 id=secure-naming>Secure naming</h4><p>The secure naming information contains <em>N-to-N</em> mappings from the server identities, which are encoded in certificates,
to the service names that the discovery service or DNS refers to.
A mapping from identity <code>A</code> to service name <code>B</code> means &ldquo;<code>A</code> is allowed and authorized to run service <code>B</code>&rdquo;.
Pilot watches the Kubernetes <code>apiserver</code>, generates the secure naming information, and distributes it securely to the sidecar Envoys.
The following example explains why secure naming is critical in authentication.</p><p>Suppose the legitimate servers that run the service <code>datastore</code> only use the <code>infra-team</code> identity.
A malicious user has the certificate and key for the <code>test-team</code> identity.
The malicious user intends to impersonate the service to inspect the data sent from the clients.
The malicious user deploys a forged server with the certificate and key for the <code>test-team</code> identity.
Suppose the malicious user successfully hacked the discovery service or DNS to map the <code>datastore</code> service name to the forged server.</p><p>When a client calls the <code>datastore</code> service, it extracts the <code>test-team</code> identity from the server's certificate,
and checks whether <code>test-team</code> is allowed to run <code>datastore</code> with the secure naming information.
The client detects that <code>test-team</code> is <strong>not</strong> allowed to run the <code>datastore</code> service and the authentication fails.</p><h3 id=authentication-architecture>Authentication architecture</h3><p>You can specify authentication requirements for services receiving requests in
an Istio mesh using authentication policies. The mesh operator uses <code>.yaml</code>
files to specify the policies. The policies are saved in the Istio
configuration storage once deployed. Pilot, the Istio controller, watches the
configuration storage. Upon any policy changes, Pilot translates the new policy
to the appropriate configuration telling the Envoy sidecar proxy how to perform
the required authentication mechanisms. Pilot may fetch the public key and
attach it to the configuration for JWT validation. Alternatively, Pilot
provides the path to the keys and certificates the Istio system manages and
installs them to the application pod for mutual TLS. You can find more info in
the <a href=/v1.0/docs/concepts/security/#pki>PKI section</a>.
Istio sends configurations to the targeted endpoints asynchronously. Once the
proxy receives the configuration, the new authentication requirement takes
effect immediately on that pod.</p><p>Client services, those that send requests, are responsible for following
the necessary authentication mechanism. For origin authentication (JWT), the
application is responsible for acquiring and attaching the JWT credential to
the request. For mutual TLS, Istio provides a <a href=/v1.0/docs/concepts/traffic-management/#destination-rules>destination rule</a>.
The operator can use the destination rule to instruct client proxies to make
initial connections using TLS with the certificates expected on the server
side. You can find out more about how mutual TLS works in Istio in
the <a href=/v1.0/docs/concepts/security/mutual-tls/>PKI and identity section</a>.</p><figure style=width:60%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:67.12%><a class=not-for-endnotes href=/v1.0/docs/concepts/security/./authn.svg><img class=element-to-stretch src=/v1.0/docs/concepts/security/./authn.svg alt="Authentication Architecture" title="Authentication Architecture"></a></div><figcaption>Authentication Architecture</figcaption></figure><p>Istio outputs identities with both types of authentication, as well as other
claims in the credential if applicable, to the next layer:
<a href=/v1.0/docs/concepts/security/#authorization>authorization</a>. Additionally,
operators can specify which identity, either from transport or origin
authentication, Istio should use as the principal.</p><h3 id=authentication-policies>Authentication policies</h3><p>This section provides more details about how Istio authentication policies
work. As you'll remember from the <a href=/v1.0/docs/concepts/security/#authentication-architecture>Architecture section</a>,
authentication policies apply to requests that a service <strong>receives</strong>. To
specify client-side authentication rules in mutual TLS, you need to specify the
<code>TLSSettings</code> in the <code>DestinationRule</code>. You can find more information in our
<a href=/v1.0/docs/reference/config/istio.networking.v1alpha3/#TLSSettings>TLS settings reference docs</a>.
Like other Istio configuration, you can specify authentication policies in
<code>.yaml</code> files. You deploy policies using <code>kubectl</code>.</p><p>The following example authentication policy specifies that transport
authentication for the <code>reviews</code> service must use mutual TLS:</p><pre><code class=language-yaml>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
  name: &#34;reviews&#34;
spec:
  targets:
  - name: reviews
  peers:
  - mtls: {}</code></pre><h4 id=policy-storage-scope>Policy storage scope</h4><p>Istio can store authentication policies in namespace-scope or mesh-scope
storage:</p><ul><li><p>Mesh-scope policy is specified with a value of <code>"MeshPolicy"</code> for the <code>kind</code>
field and the name <code>"default"</code>. For example:</p><pre><code class=language-yaml>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;MeshPolicy&#34;
metadata:
  name: &#34;default&#34;
spec:
  peers:
  - mtls: {}</code></pre></li><li><p>Namespace-scope policy is specified with a value of <code>"Policy"</code> for the <code>kind</code>
field and a specified namespace. If unspecified, the default namespace is
used. For example for namespace <code>ns1</code>:</p><pre><code class=language-yaml>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
  name: &#34;default&#34;
  namespace: &#34;ns1&#34;
spec:
  peers:
  - mtls: {}</code></pre></li></ul><p>Policies in the namespace-scope storage can only affect services in the same
namespace. Policies in mesh-scope can affect all services in the mesh. To
prevent conflict and misuse, only one policy can be defined in mesh-scope
storage. That policy must be named <code>default</code> and have an empty
<code>targets:</code> section. You can find more information on our
<a href=/v1.0/docs/concepts/security/#target-selectors>target selectors section</a>.</p><p>Kubernetes currently implements the Istio configuration on Custom Resource
Definitions (CRDs). These CRDs correspond to namespace-scope and
cluster-scope <code>CRDs</code> and automatically inherit access protection via the
Kubernetes RBAC. You can read more in the
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions>Kubernetes CRD documentation</a>.</p><h4 id=target-selectors>Target selectors</h4><p>An authentication policy's targets specify the service or services to which the
policy applies. The following example shows a <code>targets:</code> section specifying
that the policy applies to:</p><ul><li>The <code>product-page</code> service on any port.</li><li>The <code>reviews</code> service on port <code>9000</code>.</li></ul><pre><code class=language-yaml>targets:
- name: product-page
- name: reviews
  ports:
  - number: 9000</code></pre><p>If you don't provide a <code>targets:</code> section, Istio matches the policy to all
services in the storage scope of the policy. Thus, the <code>targets:</code> section can
help you specify the scope of the policies:</p><ul><li><p>Mesh-wide policy: A policy defined in the mesh-scope storage with no target
selector section. There can be at most <strong>one</strong> mesh-wide policy <strong>in the
mesh</strong>.</p></li><li><p>Namespace-wide policy: A policy defined in the namespace-scope storage with
name <code>default</code> and no target selector section. There can be at most <strong>one</strong>
namespace-wide policy <strong>per namespace</strong>.</p></li><li><p>Service-specific policy: a policy defined in the namespace-scope storage,
with non-empty target selector section. A namespace can have <strong>zero, one, or
many</strong> service-specific policies.</p></li></ul><p>For each service, Istio applies the narrowest matching policy. The order is:
<strong>service-specific > namespace-wide > mesh-wide</strong>. If more than one
service-specific policy matches a service, Istio selects one of them at
random. Operators must avoid such conflicts when configuring their policies.</p><p>To enforce uniqueness for mesh-wide and namespace-wide policies, Istio accepts
only one authentication policy per mesh and one authentication policy per
namespace. Istio also requires mesh-wide and namespace-wide policies to have
the specific name <code>default</code>.</p><h4 id=transport-authentication>Transport authentication</h4><p>The <code>peers:</code> section defines the authentication methods and associated
parameters supported for transport authentication in a policy. The section can
list more than one method, and only one of them needs to be satisfied for the
authentication to pass. However, as of the Istio 0.7 release, the only
transport authentication method currently supported is mutual TLS. If you do not
need transport authentication, skip this section entirely.</p><p>The following example shows the <code>peers:</code> section enabling transport
authentication using mutual TLS.</p><pre><code class=language-yaml>peers:
- mtls: {}</code></pre><p>Currently, the mutual TLS setting doesn't require any parameters. Hence,
<code>- mtls: {}</code>, <code>- mtls:</code>, and <code>- mtls: null</code> declarations are treated the same. In
the future, the mutual TLS setting may carry arguments to provide different
mutual TLS implementations.</p><h4 id=origin-authentication>Origin authentication</h4><p>The <code>origins:</code> section defines authentication methods and associated parameters
supported for origin authentication. Istio only supports JWT origin
authentication. However, a policy can list multiple JWTs by different issuers.
Similar to peer authentication, only one of the listed methods needs to be
satisfied for the authentication to pass.</p><p>The following example policy specifies an <code>origins:</code> section for origin
authentication that accepts JWTs issued by Google:</p><pre><code class=language-yaml>origins:
- jwt:
    issuer: &#34;https://accounts.google.com&#34;
    jwksUri: &#34;https://www.googleapis.com/oauth2/v3/certs&#34;</code></pre><h4 id=principal-binding>Principal binding</h4><p>The principal binding key-value pair defines the principal authentication for a
policy. By default, Istio uses the authentication configured in the <code>peers:</code>
section. If no authentication is configured in the <code>peers:</code> section, Istio
leaves the authentication unset. Policy writers can override this behavior
with the <code>USE_ORIGIN</code> value. This value configures Istio to use the origin's
authentication as the principal authentication instead. In future, we will
support conditional binding, for example: <code>USE_PEER</code> when peer is X, otherwise
<code>USE_ORIGIN</code>.</p><p>The following example shows the <code>principalBinding</code> key with a value of
<code>USE_ORIGIN</code>:</p><pre><code class=language-yaml>principalBinding: USE_ORIGIN</code></pre><h3 id=updating-authentication-policies>Updating authentication policies</h3><p>You can change an authentication policy at any time and Istio pushes the change
to the endpoints almost in real time. However, Istio cannot guarantee that all
endpoints receive a new policy at the same time. The following are
recommendations to avoid disruption when updating your authentication policies:</p><ul><li>To enable or disable mutual TLS: Use a temporary policy with a <code>mode:</code> key
and a <code>PERMISSIVE</code> value. This configures receiving services to accept both
types of traffic: plain text and TLS. Thus, no request is dropped. Once all
clients switch to the expected protocol, with or without mutual TLS, you can
replace the <code>PERMISSIVE</code> policy with the final policy. For more information,
visit the <a href=/v1.0/docs/tasks/security/mtls-migration>Mutual TLS Migration tutorial</a>.</li></ul><pre><code class=language-yaml>peers:
- mtls:
    mode: PERMISSIVE</code></pre><ul><li>For JWT authentication migration: requests should contain the new JWT before
changing policy. Once the server side has completely switched to the new
policy, the old JWT, if there is any, can be removed. Client applications
must be updated for this to work.</li></ul><h2 id=authorization>Authorization</h2><p>Istio's authorization feature, also known as Role-based Access Control (RBAC), provides namespace-level, service-level, and method-level access control for
services in an Istio mesh. It features:</p><ul><li><p><strong>Role-Based semantics</strong>, which are simple and easy to use.</p></li><li><p><strong>Service-to-service and end-user-to-service authorization</strong>.</p></li><li><p><strong>Flexibility through custom properties support</strong>, for example conditions,
in roles and role-bindings.</p></li><li><p><strong>High performance</strong>, as Istio authorization is enforced natively on Envoy.</p></li></ul><h3 id=authorization-architecture>Authorization architecture</h3><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a class=not-for-endnotes href=/v1.0/docs/concepts/security/./authz.svg><img class=element-to-stretch src=/v1.0/docs/concepts/security/./authz.svg alt="Istio Authorization" title="Istio Authorization Architecture"></a></div><figcaption>Istio Authorization Architecture</figcaption></figure><p>The above diagram shows the basic Istio authorization architecture. Operators
specify Istio authorization policies using <code>.yaml</code> files. Once deployed, Istio
saves the policies in the <code>Istio Config Store</code>.</p><p>Pilot watches for changes to Istio authorization policies. It fetches the
updated authorization policies if it sees any changes. Pilot distributes Istio
authorization policies to the Envoy proxies that are co-located with the
service instances.</p><p>Each Envoy proxy runs an authorization engine that authorizes requests at
runtime. When a request comes to the proxy, the authorization engine evaluates
the request context against the current authorization policies, and returns the
authorization result, <code>ALLOW</code> or <code>DENY</code>.</p><h3 id=enabling-authorization>Enabling authorization</h3><p>You enable Istio Authorization using a <code>RbacConfig</code> object. The <code>RbacConfig</code>
object is a mesh-wide singleton with a fixed name value of <code>default</code>. You can
only use one <code>RbacConfig</code> instance in the mesh. Like other Istio configuration
objects, <code>RbacConfig</code> is defined as a
Kubernetes <code>CustomResourceDefinition</code>
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/>(CRD)</a> object.</p><p>In the <code>RbacConfig</code> object, the operator can specify a <code>mode</code> value, which can
be:</p><ul><li><strong><code>OFF</code></strong>: Istio authorization is disabled.</li><li><strong><code>ON</code></strong>: Istio authorization is enabled for all services in the mesh.</li><li><strong><code>ON_WITH_INCLUSION</code></strong>: Istio authorization is enabled only for services and
namespaces specified in the <code>inclusion</code> field.</li><li><strong><code>ON_WITH_EXCLUSION</code></strong>: Istio authorization is enabled for all services in
the mesh except the services and namespaces specified in the <code>exclusion</code>
field.</li></ul><p>In the following example, Istio authorization is enabled for the <code>default</code>
namespace.</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: RbacConfig
metadata:
  name: default
spec:
  mode: &#39;ON_WITH_INCLUSION&#39;
  inclusion:
    namespaces: [&#34;default&#34;]</code></pre><h3 id=authorization-policy>Authorization policy</h3><p>To configure an Istio authorization policy, you specify a <code>ServiceRole</code> and
<code>ServiceRoleBinding</code>. Like other Istio configuration objects, they are
defined as
Kubernetes <code>CustomResourceDefinition</code> <a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/>(CRD)</a> objects.</p><ul><li><strong><code>ServiceRole</code></strong> defines a group of permissions to access services.</li><li><strong><code>ServiceRoleBinding</code></strong> grants a <code>ServiceRole</code> to particular subjects, such
as a user, a group, or a service.</li></ul><p>The combination of <code>ServiceRole</code> and <code>ServiceRoleBinding</code> specifies: <strong>who</strong> is
allowed to do <strong>what</strong> under <strong>which conditions</strong>. Specifically:</p><ul><li><strong>who</strong> refers to the <code>subjects</code> section in <code>ServiceRoleBinding</code>.</li><li><strong>what</strong> refers to the <code>permissions</code> section in <code>ServiceRole</code>.</li><li><strong>which conditions</strong> refers to the <code>conditions</code> section you can specify with
the <a href=/v1.0/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Istio attributes</a>
in either <code>ServiceRole</code> or <code>ServiceRoleBinding</code>.</li></ul><h4 id=servicerole><code>ServiceRole</code></h4><p>A <code>ServiceRole</code> specification includes a list of <code>rules</code>, AKA permissions.
Each rule has the following standard fields:</p><ul><li><p><strong><code>services</code></strong>: A list of service names. You can set the value to <code>*</code> to
include all services in the specified namespace.</p></li><li><p><strong><code>methods</code></strong>: A list of HTTP method names, for permissions on gRPC requests,
the HTTP verb is always <code>POST</code>. You can set the value to <code>*</code> to include all
HTTP methods.</p></li><li><p><strong><code>paths</code></strong>: HTTP paths or gRPC methods. The gRPC methods must be in the
form of <code>/packageName.serviceName/methodName</code> and are case sensitive.</p></li></ul><p>A <code>ServiceRole</code> specification only applies to the namespace specified in the
<code>metadata</code> section. The <code>services</code> and <code>methods</code> fields are required in a
rule. <code>paths</code> is optional. If a field is not specified or if it is set to <code>*</code>,
the rule matches any value for that field.</p><p>The example below shows a simple role: <code>service-admin</code>, which has full access
to all services in the <code>default</code> namespace.</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: service-admin
  namespace: default
spec:
  rules:
  - services: [&#34;*&#34;]
    methods: [&#34;*&#34;]</code></pre><p>Here is another role: <code>products-viewer</code>, which has read access (<code>"GET"</code> and <code>"HEAD"</code>)
to the service <code>products.default.svc.cluster.local</code> in the <code>default</code>
namespace.</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: products-viewer
  namespace: default
spec:
  rules:
  - services: [&#34;products.default.svc.cluster.local&#34;]
    methods: [&#34;GET&#34;, &#34;HEAD&#34;]</code></pre><p>In addition, we support prefix matching and suffix matching for all the fields
in a rule. For example, you can define a <code>tester</code> role with the following
permissions in the <code>default</code> namespace:</p><ul><li>Full access to all services with prefix <code>"test-*"</code>, for example:
<code>test-bookstore</code>, <code>test-performance</code>, <code>test-api.default.svc.cluster.local</code>.</li><li>Read (<code>"GET"</code>) access to all paths with <code>"*/reviews"</code> suffix, for example:
<code>/books/reviews</code>, <code>/events/booksale/reviews</code>, <code>/reviews</code> in service
<code>bookstore.default.svc.cluster.local</code>.</li></ul><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: tester
  namespace: default
spec:
  rules:
  - services: [&#34;test-*&#34;]
    methods: [&#34;*&#34;]
  - services: [&#34;bookstore.default.svc.cluster.local&#34;]
    paths: [&#34;*/reviews&#34;]
    methods: [&#34;GET&#34;]</code></pre><p>In a <code>ServiceRole</code>, the combination of <code>namespace</code> + <code>services</code> + <code>paths</code> +
<code>methods</code> defines <strong>how a service or services are accessed</strong>. In some
situations, you may need to specify additional conditions for your rules. For
example, a rule may only apply to a certain <strong>version</strong> of a service, or only
apply to services with a specific <strong>label</strong>, like <code>"foo"</code>. You can easily
specify these conditions using <code>constraints</code>.</p><p>For example, the following <code>ServiceRole</code> definition adds a constraint that
<code>request.headers[version]</code> is either <code>"v1"</code> or <code>"v2"</code>, extending the previous
<code>products-viewer</code> role. The supported <code>key</code> values of a constraint are listed
in the <a href=/v1.0/docs/reference/config/authorization/constraints-and-properties/>constraints and properties page</a>.
In the case that the attribute is a <code>map</code>, for example <code>request.headers</code>, the
<code>key</code> is an entry in the map, for example <code>request.headers[version]</code>.</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: products-viewer-version
  namespace: default
spec:
  rules:
  - services: [&#34;products.default.svc.cluster.local&#34;]
    methods: [&#34;GET&#34;, &#34;HEAD&#34;]
    constraints:
    - key: request.headers[version]
      values: [&#34;v1&#34;, &#34;v2&#34;]</code></pre><h4 id=servicerolebinding><code>ServiceRoleBinding</code></h4><p>A <code>ServiceRoleBinding</code> specification includes two parts:</p><ul><li><strong><code>roleRef</code></strong> refers to a <code>ServiceRole</code> resource in the same namespace.</li><li>A list of <strong><code>subjects</code></strong> that are assigned to the role.</li></ul><p>You can either explicitly specify a <em>subject</em> with a <code>user</code> or with a set of
<code>properties</code>. A <em>property</em> in a <code>ServiceRoleBinding</code> <em>subject</em> is similar to
a <em>constraint</em> in a <code>ServiceRole</code> specification. A <em>property</em> also lets you use
conditions to specify a set of accounts assigned to this role. It contains a
<code>key</code> and its allowed <em>values</em>. The supported <code>key</code> values of a constraint
are listed in the
<a href=/v1.0/docs/reference/config/authorization/constraints-and-properties/>constraints and properties page</a>.</p><p>The following example shows a <code>ServiceRoleBinding</code> named
<code>test-binding-products</code>, which binds two subjects to the <code>ServiceRole</code> named
<code>"products-viewer"</code> and has the following <code>subjects</code>:</p><ul><li>A service account representing service <strong>a</strong>, <code>"service-account-a"</code>.</li><li>A service account representing the Ingress service
<code>"istio-ingress-service-account"</code> <strong>and</strong> where the JWT <code>email</code> claim is
<code>"a@foo.com"</code>.</li></ul><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
  name: test-binding-products
  namespace: default
spec:
  subjects:
  - user: &#34;service-account-a&#34;
  - user: &#34;istio-ingress-service-account&#34;
    properties:
      request.auth.claims[email]: &#34;a@foo.com&#34;
  roleRef:
    kind: ServiceRole
    name: &#34;products-viewer&#34;</code></pre><p>If you want to make a service publicly accessible, you can set the
<code>subject</code> to <code>user: "*"</code>. This value assigns the <code>ServiceRole</code> to <strong>all (both authenticated and
unauthenticated)</strong> users and services, for example:</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
  name: binding-products-allusers
  namespace: default
spec:
  subjects:
  - user: &#34;*&#34;
  roleRef:
    kind: ServiceRole
    name: &#34;products-viewer&#34;</code></pre><p>To assign the <code>ServiceRole</code> to only <strong>authenticated</strong> users and services, use <code>source.principal: "*"</code>
instead, for example:</p><pre><code class=language-yaml>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
  name: binding-products-all-authenticated-users
  namespace: default
spec:
  subjects:
  - properties:
      source.principal: &#34;*&#34;
  roleRef:
    kind: ServiceRole
    name: &#34;products-viewer&#34;</code></pre><h3 id=using-other-authorization-mechanisms>Using other authorization mechanisms</h3><p>While we strongly recommend using the Istio authorization mechanisms,
Istio is flexible enough to allow you to plug in your own authentication and authorization mechanisms via the Mixer component.
To use and configure plugins in Mixer, visit our <a href=/v1.0/docs/concepts/policies-and-telemetry/#adapters>policies and telemetry adapters docs</a>.</p><h2 id=see-also>See also</h2><div class=see-also><div class=container-fluid><div class=row><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/role-based-access-control/>Authorization</a></p><p class=desc>Shows how to set up role-based access control for services in the mesh.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/authn-policy/>Authentication Policy</a></p><p class=desc>Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/help/ops/security/debugging-authorization/>Debugging Authorization</a></p><p class=desc>Demonstrates how to debug authorization.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></p><p class=desc>Shows you how to incrementally migrate your Istio services to mutual TLS.</p></div><div class="col-xs-12 col-sm-6 col-xl-4"><p class=link><a href=/v1.0/docs/tasks/security/health-check/>Citadel health checking</a></p><p class=desc>Shows how to enable Citadel health checking with Kubernetes.</p></div></div></div></div></main></body></html>