[ "traffic-management", "fault-injection.md", ], url: "/docs/tasks/traffic-management/fault-injection.html", title: "Fault Injection", order: 20, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "traffic-management", "index.md", ], url: "/docs/tasks/traffic-management/", title: "Traffic Management", order: 10, overview: "Describes tasks that demonstrate traffic routing features of Istio service mesh."}); docs.push({path: [ "traffic-management", "ingress.md", ], url: "/docs/tasks/traffic-management/ingress.html", title: "Istio Ingress Controller", order: 30, overview: "Describes how to configure the Istio ingress controller on Kubernetes."}); docs.push({path: [ "traffic-management", "request-routing.md", ], url: "/docs/tasks/traffic-management/request-routing.html", title: "Configuring Request Routing", order: 10, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "traffic-management", "request-timeouts.md", ], url: "/docs/tasks/traffic-management/request-timeouts.html", title: "Setting Request Timeouts", order: 28, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "traffic-management", "traffic-shifting.md", ], url: "/docs/tasks/traffic-management/traffic-shifting.html", title: "Traffic Shifting", order: 25, overview: "This task shows you how to migrate traffic from an old to new version of a service."}); genSideBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"> </a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Setting up Basic Access Control</h1><p>This task shows how to control access to a service using the Kubernetes labels.</p><h2 
id="before-you-begin">Before you begin</h2><ul><li><p>Set up Istio on Kubernetes by following the instructions in the <a href="/v0.4/docs/setup/kubernetes/">Installation guide</a>.</p></li><li><p>Deploy the <a href="/v0.4/docs/guides/bookinfo.html">BookInfo</a> sample application.</p></li><li><p>Initialize the application version routing to direct <code>reviews</code> service requests from test user “jason” to version v2 and requests from any other user to v3.</p><pre><code class="language-bash">istioctl create -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
istioctl create -f samples/bookinfo/kube/route-rule-reviews-v3.yaml
</code></pre><blockquote><p>Note: if you have conflicting rules that you set in previous tasks, use <code>istioctl replace</code> instead of <code>istioctl create</code>.</p></blockquote><blockquote><p>Note: if you are using a namespace other than <code>default</code>, use <code>istioctl -n namespace ...</code> to specify the namespace.</p></blockquote></li></ul><h2 id="access-control-using-denials">Access control using <em>denials</em></h2><p>Using Istio you can control access to a service based on any attributes that are available within Mixer. This simple form of access control is based on conditionally denying requests using Mixer selectors.</p><p>Consider the <a href="/v0.4/docs/guides/bookinfo.html">BookInfo</a> sample application where the <code>ratings</code> service is accessed by multiple versions of the <code>reviews</code> service. We would like to cut off access to version <code>v3</code> of the <code>reviews</code> service.</p><ol><li><p>Point your browser at the BookInfo <code>productpage</code> (http://$GATEWAY_URL/productpage).</p><p>If you log in as user “jason”, you should see black rating stars with each review, indicating that the <code>ratings</code> service is being called by the “v2” version of the <code>reviews</code> service.</p><p>If you log in as any other user (or logout) you should see red rating stars with each review, indicating that the <code>ratings</code> service is being called by the “v3” version of the <code>reviews</code> service.</p></li><li><p>Explicitly deny access to version <code>v3</code> of the <code>reviews</code> service.</p><p>Run the following command to set up the deny rule along with a handler and an instance.</p><pre><code class="language-bash">istioctl create -f samples/bookinfo/kube/mixer-rule-deny-label.yaml
</code></pre><p>You can expect to see the output similar to the following:</p><pre><code class="language-bash">Created config denier/default/denyreviewsv3handler at revision 2882105
Created config checknothing/default/denyreviewsv3request at revision 2882106
Created config rule/default/denyreviewsv3 at revision 2882107
</code></pre><p>Notice the following in the <code>denyreviewsv3</code> rule:</p><pre><code>match: destination.labels["app"] == "ratings" &amp;&amp; source.labels["app"]=="reviews" &amp;&amp; source.labels["version"] == "v3"
</code></pre><p>It matches requests coming from the service <code>reviews</code> with label <code>v3</code> to the service <code>ratings</code>.</p><p>This rule uses the <code>denier</code> adapter to deny requests coming from version <code>v3</code> of the reviews service. The adapter always denies requests with a pre-configured status code and message. The status code and the message is specified in the <a href="/v0.4/docs/reference/config/mixer/adapters/denier.html">denier</a> adapter configuration.</p></li><li><p>Refresh the <code>productpage</code> in your browser.</p><p>If you are logged out or logged in as any user other than “jason” you will no longer see red ratings stars because the <code>reviews:v3</code> service has been denied access to the <code>ratings</code> service. In contrast, if you log in as user “jason” (the <code>reviews:v2</code> user) you continue to see the black ratings stars.</p></li></ol><h2 id="access-control-using-whitelists">Access control using <em>whitelists</em></h2><p>Istio also supports attribute-based whitelists and blacklists. The following whitelist configuration is equivalent to the <code>denier</code> configuration in the previous section. The rule effectively rejects requests from version <code>v3</code> of the <code>reviews</code> service.</p><ol><li>Remove the denier configuration that you added in the previous section.<pre><code class="language-bash">istioctl delete -f samples/bookinfo/kube/mixer-rule-deny-label.yaml
</code></pre></li><li><p>Verify that when you access the BookInfo <code>productpage</code> (http://$GATEWAY_URL/productpage) without logging in, you see red stars. After performing the following steps you will no longer be able to see stars unless you are logged in as “jason”.</p></li><li><p>Create configuration for the <a href="/v0.4/docs/reference/config/mixer/adapters/list.html"><code>listchecker</code></a> adapter that lists versions <code>v1, v2</code>. Save the following YAML snippet as <code>whitelist-handler.yaml</code>:</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
kind: listchecker
metadata:
  name: whitelist
spec:
  # providerUrl: ordinarily black and white lists are maintained
  # externally and fetched asynchronously using the providerUrl.
  overrides: ["v1", "v2"] # overrides provide a static list
  blacklist: false
</code></pre><p>and then run the following command:</p><pre><code class="language-bash">istioctl create -f whitelist-handler.yaml
</code></pre></li><li><p>Extract the version label by creating an instance of the <a href="/v0.4/docs/reference/config/mixer/template/listentry.html"><code>listentry</code></a> template. Save the following YAML snippet as <code>appversion-instance.yaml</code>:</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
kind: listentry
metadata:
  name: appversion
spec:
  value: source.labels["version"]
</code></pre><p>and then run the following command:</p><pre><code class="language-bash">istioctl create -f appversion-instance.yaml
</code></pre></li><li><p>Enable <code>whitelist</code> checking for the ratings service. Save the following YAML snippet as <code>checkversion-rule.yaml</code>:</p><pre><code class="language-yaml">apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: checkversion
spec:
  match: destination.labels["app"] == "ratings"
  actions:
  - handler: whitelist.listchecker
    instances:
    - appversion.listentry
</code></pre><p>and then run the following command:</p><pre><code class="language-bash">istioctl create -f checkversion-rule.yaml
</code></pre></li><li>Verify that when you access the BookInfo <code>productpage</code> (http://$GATEWAY_URL/productpage) without logging in, you see <strong>no</strong> stars. Verify that after logging in as “jason” you see black stars.</li></ol><h2 id="cleanup">Cleanup</h2><ul><li><p>Remove the mixer configuration:</p><pre><code class="language-bash">istioctl delete -f checkversion-rule.yaml
istioctl delete -f appversion-instance.yaml
istioctl delete -f whitelist-handler.yaml
</code></pre></li><li><p>Remove the application routing rules:</p><pre><code>istioctl delete -f samples/bookinfo/kube/route-rule-reviews-test-v2.yaml
istioctl delete -f samples/bookinfo/kube/route-rule-reviews-v3.yaml
</code></pre></li><li><p>If you are not planning to explore any follow-on tasks, refer to the <a href="/v0.4/docs/guides/bookinfo.html#cleanup">BookInfo cleanup</a> instructions to shut down the application.</p></li></ul><h2 id="further-reading">Further reading</h2><ul><li><p>Learn how to securely control access based on the caller's service account, rather than on Kubernetes labels, in the <a href="/v0.4/docs/tasks/security/secure-access-control.html">Setting up Secure Access Control</a> task.</p></li><li><p>Learn more about <a href="/v0.4/docs/concepts/policy-and-control/mixer.html">Mixer</a> and <a href="/v0.4/docs/concepts/policy-and-control/mixer-config.html">Mixer Config</a>.</p></li><li><p>Discover the full <a href="/v0.4/docs/reference/config/mixer/attribute-vocabulary.html">Attribute Vocabulary</a>.</p></li><li><p>Read the reference guide to <a href="/v0.4/docs/reference/writing-config.html">Writing Config</a>.</p></li><li><p>Understand the differences between Kubernetes network policies and Istio access control policies in the <a href="/v0.4/blog/using-network-policy-in-concert-with-istio.html">blog post on using network policy in concert with Istio</a>.</p></li></ul></div></div></div></div></div></div><script src="/v0.4/js/sidebar.min.js"></script><footer><div class="container"><div class="row"><div class="col-lg-2 col-md-2 col-sm-2"></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/docs/welcome">Docs</a></li><li><a href="/v0.4/docs/concepts">Concepts</a></li><li><a href="/v0.4/docs/setup">Setup</a></li><li><a href="/v0.4/docs/tasks">Tasks</a></li><li><a href="/v0.4/docs/guides">Guides</a></li><li><a href="/v0.4/docs/reference">Reference</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/help">Help</a></li><li><a href="/v0.4/faq">FAQ</a></li><li><a href="/v0.4/glossary">Glossary</a></li><li><a href="/v0.4/troubleshooting">Troubleshooting</a></li><li><a href="/v0.4/bugs">Report Bugs</a></li><li><a 