istio.io/archive/v1.14/blog/2019/v1beta1-authorization-policy/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Introducing the Istio v1beta1 Authorization Policy"><meta name=description content="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy."><meta name=author content="Yangmin Zhu (Google)"><meta name=keywords content="microservices,services,mesh,security,RBAC,access control,authorization"><meta property="og:title" content="Introducing the Istio v1beta1 Authorization Policy"><meta property="og:type" content="website"><meta property="og:description" content="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy."><meta property="og:url" content="/v1.14/blog/2019/v1beta1-authorization-policy/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.14 / Introducing the Istio v1beta1 Authorization Policy</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.14/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.14/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.14/feed.xml><link rel="shortcut icon" href=/v1.14/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.14/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.14/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.14/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.14/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.14/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.14/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.14/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.14/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.14/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.14/favicons/favicon.svg><link rel=icon type=image/png href=/v1.14/favicons/favicon.png><link rel=mask-icon href=/v1.14/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.14/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.14/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script 
src=/v1.14/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.14",docTitle="Introducing the Istio v1beta1 Authorization Policy",iconFile="/v1.14/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Introducing the Istio v1beta1 Authorization Policy</h1><p>Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.</p></div><p class=post-author>Nov 14, 2019 <span>|</span> By Yangmin Zhu - Google</p><div><p>Istio 1.4 introduces the
<a href=/v1.14/docs/reference/config/security/authorization-policy/><code>v1beta1</code> authorization policy</a>,
which is a major update to the previous <code>v1alpha1</code> role-based access control
(RBAC) policy. The new policy provides these improvements:</p><ul><li>Aligns with the Istio configuration model.</li><li>Improves the user experience by simplifying the API.</li><li>Supports more use cases (e.g. Ingress/Egress gateway support) without
added complexity.</li></ul><p>The <code>v1beta1</code> policy is not backward compatible and requires a one time
conversion. A tool is provided to automate this process. The previous
configuration resources <code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
<code>ServiceRoleBinding</code> will not be supported from Istio 1.6 onwards.</p><p>This post describes the new <code>v1beta1</code> authorization policy model, its
design goals and the migration from <code>v1alpha1</code> RBAC policies. See the
<a href=/v1.14/docs/concepts/security/#authorization>authorization concept page</a>
for a detailed in-depth explanation of the <code>v1beta1</code> authorization policy.</p><p>We welcome your feedback about the <code>v1beta1</code> authorization policy at
<a href=https://discuss.istio.io/c/security>discuss.istio.io</a>.</p><h2 id=background>Background</h2><p>To date, Istio provided RBAC policies to enforce access control on
<span class=term data-title=Service data-body='<p>A delineated group of related behaviors within a <a href="/docs/reference/glossary/#service-mesh">service mesh</a>. Services are identified using a
<a href="/docs/reference/glossary/#service-name">service name</a>,
and Istio policies such as load balancing and routing are applied using these names.
A service is typically materialized by one or more <a href="/docs/reference/glossary/#service-endpoint">service endpoints</a>, and may consist of multiple
<a href="/docs/reference/glossary/#service-version">service versions</a>.</p>
'>services</span> using three configuration
resources: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.
With this API, users have been able to enforce access control at mesh-level,
namespace-level and service-level. Like other RBAC policies, Istio RBAC uses
the same concept of role and binding for granting permissions to identities.</p><p>Although Istio RBAC has been working reliably, we&rsquo;ve found that many
improvements were possible.</p><p>For example, users have mistakenly assumed that access control enforcement
happens at service-level because <code>ServiceRole</code> uses service to specify where
to apply the policy; however, the policy is actually applied on
<span class=term data-title=Workload data-body='<p>A binary deployed by <a href="/docs/reference/glossary/#operator">operators</a> to deliver some function of a service mesh application.
Workloads have names, namespaces, and unique ids. These properties are available in policy and telemetry configuration
using the following <a href="/docs/reference/glossary/#attribute">attributes</a>:</p>
<ul>
<li><code>source.workload.name</code>, <code>source.workload.namespace</code>, <code>source.workload.uid</code></li>
<li><code>destination.workload.name</code>, <code>destination.workload.namespace</code>, <code>destination.workload.uid</code></li>
</ul>
<p>In Kubernetes, a workload typically corresponds to a Kubernetes deployment,
while a <a href="/docs/reference/glossary/#workload-instance">workload instance</a> corresponds to an individual <a href="/docs/reference/glossary/#pod">pod</a> managed
by the deployment.</p>
'>workloads</span>, the service is only used to
find the corresponding workload. This nuance is significant when multiple
services are referring to the same workload. A <code>ServiceRole</code> for service A
will also affect service B if the two services are referring to the same
workload, which can cause confusion and incorrect configuration.</p><p>Another example is that it has proven difficult for users to maintain and
manage the Istio RBAC configurations because of the need to deeply understand
three related resources.</p><h2 id=design-goals>Design goals</h2><p>The new <code>v1beta1</code> authorization policy had several design goals:</p><ul><li><p>Align with <a href=https://goo.gl/x3STjD>Istio Configuration Model</a> for better
clarity on the policy target. The configuration model provides a unified
configuration hierarchy, resolution and target selection.</p></li><li><p>Improve the user experience by simplifying the API. It&rsquo;s easier to manage
one custom resource definition (CRD) that includes all access control
specifications, instead of multiple CRDs.</p></li><li><p>Support more use cases without added complexity. For example, allow the
policy to be applied on Ingress/Egress gateway to enforce access control
for traffic entering/exiting the mesh.</p></li></ul><h2 id=authorizationpolicy><code>AuthorizationPolicy</code></h2><p>An <a href=/v1.14/docs/reference/config/security/authorization-policy/><code>AuthorizationPolicy</code> custom resource</a>
enables access control on workloads. This section gives an overview of the
changes in the <code>v1beta1</code> authorization policy.</p><p>An <code>AuthorizationPolicy</code> includes a <code>selector</code> and a list of <code>rule</code>.
The <code>selector</code> specifies on which workload to apply the policy and the
list of <code>rule</code> specifies the detailed access control rule for the workload.</p><p>The <code>rule</code> is additive, which means a request is allowed if any <code>rule</code>
allows the request. Each <code>rule</code> includes a list of <code>from</code>, <code>to</code> and
<code>when</code>, which specifies <strong>who</strong> is allowed to do <strong>what</strong> under which
<strong>conditions</strong>.</p><p>The <code>selector</code> replaces the functionality provided by <code>ClusterRbacConfig</code>
and the <code>services</code> field in <code>ServiceRole</code>. The <code>rule</code> replaces the other
fields in the <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.</p><h3 id=example>Example</h3><p>The following authorization policy applies to workloads with <code>app: httpbin</code>
and <code>version: v1</code> labels in the <code>foo</code> namespace:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
  - from:
    - source:
        principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
    to:
    - operation:
        methods: [&#34;GET&#34;]
    when:
    - key: request.headers[version]
      values: [&#34;v1&#34;, &#34;v2&#34;]
</code></pre><p>The policy allows principal <code>cluster.local/ns/default/sa/sleep</code> to access the
workload using the <code>GET</code> method when the request includes a <code>version</code> header
of value <code>v1</code> or <code>v2</code>. Any requests not matched with the policy will be denied
by default.</p><p>Assuming the <code>httpbin</code> service is defined as:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    app: httpbin
    version: v1
  ports:
  # omitted
</code></pre><p>You would need to configure three resources to achieve the same result in
<code>v1alpha1</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: &#39;ON_WITH_INCLUSION&#39;
  inclusion:
    services: [&#34;httpbin.foo.svc.cluster.local&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: httpbin
  namespace: foo
spec:
  rules:
  - services: [&#34;httpbin.foo.svc.cluster.local&#34;]
    methods: [&#34;GET&#34;]
    constraints:
    - key: request.headers[version]
      values: [&#34;v1&#34;, &#34;v2&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
  name: httpbin
  namespace: foo
spec:
  subjects:
  - user: &#34;cluster.local/ns/default/sa/sleep&#34;
  roleRef:
    kind: ServiceRole
    name: &#34;httpbin&#34;
</code></pre><h3 id=workload-selector>Workload selector</h3><p>A major change in the <code>v1beta1</code> authorization policy is that it now uses
workload selector to specify where to apply the policy. This is the same
workload selector used in the <code>Gateway</code>, <code>Sidecar</code> and <code>EnvoyFilter</code>
configurations.</p><p>The workload selector makes it clear that the policy is applied and enforced
on workloads instead of services. If a policy applies to a workload that is
used by multiple different services, the same policy will affect the traffic
to all the different services.</p><p>You can simply leave the <code>selector</code> empty to apply the policy to all
workloads in a namespace. The following policy applies to all workloads in
the namespace <code>bar</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: bar
spec:
  rules:
  # omitted
</code></pre><h3 id=root-namespace>Root namespace</h3><p>A policy in the root namespace applies to all workloads in the mesh in every
namespace. The root namespace is configurable in the
<a href=/v1.14/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig><code>MeshConfig</code></a>
and has the default value of <code>istio-system</code>.</p><p>For example, suppose you installed Istio in the <code>istio-system</code> namespace and deployed
workloads in <code>default</code> and <code>bookinfo</code> namespace. The root namespace is
changed to <code>istio-config</code> from the default value. The following policy will
apply to workloads in every namespace including <code>default</code>, <code>bookinfo</code> and
the <code>istio-system</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy
  namespace: istio-config
spec:
  rules:
  # omitted
</code></pre><h3 id=ingress-egress-gateway-support>Ingress/Egress Gateway support</h3><p>The <code>v1beta1</code> authorization policy can also be applied on ingress/egress
gateway to enforce access control on traffic entering/leaving the mesh;
you only need to change the <code>selector</code> so that it selects the ingress/egress
workload.</p><p>The following policy applies to workloads with the
<code>app: istio-ingressgateway</code> label:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  # omitted
</code></pre><p>Remember the authorization policy only applies to workloads in the same
namespace as the policy, unless the policy is applied in the root namespace:</p><ul><li><p>If you don&rsquo;t change the default root namespace value (i.e. <code>istio-system</code>),
the above policy will apply to workloads with the <code>app: istio-ingressgateway</code>
label in <strong>every</strong> namespace.</p></li><li><p>If you have changed the root namespace to a different value, the above
policy will apply to workloads with the <code>app: istio-ingressgateway</code>
label <strong>only</strong> in the <code>istio-system</code> namespace.</p></li></ul><h3 id=comparison>Comparison</h3><p>The following table highlights the key differences between the old <code>v1alpha1</code>
RBAC policies and the new <code>v1beta1</code> authorization policy.</p><h4 id=feature>Feature</h4><table><thead><tr><th>Feature</th><th><code>v1alpha1</code> RBAC policy</th><th><code>v1beta1</code> Authorization Policy</th></tr></thead><tbody><tr><td>API stability</td><td><code>alpha</code>: <strong>No</strong> backward compatible</td><td><code>beta</code>: backward compatible <strong>guaranteed</strong></td></tr><tr><td>Number of CRDs</td><td>Three: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td><td>Only One: <code>AuthorizationPolicy</code></td></tr><tr><td>Policy target</td><td><strong>service</strong></td><td><strong>workload</strong></td></tr><tr><td>Deny-by-default behavior</td><td>Enabled <strong>explicitly</strong> by configuring <code>ClusterRbacConfig</code></td><td>Enabled <strong>implicitly</strong> with <code>AuthorizationPolicy</code></td></tr><tr><td>Ingress/Egress gateway support</td><td>Not supported</td><td>Supported</td></tr><tr><td>The <code>"*"</code> value in policy</td><td>Match all contents (empty and non-empty)</td><td>Match non-empty contents only</td></tr></tbody></table><p>The following tables show the relationship between the <code>v1alpha1</code> and <code>v1beta1</code> API.</p><h4 id=clusterrbacconfig><code>ClusterRbacConfig</code></h4><table><thead><tr><th><code>ClusterRbacConfig.Mode</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>OFF</code></td><td>No policy applied</td></tr><tr><td><code>ON</code></td><td>A deny-all policy applied in root namespace</td></tr><tr><td><code>ON_WITH_INCLUSION</code></td><td>policies should be applied to namespaces or workloads included by <code>ClusterRbacConfig</code></td></tr><tr><td><code>ON_WITH_EXCLUSION</code></td><td>policies should be applied to namespaces or workloads excluded by <code>ClusterRbacConfig</code></td></tr></tbody></table><h4 
id=servicerole><code>ServiceRole</code></h4><table><thead><tr><th><code>ServiceRole</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>services</code></td><td><code>selector</code></td></tr><tr><td><code>paths</code></td><td><code>paths</code> in <code>to</code></td></tr><tr><td><code>methods</code></td><td><code>methods</code> in <code>to</code></td></tr><tr><td><code>destination.ip</code> in constraint</td><td>Not supported</td></tr><tr><td><code>destination.port</code> in constraint</td><td><code>ports</code> in <code>to</code></td></tr><tr><td><code>destination.labels</code> in constraint</td><td><code>selector</code></td></tr><tr><td><code>destination.namespace</code> in constraint</td><td>Replaced by the namespace of the policy, i.e. the <code>namespace</code> in metadata</td></tr><tr><td><code>destination.user</code> in constraint</td><td>Not supported</td></tr><tr><td><code>experimental.envoy.filters</code> in constraint</td><td><code>experimental.envoy.filters</code> in <code>when</code></td></tr><tr><td><code>request.headers</code> in constraint</td><td><code>request.headers</code> in <code>when</code></td></tr></tbody></table><h4 id=servicerolebinding><code>ServiceRoleBinding</code></h4><table><thead><tr><th><code>ServiceRoleBinding</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>user</code></td><td><code>principals</code> in <code>from</code></td></tr><tr><td><code>group</code></td><td><code>request.auth.claims[group]</code> in <code>when</code></td></tr><tr><td><code>source.ip</code> in property</td><td><code>ipBlocks</code> in <code>from</code></td></tr><tr><td><code>source.namespace</code> in property</td><td><code>namespaces</code> in <code>from</code></td></tr><tr><td><code>source.principal</code> in property</td><td><code>principals</code> in <code>from</code></td></tr><tr><td><code>request.headers</code> in property</td><td><code>request.headers</code> in 
<code>when</code></td></tr><tr><td><code>request.auth.principal</code> in property</td><td><code>requestPrincipals</code> in <code>from</code> or <code>request.auth.principal</code> in <code>when</code></td></tr><tr><td><code>request.auth.audiences</code> in property</td><td><code>request.auth.audiences</code> in <code>when</code></td></tr><tr><td><code>request.auth.presenter</code> in property</td><td><code>request.auth.presenter</code> in <code>when</code></td></tr><tr><td><code>request.auth.claims</code> in property</td><td><code>request.auth.claims</code> in <code>when</code></td></tr></tbody></table><p>Beyond all the differences, the <code>v1beta1</code> policy is enforced by the same
engine in Envoy and supports the same authenticated identity (mutual TLS or
JWT), conditions and other primitives (e.g. IP, port, etc.) as the
<code>v1alpha1</code> policy.</p><h2 id=future-of-the-v1alpha1-policy>Future of the <code>v1alpha1</code> policy</h2><p>The <code>v1alpha1</code> RBAC policy (<code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
<code>ServiceRoleBinding</code>) is deprecated by the <code>v1beta1</code> authorization policy.</p><p>Istio 1.4 continues to support the <code>v1alpha1</code> RBAC policy to give you
enough time to move away from the alpha policies.</p><h2 id=migration-from-the-v1alpha1-policy>Migration from the <code>v1alpha1</code> policy</h2><p>Istio only supports one of the two versions for a given workload:</p><ul><li>If there is only <code>v1beta1</code> policy for a workload, the <code>v1beta1</code> policy
will be used.</li><li>If there is only <code>v1alpha1</code> policy for a workload, the <code>v1alpha1</code> policy
will be used.</li><li>If there are both <code>v1beta1</code> and <code>v1alpha1</code> policies for a workload,
only the <code>v1beta1</code> policy will be used and the <code>v1alpha1</code> policy
will be ignored.</li></ul><h3 id=general-guideline>General Guideline</h3><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.14/img/icons.svg#callout-warning"/></svg></div><div class=content>When migrating to use <code>v1beta1</code> policy for a given workload, make sure the
new <code>v1beta1</code> policy covers all the existing <code>v1alpha1</code> policies applied
for the workload, because the <code>v1alpha1</code> policies applied for the workload
will be ignored after you apply the <code>v1beta1</code> policies.</div></aside></div><p>The typical flow of migrating to <code>v1beta1</code> policy is to start by checking the
<code>ClusterRbacConfig</code> to decide which namespace or service is enabled with RBAC.</p><p>For each service enabled with RBAC:</p><ol><li>Get the workload selector from the service definition.</li><li>Create a <code>v1beta1</code> policy with the workload selector.</li><li>Update the <code>v1beta1</code> policy for each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
applied to the service.</li><li>Apply the <code>v1beta1</code> policy and monitor the traffic to make sure the
policy is working as expected.</li><li>Repeat the process for the next service enabled with RBAC.</li></ol><p>For each namespace enabled with RBAC:</p><ol><li>Apply a <code>v1beta1</code> policy that denies all traffic to the given namespace.</li></ol><h3 id=migration-example>Migration Example</h3><p>Assume you have the following <code>v1alpha1</code> policies for the <code>httpbin</code> service
in the <code>foo</code> namespace:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: &#39;ON_WITH_INCLUSION&#39;
  inclusion:
    namespaces: [&#34;foo&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRole
metadata:
  name: httpbin
  namespace: foo
spec:
  rules:
  - services: [&#34;httpbin.foo.svc.cluster.local&#34;]
    methods: [&#34;GET&#34;]
---
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
kind: ServiceRoleBinding
metadata:
  name: httpbin
  namespace: foo
spec:
  subjects:
  - user: &#34;cluster.local/ns/default/sa/sleep&#34;
  roleRef:
    kind: ServiceRole
    name: &#34;httpbin&#34;
</code></pre><p>Migrate the above policies to <code>v1beta1</code> with the following steps:</p><ol><li><p>Assume the <code>httpbin</code> service has the following workload selector:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>selector:
  app: httpbin
  version: v1
</code></pre></li><li><p>Create a <code>v1beta1</code> policy with the workload selector:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
</code></pre></li><li><p>Update the <code>v1beta1</code> policy with each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
applied to the service:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  rules:
  - from:
    - source:
        principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
    to:
    - operation:
        methods: [&#34;GET&#34;]
</code></pre></li><li><p>Apply the <code>v1beta1</code> policy and monitor the traffic to confirm that it behaves
as expected.</p></li><li><p>Because the <code>foo</code> namespace is enabled with RBAC, apply the following <code>v1beta1</code> policy to deny all traffic to the
<code>foo</code> namespace that is not allowed by another policy:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: foo
spec:
{}
</code></pre></li></ol><p>Once you have confirmed that the <code>v1beta1</code> policy is working as expected, you can delete
the <code>v1alpha1</code> policies from the cluster.</p><h3 id=automation-of-the-migration>Automation of the Migration</h3><p>To help ease the migration, the <code>istioctl experimental authz convert</code>
command is provided to automatically convert the <code>v1alpha1</code> policies to
the <code>v1beta1</code> policy.</p><p>You can evaluate the command, but it is experimental in Istio 1.4 and, as of the date of this blog post, does not
support the full <code>v1alpha1</code> semantics.</p><p>Support for the full <code>v1alpha1</code> semantics is expected in a patch
release following Istio 1.4.</p></div></article></body></html>