istio.io/archive/v1.14/blog/2021/better-external-authz/index.html

351 lines
39 KiB
HTML

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Better External Authorization"><meta name=description content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta name=author content="Yangmin Zhu (Google)"><meta name=keywords content="microservices,services,mesh,authorization,access control,opa,oauth2"><meta property="og:title" content="Better External Authorization"><meta property="og:type" content="website"><meta property="og:description" content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta property="og:url" content="/v1.14/blog/2021/better-external-authz/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.14 / Better External Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.14/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.14/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.14/feed.xml><link rel="shortcut icon" href=/v1.14/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.14/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.14/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.14/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.14/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.14/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.14/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.14/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.14/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.14/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.14/favicons/favicon.svg><link rel=icon type=image/png href=/v1.14/favicons/favicon.png><link rel=mask-icon href=/v1.14/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.14/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.14/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.14/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.14",docTitle="Better External Authorization",iconFile="/v1.14/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.14/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.14/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.14/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.14/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.14/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.14/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.14/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.14/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.14/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.14/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.14/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.14/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Better External Authorization</h1><p>AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system.</p></div><p class=post-author>Feb 9, 2021 <span>|</span> By Yangmin Zhu - Google</p><div><h2 id=background>Background</h2><p>Istio&rsquo;s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used
feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including
the <a href=/v1.14/docs/tasks/security/authorization/authz-deny/><code>DENY</code> action</a>, <a href=/v1.14/docs/tasks/security/authorization/authz-deny/>exclusion semantics</a>,
<a href=/v1.14/docs/tasks/security/authorization/authz-ingress/><code>X-Forwarded-For</code> header support</a>, <a href=/v1.14/docs/tasks/security/authorization/authz-jwt/>nested JWT claim support</a>
and more. These features improve the flexibility of the authorization policy, but there are still many use cases that
cannot be supported with this model, for example:</p><ul><li><p>You have your own in-house authorization system that cannot be easily migrated to, or cannot be easily replaced by, the
authorization policy.</p></li><li><p>You want to integrate with a 3rd-party solution (e.g. <a href=https://www.openpolicyagent.org/docs/latest/envoy-introduction/>Open Policy Agent</a>
or <a href=https://github.com/oauth2-proxy/oauth2-proxy><code>oauth2</code> proxy</a>) which may require use of the
<a href=/v1.14/docs/reference/config/networking/envoy-filter/>low-level Envoy configuration APIs</a> in Istio, or may not be possible
at all.</p></li><li><p>Authorization policy lacks necessary semantics for your use case.</p></li></ul><h2 id=solution>Solution</h2><p>In Istio 1.9, we have implemented extensibility into authorization policy by introducing a <a href=/v1.14/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>,
which allows you to delegate the access control decision to an external authorization service.</p><p>The <code>CUSTOM</code> action allows you to integrate Istio with an external authorization system that implements its own custom
authorization logic. The following diagram shows the high level architecture of this integration:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:48.573838213459645%><a data-skipendnotes=true href=/v1.14/blog/2021/better-external-authz/external_authz.svg title="External Authorization Architecture"><img class=element-to-stretch src=/v1.14/blog/2021/better-external-authz/external_authz.svg alt="External Authorization Architecture"></a></div><figcaption>External Authorization Architecture</figcaption></figure><p>At configuration time, the mesh admin configures an authorization policy with a <code>CUSTOM</code> action to enable the
external authorization on a proxy (either gateway or sidecar). The admin should verify the external auth service is up
and running.</p><p>At runtime,</p><ol><li><p>A request is intercepted by the proxy, and the proxy will send check requests to the external auth service, as
configured by the user in the authorization policy.</p></li><li><p>The external auth service will make the decision whether to allow it or not.</p></li><li><p>If allowed, the request will continue and will be enforced by any local authorization defined by <code>ALLOW</code>/<code>DENY</code> action.</p></li><li><p>If denied, the request will be rejected immediately.</p></li></ol><p>Let&rsquo;s look at an example authorization policy with the <code>CUSTOM</code> action:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ext-authz
namespace: istio-system
spec:
# The selector applies to the ingress gateway in the istio-system namespace.
selector:
matchLabels:
app: istio-ingressgateway
# The action &#34;CUSTOM&#34; delegates the access control to an external authorizer, this is different from
# the ALLOW/DENY action that enforces the access control right inside the proxy.
action: CUSTOM
# The provider specifies the name of the external authorizer defined in the meshconfig, which tells where and how to
# talk to the external auth service. We will cover this more later.
provider:
name: &#34;my-ext-authz-service&#34;
# The rule specifies that the access control is triggered only if the request path has the prefix &#34;/admin/&#34;.
# This allows you to easily enable or disable the external authorization based on the requests, avoiding the external
# check request if it is not needed.
rules:
- to:
- operation:
paths: [&#34;/admin/*&#34;]
</code></pre><p>It refers to a provider called <code>my-ext-authz-service</code> which is defined in the mesh config:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>extensionProviders:
# The name &#34;my-ext-authz-service&#34; is referred to by the authorization policy in its provider field.
- name: &#34;my-ext-authz-service&#34;
# The &#34;envoyExtAuthzGrpc&#34; field specifies the type of the external authorization service is implemented by the Envoy
# ext-authz filter gRPC API. The other supported type is the Envoy ext-authz filter HTTP API.
# See more in https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter.
envoyExtAuthzGrpc:
# The service and port specifies the address of the external auth service, &#34;ext-authz.istio-system.svc.cluster.local&#34;
# means the service is deployed in the mesh. It can also be defined out of the mesh or even inside the pod as a separate
# container.
service: &#34;ext-authz.istio-system.svc.cluster.local&#34;
port: 9000
</code></pre><p>The authorization policy of <a href=/v1.14/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>
enables the external authorization in runtime, it could be configured to trigger the external authorization conditionally
based on the request using the same rule that you have already been using with other actions.</p><p>The external authorization service is currently defined in the <a href=/v1.14/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider><code>meshconfig</code> API</a>
and referred to by its name. It could be deployed in the mesh with or without proxy. If with the proxy, you could
further use <code>PeerAuthentication</code> to enable mTLS between the proxy and your external authorization service.</p><p>The <code>CUSTOM</code> action is currently in the <strong>experimental stage</strong>; the API might change in a non-backward compatible way based on user feedback.
The authorization policy rules currently don&rsquo;t support authentication fields (e.g. source principal or JWT claim) when used with the
<code>CUSTOM</code> action. Only one provider is allowed for a given workload, but you can still use different providers on different workloads.</p><p>For more information, please see the <a href=https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#>Better External Authorization design doc</a>.</p><h2 id=example-with-opa>Example with OPA</h2><p>In this section, we will demonstrate using the <code>CUSTOM</code> action with the Open Policy Agent as the external authorizer on
the ingress gateway. We will conditionally enable the external authorization on all paths except <code>/ip</code>.</p><p>You can also refer to the <a href=/v1.14/docs/tasks/security/authorization/authz-custom/>external authorization task</a> for a more
basic introduction that uses a sample <code>ext-authz</code> server.</p><h3 id=create-the-example-opa-policy>Create the example OPA policy</h3><p>Run the following command create an OPA policy that allows the request if the prefix of the path is matched with the
claim &ldquo;path&rdquo; (base64 encoded) in the JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &gt; policy.rego &lt;&lt;EOF
package envoy.authz
import input.attributes.request.http as http_request
default allow = false
token = {&#34;valid&#34;: valid, &#34;payload&#34;: payload} {
[_, encoded] := split(http_request.headers.authorization, &#34; &#34;)
[valid, _, payload] := io.jwt.decode_verify(encoded, {&#34;secret&#34;: &#34;secret&#34;})
}
allow {
is_token_valid
action_allowed
}
is_token_valid {
token.valid
now := time.now_ns() / 1000000000
token.payload.nbf &lt;= now
now &lt; token.payload.exp
}
action_allowed {
startswith(http_request.path, base64url.decode(token.payload.path))
}
EOF
$ kubectl create secret generic opa-policy --from-file policy.rego
</code></pre><h3 id=deploy-httpbin-and-opa>Deploy httpbin and OPA</h3><p>Enable the sidecar injection:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label ns default istio-injection=enabled
</code></pre><p>Run the following command to deploy the example application httpbin and OPA. The OPA could be deployed either as a
separate container in the httpbin pod or completely in a separate pod:</p><div id=tabset-blog-2021-better-external-authz-1 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-1-0-panel id=tabset-blog-2021-better-external-authz-1-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-1-1-panel id=tabset-blog-2021-better-external-authz-1-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: v1
kind: Service
metadata:
name: httpbin-with-opa
labels:
app: httpbin-with-opa
service: httpbin-with-opa
spec:
ports:
- name: http
port: 8000
targetPort: 80
selector:
app: httpbin-with-opa
---
# Define the service entry for the local OPA service on port 9191.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: local-opa-grpc
spec:
hosts:
- &#34;local-opa-grpc.local&#34;
endpoints:
- address: &#34;127.0.0.1&#34;
ports:
- name: grpc
number: 9191
protocol: GRPC
resolution: STATIC
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: httpbin-with-opa
labels:
app: httpbin-with-opa
spec:
replicas: 1
selector:
matchLabels:
app: httpbin-with-opa
template:
metadata:
labels:
app: httpbin-with-opa
spec:
containers:
- image: docker.io/kennethreitz/httpbin
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 80
- name: opa
image: openpolicyagent/opa:latest-envoy
securityContext:
runAsUser: 1111
volumeMounts:
- readOnly: true
mountPath: /policy
name: opa-policy
args:
- &#34;run&#34;
- &#34;--server&#34;
- &#34;--addr=localhost:8181&#34;
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
- &#34;--set=decision_logs.console=true&#34;
- &#34;--ignore=.*&#34;
- &#34;/policy/policy.rego&#34;
livenessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: proxy-config
configMap:
name: proxy-config
- name: opa-policy
secret:
secretName: opa-policy
EOF
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: v1
kind: Service
metadata:
name: opa
labels:
app: opa
spec:
ports:
- name: grpc
port: 9191
targetPort: 9191
selector:
app: opa
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: opa
labels:
app: opa
spec:
replicas: 1
selector:
matchLabels:
app: opa
template:
metadata:
labels:
app: opa
spec:
containers:
- name: opa
image: openpolicyagent/opa:latest-envoy
securityContext:
runAsUser: 1111
volumeMounts:
- readOnly: true
mountPath: /policy
name: opa-policy
args:
- &#34;run&#34;
- &#34;--server&#34;
- &#34;--addr=localhost:8181&#34;
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
- &#34;--set=decision_logs.console=true&#34;
- &#34;--ignore=.*&#34;
- &#34;/policy/policy.rego&#34;
ports:
- containerPort: 9191
livenessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: proxy-config
configMap:
name: proxy-config
- name: opa-policy
secret:
secretName: opa-policy
EOF
</code></pre><p>Deploy the httpbin as well:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.14/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/httpbin/httpbin.yaml@
</code></pre></div></div></div></div><h3 id=define-external-authorizer>Define external authorizer</h3><p>Run the following command to edit the <code>meshconfig</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl edit configmap istio -n istio-system
</code></pre><p>Add the following <code>extensionProviders</code> to the <code>meshconfig</code>:</p><div id=tabset-blog-2021-better-external-authz-2 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-2-0-panel id=tabset-blog-2021-better-external-authz-2-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-2-1-panel id=tabset-blog-2021-better-external-authz-2-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-0-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
data:
mesh: |-
# Add the following contents:
extensionProviders:
- name: &#34;opa.local&#34;
envoyExtAuthzGrpc:
service: &#34;local-opa-grpc.local&#34;
port: &#34;9191&#34;
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-1-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
data:
mesh: |-
# Add the following contents:
extensionProviders:
- name: &#34;opa.default&#34;
envoyExtAuthzGrpc:
service: &#34;opa.default.svc.cluster.local&#34;
port: &#34;9191&#34;
</code></pre></div></div></div><h3 id=create-an-authorizationpolicy-with-a-custom-action>Create an AuthorizationPolicy with a CUSTOM action</h3><p>Run the following command to create the authorization policy that enables the external authorization on all paths
except <code>/ip</code>:</p><div id=tabset-blog-2021-better-external-authz-3 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-3-0-panel id=tabset-blog-2021-better-external-authz-3-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-3-1-panel id=tabset-blog-2021-better-external-authz-3-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-opa
spec:
selector:
matchLabels:
app: httpbin-with-opa
action: CUSTOM
provider:
name: &#34;opa.local&#34;
rules:
- to:
- operation:
notPaths: [&#34;/ip&#34;]
EOF
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-opa
spec:
selector:
matchLabels:
app: httpbin
action: CUSTOM
provider:
name: &#34;opa.default&#34;
rules:
- to:
- operation:
notPaths: [&#34;/ip&#34;]
EOF
</code></pre></div></div></div><h3 id=test-the-opa-policy>Test the OPA policy</h3><ol><li><p>Create a client pod to send the request:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.14/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/sleep/sleep.yaml@
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
</code></pre></div></li><li><p>Use a test JWT token signed by the OPA:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export TOKEN_PATH_HEADERS=&#34;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiTDJobFlXUmxjbk09IiwibmJmIjoxNTAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.9yl8LcZdq-5UpNLm0Hn0nnoBHXXAnK4e8RSl9vn6l98&#34;
</code></pre><p>The test JWT token has the following claims:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;path&#34;: &#34;L2hlYWRlcnM=&#34;,
&#34;nbf&#34;: 1500000000,
&#34;exp&#34;: 1900000000
}
</code></pre><p>The <code>path</code> claim has value <code>L2hlYWRlcnM=</code> which is the base64 encode of <code>/headers</code>.</p></li><li><p>Send a request to path <code>/headers</code> without a token. This should be rejected with 403 because there is no JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
403
</code></pre></li><li><p>Send a request to path <code>/get</code> with a valid token. This should be rejected with 403 because the path <code>/get</code> is not matched with the token <code>/headers</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
403
</code></pre></li><li><p>Send a request to path <code>/headers</code> with valid token. This should be allowed with 200 because the path is matched with the token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre></li><li><p>Send request to path <code>/ip</code> without token. This should be allowed with 200 because the path <code>/ip</code> is excluded from
authorization:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre></li><li><p>Check the proxy and OPA logs to confirm the result.</p></li></ol><h2 id=summary>Summary</h2><p>In Istio 1.9, the <code>CUSTOM</code> action in the authorization policy allows you to easily integrate Istio with any external
authorization system with the following benefits:</p><ul><li><p>First-class support in the authorization policy API</p></li><li><p>Ease of usage: define the external authorizer simply with a URL and enable with the authorization policy, no more
hassle with the <code>EnvoyFilter</code> API</p></li><li><p>Conditional triggering, allowing improved performance</p></li><li><p>Support for various deployment type of the external authorizer:</p><ul><li><p>A normal service and pod with or without proxy</p></li><li><p>Inside the workload pod as a separate container</p></li><li><p>Outside the mesh</p></li></ul></li></ul><p>We&rsquo;re working to promote this feature to a more stable stage in following versions and welcome your feedback at
<a href=https://discuss.istio.io/c/security/>discuss.istio.io</a>.</p><h2 id=acknowledgements>Acknowledgements</h2><p>Thanks to <code>Craig Box</code>, <code>Christian Posta</code> and <code>Limin Wang</code> for reviewing drafts of this blog.</p></div><nav class=pagenav><div class=left><a title="Learn about sessions, panels, workshops and more on the IstioCon website." href=/v1.14/blog/2021/istiocon-2021-program/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.14/img/icons.svg#left-arrow"/></svg>IstioCon 2021: Schedule Is Live!</a></div><div class=right></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.14/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.14/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.14/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.14/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.14/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.14/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.14/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.14/content/en/blog/2021/better-external-authz/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2022 Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.14.3</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2021/better-external-authz/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2021/better-external-authz/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top" tabindex=-1><svg class="icon top"><use xlink:href="/v1.14/img/icons.svg#top"/></svg></button></div></body></html>