istio.io/archive/v1.21/blog/2021/migrate-alpha-policy/index.html


<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Migrate pre-Istio 1.4 Alpha security policy to the current APIs"><meta name=description content="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version."><meta name=author content="Yangmin Zhu (Google), Craig Box (Google)"><meta name=keywords content="microservices,services,mesh,security,policy,migrate,alpha,beta,deprecate,peer,jwt,authorization"><meta property="og:title" content="Migrate pre-Istio 1.4 Alpha security policy to the current APIs"><meta property="og:type" content="website"><meta property="og:description" content="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version."><meta property="og:url" content="/v1.21/blog/2021/migrate-alpha-policy/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.png"><meta property="og:image:alt" content="The Istio sailboat logo"><meta property="og:image:width" content="4096"><meta property="og:image:height" content="2048"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.21 / Migrate pre-Istio 1.4 Alpha security policy to the current APIs</title>
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.21/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</h1><p>A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.</p></div><p class=post-author>Mar 3, 2021 <span>| </span>By Yangmin Zhu - Google, Craig Box - Google</p><div><p>In versions of Istio prior to 1.4, security policy was configured using <code>v1alpha1</code> APIs (<code>MeshPolicy</code>, <code>Policy</code>, <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>). After consulting with our early adopters, we made <a href=/v1.21/blog/2019/v1beta1-authorization-policy/>major improvements to the policy system</a> and released <code>v1beta1</code> APIs along with Istio 1.4. These refreshed APIs (<code>PeerAuthentication</code>, <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>) helped standardize how we define policy targets in Istio, helped users understand where policies were applied, and cut the number of configuration objects required.</p><p>The old APIs were deprecated in Istio 1.4. Two releases after the <code>v1beta1</code> APIs were introduced, Istio 1.6 removed support for the <code>v1alpha1</code> APIs.</p><p>If you are using a version of Istio prior to 1.6 and you want to upgrade, you will have to migrate your alpha security policy objects to the beta API. 
This tutorial will help you make that move.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.21/img/icons.svg#callout-tip"/></svg></div><div class=content>If you adopted Istio after version 1.6, or you&rsquo;re not using <code>v1alpha1</code> security APIs, you can stop reading.</div></aside></div><h2 id=overview>Overview</h2><p>Your control plane must first be upgraded to a version that supports the <code>v1beta1</code> security policy.</p><p>It is recommended to first upgrade to Istio 1.5 as an intermediate version, because it is the only version that supports both
<code>v1alpha1</code> and <code>v1beta1</code> security policies. You will complete the security policy migration in Istio 1.5, remove the
<code>v1alpha1</code> security policy, and then continue to upgrade to later Istio versions. For a given workload, the <code>v1beta1</code>
version will take precedence over the <code>v1alpha1</code> version.</p><p>Alternatively, if you want to do a skip-level upgrade directly from Istio 1.4 to 1.6 or later, you should use the
<a href=/v1.21/docs/setup/upgrade/canary/>canary upgrade</a> method to install a new Istio version as a separate control plane, and
gradually migrate your workloads to the new control plane, completing the security policy migration at the same time.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.21/img/icons.svg#callout-warning"/></svg></div><div class=content>Skip-level upgrades are not supported by Istio and there might be other issues in this process. Istio 1.6 does not support
the <code>v1alpha1</code> security policy, and if you do not migrate your old policies before the upgrade, you are essentially removing
all your security policies.</div></aside></div><p>In either case, it is recommended to migrate using namespace granularity: for each namespace, find all the
<code>v1alpha1</code> policies that have an effect on workloads in the namespace and migrate all the policies to <code>v1beta1</code>
at the same time. This allows a safer migration as you can make sure everything is working as expected,
and then move forward to the next namespace.</p><h2 id=major-differences>Major differences</h2><p>Before starting the migration, read through the <code>v1beta1</code> <a href=/v1.21/docs/concepts/security/#authentication>authentication</a>
and <a href=/v1.21/docs/concepts/security/#authorization>authorization</a> documentation to understand the <code>v1beta1</code> policy.</p><p>You should examine all of your existing <code>v1alpha1</code> security policies, find out what fields are used and which policies
need migration, compare the findings with the major differences listed below and confirm there are no blocking issues
(e.g., using an alpha feature that is no longer supported in beta):</p><table><thead><tr><th>Major Differences</th><th><code>v1alpha1</code></th><th><code>v1beta1</code></th></tr></thead><tbody><tr><td>API stability</td><td>not backward compatible</td><td>backward compatible</td></tr><tr><td>mTLS</td><td><code>MeshPolicy</code> and <code>Policy</code></td><td><code>PeerAuthentication</code></td></tr><tr><td>JWT</td><td><code>MeshPolicy</code> and <code>Policy</code></td><td><code>RequestAuthentication</code></td></tr><tr><td>Authorization</td><td><code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td><td><code>AuthorizationPolicy</code></td></tr><tr><td>Policy target</td><td>service name based</td><td>workload selector based</td></tr><tr><td>Port number</td><td>service ports</td><td>workload ports</td></tr></tbody></table><p>Although <code>RequestAuthentication</code> in <code>v1beta1</code> security policy is similar to the <code>v1alpha1</code> JWT policy, there is a notable
semantic change. The <code>v1alpha1</code> JWT policy needs to be migrated to two <code>v1beta1</code> resources: <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code>. This will change the JWT deny message due to the use of <code>AuthorizationPolicy</code>. In the alpha version,
the HTTP code 401 is returned with the body <code>Origin authentication failed</code>. In the beta version, the HTTP code 403 is
returned with the body <code>RBAC: access denied</code>.</p><p>The <code>v1alpha1</code> JWT policy <a href=https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Jwt-TriggerRule><code>triggerRule</code> field</a>
is replaced by the <code>AuthorizationPolicy</code> with the exception that the <a href=https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#StringMatch><code>regex</code> field</a>
is no longer supported.</p><h2 id=migration-flow>Migration flow</h2><p>This section describes in detail how to migrate a <code>v1alpha1</code> security policy.</p><h3 id=step-1-find-related-policies>Step 1: Find related policies</h3><p>For each namespace, find all <code>v1alpha1</code> security policies that have an effect on workloads in the namespace. The result
could include:</p><ul><li>a single <code>MeshPolicy</code> that applies to all services in the mesh;</li><li>a single namespace-level <code>Policy</code> that applies to all workloads in the namespace;</li><li>multiple service-level <code>Policy</code> objects that apply to the selected services in the namespace;</li><li>a single <code>ClusterRbacConfig</code> that enables the RBAC on the whole namespace or some services in the namespace;</li><li>multiple namespace-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to all services in the namespace;</li><li>multiple service-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to the selected services in the namespace;</li></ul><h3 id=step-2-convert-service-name-to-workload-selector>Step 2: Convert service name to workload selector</h3><p>The <code>v1alpha1</code> policy selects targets using their service name. You should refer to the corresponding service definition to decide
the workload selector that should be used in the <code>v1beta1</code> policy.</p><p>A single <code>v1alpha1</code> policy may include multiple services. It will need to be migrated to multiple <code>v1beta1</code> policies
because the <code>v1beta1</code> policy currently only supports at most one workload selector per policy.</p><p>Also note the <code>v1alpha1</code> policy uses service port but the <code>v1beta1</code> policy uses the workload port. This means the port number might be
different in the migrated <code>v1beta1</code> policy.</p><h3 id=step-3-migrate-authentication-policy>Step 3: Migrate authentication policy</h3><p>For each <code>v1alpha1</code> authentication policy, migrate with the following rules:</p><ol><li><p>If the whole namespace is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code> without a workload selector for the whole namespace. Fill out the policy based on the
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the namespace.</p></li><li><p>If a workload is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
<code>AuthorizationPolicy</code> with a corresponding workload selector for the workload. Fill out the policy based on the
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the workload.</p></li><li><p>For mTLS related configuration, use <code>STRICT</code> mode if the alpha policy is using <code>STRICT</code>, or use <code>PERMISSIVE</code> in all other cases.</p></li><li><p>For JWT related configuration, refer to the <a href=/v1.21/docs/tasks/security/authentication/authn-policy/#end-user-authentication><code>end-user authentication</code> documentation</a>
to learn how to migrate to <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>.</p></li></ol><p>A <a href=https://github.com/istio-ecosystem/security-policy-migrate>security policy migration tool</a> is provided to
migrate authentication policies automatically. Please refer to the tool&rsquo;s README for its usage.</p><h3 id=step-4-migrate-rbac-policy>Step 4: Migrate RBAC policy</h3><p>For each <code>v1alpha1</code> RBAC policy, migrate with the following rules:</p><ol><li><p>If the whole namespace is enabled with RBAC, create an <code>AuthorizationPolicy</code> without a workload selector for the whole
namespace. Add an empty rule so that it will deny all requests to the namespace by default.</p></li><li><p>If a workload is enabled with RBAC, create an <code>AuthorizationPolicy</code> with a corresponding workload selector for the workload.
Add rules based on the semantics of the corresponding <code>ServiceRole</code> and <code>ServiceRoleBinding</code> for the workload.</p></li></ol><h3 id=step-5-verify-migrated-policy>Step 5: Verify migrated policy</h3><ol><li><p>Double check the migrated <code>v1beta1</code> policies: make sure there are no policies with duplicate names, the namespace
is specified correctly and all <code>v1alpha1</code> policies for the given namespace are migrated.</p></li><li><p>Dry-run the <code>v1beta1</code> policy with the command <code>kubectl apply --dry-run=server -f beta-policy.yaml</code> to make sure it
is valid.</p></li><li><p>Apply the <code>v1beta1</code> policy to the given namespace and closely monitor the effect. Make sure to test both allow and
deny scenarios if JWT or authorization are used.</p></li><li><p>Migrate the next namespace. Only remove the <code>v1alpha1</code> policy after completing migration for all namespaces successfully.</p></li></ol><h2 id=example>Example</h2><h3 id=v1alpha1-policy><code>v1alpha1</code> policy</h3><p>This section gives a full example showing the migration for namespace <code>foo</code>. Assume the namespace <code>foo</code> has the following
<code>v1alpha1</code> policies that affect the workloads in it:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># A MeshPolicy that enables mTLS globally, including the whole foo namespace
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  # mesh-wide mTLS; no mode given, so the alpha default applies
  peers:
  - mtls: {}
---
# A Policy for the httpbin service: PERMISSIVE mTLS plus JWT origin authentication,
# scoped to service port 8000 by the targets block
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: httpbin
  namespace: foo
spec:
  targets:
  - name: httpbin
    ports:
    - number: 8000
  peers:
  - mtls:
      mode: PERMISSIVE
  origins:
  - jwt:
      issuer: testing@example.com
      jwksUri: https://www.example.com/jwks.json
      # JWT is only required under /admin/, except for /admin/status
      triggerRules:
      - includedPaths:
        - prefix: /admin/
        excludedPaths:
        - exact: /admin/status
  principalBinding: USE_ORIGIN
---
# A ClusterRbacConfig that turns RBAC on for the whole mesh, foo included
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  # keep ON quoted: unquoted ON is a YAML 1.1 boolean, not the enum string
  mode: 'ON'
---
# A ServiceRole granting GET on the httpbin service
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: httpbin
  namespace: foo
spec:
  rules:
  - services: ["httpbin.foo.svc.cluster.local"]
    methods: ["GET"]
---
# A ServiceRoleBinding that grants the role above to the sleep service account
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: httpbin
  namespace: foo
spec:
  subjects:
  - user: cluster.local/ns/foo/sa/sleep
  roleRef:
    kind: ServiceRole
    name: httpbin
</code></pre><h3 id=httpbin-service><code>httpbin</code> service</h3><p>The <code>httpbin</code> service has the following definition:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
kind: Service
metadata:
  name: httpbin
  namespace: foo
spec:
  # service port 8000 is forwarded to container port 80 on the selected pods;
  # v1beta1 policies refer to the workload port (80), not the service port
  ports:
  - name: http
    port: 8000
    targetPort: 80
  # these labels become the workload selector of the migrated v1beta1 policies
  selector:
    app: httpbin
</code></pre><p>This means the service name <code>httpbin</code> should be replaced by the workload selector <code>app: httpbin</code>, and the service port 8000
should be replaced by the workload port 80.</p><h3 id=v1beta1-authentication-policy><code>v1beta1</code> authentication policy</h3><p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> authentication policies in <code>foo</code> namespace are listed below:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># A PeerAuthentication that enables mTLS for the foo namespace, migrated from the MeshPolicy
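# Alternatively the MeshPolicy could also be migrated to a PeerAuthentication at mesh level
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# A PeerAuthentication that enables mTLS for the httpbin workload, migrated from the Policy
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  # port level mtls set for the workload port 80 corresponding to the service port 8000
  portLevelMtls:
    80:
      mode: PERMISSIVE
---
# A RequestAuthentication that enables JWT for the httpbin workload, migrated from the Policy
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: testing@example.com
    jwksUri: https://www.example.com/jwks.json
---
# An AuthorizationPolicy that requires JWT validation for the httpbin workload, migrated from the Policy.
# The RequestAuthentication above only rejects invalid tokens; this policy is what rejects requests
# that carry no token at all.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-jwt
  namespace: foo
spec:
  # Use DENY action to explicitly deny requests without JWT token
  action: DENY
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        # This makes sure requests without JWT token will be denied
        notRequestPrincipals: ["*"]
    to:
    - operation:
        # This should be the workload port 80, not the service port 8000
        ports: ["80"]
        # The path and notPath is converted from the trigger rule in the Policy
        paths: ["/admin/*"]
        notPaths: ["/admin/status"]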
</code></pre><h3 id=v1beta1-authorization-policy><code>v1beta1</code> authorization policy</h3><p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> RBAC policies in <code>foo</code> namespace are listed below:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio># An AuthorizationPolicy that denies by default, migrated from the ClusterRbacConfig
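apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default
  namespace: foo
# No selector and no rules: applies to every workload in the namespace and allows nothing,
# so a request is only admitted if some other ALLOW policy matches it
spec: {}
---
# An AuthorizationPolicy that enforces authorization for the httpbin workload, migrated from the ServiceRole and ServiceRoleBinding
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  # Same labels as the httpbin Service selector. Adding a label the Service does not use
  # (for example a version label) would leave the remaining httpbin pods covered only by
  # the deny-all policy above.
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]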
</code></pre><h2 id=finish-the-upgrade>Finish the upgrade</h2><p>Congratulations; having reached this point, you should only have <code>v1beta1</code> policy objects, and you will be able to continue upgrading Istio to 1.6 and beyond.</p></div><nav class=pagenav><div class=left><a title="An update on Envoy and Istio's WebAssembly-based extensibility effort." href=/v1.21/blog/2021/wasm-progress/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.21/img/icons.svg#left-arrow"/></svg>Istio and Envoy WebAssembly Extensibility, One Year On</a></div><div class=right><a title="Understanding the benefits Istio brings, even when no configuration is used." href=/v1.21/blog/2021/zero-config-istio/ class=next-link>Zero Configuration Istio<svg class="icon right-arrow"><use xlink:href="/v1.21/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.21/img/icons.svg#github"/></svg>