<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Introducing the Istio v1beta1 Authorization Policy"><meta name=description content="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy."><meta name=author content="Yangmin Zhu (Google)"><meta name=keywords content="microservices,services,mesh,security,RBAC,access control,authorization"><meta property="og:title" content="Introducing the Istio v1beta1 Authorization Policy"><meta property="og:type" content="website"><meta property="og:description" content="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy."><meta property="og:url" content="/v1.9/blog/2019/v1beta1-authorization-policy/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / Introducing the Istio v1beta1 Authorization Policy</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
|
|
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="Introducing the Istio v1beta1 Authorization Policy";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual 
defer></script><header><nav><a id=brand href=/v1.9/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.9</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.9/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.9/docs/>Docs</a>
|
|
<a class=current title="Posts about using Istio." href=/v1.9/blog/2021/>Blog<i class=dot data-prefix=/blog></i></a>
|
|
<a title="Timely news about the Istio project." href=/v1.9/news/>News<i class=dot data-prefix=/news></i></a>
|
|
<a title="Frequently Asked Questions about Istio." href=/v1.9/faq/>FAQ</a>
|
|
<a title="Get a bit more in-depth info about the Istio project." href=/v1.9/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.9/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
|
|
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
|
|
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><!-- NOTE(review): this "Current Release" link and the "Next Release" link that follows it navigate from an inline onclick handler on an anchor with no href, so they require 'unsafe-inline' (or a per-handler hash) in a CSP script-src and do nothing when scripts are blocked; giving each anchor a plain href to the same URL and binding the handler from a loaded script would keep the no-JS fallback and let the page ship a strict CSP. navigateToUrlOrRoot is not defined on this page, presumably it comes from all.min.js loaded in <head>; verify. --><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2019\/v1beta1-authorization-policy\/');return false;">Current Release</a>
|
|
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2019\/v1beta1-authorization-policy\/');return false;">Next Release</a>
|
|
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.9/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/v1.9/search>
|
|
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.9/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2021." aria-controls=card0-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2021 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="The Product Security working group announces Patch Tuesdays, how 0-days and embargoes are handled, updates to the security best practices page and the notification of the early disclosure list (May 11, 2021)" href=/v1.9/blog/2021/patch-tuesdays/>Updates to how Istio security releases are handled: Patch Tuesday, embargoes, and 0-days</a></li><li role=none><a role=treeitem title="Learn how to use discovery selectors and how they intersect with Sidecar resources (April 30, 2021)" href=/v1.9/blog/2021/discovery-selectors/>Use discovery selectors to configure namespaces for your Istio service mesh</a></li><li role=none><a role=treeitem title="Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take (April 15, 2021)" href=/v1.9/blog/2021/upcoming-networking-changes/>Upcoming networking changes in Istio 1.10</a></li><li role=none><a role=treeitem title="An update on Envoy and Istio's WebAssembly-based extensibility effort (March 5, 2021)" href=/v1.9/blog/2021/wasm-progress/>Istio and Envoy WebAssembly Extensibility, One Year On</a></li><li role=none><a role=treeitem title="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the 
supported v1beta1 version (March 3, 2021)" href=/v1.9/blog/2021/migrate-alpha-policy/>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</a></li><li role=none><a role=treeitem title="Understanding the benefits Istio brings, even when no configuration is used (February 25, 2021)" href=/v1.9/blog/2021/zero-config-istio/>Zero Configuration Istio</a></li><li role=none><a role=treeitem title="Learn about sessions, panels, workshops and more on the IstioCon website (February 16, 2021)" href=/v1.9/blog/2021/istiocon-2021-program/>IstioCon 2021: Schedule Is Live!</a></li><li role=none><a role=treeitem title="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system (February 9, 2021)" href=/v1.9/blog/2021/better-external-authz/>Better External Authorization</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2020." aria-controls=card1-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh (December 16, 2020)" href=/v1.9/blog/2020/proxying-legacy-services-using-egress-gateways/>Proxying legacy services using Istio egress gateways</a></li><li role=none><a role=treeitem title="How to enable proxy protocol on AWS NLB and Istio ingress gateway (December 11, 2020)" href=/v1.9/blog/2020/show-source-ip/>Proxy protocol on AWS NLB and Istio ingress gateway</a></li><li role=none><a role=treeitem title="The inaugural conference for Istio will take place at the end of February (December 8, 2020)" href=/v1.9/blog/2020/istiocon-2021/>Join us for the first IstioCon in 2021!</a></li><li role=none><a role=treeitem title="How to ensure your clusters are not 
impacted by Docker Hub rate limiting (December 7, 2020)" href=/v1.9/blog/2020/docker-rate-limit/>Handling Docker Hub rate limiting</a></li><li role=none><a role=treeitem title="Workload Local DNS resolution to simplify VM integration, multicluster, and more (November 12, 2020)" href=/v1.9/blog/2020/dns-proxy/>Expanding into New Frontiers - Smart DNS Proxying in Istio</a></li><li role=none><a role=treeitem title="Announcing the four newest Istio Steering Committee members (September 29, 2020)" href=/v1.9/blog/2020/steering-election-results/>2020 Steering Committee Election Results</a></li><li role=none><a role=treeitem title="The effect of security policies on latency of requests (September 15, 2020)" href=/v1.9/blog/2020/large-scale-security-policy-performance-tests/>Large Scale Security Policy Performance Tests</a></li><li role=none><a role=treeitem title="A new deployment model for Istio (August 27, 2020)" href=/v1.9/blog/2020/new-deployment-model/>Deploying Istio Control Planes Outside the Mesh</a></li><li role=none><a role=treeitem title="The Istio Steering Committee is now in part proportionally allocated to companies based on contribution, and in part elected by community members (August 24, 2020)" href=/v1.9/blog/2020/steering-changes/>Introducing the new Istio steering committee</a></li><li role=none><a role=treeitem title="An alternative sidecar proxy for Istio (July 28, 2020)" href=/v1.9/blog/2020/mosn-proxy/>Using MOSN with Istio: an alternative data plane</a></li><li role=none><a role=treeitem title="An update on trademarks and project governance (July 8, 2020)" href=/v1.9/blog/2020/open-usage/>Open and neutral: transferring our trademarks to the Open Usage Commons</a></li><li role=none><a role=treeitem title="A new way to manage installation of telemetry addons (June 4, 2020)" href=/v1.9/blog/2020/addon-rework/>Reworking our Addon Integrations</a></li><li role=none><a role=treeitem title="Describing the new functionality of Workload Entries (May 21, 
2020)" href=/v1.9/blog/2020/workload-entry/>Introducing Workload Entries</a></li><li role=none><a role=treeitem title="Simplifying Istio upgrades by offering safe canary deployments of the control plane (May 19, 2020)" href=/v1.9/blog/2020/multiple-control-planes/>Safely Upgrade Istio using a Canary Control Plane Deployment</a></li><li role=none><a role=treeitem title="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS (May 15, 2020)" href=/v1.9/blog/2020/alb-ingress-gateway-iks/>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</a></li><li role=none><a role=treeitem title="Community partner tooling of Wasm for Istio by Solo.io (March 25, 2020)" href=/v1.9/blog/2020/wasmhub-istio/>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A mechanism to acquire and share an application certificate and key through mounted files (March 25, 2020)" href=/v1.9/blog/2020/proxy-cert/>Provision a certificate and key for an application without sidecars</a></li><li role=none><a role=treeitem title="Istiod consolidates the Istio control plane components into a single binary (March 19, 2020)" href=/v1.9/blog/2020/istiod/>Introducing istiod: simplifying the control plane</a></li><li role=none><a role=treeitem title="Configuring Wasm extensions for Envoy and Istio declaratively (March 16, 2020)" href=/v1.9/blog/2020/deploy-wasm-declarative/>Declarative WebAssembly deployment for Istio</a></li><li role=none><a role=treeitem title="The future of Istio extensibility using WASM (March 5, 2020)" href=/v1.9/blog/2020/wasm-announce/>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.9/blog/2020/tradewinds-2020/>Istio in 2020 - Following the 
Trade Winds</a></li><li role=none><a role=treeitem title="A more secure way to manage secrets (February 20, 2020)" href=/v1.9/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.9/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2019." aria-controls=card2-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2019 Posts</button><div class="body default" aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.9/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.9/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><a role=treeitem title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)" href=/v1.9/blog/2019/introducing-istio-operator/>Introducing the Istio Operator</a></li><li role=none><span role=treeitem class=current title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)">Introducing the Istio v1beta1 Authorization Policy</span></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.9/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 
2019)" href=/v1.9/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.9/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.9/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.9/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><a role=treeitem title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)" href=/v1.9/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.9/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.9/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.9/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control 
of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.9/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.9/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.9/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.9/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.9/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.9/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.9/blog/2019/egress-performance/>Egress Gateway Performance 
Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.9/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.9/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.9/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2018." aria-controls=card3-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.9/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.9/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.9/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.9/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 
30, 2018)" href=/v1.9/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.9/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.9/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.9/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.9/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.9/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.9/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.9/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a 
simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.9/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card4 title="Blog posts for 2017." aria-controls=card4-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card4 role=region id=card4-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card4><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.9/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.9/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.9/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.9/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.9/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.9/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.9/blog/2019/ title="Blog posts for 2019.">2019 Posts</a></li><li>Introducing the Istio v1beta1 Authorization Policy</li></ol></nav><article aria-labelledby=title><div 
class=title-area><div style=width:100%><h1 id=title>Introducing the Istio v1beta1 Authorization Policy</h1><p class=byline><span>By</span>
|
|
<span class=attribution>Yangmin Zhu (Google)</span><span> | </span><span><svg class="icon calendar"><use xlink:href="/v1.9/img/icons.svg#calendar"/></svg><span> </span>November 14, 2019</span><span> | </span><span title="1918 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span> </span>10 minute read</span>
|
|
<span> </span>
|
|
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Background><a href=#background>Background</a><li role=none aria-label="Design goals"><a href=#design-goals>Design goals</a><li role=none aria-label=AuthorizationPolicy><a href=#authorizationpolicy><code>AuthorizationPolicy</code></a><ol><li role=none aria-label=Example><a href=#example>Example</a><li role=none aria-label="Workload selector"><a href=#workload-selector>Workload selector</a><li role=none aria-label="Root namespace"><a href=#root-namespace>Root namespace</a><li role=none aria-label="Ingress/Egress Gateway support"><a href=#ingress-egress-gateway-support>Ingress/Egress Gateway support</a><li role=none aria-label=Comparison><a href=#comparison>Comparison</a><ol><li role=none aria-label=Feature><a href=#feature>Feature</a><li role=none aria-label=ClusterRbacConfig><a href=#clusterrbacconfig><code>ClusterRbacConfig</code></a><li role=none aria-label=ServiceRole><a href=#servicerole><code>ServiceRole</code></a><li role=none aria-label=ServiceRoleBinding><a href=#servicerolebinding><code>ServiceRoleBinding</code></a></ol></li></ol></li><li role=none aria-label="Future of the v1alpha1 policy"><a href=#future-of-the-v1alpha1-policy>Future of the <code>v1alpha1</code> policy</a><li role=none aria-label="Migration from the v1alpha1 policy"><a href=#migration-from-the-v1alpha1-policy>Migration from the <code>v1alpha1</code> policy</a><ol><li role=none aria-label="General Guideline"><a href=#general-guideline>General Guideline</a><li role=none aria-label="Migration Example"><a href=#migration-example>Migration Example</a><li role=none aria-label="Automation of the Migration"><a href=#automation-of-the-migration>Automation of the Migration</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><div><aside class="callout warning"><div class=type><svg class="large-icon"><use 
xlink:href="/v1.9/img/icons.svg#callout-warning"/></svg></div><div class=content>This blog post was written assuming Istio 1.4, so some of this content may now be outdated.</div></aside></div><p>Istio 1.4 introduces the
|
|
<a href=/v1.9/docs/reference/config/security/authorization-policy/><code>v1beta1</code> authorization policy</a>,
|
|
which is a major update to the previous <code>v1alpha1</code> role-based access control
|
|
(RBAC) policy. The new policy provides these improvements:</p><ul><li>Aligns with the Istio configuration model.</li><li>Improves the user experience by simplifying the API.</li><li>Supports more use cases (e.g. Ingress/Egress gateway support) without
|
|
added complexity.</li></ul><p>The <code>v1beta1</code> policy is not backward compatible and requires a one-time
|
|
conversion. A tool is provided to automate this process. The previous
|
|
configuration resources <code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
|
|
<code>ServiceRoleBinding</code> will not be supported from Istio 1.6 onwards.</p><p>This post describes the new <code>v1beta1</code> authorization policy model, its
|
|
design goals and the migration from <code>v1alpha1</code> RBAC policies. See the
|
|
<a href=/v1.9/docs/concepts/security/#authorization>authorization concept page</a>
|
|
for an in-depth explanation of the <code>v1beta1</code> authorization policy.</p><p>We welcome your feedback about the <code>v1beta1</code> authorization policy at
|
|
<a href=https://discuss.istio.io/c/security>discuss.istio.io</a>.</p><h2 id=background>Background</h2><p>Until now, Istio has provided RBAC policies to enforce access control on
|
|
<span class=term data-title=Service data-body='<p>A delineated group of related behaviors within a <a href="/docs/reference/glossary/#service-mesh">service mesh</a>. Services are identified using a
|
|
<a href="/docs/reference/glossary/#service-name">service name</a>,
|
|
and Istio policies such as load balancing and routing are applied using these names.
|
|
A service is typically materialized by one or more <a href="/docs/reference/glossary/#service-endpoint">service endpoints</a>, and may consist of multiple
|
|
<a href="/docs/reference/glossary/#service-version">service versions</a>.</p>'>services</span> using three configuration
|
|
resources: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.
|
|
With this API, users have been able to enforce access control at mesh-level,
|
|
namespace-level and service-level. Like other RBAC policies, Istio RBAC uses
|
|
the same concept of role and binding for granting permissions to identities.</p><p>Although Istio RBAC has been working reliably, we’ve found that many
|
|
improvements were possible.</p><p>For example, users have mistakenly assumed that access control enforcement
|
|
happens at service-level because <code>ServiceRole</code> uses the service to specify where
|
|
to apply the policy. However, the policy is actually applied to
|
|
<span class=term data-title=Workload data-body='<p>A binary deployed by <a href="/docs/reference/glossary/#operator">operators</a> to deliver some function of a service mesh application.
|
|
Workloads have names, namespaces, and unique ids. These properties are available in policy and telemetry configuration
|
|
using the following <a href="/docs/reference/glossary/#attribute">attributes</a>:</p>
|
|
|
|
<ul>
|
|
<li><code>source.workload.name</code>, <code>source.workload.namespace</code>, <code>source.workload.uid</code></li>
|
|
<li><code>destination.workload.name</code>, <code>destination.workload.namespace</code>, <code>destination.workload.uid</code></li>
|
|
</ul>
|
|
|
|
<p>In Kubernetes, a workload typically corresponds to a Kubernetes deployment,
|
|
while a <a href="/docs/reference/glossary/#workload-instance">workload instance</a> corresponds to an individual <a href="/docs/reference/glossary/#pod">pod</a> managed
|
|
by the deployment.</p>'>workloads</span>; the service is only used to
find the corresponding workload. This nuance is significant when multiple
|
|
services are referring to the same workload. A <code>ServiceRole</code> for service A
|
|
will also affect service B if the two services are referring to the same
|
|
workload, which can cause confusion and incorrect configuration.</p><p>Another example is that it has proven difficult for users to maintain and
|
|
manage the Istio RBAC configurations because of the need to deeply understand
|
|
three related resources.</p><h2 id=design-goals>Design goals</h2><p>The new <code>v1beta1</code> authorization policy had several design goals:</p><ul><li><p>Align with <a href=https://goo.gl/x3STjD>Istio Configuration Model</a> for better
|
|
clarity on the policy target. The configuration model provides a unified
|
|
configuration hierarchy, resolution and target selection.</p></li><li><p>Improve the user experience by simplifying the API. It’s easier to manage
|
|
one custom resource definition (CRD) that includes all access control
|
|
specifications, instead of multiple CRDs.</p></li><li><p>Support more use cases without added complexity. For example, allow the
|
|
policy to be applied on Ingress/Egress gateway to enforce access control
|
|
for traffic entering/exiting the mesh.</p></li></ul><h2 id=authorizationpolicy><code>AuthorizationPolicy</code></h2><p>An <a href=/v1.9/docs/reference/config/security/authorization-policy/><code>AuthorizationPolicy</code> custom resource</a>
|
|
enables access control on workloads. This section gives an overview of the
|
|
changes in the <code>v1beta1</code> authorization policy.</p><p>An <code>AuthorizationPolicy</code> includes a <code>selector</code> and a list of <code>rules</code>.
|
|
The <code>selector</code> specifies the workloads to which the policy applies, and the
list of <code>rules</code> specifies the detailed access control rules for those workloads.</p><p>The <code>rules</code> are additive, which means a request is allowed if any <code>rule</code>
|
|
allows the request. Each <code>rule</code> includes a list of <code>from</code>, <code>to</code> and
|
|
<code>when</code>, which specifies <strong>who</strong> is allowed to do <strong>what</strong> under which
|
|
<strong>conditions</strong>.</p><p>The <code>selector</code> replaces the functionality provided by <code>ClusterRbacConfig</code>
|
|
and the <code>services</code> field in <code>ServiceRole</code>. The <code>rule</code> replaces the other
|
|
fields in the <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.</p><h3 id=example>Example</h3><p>The following authorization policy applies to workloads with <code>app: httpbin</code>
|
|
and <code>version: v1</code> label in the <code>foo</code> namespace:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
version: v1
|
|
rules:
|
|
- from:
|
|
- source:
|
|
principals: ["cluster.local/ns/default/sa/sleep"]
|
|
to:
|
|
- operation:
|
|
methods: ["GET"]
|
|
when:
|
|
- key: request.headers[version]
|
|
values: ["v1", "v2"]
|
|
</code></pre><p>The policy allows principal <code>cluster.local/ns/default/sa/sleep</code> to access the
|
|
workload using the <code>GET</code> method when the request includes a <code>version</code> header
|
|
of value <code>v1</code> or <code>v2</code>. Any request that does not match the policy will be denied
|
|
by default.</p><p>Assuming the <code>httpbin</code> service is defined as:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
app: httpbin
|
|
version: v1
|
|
ports:
|
|
# omitted
|
|
</code></pre><p>You would need to configure three resources to achieve the same result in
|
|
<code>v1alpha1</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ClusterRbacConfig
|
|
metadata:
|
|
name: default
|
|
spec:
|
|
mode: 'ON_WITH_INCLUSION'
|
|
inclusion:
|
|
services: ["httpbin.foo.svc.cluster.local"]
|
|
---
|
|
apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ServiceRole
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
rules:
|
|
- services: ["httpbin.foo.svc.cluster.local"]
|
|
methods: ["GET"]
|
|
constraints:
|
|
- key: request.headers[version]
|
|
values: ["v1", "v2"]
|
|
---
|
|
apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ServiceRoleBinding
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
subjects:
|
|
- user: "cluster.local/ns/default/sa/sleep"
|
|
roleRef:
|
|
kind: ServiceRole
|
|
name: "httpbin"
|
|
</code></pre><h3 id=workload-selector>Workload selector</h3><p>A major change in the <code>v1beta1</code> authorization policy is that it now uses
|
|
a workload selector to specify where to apply the policy. This is the same
|
|
workload selector used in the <code>Gateway</code>, <code>Sidecar</code> and <code>EnvoyFilter</code>
|
|
configurations.</p><p>The workload selector makes it clear that the policy is applied and enforced
|
|
on workloads instead of services. If a policy applies to a workload that is
|
|
used by multiple different services, the same policy will affect the traffic
|
|
to all the different services.</p><p>You can simply leave the <code>selector</code> empty to apply the policy to all
|
|
workloads in a namespace. The following policy applies to all workloads in
|
|
the namespace <code>bar</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: policy
|
|
namespace: bar
|
|
spec:
|
|
rules:
|
|
# omitted
|
|
</code></pre><h3 id=root-namespace>Root namespace</h3><p>A policy in the root namespace applies to all workloads in the mesh in every
|
|
namespace. The root namespace is configurable in the
|
|
<a href=/v1.9/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig><code>MeshConfig</code></a>
|
|
and has the default value of <code>istio-system</code>.</p><p>For example, suppose you installed Istio in the <code>istio-system</code> namespace, deployed
workloads in the <code>default</code> and <code>bookinfo</code> namespaces, and changed the root namespace
from its default value to <code>istio-config</code>. The following policy will
|
|
apply to workloads in every namespace including <code>default</code>, <code>bookinfo</code> and
|
|
the <code>istio-system</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: policy
|
|
namespace: istio-config
|
|
spec:
|
|
rules:
|
|
# omitted
|
|
</code></pre><h3 id=ingress-egress-gateway-support>Ingress/Egress Gateway support</h3><p>The <code>v1beta1</code> authorization policy can also be applied on ingress/egress
|
|
gateways to enforce access control on traffic entering/leaving the mesh;
you only need to change the <code>selector</code> so that it selects the ingress/egress gateway
workload.</p><p>The following policy applies to workloads with the
|
|
<code>app: istio-ingressgateway</code> label:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: ingress
|
|
namespace: istio-system
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: istio-ingressgateway
|
|
rules:
|
|
# omitted
|
|
</code></pre><p>Remember the authorization policy only applies to workloads in the same
|
|
namespace as the policy, unless the policy is applied in the root namespace:</p><ul><li><p>If you don’t change the default root namespace value (i.e. <code>istio-system</code>),
|
|
the above policy will apply to workloads with the <code>app: istio-ingressgateway</code>
|
|
label in <strong>every</strong> namespace.</p></li><li><p>If you have changed the root namespace to a different value, the above
|
|
policy will apply to workloads with the <code>app: istio-ingressgateway</code>
|
|
label <strong>only</strong> in the <code>istio-system</code> namespace.</p></li></ul><h3 id=comparison>Comparison</h3><p>The following table highlights the key differences between the old <code>v1alpha1</code>
|
|
RBAC policies and the new <code>v1beta1</code> authorization policy.</p><h4 id=feature>Feature</h4><table><thead><tr><th>Feature</th><th><code>v1alpha1</code> RBAC policy</th><th><code>v1beta1</code> Authorization Policy</th></tr></thead><tbody><tr><td>API stability</td><td><code>alpha</code>: <strong>No</strong> backward compatible</td><td><code>beta</code>: backward compatible <strong>guaranteed</strong></td></tr><tr><td>Number of CRDs</td><td>Three: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td><td>Only One: <code>AuthorizationPolicy</code></td></tr><tr><td>Policy target</td><td><strong>service</strong></td><td><strong>workload</strong></td></tr><tr><td>Deny-by-default behavior</td><td>Enabled <strong>explicitly</strong> by configuring <code>ClusterRbacConfig</code></td><td>Enabled <strong>implicitly</strong> with <code>AuthorizationPolicy</code></td></tr><tr><td>Ingress/Egress gateway support</td><td>Not supported</td><td>Supported</td></tr><tr><td>The <code>"*"</code> value in policy</td><td>Match all contents (empty and non-empty)</td><td>Match non-empty contents only</td></tr></tbody></table><p>The following tables show the relationship between the <code>v1alpha1</code> and <code>v1beta1</code> API.</p><h4 id=clusterrbacconfig><code>ClusterRbacConfig</code></h4><table><thead><tr><th><code>ClusterRbacConfig.Mode</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>OFF</code></td><td>No policy applied</td></tr><tr><td><code>ON</code></td><td>A deny-all policy applied in root namespace</td></tr><tr><td><code>ON_WITH_INCLUSION</code></td><td>policies should be applied to namespaces or workloads included by <code>ClusterRbacConfig</code></td></tr><tr><td><code>ON_WITH_EXCLUSION</code></td><td>policies should be applied to namespaces or workloads excluded by <code>ClusterRbacConfig</code></td></tr></tbody></table><h4 
id=servicerole><code>ServiceRole</code></h4><table><thead><tr><th><code>ServiceRole</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>services</code></td><td><code>selector</code></td></tr><tr><td><code>paths</code></td><td><code>paths</code> in <code>to</code></td></tr><tr><td><code>methods</code></td><td><code>methods</code> in <code>to</code></td></tr><tr><td><code>destination.ip</code> in constraint</td><td>Not supported</td></tr><tr><td><code>destination.port</code> in constraint</td><td><code>ports</code> in <code>to</code></td></tr><tr><td><code>destination.labels</code> in constraint</td><td><code>selector</code></td></tr><tr><td><code>destination.namespace</code> in constraint</td><td>Replaced by the namespace of the policy, i.e. the <code>namespace</code> in metadata</td></tr><tr><td><code>destination.user</code> in constraint</td><td>Not supported</td></tr><tr><td><code>experimental.envoy.filters</code> in constraint</td><td><code>experimental.envoy.filters</code> in <code>when</code></td></tr><tr><td><code>request.headers</code> in constraint</td><td><code>request.headers</code> in <code>when</code></td></tr></tbody></table><h4 id=servicerolebinding><code>ServiceRoleBinding</code></h4><table><thead><tr><th><code>ServiceRoleBinding</code></th><th><code>AuthorizationPolicy</code></th></tr></thead><tbody><tr><td><code>user</code></td><td><code>principals</code> in <code>from</code></td></tr><tr><td><code>group</code></td><td><code>request.auth.claims[group]</code> in <code>when</code></td></tr><tr><td><code>source.ip</code> in property</td><td><code>ipBlocks</code> in <code>from</code></td></tr><tr><td><code>source.namespace</code> in property</td><td><code>namespaces</code> in <code>from</code></td></tr><tr><td><code>source.principal</code> in property</td><td><code>principals</code> in <code>from</code></td></tr><tr><td><code>request.headers</code> in property</td><td><code>request.headers</code> in 
<code>when</code></td></tr><tr><td><code>request.auth.principal</code> in property</td><td><code>requestPrincipals</code> in <code>from</code> or <code>request.auth.principal</code> in <code>when</code></td></tr><tr><td><code>request.auth.audiences</code> in property</td><td><code>request.auth.audiences</code> in <code>when</code></td></tr><tr><td><code>request.auth.presenter</code> in property</td><td><code>request.auth.presenter</code> in <code>when</code></td></tr><tr><td><code>request.auth.claims</code> in property</td><td><code>request.auth.claims</code> in <code>when</code></td></tr></tbody></table><p>Beyond all the differences, the <code>v1beta1</code> policy is enforced by the same
|
|
engine in Envoy and supports the same authenticated identity (mutual TLS or
|
|
JWT), conditions and other primitives (e.g. IP and port) as the
|
|
<code>v1alpha1</code> policy.</p><h2 id=future-of-the-v1alpha1-policy>Future of the <code>v1alpha1</code> policy</h2><p>The <code>v1alpha1</code> RBAC policy (<code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
|
|
<code>ServiceRoleBinding</code>) is deprecated in favor of the <code>v1beta1</code> authorization policy.</p><p>Istio 1.4 continues to support the <code>v1alpha1</code> RBAC policy to give you
|
|
enough time to move away from the alpha policies.</p><h2 id=migration-from-the-v1alpha1-policy>Migration from the <code>v1alpha1</code> policy</h2><p>Istio only supports one of the two versions for a given workload:</p><ul><li>If there is only <code>v1beta1</code> policy for a workload, the <code>v1beta1</code> policy
|
|
will be used.</li><li>If there is only <code>v1alpha1</code> policy for a workload, the <code>v1alpha1</code> policy
|
|
will be used.</li><li>If there are both <code>v1beta1</code> and <code>v1alpha1</code> policies for a workload,
|
|
only the <code>v1beta1</code> policy will be used and the <code>v1alpha1</code> policy
|
|
will be ignored.</li></ul><h3 id=general-guideline>General Guideline</h3><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.9/img/icons.svg#callout-warning"/></svg></div><div class=content>When migrating to use <code>v1beta1</code> policy for a given workload, make sure the
|
|
new <code>v1beta1</code> policy covers all the existing <code>v1alpha1</code> policies applied
to the workload, because the <code>v1alpha1</code> policies applied to the workload
will be ignored as soon as a <code>v1beta1</code> policy is applied; any <code>v1alpha1</code> rule you do not carry over is no longer enforced.</div></aside></div><p>The typical flow of migrating to the <code>v1beta1</code> policy is to start by checking the
|
|
<code>ClusterRbacConfig</code> to determine which namespaces or services have RBAC enabled.</p><p>For each service enabled with RBAC:</p><ol><li>Get the workload selector from the service definition.</li><li>Create a <code>v1beta1</code> policy with the workload selector.</li><li>Update the <code>v1beta1</code> policy for each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
|
|
applied to the service.</li><li>Apply the <code>v1beta1</code> policy and monitor the traffic to make sure the
|
|
policy is working as expected.</li><li>Repeat the process for the next service enabled with RBAC.</li></ol><p>For each namespace enabled with RBAC:</p><ol><li>Apply a <code>v1beta1</code> policy that denies all traffic to the given namespace.</li></ol><h3 id=migration-example>Migration Example</h3><p>Assume you have the following <code>v1alpha1</code> policies for the <code>httpbin</code> service
|
|
in the <code>foo</code> namespace:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ClusterRbacConfig
|
|
metadata:
|
|
name: default
|
|
spec:
|
|
mode: 'ON_WITH_INCLUSION'
|
|
inclusion:
|
|
namespaces: ["foo"]
|
|
---
|
|
apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ServiceRole
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
rules:
|
|
- services: ["httpbin.foo.svc.cluster.local"]
|
|
methods: ["GET"]
|
|
---
|
|
apiVersion: "rbac.istio.io/v1alpha1"
|
|
kind: ServiceRoleBinding
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
subjects:
|
|
- user: "cluster.local/ns/default/sa/sleep"
|
|
roleRef:
|
|
kind: ServiceRole
|
|
name: "httpbin"
|
|
</code></pre><p>Migrate the above policies to <code>v1beta1</code> with the following steps:</p><ol><li><p>Assume the <code>httpbin</code> service has the following workload selector:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>selector:
|
|
app: httpbin
|
|
version: v1
|
|
</code></pre></li><li><p>Create a <code>v1beta1</code> policy with the workload selector:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
version: v1
|
|
</code></pre></li><li><p>Update the <code>v1beta1</code> policy with each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
|
|
applied to the service:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: httpbin
|
|
namespace: foo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: httpbin
|
|
version: v1
|
|
rules:
|
|
- from:
|
|
- source:
|
|
principals: ["cluster.local/ns/default/sa/sleep"]
|
|
to:
|
|
- operation:
|
|
methods: ["GET"]
|
|
</code></pre></li><li><p>Apply the <code>v1beta1</code> policy and monitor the traffic to make sure it works
|
|
as expected.</p></li><li><p>Apply the following <code>v1beta1</code> policy that denies all traffic to the
|
|
<code>foo</code> namespace, because the <code>foo</code> namespace has RBAC enabled. The policy has an empty <code>spec</code>: with no <code>selector</code> it applies to every workload in the namespace, and with no <code>rules</code> no request is allowed, so all traffic is denied by default:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
|
|
kind: AuthorizationPolicy
|
|
metadata:
|
|
name: deny-all
|
|
namespace: foo
|
|
spec:
|
|
{}
|
|
</code></pre></li></ol><p>Make sure the <code>v1beta1</code> policy is working as expected and then you can delete
|
|
the <code>v1alpha1</code> policies from the cluster.</p><h3 id=automation-of-the-migration>Automation of the Migration</h3><p>To help ease the migration, the <code>istioctl experimental authz convert</code>
|
|
command is provided to automatically convert the <code>v1alpha1</code> policies to
|
|
the <code>v1beta1</code> policy.</p><p>You can evaluate the command, but it is experimental in Istio 1.4 and, as of the date of this blog post, does not
support the full <code>v1alpha1</code> semantics.</p><p>Support for the full <code>v1alpha1</code> semantics in this command is expected in a patch
|
|
release following Istio 1.4.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2021/migrate-alpha-policy/>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</a></p><p class=desc>A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2021/better-external-authz/>Better External Authorization</a></p><p class=desc>AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-deny/>Explicit Deny</a></p><p class=desc>Shows how to set up access control to deny traffic explicitly.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-custom/>External Authorization</a></p><p class=desc>Shows how to integrate and delegate access control to an external authorization system.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-http/>HTTP Traffic</a></p><p class=desc>Shows how to set up access control for HTTP traffic.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Introduction to Istio's new operator-based installation and control plane management feature." 