istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.9/blog/2021/better-external-authz/index.html

362 lines
55 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Better External Authorization"><meta name=description content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta name=author content="Yangmin Zhu (Google)"><meta name=keywords content="microservices,services,mesh,authorization,access control,opa,oauth2"><meta property="og:title" content="Better External Authorization"><meta property="og:type" content="website"><meta property="og:description" content="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system."><meta property="og:url" content="/v1.9/blog/2021/better-external-authz/"><meta property="og:image" content="/v1.9/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="112"><meta property="og:image:height" content="150"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.9 / Better External Authorization</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.9/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.9/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.9/feed.xml><link rel="shortcut icon" href=/v1.9/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.9/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.9/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.9/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.9/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.9/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.9/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.9/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.9/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.9/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.9/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.9/css/all.css><script src=/v1.9/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.9";const docTitle="Better External Authorization";const iconFile="\/v1.9/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.9/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.9/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><polygon points="65 240 225 240 125 270"/><polygon points="65 230 125 220 125 110"/><polygon points="135 220 225 230 135 30"/></svg></span><span class=name>Istioldie 1.9</span></a><div id=hamburger><svg class="icon hamburger"><use xlink:href="/v1.9/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.9/docs/>Docs</a>
<a class=current title="Posts about using Istio." href=/v1.9/blog/2021/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.9/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.9/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.9/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon gear"><use xlink:href="/v1.9/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2021\/better-external-authz\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2021\/better-external-authz\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use xlink:href="/v1.9/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.9/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon cancel-x"><use xlink:href="/v1.9/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2021." aria-controls=card0-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2021 Posts</button><div class="body default" aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="The Product Security working group announces Patch Tuesdays, how 0-days and embargoes are handled, updates to the security best practices page and the notification of the early disclosure list (May 11, 2021)" href=/v1.9/blog/2021/patch-tuesdays/>Updates to how Istio security releases are handled: Patch Tuesday, embargoes, and 0-days</a></li><li role=none><a role=treeitem title="Learn how to use discovery selectors and how they intersect with Sidecar resources (April 30, 2021)" href=/v1.9/blog/2021/discovery-selectors/>Use discovery selectors to configure namespaces for your Istio service mesh</a></li><li role=none><a role=treeitem title="Understanding the upcoming changes to Istio networking, how they may impact your cluster, and what action to take (April 15, 2021)" href=/v1.9/blog/2021/upcoming-networking-changes/>Upcoming networking changes in Istio 1.10</a></li><li role=none><a role=treeitem title="An update on Envoy and Istio's WebAssembly-based extensibility effort (March 5, 2021)" href=/v1.9/blog/2021/wasm-progress/>Istio and Envoy WebAssembly Extensibility, One Year On</a></li><li role=none><a role=treeitem title="A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version (March 3, 2021)" href=/v1.9/blog/2021/migrate-alpha-policy/>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</a></li><li role=none><a role=treeitem title="Understanding the benefits Istio brings, even when no configuration is used (February 25, 2021)" href=/v1.9/blog/2021/zero-config-istio/>Zero Configuration Istio</a></li><li role=none><a role=treeitem title="Learn about sessions, panels, workshops and more on the IstioCon website (February 16, 2021)" href=/v1.9/blog/2021/istiocon-2021-program/>IstioCon 2021: Schedule Is Live!</a></li><li role=none><span role=treeitem class=current title="AuthorizationPolicy now supports CUSTOM action to delegate the authorization to external system (February 9, 2021)">Better External Authorization</span></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2020." aria-controls=card1-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2020 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Deploy multiple Istio egress gateways independently to have fine-grained control of egress communication from the mesh (December 16, 2020)" href=/v1.9/blog/2020/proxying-legacy-services-using-egress-gateways/>Proxying legacy services using Istio egress gateways</a></li><li role=none><a role=treeitem title="How to enable proxy protocol on AWS NLB and Istio ingress gateway (December 11, 2020)" href=/v1.9/blog/2020/show-source-ip/>Proxy protocol on AWS NLB and Istio ingress gateway</a></li><li role=none><a role=treeitem title="The inaugural conference for Istio will take place at the end of February (December 8, 2020)" href=/v1.9/blog/2020/istiocon-2021/>Join us for the first IstioCon in 2021!</a></li><li role=none><a role=treeitem title="How to ensure your clusters are not impacted by Docker Hub rate limiting (December 7, 2020)" href=/v1.9/blog/2020/docker-rate-limit/>Handling Docker Hub rate limiting</a></li><li role=none><a role=treeitem title="Workload Local DNS resolution to simplify VM integration, multicluster, and more (November 12, 2020)" href=/v1.9/blog/2020/dns-proxy/>Expanding into New Frontiers - Smart DNS Proxying in Istio</a></li><li role=none><a role=treeitem title="Announcing the four newest Istio Steering Committee members (September 29, 2020)" href=/v1.9/blog/2020/steering-election-results/>2020 Steering Committee Election Results</a></li><li role=none><a role=treeitem title="The effect of security policies on latency of requests (September 15, 2020)" href=/v1.9/blog/2020/large-scale-security-policy-performance-tests/>Large Scale Security Policy Performance Tests</a></li><li role=none><a role=treeitem title="A new deployment model for Istio (August 27, 2020)" href=/v1.9/blog/2020/new-deployment-model/>Deploying Istio Control Planes Outside the Mesh</a></li><li role=none><a role=treeitem title="The Istio Steering Committee is now in part proportionally allocated to companies based on contribution, and in part elected by community members (August 24, 2020)" href=/v1.9/blog/2020/steering-changes/>Introducing the new Istio steering committee</a></li><li role=none><a role=treeitem title="An alternative sidecar proxy for Istio (July 28, 2020)" href=/v1.9/blog/2020/mosn-proxy/>Using MOSN with Istio: an alternative data plane</a></li><li role=none><a role=treeitem title="An update on trademarks and project governance (July 8, 2020)" href=/v1.9/blog/2020/open-usage/>Open and neutral: transferring our trademarks to the Open Usage Commons</a></li><li role=none><a role=treeitem title="A new way to manage installation of telemetry addons (June 4, 2020)" href=/v1.9/blog/2020/addon-rework/>Reworking our Addon Integrations</a></li><li role=none><a role=treeitem title="Describing the new functionality of Workload Entries (May 21, 2020)" href=/v1.9/blog/2020/workload-entry/>Introducing Workload Entries</a></li><li role=none><a role=treeitem title="Simplifying Istio upgrades by offering safe canary deployments of the control plane (May 19, 2020)" href=/v1.9/blog/2020/multiple-control-planes/>Safely Upgrade Istio using a Canary Control Plane Deployment</a></li><li role=none><a role=treeitem title="Configure the IBM Cloud Kubernetes Service Application Load Balancer to direct traffic to the Istio Ingress gateway with mutual TLS (May 15, 2020)" href=/v1.9/blog/2020/alb-ingress-gateway-iks/>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</a></li><li role=none><a role=treeitem title="Community partner tooling of Wasm for Istio by Solo.io (March 25, 2020)" href=/v1.9/blog/2020/wasmhub-istio/>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A mechanism to acquire and share an application certificate and key through mounted files (March 25, 2020)" href=/v1.9/blog/2020/proxy-cert/>Provision a certificate and key for an application without sidecars</a></li><li role=none><a role=treeitem title="Istiod consolidates the Istio control plane components into a single binary (March 19, 2020)" href=/v1.9/blog/2020/istiod/>Introducing istiod: simplifying the control plane</a></li><li role=none><a role=treeitem title="Configuring Wasm extensions for Envoy and Istio declaratively (March 16, 2020)" href=/v1.9/blog/2020/deploy-wasm-declarative/>Declarative WebAssembly deployment for Istio</a></li><li role=none><a role=treeitem title="The future of Istio extensibility using WASM (March 5, 2020)" href=/v1.9/blog/2020/wasm-announce/>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</a></li><li role=none><a role=treeitem title="A vision statement and roadmap for Istio in 2020 (March 3, 2020)" href=/v1.9/blog/2020/tradewinds-2020/>Istio in 2020 - Following the Trade Winds</a></li><li role=none><a role=treeitem title="A more secure way to manage secrets (February 20, 2020)" href=/v1.9/blog/2020/istio-agent/>Remove cross-pod unix domain sockets</a></li><li role=none><a role=treeitem title="Automating Istio configuration for Istio deployments (clusters) that work as a single mesh (January 5, 2020)" href=/v1.9/blog/2020/multi-cluster-mesh-automation/>Multicluster Istio configuration and service discovery using Admiral</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2019." aria-controls=card2-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Provision and manage DNS certificates in Istio (November 14, 2019)" href=/v1.9/blog/2019/dns-cert/>DNS Certificate Management</a></li><li role=none><a role=treeitem title="Analyze your Istio configuration to detect potential issues and get general insights (November 14, 2019)" href=/v1.9/blog/2019/introducing-istioctl-analyze/>Introducing istioctl analyze</a></li><li role=none><a role=treeitem title="Introduction to Istio's new operator-based installation and control plane management feature (November 14, 2019)" href=/v1.9/blog/2019/introducing-istio-operator/>Introducing the Istio Operator</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy (November 14, 2019)" href=/v1.9/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></li><li role=none><a role=treeitem title="Getting programmatic access to Istio resources (November 14, 2019)" href=/v1.9/blog/2019/announcing-istio-client-go/>Announcing Istio client-go</a></li><li role=none><a role=treeitem title="A more secure way to manage Istio webhooks (November 14, 2019)" href=/v1.9/blog/2019/webhook/>Secure Webhook Management</a></li><li role=none><a role=treeitem title="Configure Istio ingress gateway to act as a proxy for external services (October 15, 2019)" href=/v1.9/blog/2019/proxy/>Istio as a Proxy for External Services</a></li><li role=none><a role=treeitem title="Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation (October 2, 2019)" href=/v1.9/blog/2019/isolated-clusters/>Multi-Mesh Deployments for Isolation and Boundary Protection</a></li><li role=none><a role=treeitem title="How can you use Istio to monitor blocked and passthrough external traffic (September 28, 2019)" href=/v1.9/blog/2019/monitoring-external-service-traffic/>Monitoring Blocked and Passthrough External Service Traffic</a></li><li role=none><a role=treeitem title="Using Istio to secure multi-cloud Kubernetes applications with zero code changes (September 18, 2019)" href=/v1.9/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></li><li role=none><a role=treeitem title="Demonstrates a Mixer out-of-process adapter which implements the Knative scale-from-zero logic (September 18, 2019)" href=/v1.9/blog/2019/knative-activator-adapter/>Mixer Adapter for Knative</a></li><li role=none><a role=treeitem title="Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely (September 10, 2019)" href=/v1.9/blog/2019/trustworthy-jwt-sds/>Change in Secret Discovery Service in Istio 1.3</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving (August 5, 2019)" href=/v1.9/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations (July 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic (July 10, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance (July 9, 2019)" href=/v1.9/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate (June 7, 2019)" href=/v1.9/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control (May 22, 2019)" href=/v1.9/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance (March 19, 2019)" href=/v1.9/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh (February 7, 2019)" href=/v1.9/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy (February 5, 2019)" href=/v1.9/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment (January 31, 2019)" href=/v1.9/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway (January 31, 2019)" href=/v1.9/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch (January 14, 2019)" href=/v1.9/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually (January 10, 2019)" href=/v1.9/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li><li role=none><a role=treeitem title="Istio has a new discussion board (January 10, 2019)" href=/v1.9/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li></ul></div></div><div class=card><button class="header dynamic" id=card3 title="Blog posts for 2018." aria-controls=card3-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card3 role=region id=card3-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card3><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies (November 21, 2018)" href=/v1.9/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (November 16, 2018)" href=/v1.9/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release (August 3, 2018)" href=/v1.9/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio (July 31, 2018)" href=/v1.9/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch (July 30, 2018)" href=/v1.9/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases (July 20, 2018)" href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver (July 9, 2018)" href=/v1.9/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic (June 22, 2018)" href=/v1.9/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API (April 25, 2018)" href=/v1.9/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS (April 20, 2018)" href=/v1.9/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment (April 19, 2018)" href=/v1.9/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production (February 8, 2018)" href=/v1.9/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (February 6, 2018)" href=/v1.9/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example (January 31, 2018)" href=/v1.9/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card4 title="Blog posts for 2017." aria-controls=card4-body><svg class="icon blog"><use xlink:href="/v1.9/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card4 role=region id=card4-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card4><li role=none><a role=treeitem title="Improving availability and reducing latency (December 7, 2017)" href=/v1.9/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture (November 3, 2017)" href=/v1.9/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy (August 10, 2017)" href=/v1.9/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments (June 14, 2017)" href=/v1.9/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Authentication 0.1 announcement (May 25, 2017)" href=/v1.9/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon pull"><use xlink:href="/v1.9/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.9/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.9/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.9/blog/2021/ title="Blog posts for 2021.">2021 Posts</a></li><li>Better External Authorization</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Better External Authorization</h1><p class=subtitle>Integrate external authorization system (e.g. OPA, oauth2-proxy, etc.) with Istio using AuthorizationPolicy</p><p class=byline><span>By</span>
<span class=attribution>Yangmin Zhu (Google)</span><span> | </span><span><svg class="icon calendar"><use xlink:href="/v1.9/img/icons.svg#calendar"/></svg><span>&nbsp;</span>February 9, 2021</span><span> | </span><span title="1823 words"><svg class="icon clock"><use xlink:href="/v1.9/img/icons.svg#clock"/></svg><span>&nbsp;</span>9 minute read</span>
<span>&nbsp;</span>
<span></span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Background><a href=#background>Background</a><li role=none aria-label=Solution><a href=#solution>Solution</a><li role=none aria-label="Example with OPA"><a href=#example-with-opa>Example with OPA</a><ol><li role=none aria-label="Create the example OPA policy"><a href=#create-the-example-opa-policy>Create the example OPA policy</a><li role=none aria-label="Deploy httpbin and OPA"><a href=#deploy-httpbin-and-opa>Deploy httpbin and OPA</a><li role=none aria-label="Define external authorizer"><a href=#define-external-authorizer>Define external authorizer</a><li role=none aria-label="Create an AuthorizationPolicy with a CUSTOM action"><a href=#create-an-authorizationpolicy-with-a-custom-action>Create an AuthorizationPolicy with a CUSTOM action</a><li role=none aria-label="Test the OPA policy"><a href=#test-the-opa-policy>Test the OPA policy</a></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label=Acknowledgements><a href=#acknowledgements>Acknowledgements</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><h2 id=background>Background</h2><p>Istio&rsquo;s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used
feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including
the <a href=/v1.9/docs/tasks/security/authorization/authz-deny/><code>DENY</code> action</a>, <a href=/v1.9/docs/tasks/security/authorization/authz-deny/>exclusion semantics</a>,
<a href=/v1.9/docs/tasks/security/authorization/authz-ingress/><code>X-Forwarded-For</code> header support</a>, <a href=/v1.9/docs/tasks/security/authorization/authz-jwt/>nested JWT claim support</a>
and more. These features improve the flexibility of the authorization policy, but there are still many use cases that
cannot be supported with this model, for example:</p><ul><li><p>You have your own in-house authorization system that cannot be easily migrated to, or cannot be easily replaced by, the
authorization policy.</p></li><li><p>You want to integrate with a 3rd-party solution (e.g. <a href=https://www.openpolicyagent.org/docs/latest/envoy-authorization/>Open Policy Agent</a>
or <a href=https://github.com/oauth2-proxy/oauth2-proxy><code>oauth2</code> proxy</a>) which may require use of the
<a href=/v1.9/docs/reference/config/networking/envoy-filter/>low-level Envoy configuration APIs</a> in Istio, or may not be possible
at all.</p></li><li><p>Authorization policy lacks necessary semantics for your use case.</p></li></ul><h2 id=solution>Solution</h2><p>In Istio 1.9, we have implemented extensibility into authorization policy by introducing a <a href=/v1.9/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>,
which allows you to delegate the access control decision to an external authorization service.</p><p>The <code>CUSTOM</code> action allows you to integrate Istio with an external authorization system that implements its own custom
authorization logic. The following diagram shows the high level architecture of this integration:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:48.57376397295984%><a data-skipendnotes=true href=/v1.9/blog/2021/better-external-authz/external_authz.svg title="External Authorization Architecture"><img class=element-to-stretch src=/v1.9/blog/2021/better-external-authz/external_authz.svg alt="External Authorization Architecture"></a></div><figcaption>External Authorization Architecture</figcaption></figure><p>At configuration time, the mesh admin configures an authorization policy with a <code>CUSTOM</code> action to enable the
external authorization on a proxy (either gateway or sidecar). The admin should verify the external auth service is up
and running.</p><p>At runtime,</p><ol><li><p>A request is intercepted by the proxy, and the proxy will send check requests to the external auth service, as
configured by the user in the authorization policy.</p></li><li><p>The external auth service will make the decision whether to allow it or not.</p></li><li><p>If allowed, the request will continue and will be enforced by any local authorization defined by <code>ALLOW</code>/<code>DENY</code> action.</p></li><li><p>If denied, the request will be rejected immediately.</p></li></ol><p>Let&rsquo;s look at an example authorization policy with the <code>CUSTOM</code> action:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ext-authz
namespace: istio-system
spec:
# The selector applies to the ingress gateway in the istio-system namespace.
selector:
matchLabels:
app: istio-ingressgateway
# The action &#34;CUSTOM&#34; delegates the access control to an external authorizer, this is different from
# the ALLOW/DENY action that enforces the access control right inside the proxy.
action: CUSTOM
# The provider specifies the name of the external authorizer defined in the meshconfig, which tells where and how to
# talk to the external auth service. We will cover this more later.
provider:
name: &#34;my-ext-authz-service&#34;
# The rule specifies that the access control is triggered only if the request path has the prefix &#34;/admin/&#34;.
# This allows you to easily enable or disable the external authorization based on the requests, avoiding the external
# check request if it is not needed.
rules:
- to:
- operation:
paths: [&#34;/admin/*&#34;]
</code></pre><p>It refers to a provider called <code>my-ext-authz-service</code> which is defined in the mesh config:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>extensionProviders:
# The name &#34;my-ext-authz-service&#34; is referred to by the authorization policy in its provider field.
- name: &#34;my-ext-authz-service&#34;
# The &#34;envoyExtAuthzGrpc&#34; field specifies the type of the external authorization service is implemented by the Envoy
# ext-authz filter gRPC API. The other supported type is the Envoy ext-authz filter HTTP API.
# See more in https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter.
envoyExtAuthzGrpc:
# The service and port specifies the address of the external auth service, &#34;ext-authz.istio-system.svc.cluster.local&#34;
# means the service is deployed in the mesh. It can also be defined out of the mesh or even inside the pod as a separate
# container.
service: &#34;ext-authz.istio-system.svc.cluster.local&#34;
port: 9000
</code></pre><p>The authorization policy of <a href=/v1.9/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action><code>CUSTOM</code> action</a>
enables the external authorization in runtime, it could be configured to trigger the external authorization conditionally
based on the request using the same rule that you have already been using with other actions.</p><p>The external authorization service is currently defined in the <a href=/v1.9/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider><code>meshconfig</code> API</a>
and referred to by its name. It could be deployed in the mesh with or without proxy. If with the proxy, you could
further use <code>PeerAuthentication</code> to enable mTLS between the proxy and your external authorization service.</p><p>The <code>CUSTOM</code> action is currently in the <strong>experimental stage</strong>; the API might change in a non-backward compatible way based on user feedback.
The rule currently does not support authentication related fields (e.g. source principal or JWT claim) and only one
provider is allowed for a given workload, but you can still use different providers on different workloads.</p><p>For more information, please see the <a href=https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#>Better External Authorization design doc</a>.</p><h2 id=example-with-opa>Example with OPA</h2><p>In this section, we will demonstrate using the <code>CUSTOM</code> action with the Open Policy Agent as the external authorizer on
the ingress gateway. We will conditionally enable the external authorization on all paths except <code>/ip</code>.</p><p>You can also refer to the <a href=/v1.9/docs/tasks/security/authorization/authz-custom/>external authorization task</a> for a more
basic introduction that uses a sample <code>ext-authz</code> server.</p><h3 id=create-the-example-opa-policy>Create the example OPA policy</h3><p>Run the following command create an OPA policy that allows the request if the prefix of the path is matched with the
claim &ldquo;path&rdquo; (base64 encoded) in the JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat &gt; policy.rego &lt;&lt;EOF
package envoy.authz
import input.attributes.request.http as http_request
default allow = false
token = {&#34;valid&#34;: valid, &#34;payload&#34;: payload} {
[_, encoded] := split(http_request.headers.authorization, &#34; &#34;)
[valid, _, payload] := io.jwt.decode_verify(encoded, {&#34;secret&#34;: &#34;secret&#34;})
}
allow {
is_token_valid
action_allowed
}
is_token_valid {
token.valid
now := time.now_ns() / 1000000000
token.payload.nbf &lt;= now
now &lt; token.payload.exp
}
action_allowed {
startswith(http_request.path, base64url.decode(token.payload.path))
}
EOF
$ kubectl create secret generic opa-policy --from-file policy.rego
</code></pre><h3 id=deploy-httpbin-and-opa>Deploy httpbin and OPA</h3><p>Enable the sidecar injection:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl label ns default istio-injection=enabled
</code></pre><p>Run the following command to deploy the example application httpbin and OPA. The OPA could be deployed either as a
separate container in the httpbin pod or completely in a separate pod:</p><div id=tabset-blog-2021-better-external-authz-1 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-1-0-panel id=tabset-blog-2021-better-external-authz-1-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-1-1-panel id=tabset-blog-2021-better-external-authz-1-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: v1
kind: Service
metadata:
name: httpbin-with-opa
labels:
app: httpbin-with-opa
service: httpbin-with-opa
spec:
ports:
- name: http
port: 8000
targetPort: 80
selector:
app: httpbin-with-opa
---
# Define the service entry for the local OPA service on port 9191.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: local-opa-grpc
spec:
hosts:
- &#34;local-opa-grpc.local&#34;
endpoints:
- address: &#34;127.0.0.1&#34;
ports:
- name: grpc
number: 9191
protocol: GRPC
resolution: STATIC
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: httpbin-with-opa
labels:
app: httpbin-with-opa
spec:
replicas: 1
selector:
matchLabels:
app: httpbin-with-opa
template:
metadata:
labels:
app: httpbin-with-opa
spec:
containers:
- image: docker.io/kennethreitz/httpbin
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 80
- name: opa
image: openpolicyagent/opa:latest-envoy
securityContext:
runAsUser: 1111
volumeMounts:
- readOnly: true
mountPath: /policy
name: opa-policy
args:
- &#34;run&#34;
- &#34;--server&#34;
- &#34;--addr=localhost:8181&#34;
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
- &#34;--set=decision_logs.console=true&#34;
- &#34;--ignore=.*&#34;
- &#34;/policy/policy.rego&#34;
livenessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: proxy-config
configMap:
name: proxy-config
- name: opa-policy
secret:
secretName: opa-policy
EOF
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-1-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: v1
kind: Service
metadata:
name: opa
labels:
app: opa
spec:
ports:
- name: grpc
port: 9191
targetPort: 9191
selector:
app: opa
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: opa
labels:
app: opa
spec:
replicas: 1
selector:
matchLabels:
app: opa
template:
metadata:
labels:
app: opa
spec:
containers:
- name: opa
image: openpolicyagent/opa:latest-envoy
securityContext:
runAsUser: 1111
volumeMounts:
- readOnly: true
mountPath: /policy
name: opa-policy
args:
- &#34;run&#34;
- &#34;--server&#34;
- &#34;--addr=localhost:8181&#34;
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
- &#34;--set=decision_logs.console=true&#34;
- &#34;--ignore=.*&#34;
- &#34;/policy/policy.rego&#34;
ports:
- containerPort: 9191
livenessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
readinessProbe:
httpGet:
path: /health?plugins
scheme: HTTP
port: 8282
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: proxy-config
configMap:
name: proxy-config
- name: opa-policy
secret:
secretName: opa-policy
EOF
</code></pre><p>Deploy the httpbin as well:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.9/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/httpbin/httpbin.yaml@
</code></pre></div></div></div></div><h3 id=define-external-authorizer>Define external authorizer</h3><p>Run the following command to edit the <code>meshconfig</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl edit configmap istio -n istio-system
</code></pre><p>Add the following <code>extensionProviders</code> to the <code>meshconfig</code>:</p><div id=tabset-blog-2021-better-external-authz-2 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-2-0-panel id=tabset-blog-2021-better-external-authz-2-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-2-1-panel id=tabset-blog-2021-better-external-authz-2-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-2-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-0-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
data:
mesh: |-
# Add the following contents:
extensionProviders:
- name: &#34;opa.local&#34;
envoyExtAuthzGrpc:
service: &#34;local-opa-grpc.local&#34;
port: &#34;9191&#34;
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-2-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-2-1-tab><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: v1
data:
mesh: |-
# Add the following contents:
extensionProviders:
- name: &#34;opa.default&#34;
envoyExtAuthzGrpc:
service: &#34;opa.default.svc.cluster.local&#34;
port: &#34;9191&#34;
</code></pre></div></div></div><h3 id=create-an-authorizationpolicy-with-a-custom-action>Create an AuthorizationPolicy with a CUSTOM action</h3><p>Run the following command to create the authorization policy that enables the external authorization on all paths
except <code>/ip</code>:</p><div id=tabset-blog-2021-better-external-authz-3 role=tablist class=tabset><div class=tab-strip data-category-name=opa-deploy><button aria-selected=true data-category-value=opa-same aria-controls=tabset-blog-2021-better-external-authz-3-0-panel id=tabset-blog-2021-better-external-authz-3-0-tab role=tab><span>Deploy OPA in the same pod</span>
</button><button tabindex=-1 data-category-value=opa-standalone aria-controls=tabset-blog-2021-better-external-authz-3-1-panel id=tabset-blog-2021-better-external-authz-3-1-tab role=tab><span>Deploy OPA in a separate pod</span></button></div><div class=tab-content><div id=tabset-blog-2021-better-external-authz-3-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-0-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-opa
spec:
selector:
matchLabels:
app: httpbin-with-opa
action: CUSTOM
provider:
name: &#34;opa.local&#34;
rules:
- to:
- operation:
notPaths: [&#34;/ip&#34;]
EOF
</code></pre></div><div hidden id=tabset-blog-2021-better-external-authz-3-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2021-better-external-authz-3-1-tab><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f - &lt;&lt;EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin-opa
spec:
selector:
matchLabels:
app: httpbin
action: CUSTOM
provider:
name: &#34;opa.default&#34;
rules:
- to:
- operation:
notPaths: [&#34;/ip&#34;]
EOF
</code></pre></div></div></div><h3 id=test-the-opa-policy>Test the OPA policy</h3><ol><li><p>Create a client pod to send the request:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.9/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f @samples/sleep/sleep.yaml@
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
</code></pre></div></li><li><p>Use a test JWT token signed by the OPA:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export TOKEN_PATH_HEADERS=&#34;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiTDJobFlXUmxjbk09IiwibmJmIjoxNTAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.9yl8LcZdq-5UpNLm0Hn0nnoBHXXAnK4e8RSl9vn6l98&#34;
</code></pre><p>The test JWT token has the following claims:</p><pre><code class=language-json data-expandlinks=true data-repo=istio>{
&#34;path&#34;: &#34;L2hlYWRlcnM=&#34;,
&#34;nbf&#34;: 1500000000,
&#34;exp&#34;: 1900000000
}
</code></pre><p>The <code>path</code> claim has value <code>L2hlYWRlcnM=</code> which is the base64 encode of <code>/headers</code>.</p></li><li><p>Send a request to path <code>/headers</code> without a token. This should be rejected with 403 because there is no JWT token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
403
</code></pre></li><li><p>Send a request to path <code>/get</code> with a valid token. This should be rejected with 403 because the path <code>/get</code> is not matched with the token <code>/headers</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
403
</code></pre></li><li><p>Send a request to path <code>/headers</code> with valid token. This should be allowed with 200 because the path is matched with the token:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre></li><li><p>Send request to path <code>/ip</code> without token. This should be allowed with 200 because the path <code>/ip</code> is excluded from
authorization:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
200
</code></pre></li><li><p>Check the proxy and OPA logs to confirm the result.</p></li></ol><h2 id=summary>Summary</h2><p>In Istio 1.9, the <code>CUSTOM</code> action in the authorization policy allows you to easily integrate Istio with any external
authorization system with the following benefits:</p><ul><li><p>First-class support in the authorization policy API</p></li><li><p>Ease of usage: define the external authorizer simply with a URL and enable with the authorization policy, no more
hassle with the <code>EnvoyFilter</code> API</p></li><li><p>Conditional triggering, allowing improved performance</p></li><li><p>Support for various deployment type of the external authorizer:</p><ul><li><p>A normal service and pod with or without proxy</p></li><li><p>Inside the workload pod as a separate container</p></li><li><p>Outside the mesh</p></li></ul></li></ul><p>We&rsquo;re working to promote this feature to a more stable stage in following versions and welcome your feedback at
<a href=https://discuss.istio.io/c/security/>discuss.istio.io</a>.</p><h2 id=acknowledgements>Acknowledgements</h2><p>Thanks to <code>Craig Box</code>, <code>Christian Posta</code> and <code>Limin Wang</code> for reviewing drafts of this blog.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></p><p class=desc>Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-custom/>External Authorization</a></p><p class=desc>Shows how to integrate and delegate access control to an external authorization system.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2021/migrate-alpha-policy/>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</a></p><p class=desc>A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-deny/>Explicit Deny</a></p><p class=desc>Shows how to set up access control to deny traffic explicitly.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.9/docs/tasks/security/authorization/authz-http/>HTTP Traffic</a></p><p class=desc>Shows how to set up access control for HTTP traffic.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Learn about sessions, panels, workshops and more on the IstioCon website." href=/v1.9/blog/2021/istiocon-2021-program/><svg class="icon left-arrow"><use xlink:href="/v1.9/img/icons.svg#left-arrow"/></svg>IstioCon 2021: Schedule Is Live!</a></div><div class=right></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Background><a href=#background>Background</a><li role=none aria-label=Solution><a href=#solution>Solution</a><li role=none aria-label="Example with OPA"><a href=#example-with-opa>Example with OPA</a><ol><li role=none aria-label="Create the example OPA policy"><a href=#create-the-example-opa-policy>Create the example OPA policy</a><li role=none aria-label="Deploy httpbin and OPA"><a href=#deploy-httpbin-and-opa>Deploy httpbin and OPA</a><li role=none aria-label="Define external authorizer"><a href=#define-external-authorizer>Define external authorizer</a><li role=none aria-label="Create an AuthorizationPolicy with a CUSTOM action"><a href=#create-an-authorizationpolicy-with-a-custom-action>Create an AuthorizationPolicy with a CUSTOM action</a><li role=none aria-label="Test the OPA policy"><a href=#test-the-opa-policy>Test the OPA policy</a></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label=Acknowledgements><a href=#acknowledgements>Acknowledgements</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.9.5 now" href=/v1.9/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon download"><use xlink:href="/v1.9/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon discourse"><use xlink:href="/v1.9/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon stackoverflow"><use xlink:href="/v1.9/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><span>slack</span><svg class="icon slack"><use xlink:href="/v1.9/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon twitter"><use xlink:href="/v1.9/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.9.5<br>&copy; 2020 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on May 18, 2021</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon github"><use xlink:href="/v1.9/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon drive"><use xlink:href="/v1.9/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon working-groups"><use xlink:href="/v1.9/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon top"><use xlink:href="/v1.9/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink