istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/docs/tasks/security/authz-http/index.md

563 lines
24 KiB
Markdown
Raw Blame History

---
title: Authorization for HTTP services
description: Shows how to set up role-based access control for HTTP services.
weight: 40
keywords: [security,access-control,rbac,authorization]
aliases:
- /docs/tasks/security/role-based-access-control.html
---
This task covers the activities you might need to perform to set up Istio authorization, also known
as Istio Role Based Access Control (RBAC), for HTTP services in an Istio mesh. You can read more in
[authorization](/docs/concepts/security/#authorization) and get started with
a basic tutorial in Istio Security Basics.
## Before you begin
The activities in this task assume that you:
* Understand [authorization](/docs/concepts/security/#authorization) concepts.
* Have set up Istio on Kubernetes **with authentication enabled** by following the instructions in the
[quick start](/docs/setup/kubernetes/quick-start/), this tutorial requires mutual TLS to work. Mutual TLS
authentication should be enabled in the [installation steps](/docs/setup/kubernetes/quick-start/#installation-steps).
* Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
* In this task, we will enable access control based on Service Accounts, which are cryptographically authenticated in the mesh.
In order to give different microservices different access privileges, we will create some service accounts and redeploy Bookinfo
microservices running under them.
Run the following command to
* Create service account `bookinfo-productpage`, and redeploy the service `productpage` with the service account.
* Create service account `bookinfo-reviews`, and redeploy the services `reviews` (deployments `reviews-v2` and `reviews-v3`)
with the service account.
{{< text bash >}}
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-add-serviceaccount.yaml@)
{{< /text >}}
> If you are using a namespace other than `default`, use `kubectl -n namespace ...` to specify the namespace.
* There is a major update to RBAC in Istio 1.0. Please make sure to remove any existing RBAC configuration before continuing.
* Run the following commands to disable the old RBAC functionality, these are no longer needed in Istio 1.0:
{{< text bash >}}
$ kubectl delete authorization requestcontext -n istio-system
$ kubectl delete rbac handler -n istio-system
$ kubectl delete rule rbaccheck -n istio-system
{{< /text >}}
* Run the following commands to remove any existing RBAC policies:
> You could keep existing policies but you will need to make some changes to the `constraints` and `properties` field
in the policy, see [constraints and properties](/docs/reference/config/authorization/constraints-and-properties/)
for the list of supported keys in `constraints` and `properties`.
{{< text bash >}}
$ kubectl delete servicerole --all
$ kubectl delete servicerolebinding --all
{{< /text >}}
* Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). You should see:
* The "Book Details" section in the lower left part of the page, including type, pages, publisher, etc.
* The "Book Reviews" section in the lower right part of the page.
If you refresh the page several times, you should see different versions of reviews shown in the product page,
presented in a round robin style (red stars, black stars, no stars)
## Authorization permissive mode
The authorization permissive mode is an experimental feature in Istio's 1.1 release. Its interface can change in future releases.
You can skip enabling the permissive mode and directly [enable Istio authorization](#enabling-istio-authorization)
if you do not want to try out the permissive mode feature.
This section shows how to use authorization permissive mode in below two scenarios:
* In environment without authorization, test whether it's safe to enable authorization.
* In environment already with authorization enabled, test whether it's safe to add a new authorization policy.
### Testing whether it's safe to turn on authorization globally
This tasks show how to use authorization permissive mode to test whether it's safe to
turn on authorization globally.
Before you start, please make sure that you have finished [preparation task](#before-you-begin).
1. Set the global authorization configuration to permissive mode.
Run the following command:
{{< text bash >}}
$ kubectl apply -f - <<EOF
apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
name: default
spec:
mode: 'ON_WITH_INCLUSION'
inclusion:
namespaces: ["default"]
enforcement_mode: PERMISSIVE
EOF
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine, same as in [preparation task](#before-you-begin).
1. Apply YAML file for the permissive mode metric collection.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
logentry.config.istio.io/rbacsamplelog created
stdio.config.istio.io/rbacsamplehandler created
rule.config.istio.io/rabcsamplestdio created
{{< /text >}}
1. Send traffic to the sample application.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine.
1. Verify the logs stream has been created and check `permissiveResponseCode`.
In a Kubernetes environment, search through the logs for the istio-telemetry
pods as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:53:42.059444Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"9.158879ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:53:41.037824Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"1.091670916s","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:53:41.019851Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"1.112521495s","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
In telemetry logs above, the `responseCode` is 200 which is what user see now.
The `permissiveResponseCode` is 403 which is what user will see after switching
global authorization configuration from `PERMISSIVE` mode to `ENFORCED` mode, which
indicates the global authorization configuration will work as expected after rolling
to production.
1. Before rolling out a new authorization policy in production, apply it in permissive mode.
`Note`, when global authorization configuration is in permissive mode, all policies will be in
permissive mode by default.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
{{< /text >}}
1. Send traffic to the sample application again.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should
see everything works fine.
1. Verify the logs and check `permissiveResponseCode` again.
In a Kubernetes environment, search through the logs for the istio-telemetry
pods as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T21:55:53.590430Z","instance":"rbacsamplelog.logentry.istio-system","destination":"ratings","latency":"4.415633ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":48,"source":"reviews","user":"cluster.local/ns/default/sa/bookinfo-reviews"}
{"level":"warn","time":"2018-08-30T21:55:53.565914Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"32.97524ms","permissiveResponseCode":"403","permissiveResponsePolicyID":"","responseCode":200,"responseSize":379,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T21:55:53.544441Z","instance":"rbacsamplelog.logentry.istio-system","destination":"productpage","latency":"57.800056ms","permissiveResponseCode":"200","permissiveResponsePolicyID":"productpage-viewer","responseCode":200,"responseSize":5723,"source":"istio-ingressgateway","user":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}
{{< /text >}}
In telemetry logs above, the `responseCode` is 200 which is what user see now.
The `permissiveResponseCode` is 200 for productpage service, 403 for ratings
and reviews services, which are what user will see after switching
policy mode from `PERMISSIVE` mode to `ENFORCED` mode; the result aligns with
[step 1](#step-1-allowing-access-to-the-productpage-service).
1. Remove permissive mode related yaml files:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Now we have verified authorization will work as expected when turning it on,
it's safe following below [Enabling Istio authorization](#enabling-istio-authorization) to turn on authorization.
### Testing new authorization policy works as expected before rolling to production
This tasks shows how to use authorization permissive mode to test a new authorization policy works
as expected in environment with authorization already enabled.
Before you start, please make sure that you have finished [step 1](#step-1-allowing-access-to-the-productpage-service).
1. Before applying a new policy, test it by setting its mode to permissive:
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
{{< /text >}}
The policy is the same as defined in [allowing access to the details and
reviews services](#step-2-allowing-access-to-the-details-and-reviews-services), except `PERMISSIVE` mode is set in ServiceRoleBinding.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-details-reviews
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-productpage"
roleRef:
kind: ServiceRole
name: "details-reviews-viewer"
mode: PERMISSIVE
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`), you should still
see there are errors `Error fetching product details` and `Error fetching
product reviews` on the page. These errors are expected because the policy is
in `PERMISSIVE` mode.
1. Apply YAML file for the permissive mode metric collection.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Send traffic to the sample application.
For the Bookinfo sample, visit `http://$GATEWAY_URL/productpage` in your web
browser or issue the following command:
{{< text bash >}}
$ curl http://$GATEWAY_URL/productpage
{{< /text >}}
1. Verify the logs and check `permissiveResponseCode` again.
In a Kubernetes environment, search through the logs for the istio-telemetry
pods as follows:
{{< text bash json >}}
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"rbacsamplelog.logentry.istio-system\"
{"level":"warn","time":"2018-08-30T22:59:42.707093Z","instance":"rbacsamplelog.logentry.istio-system","destination":"details","latency":"423.381µs","permissiveResponseCode":"200","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{"level":"warn","time":"2018-08-30T22:59:42.763423Z","instance":"rbacsamplelog.logentry.istio-system","destination":"reviews","latency":"237.333µs","permissiveResponseCode":"200","permissiveResponsePolicyID":"details-reviews-viewer","responseCode":403,"responseSize":19,"source":"productpage","user":"cluster.local/ns/default/sa/bookinfo-productpage"}
{{< /text >}}
In telemetry logs above, the `responseCode` is 403 for ratings
and reviews services, which is what users see now.
The `permissiveResponseCode` is 200 for ratings and reviews services,
which is what users will see after switching policy mode from `PERMISSIVE` mode
to `ENFORCED` mode; it indicates the new authorization policy will work as expected
after rolling to production.
1. Remove permissive mode related yaml files:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml@
{{< /text >}}
1. Now we have verified the new policy will work as expected, it's safe
following [step 2](#step-2-allowing-access-to-the-details-and-reviews-services) to apply the policy.
## Enabling Istio authorization
Run the following command to enable Istio authorization for the `default` namespace:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). Now you should see
`"RBAC: access denied"`. This is because Istio authorization is "deny by default", which means that you need to
explicitly define access control policy to grant access to any service.
> There may be some delays due to caching and other propagation overhead.
## Namespace-level access control
Using Istio authorization, you can easily setup namespace-level access control by specifying all (or a collection of) services
in a namespace are accessible by services from another namespace.
In our Bookinfo sample, the `productpage`, `reviews`, `details`, `ratings` services are deployed in the `default` namespace.
The Istio components like `istio-ingressgateway` service are deployed in the `istio-system` namespace. We can define a policy that
any service in the `default` namespace that has the `app` label set to one of the values of
`productpage`, `details`, `reviews`, or `ratings`
is accessible by services in the same namespace (i.e., `default`) and services in the `istio-system` namespace.
Run the following command to create a namespace-level access control policy:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
{{< /text >}}
The policy does the following:
* Creates a `ServiceRole` `service-viewer` which allows read access to any service in the `default` namespace that has
the `app` label
set to one of the values `productpage`, `details`, `reviews`, or `ratings`. Note that there is a
constraint specifying that
the services must have one of the listed `app` labels.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: service-viewer
namespace: default
spec:
rules:
- services: ["*"]
methods: ["GET"]
constraints:
- key: "destination.labels[app]"
values: ["productpage", "details", "reviews", "ratings"]
{{< /text >}}
* Creates a `ServiceRoleBinding` that assign the `service-viewer` role to all services in the `istio-system` and `default` namespaces.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-service-viewer
namespace: default
spec:
subjects:
- properties:
source.namespace: "istio-system"
- properties:
source.namespace: "default"
roleRef:
kind: ServiceRole
name: "service-viewer"
{{< /text >}}
You can expect to see output similar to the following:
{{< text plain >}}
servicerole "service-viewer" created
servicerolebinding "bind-service-viewer" created
{{< /text >}}
Now if you point your browser at Bookinfo's `productpage` (`http://$GATEWAY_URL/productpage`). You should see the "Bookinfo Sample" page,
with the "Book Details" section in the lower left part and the "Book Reviews" section in the lower right part.
> There may be some delays due to caching and other propagation overhead.
### Cleanup namespace-level access control
Remove the following configuration before you proceed to the next task:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/namespace-policy.yaml@
{{< /text >}}
## Service-level access control
This task shows you how to set up service-level access control using Istio authorization. Before you start, please make sure that:
* You have [enabled Istio authorization](#enabling-istio-authorization).
* You have [removed namespace-level authorization policy](#cleanup-namespace-level-access-control).
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). You should see `"RBAC: access denied"`.
We will incrementally add access permission to the services in the Bookinfo sample.
### Step 1. allowing access to the `productpage` service
In this step, we will create a policy that allows external requests to access the `productpage` service via Ingress.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
{{< /text >}}
The policy does the following:
* Creates a `ServiceRole` `productpage-viewer` which allows read access to the `productpage` service.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: productpage-viewer
namespace: default
spec:
rules:
- services: ["productpage.default.svc.cluster.local"]
methods: ["GET"]
{{< /text >}}
* Creates a `ServiceRoleBinding` `bind-productpager-viewer` which assigns the `productpage-viewer` role to all
users and services.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-productpager-viewer
namespace: default
spec:
subjects:
- user: "*"
roleRef:
kind: ServiceRole
name: "productpage-viewer"
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). Now you should see the "Bookinfo Sample"
page. But there are errors `Error fetching product details` and `Error fetching product reviews` on the page. These errors
are expected because we have not granted the `productpage` service access to the `details` and `reviews` services. We will fix the errors
in the following steps.
> There may be some delays due to caching and other propagation overhead.
### Step 2. allowing access to the `details` and `reviews` services
We will create a policy to allow the `productpage` service to access the `details` and `reviews` services. Note that in the
[setup step](#before-you-begin), we created the `bookinfo-productpage` service account for the `productpage` service. This
`bookinfo-productpage` service account is the authenticated identify for the `productpage` service.
Run the following command:
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
{{< /text >}}
The policy does the following:
* Creates a `ServiceRole` `details-reviews-viewer` which allows access to the `details` and `reviews` services.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: details-reviews-viewer
namespace: default
spec:
rules:
- services: ["details.default.svc.cluster.local", "reviews.default.svc.cluster.local"]
methods: ["GET"]
{{< /text >}}
* Creates a `ServiceRoleBinding` `bind-details-reviews` which assigns the `details-reviews-viewer` role to the
`cluster.local/ns/default/sa/bookinfo-productpage` service account (representing the `productpage` service).
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-details-reviews
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-productpage"
roleRef:
kind: ServiceRole
name: "details-reviews-viewer"
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). Now you should see the "Bookinfo Sample"
page with "Book Details" on the lower left part, and "Book Reviews" on the lower right part. However, in the "Book Reviews" section,
there is an error `Ratings service currently unavailable`. This is because "reviews" service does not have permission to access
"ratings" service. To fix this issue, you need to grant the `reviews` service access to the `ratings` service.
We will show how to do that in the next step.
> There may be some delays due to caching and other propagation overhead.
### Step 3. allowing access to the `ratings` service
We will create a policy to allow the `reviews` service to access the `ratings` service. Note that in the
[setup step](#before-you-begin), we created a `bookinfo-reviews` service account for the `reviews` service. This
service account is the authenticated identify for the `reviews` service.
Run the following command to create a policy that allows the `reviews` service to access the `ratings` service.
{{< text bash >}}
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
{{< /text >}}
The policy does the following:
* Creates a `ServiceRole` `ratings-viewer\` which allows access to the `ratings` service.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: ratings-viewer
namespace: default
spec:
rules:
- services: ["ratings.default.svc.cluster.local"]
methods: ["GET"]
{{< /text >}}
* Creates a `ServiceRoleBinding` `bind-ratings` which assigns `ratings-viewer` role to the
`cluster.local/ns/default/sa/bookinfo-reviews` service account, which represents the `reviews` service.
{{< text yaml >}}
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-ratings
namespace: default
spec:
subjects:
- user: "cluster.local/ns/default/sa/bookinfo-reviews"
roleRef:
kind: ServiceRole
name: "ratings-viewer"
{{< /text >}}
Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`). Now you should see
the "black" and "red" ratings in the "Book Reviews" section.
> There may be some delays due to caching and other propagation overhead.
## Cleanup
* Remove Istio authorization policy configuration:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/details-reviews-policy.yaml@
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/productpage-policy.yaml@
{{< /text >}}
Alternatively, you can delete all `ServiceRole` and `ServiceRoleBinding` resources by running the following commands:
{{< text bash >}}
$ kubectl delete servicerole --all
$ kubectl delete servicerolebinding --all
{{< /text >}}
* Disable Istio authorization:
{{< text bash >}}
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-ON.yaml@
{{< /text >}}
Reference in New Issue View Git Blame Copy Permalink