istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.4/docs/concepts/security/index.html

420 lines
111 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content=Security><meta name=description content="Describes Istio's authorization and authentication functionality."><meta name=keywords content=microservices,services,mesh,security,policy,policies,authentication,authorization,rbac,access-control><meta property=og:title content=Security><meta property=og:type content=website><meta property=og:description content="Describes Istio's authorization and authentication functionality."><meta property=og:url content=/v1.4/docs/concepts/security/><meta property=og:image content=/v1.4/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.4 / Security</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.4/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.4/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.4/feed.xml><link rel="shortcut icon" href=/v1.4/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.4/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.4/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.4/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.4/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.4/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.4/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.4/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.4/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.4/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.4/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.4/css/all.css><script src=/v1.4/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.4";const docTitle="Security";const iconFile="\/v1.4/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.4/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.4/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2"/><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.4</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#hamburger"/></svg></div><div id=header-links><a class=current title="Learn how to deploy, use, and operate Istio." href=/v1.4/docs/>Docs</a>
<a title="Posts about using Istio." href=/v1.4/blog/2020/>Blog<i class=dot data-prefix=/blog></i></a>
<a title="Timely news about the Istio project." href=/v1.4/news/>News<i class=dot data-prefix=/news></i></a>
<a title="Frequently Asked Questions about Istio." href=/v1.4/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.4/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/concepts\/security\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/concepts\/security\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://istio.io/archive>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.4/search>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#cancel-x"/></svg></button></form></nav></header><div class=banner-container></div><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card25 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card25-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#concepts"/></svg>Concepts</button><div class="body default" aria-labelledby=card25 role=region id=card25-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card25><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture, and its design goals." href=/v1.4/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.4/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><span role=treeitem class=current title="Describes Istio's authorization and authentication functionality.">Security</span></li><li role=none><a role=treeitem title="Describes Istio's policy management functionality." href=/v1.4/docs/concepts/policies/>Policies</a></li><li role=none><a role=treeitem title="Describes the telemetry and monitoring features provided by Istio." href=/v1.4/docs/concepts/observability/>Observability</a></li></ul></div></div><div class=card><button class="header dynamic" id=card52 title="Instructions for installing the Istio control plane on Kubernetes." aria-controls=card52-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card52 role=region id=card52-body><ul role=tree aria-expanded=true aria-labelledby=card52><li role=none><a role=treeitem title="Download, install, and learn how to evaluate and try Istios basic features quickly." href=/v1.4/docs/setup/getting-started/>Getting Started</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.4/docs/setup/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.4/docs/setup/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.4/docs/setup/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker Desktop for Istio." href=/v1.4/docs/setup/platform-setup/docker/>Docker Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.4/docs/setup/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.4/docs/setup/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup a Gardener cluster for Istio." href=/v1.4/docs/setup/platform-setup/gardener/>Kubernetes Gardener</a></li><li role=none><a role=treeitem title="Instructions to setup MicroK8s for use with Istio." href=/v1.4/docs/setup/platform-setup/microk8s/>MicroK8s</a></li><li role=none><a role=treeitem title="Instructions to setup minikube for Istio." href=/v1.4/docs/setup/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.4/docs/setup/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.4/docs/setup/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the guide that best suits your needs and platform." href=/v1.4/docs/setup/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Install and customize any Istio configuration profile for in-depth evaluation or production use." href=/v1.4/docs/setup/install/istioctl/>Customizable Install with Istioctl</a></li><li role=none><a role=treeitem title="Install and configure Istio for in-depth evaluation or production use." href=/v1.4/docs/setup/install/helm/>Customizable Install with Helm</a></li><li role=none><a role=treeitem title="Instructions to install Istio in a Kubernetes cluster using the Istio operator." href=/v1.4/docs/setup/install/standalone-operator/>Standalone Operator Install [Experimental]</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.4/docs/setup/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.4/docs/setup/install/multicluster/simplified/>Simplified Multicluster Install [Experimental]</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with replicated control plane instances." href=/v1.4/docs/setup/install/multicluster/gateways/>Replicated control planes</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with a shared control plane and VPN connectivity between clusters." href=/v1.4/docs/setup/install/multicluster/shared-vpn/>Shared control plane (single-network)</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using a shared control plane for disconnected cluster networks." href=/v1.4/docs/setup/install/multicluster/shared-gateways/>Shared control plane (multi-network)</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Choose the upgrade guide that corresponds to the approach you previously used to install Istio." href=/v1.4/docs/setup/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Upgrade or downgrade Istio using the istioctl upgrade command." href=/v1.4/docs/setup/upgrade/istioctl-upgrade/>Upgrade Istio using istioctl [Experimental]</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane, and optionally, the CNI plug-in using Helm." href=/v1.4/docs/setup/upgrade/cni-helm-upgrade/>Upgrade using Helm</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.4/docs/setup/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.4/docs/setup/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.4/docs/setup/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.4/docs/setup/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card83 title="How to do single specific targeted activities with the Istio system." aria-controls=card83-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#tasks"/></svg>Tasks</button><div class=body aria-labelledby=card83 role=region id=card83-body><ul role=tree aria-expanded=true aria-labelledby=card83><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.4/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.4/docs/tasks/traffic-management/request-routing/>Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.4/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.4/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.4/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.4/docs/tasks/traffic-management/request-timeouts/>Request Timeouts</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.4/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.4/docs/tasks/traffic-management/mirroring/>Mirroring</a></li><li role=treeitem aria-label=Ingress><button aria-hidden=true></button><a title="Controlling ingress traffic for an Istio service mesh." href=/v1.4/docs/tasks/traffic-management/ingress/>Ingress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure an Istio gateway to expose a service outside of the service mesh." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-control/>Ingress Gateways</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using file-mounted certificates." href=/v1.4/docs/tasks/traffic-management/ingress/secure-ingress-mount/>Secure Gateways (File Mount)</a></li><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS using the secret discovery service (SDS)." href=/v1.4/docs/tasks/traffic-management/ingress/secure-ingress-sds/>Secure Gateways (SDS)</a></li><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.4/docs/tasks/traffic-management/ingress/ingress-certmgr/>Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label=Egress><button aria-hidden=true></button><a title="Controlling egress traffic for an Istio service mesh." href=/v1.4/docs/tasks/traffic-management/egress/>Egress</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-control/>Accessing External Services</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-tls-origination/>Egress TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.4/docs/tasks/traffic-management/egress/egress-gateway/>Egress Gateways</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.4/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateways with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.4/docs/tasks/traffic-management/egress/wildcard-egress-hosts/>Egress using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.4/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/>Monitoring and Policies for TLS Egress</a></li><li role=none><a role=treeitem title="Shows how to configure Istio Kubernetes External Services." href=/v1.4/docs/tasks/traffic-management/egress/egress-kubernetes-services/>Kubernetes Services for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.4/docs/tasks/traffic-management/egress/http-proxy/>Using an External HTTPS Proxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.4/docs/tasks/security/>Security</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Authentication><button aria-hidden=true></button><a title="Controlling mutual TLS and end-user authentication for mesh services." href=/v1.4/docs/tasks/security/authentication/>Authentication</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A simplified workflow to adopt mutual TLS with minimal configuration overhead." href=/v1.4/docs/tasks/security/authentication/auto-mtls/>Automatic mutual TLS</a></li><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.4/docs/tasks/security/authentication/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.4/docs/tasks/security/authentication/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.4/docs/tasks/security/authentication/https-overlay/>Mutual TLS over HTTPS</a></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.4/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration</a></li></ul></li><li role=treeitem aria-label="Citadel Configuration"><button aria-hidden=true></button><a title="Customizing the Citadel certificate authority." href=/v1.4/docs/tasks/security/citadel-config/>Citadel Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.4/docs/tasks/security/citadel-config/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.4/docs/tasks/security/citadel-config/health-check/>Citadel Health Checking</a></li><li role=none><a role=treeitem title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning." href=/v1.4/docs/tasks/security/citadel-config/auth-sds/>Provisioning Identity through SDS</a></li><li role=none><a role=treeitem title="Configure which namespaces Citadel should generate service account secrets for." href=/v1.4/docs/tasks/security/citadel-config/ca-namespace-targeting/>Configure Citadel Service Account Secret Generation</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Shows how to control access to Istio services." href=/v1.4/docs/tasks/security/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP traffic." href=/v1.4/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></li><li role=none><a role=treeitem title="Shows how to set up access control for TCP traffic." href=/v1.4/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.4/docs/tasks/security/authorization/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to migrate from one trust domain to another without changing authorization policy." href=/v1.4/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></li></ul></li><li role=none><a role=treeitem title="Shows how to provision and manage DNS certificates in Istio." href=/v1.4/docs/tasks/security/dns-cert/>Istio DNS Certificate Management</a></li><li role=none><a role=treeitem title="How to manage webhooks in Istio through istioctl." href=/v1.4/docs/tasks/security/webhook/>Istio Webhook Management [Experimental]</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.4/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.4/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.4/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.4/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.4/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.4/docs/tasks/observability/>Observability</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.4/docs/tasks/observability/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.4/docs/tasks/observability/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.4/docs/tasks/observability/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.4/docs/tasks/observability/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.4/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.4/docs/tasks/observability/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.4/docs/tasks/observability/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.4/docs/tasks/observability/logs/access-log/>Getting Envoy&#39;s Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.4/docs/tasks/observability/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.4/docs/tasks/observability/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.4/docs/tasks/observability/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.4/docs/tasks/observability/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.4/docs/tasks/observability/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.4/docs/tasks/observability/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.4/docs/tasks/observability/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.4/docs/tasks/observability/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card104 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card104-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card104 role=region id=card104-body><ul role=tree aria-expanded=true aria-labelledby=card104><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.4/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Deploys a sample application across a multicluster mesh." href=/v1.4/docs/examples/bookinfo-multicluster/>Bookinfo Application - Multicluster</a></li><li role=treeitem aria-label="Virtual Machines"><button aria-hidden=true></button><a title="Examples that add workloads running on virtual machines to an Istio mesh." href=/v1.4/docs/examples/virtual-machines/>Virtual Machines</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your single network Istio mesh." href=/v1.4/docs/examples/virtual-machines/single-network/>Virtual Machines in Single-Network Meshes</a></li><li role=none><a role=treeitem title="Learn how to add a service running on a virtual machine to your multi-network Istio mesh." href=/v1.4/docs/examples/virtual-machines/multi-network/>Virtual Machines in Multi-Network Meshes</a></li><li role=none><a role=treeitem title="Run the Bookinfo application with a MySQL service running on a virtual machine within your mesh." href=/v1.4/docs/examples/virtual-machines/bookinfo/>Bookinfo with a Virtual Machine</a></li></ul></li><li role=treeitem aria-label="Learn Microservices using Kubernetes and Istio"><button aria-hidden=true></button><a title="This modular tutorial provides new users with hands-on experience using Istio for common microservices scenarios, one step at a time." href=/v1.4/docs/examples/microservices-istio/>Learn Microservices using Kubernetes and Istio</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/prereq/>Prerequisites</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/setup-kubernetes-cluster/>Setup a Kubernetes Cluster</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/setup-local-computer/>Setup a Local Computer</a></li><li role=none><a role=treeitem href=/v1.4/docs/examples/microservices-istio/single/>Run a Microservice Locally</a></li></ul></li><li role=treeitem aria-label="Platform-specific Examples (Deprecated)"><button aria-hidden=true></button><a title="Examples for specific platform installations of Istio." href=/v1.4/docs/examples/platform/>Platform-specific Examples (Deprecated)</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.4/docs/examples/platform/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.4/docs/examples/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.4/docs/examples/platform/icp/>IBM Cloud Private</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card125 title="Concepts, tools, and techniques to deploy and manage an Istio mesh." aria-controls=card125-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#guide"/></svg>Operations</button><div class=body aria-labelledby=card125 role=region id=card125-body><ul role=tree aria-expanded=true aria-labelledby=card125><li role=treeitem aria-label=Deployment><button aria-hidden=true></button><a title="Requirements, concepts, and considerations for setting up an Istio deployment." href=/v1.4/docs/ops/deployment/>Deployment</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes Istio's high-level architecture and design goals." href=/v1.4/docs/ops/deployment/architecture/>Architecture</a></li><li role=none><a role=treeitem title="Describes the options and considerations when configuring your Istio deployment." href=/v1.4/docs/ops/deployment/deployment-models/>Deployment Models</a></li><li role=none><a role=treeitem title="Istio performance and scalability summary." href=/v1.4/docs/ops/deployment/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.4/docs/ops/deployment/requirements/>Pods and Services</a></li></ul></li><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Advanced concepts and features for configuring a running Istio mesh." href=/v1.4/docs/ops/configuration/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Mesh Configuration"><button aria-hidden=true></button><a title="Helps you manage the global mesh configuration." href=/v1.4/docs/ops/configuration/mesh/>Mesh Configuration</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Provides a general overview of Istio's use of Kubernetes webhooks and the related issues that can arise." href=/v1.4/docs/ops/configuration/mesh/webhook/>Dynamic Admission Webhooks Overview</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.4/docs/ops/configuration/mesh/injection-concepts/>Automatic Sidecar Injection</a></li><li role=none><a role=treeitem title="Describes how Citadel determines whether to create service account secrets." href=/v1.4/docs/ops/configuration/mesh/secret-creation/>Service Account Secret Creation</a></li><li role=none><a role=treeitem title="Describes Istio's use of Kubernetes webhooks for server-side configuration validation." href=/v1.4/docs/ops/configuration/mesh/validation/>Configuration Validation Webhook</a></li><li role=none><a role=treeitem title="Shows how to do health checking for Istio services." href=/v1.4/docs/ops/configuration/mesh/app-health-check/>Health Checking of Istio Services</a></li></ul></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Helps you manage the networking aspects of a running mesh." href=/v1.4/docs/ops/configuration/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Information on how to specify protocols." href=/v1.4/docs/ops/configuration/traffic-management/protocol-selection/>Protocol Selection</a></li><li role=none><a role=treeitem title="Information on how to enable and understand Locality Load Balancing." href=/v1.4/docs/ops/configuration/traffic-management/locality-load-balancing/>Locality Load Balancing</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Helps you manage the security aspects of a running mesh." href=/v1.4/docs/ops/configuration/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Use hardened container images to reduce Istio's attack surface." href=/v1.4/docs/ops/configuration/security/harden-docker-images/>Harden Docker Container Images</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of the Istio self-signed root certificate." href=/v1.4/docs/ops/configuration/security/root-transition/>Extending Self-Signed Certificate Lifetime</a></li></ul></li><li role=treeitem aria-label=Observability><button aria-hidden=true></button><a title="Helps you manage telemetry collection and visualization in a running mesh." href=/v1.4/docs/ops/configuration/telemetry/>Observability</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Fine-grained control of Envoy statistics." href=/v1.4/docs/ops/configuration/telemetry/envoy-stats/>Envoy Statistics</a></li><li role=none><a role=treeitem title="How to enable in-proxy generation of HTTP service-level metrics." href=/v1.4/docs/ops/configuration/telemetry/in-proxy-service-telemetry/>Generate Istio Metrics Without Mixer [Alpha]</a></li></ul></li></ul></li><li role=treeitem aria-label="Best Practices"><button aria-hidden=true></button><a title="Best practices for setting up and managing an Istio service mesh." href=/v1.4/docs/ops/best-practices/>Best Practices</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="General best practices when setting up an Istio service mesh." href=/v1.4/docs/ops/best-practices/deployment/>Deployment Best Practices</a></li><li role=none><a role=treeitem title="Configuration best practices to avoid networking or traffic management issues." href=/v1.4/docs/ops/best-practices/traffic-management/>Traffic Management Best Practices</a></li><li role=none><a role=treeitem title="Best practices for securing applications using Istio." href=/v1.4/docs/ops/best-practices/security/>Security Best Practices</a></li></ul></li><li role=treeitem aria-label="Common Problems"><button aria-hidden=true></button><a title="Describes how to identify and resolve common problems in Istio." href=/v1.4/docs/ops/common-problems/>Common Problems</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Techniques to address common Istio traffic management and network problems." href=/v1.4/docs/ops/common-problems/network-issues/>Traffic Management Problems</a></li><li role=none><a role=treeitem title="Techniques to address common Istio authentication, authorization, and general security-related problems." href=/v1.4/docs/ops/common-problems/security-issues/>Security Problems</a></li><li role=none><a role=treeitem title="Dealing with telemetry collection issues." href=/v1.4/docs/ops/common-problems/observability-issues/>Observability Problems</a></li><li role=none><a role=treeitem title="Resolve common problems with Istio's use of Kubernetes webhooks for automatic sidecar injection." href=/v1.4/docs/ops/common-problems/injection/>Sidecar Injection Problems</a></li><li role=none><a role=treeitem title="Describes how to resolve Galley configuration problems." href=/v1.4/docs/ops/common-problems/validation/>Galley Configuration Problems</a></li></ul></li><li role=treeitem aria-label="Diagnostic Tools"><button aria-hidden=true></button><a title="Tools and techniques to help troubleshoot an Istio mesh." href=/v1.4/docs/ops/diagnostic-tools/>Diagnostic Tools</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Istio includes a supplemental tool that provides debugging and diagnosis for Istio service mesh deployments." href=/v1.4/docs/ops/diagnostic-tools/istioctl/>Using the Istioctl Command-line Tool</a></li><li role=none><a role=treeitem title="Describes tools and techniques to diagnose Envoy configuration issues related to traffic management." href=/v1.4/docs/ops/diagnostic-tools/proxy-cmd/>Debugging Envoy and Pilot</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl describe to verify the configurations of a pod in your mesh." href=/v1.4/docs/ops/diagnostic-tools/istioctl-describe/>Understand your Mesh with Istioctl Describe</a></li><li role=none><a role=treeitem title="Shows you how to use istioctl analyze to identify potential issues with your configuration." href=/v1.4/docs/ops/diagnostic-tools/istioctl-analyze/>Diagnose your Configuration with Istioctl Analyze</a></li><li role=none><a role=treeitem title="Describes how to use ControlZ to get insight into individual running components." href=/v1.4/docs/ops/diagnostic-tools/controlz/>Component Introspection</a></li><li role=none><a role=treeitem title="Describes how to use component-level logging to get insights into a running component's behavior." href=/v1.4/docs/ops/diagnostic-tools/component-logging/>Component Logging</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card160 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card160-body><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card160 role=region id=card160-body><ul role=tree aria-expanded=true aria-labelledby=card160><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.4/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration options for Istio control plane installation using istioctl." href=/v1.4/docs/reference/config/istio.operator.v1alpha12.pb/>Installation Options (istioctl)</a></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using Helm charts." href=/v1.4/docs/reference/config/installation-options/>Installation Options (Helm)</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.4/docs/reference/config/istio.mesh.v1alpha1/>Global Mesh Options</a></li><li role=none><a role=treeitem title="Resource annotations used by Istio." href=/v1.4/docs/reference/config/annotations/>Resource Annotations</a></li><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.4/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.4/docs/reference/config/networking/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Customizing Envoy configuration generated by Istio." href=/v1.4/docs/reference/config/networking/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.4/docs/reference/config/networking/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.4/docs/reference/config/networking/virtual-service/>Virtual Service</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.4/docs/reference/config/networking/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.4/docs/reference/config/networking/service-entry/>Service Entry</a></li></ul></li><li role=treeitem aria-label=Security><button aria-hidden=true></button><a title="Describes how to configure Istio's security features." href=/v1.4/docs/reference/config/security/>Security</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration for access control on workloads." href=/v1.4/docs/reference/config/security/authorization-policy/>Authorization Policy</a></li><li role=none><a role=treeitem title="Describes the supported conditions in authorization policies." href=/v1.4/docs/reference/config/security/conditions/>Authorization Policy Conditions</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.4/docs/reference/config/security/istio.rbac.v1alpha1/>RBAC (deprecated)</a></li><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.4/docs/reference/config/security/constraints-and-properties/>RBAC Constraints and Properties (deprecated)</a></li></ul></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.4/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.4/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.4/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li><li role=none><a role=treeitem title="Describes the configuration model for Istio's policy enforcement and telemetry mechanisms." href=/v1.4/docs/reference/config/policy-and-telemetry/mixer-overview/>Mixer Configuration Model</a></li><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.4/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.4/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter to enforce authentication and authorization policies for web apps and APIs." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/app-identity-access-adapter/>App Identity and Access</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="An Istio Mixer adapter to send telemetry data to New Relic." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/newrelic/>New Relic</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.4/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li></ul></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.4/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.4/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li></ul></li><li role=treeitem aria-label="Configuration Analysis Messages"><button aria-hidden=true></button><a title="Documents the individual error and warning messages produced during configurarion analysis." href=/v1.4/docs/reference/config/analysis/>Configuration Analysis Messages</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/message-format/>Analyzer Message Format</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0109/>ConflictingMeshGatewayVirtualServiceHosts</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0110/>ConflictingSidecarWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0002/>Deprecated</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0104/>GatewayPortNotOnWorkload</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0001/>InternalError</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0105/>IstioProxyVersionMismatch</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0119/>JwtFailureDueToInvalidServicePortPrefix</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0107/>MisplacedAnnotation</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0111/>MultipleSidecarsWithoutWorkloadSelectors</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0102/>NamespaceNotInjected</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0112/>VirtualServiceDestinationPortSelectorRequired</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0108/>UnknownAnnotation</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0106/>SchemaValidationError</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0101/>ReferencedResourceNotFound</a></li><li role=none><a role=treeitem href=/v1.4/docs/reference/config/analysis/ist0103/>PodMissingProxy</a></li></ul></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.4/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.4/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.4/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.4/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.4/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.4/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.4/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="The Istio operator." href=/v1.4/docs/reference/commands/operator/>operator</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.4/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.4/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li></ul></li><li role=none><a role=treeitem title="A glossary of common Istio terms." href=/v1.4/docs/reference/glossary/>Glossary</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.4/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.4/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.4/docs/concepts/ title="Learn about the different parts of the Istio system and the abstractions it uses.">Concepts</a></li><li>Security</li></ol></nav><article aria-labelledby=title><div class=title-area><div style=width:100%><h1 id=title>Security</h1><p class=byline><span title="4500 words"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#clock"/></svg><span>&nbsp;</span>22 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="High-level architecture"><a href=#high-level-architecture>High-level architecture</a><li role=none aria-label="Istio identity"><a href=#istio-identity>Istio identity</a><ol><li role=none aria-label="Istio security vs SPIFFE"><a href=#istio-security-vs-spiffe>Istio security vs SPIFFE</a></ol></li><li role=none aria-label=PKI><a href=#pki>PKI</a><ol><li role=none aria-label="Kubernetes scenario"><a href=#kubernetes-scenario>Kubernetes scenario</a><li role=none aria-label="On-premises machines scenario"><a href=#on-premises-machines-scenario>On-premises machines scenario</a><li role=none aria-label="Node agent in Kubernetes"><a href=#node-agent-in-kubernetes>Node agent in Kubernetes</a></ol></li><li role=none aria-label=Authentication><a href=#authentication>Authentication</a><ol><li role=none aria-label="Mutual TLS authentication"><a href=#mutual-tls-authentication>Mutual TLS authentication</a><ol><li role=none aria-label="Permissive mode"><a href=#permissive-mode>Permissive mode</a><li role=none aria-label="Secure naming"><a href=#secure-naming>Secure naming</a></ol></li><li role=none aria-label="Authentication architecture"><a href=#authentication-architecture>Authentication architecture</a><li role=none aria-label="Authentication policies"><a href=#authentication-policies>Authentication policies</a><ol><li role=none aria-label="Policy storage scope"><a href=#policy-storage-scope>Policy storage scope</a><li role=none aria-label="Target selectors"><a href=#target-selectors>Target selectors</a><li role=none aria-label="Transport authentication"><a href=#transport-authentication>Transport authentication</a><li role=none aria-label="Origin authentication"><a href=#origin-authentication>Origin authentication</a><li role=none aria-label="Principal binding"><a href=#principal-binding>Principal binding</a></ol></li><li role=none aria-label="Updating authentication policies"><a href=#updating-authentication-policies>Updating authentication policies</a></ol></li><li role=none aria-label=Authorization><a href=#authorization>Authorization</a><ol><li role=none aria-label="Authorization architecture"><a href=#authorization-architecture>Authorization architecture</a><li role=none aria-label="Implicit enablement"><a href=#implicit-enablement>Implicit enablement</a><li role=none aria-label="Authorization policy"><a href=#authorization-policy>Authorization policy</a><ol><li role=none aria-label="Policy Target"><a href=#policy-target>Policy Target</a><li role=none aria-label="Value matching"><a href=#value-matching>Value matching</a><li role=none aria-label="Allow-all and deny-all"><a href=#allow-all-and-deny-all>Allow-all and deny-all</a><li role=none aria-label="Custom conditions"><a href=#custom-conditions>Custom conditions</a><li role=none aria-label="Authenticated and unauthenticated identity"><a href=#authenticated-and-unauthenticated-identity>Authenticated and unauthenticated identity</a></ol></li><li role=none aria-label="Using Istio authorization on plain TCP protocols"><a href=#using-istio-authorization-on-plain-tcp-protocols>Using Istio authorization on plain TCP protocols</a><li role=none aria-label="Dependency on mutual TLS"><a href=#dependency-on-mutual-tls>Dependency on mutual TLS</a><li role=none aria-label="Using other authorization mechanisms"><a href=#using-other-authorization-mechanisms>Using other authorization mechanisms</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>Breaking down a monolithic application into atomic services offers various benefits, including better agility, better scalability
and better ability to reuse services.
However, microservices also have particular security needs:</p><ul><li><p>To defend against the man-in-the-middle attack, they need traffic encryption.</p></li><li><p>To provide flexible service access control, they need mutual TLS and fine-grained access policies.</p></li><li><p>To audit who did what at what time, they need auditing tools.</p></li></ul><p>Istio Security tries to provide a comprehensive security solution to solve all these issues.</p><p>This page gives an overview on how you can use Istio security features to secure your services, wherever you run them.
In particular, Istio security mitigates both insider and external threats against your data, endpoints, communication and platform.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a data-skipendnotes=true href=/v1.4/docs/concepts/security/./overview.svg title="Istio Security Overview"><img class=element-to-stretch src=/v1.4/docs/concepts/security/./overview.svg alt="Istio Security Overview"></a></div><figcaption>Istio Security Overview</figcaption></figure><p>The Istio security features provide strong identity, powerful policy, transparent TLS encryption, and authentication, authorization
and audit (AAA) tools to protect your services and data. The goals of Istio security are:</p><ul><li><p><strong>Security by default</strong>: no changes needed for application code and infrastructure</p></li><li><p><strong>Defense in depth</strong>: integrate with existing security systems to provide multiple layers of defense</p></li><li><p><strong>Zero-trust network</strong>: build security solutions on untrusted networks</p></li></ul><p>Visit our <a href=/v1.4/docs/tasks/security/authentication/mtls-migration/>Mutual TLS Migration docs</a> to start using Istio security features with your deployed services.
Visit our <a href=/v1.4/docs/tasks/security/>Security Tasks</a> for detailed instructions to use the security features.</p><h2 id=high-level-architecture>High-level architecture</h2><p>Security in Istio involves multiple components:</p><ul><li><p><strong>Citadel</strong> for key and certificate management</p></li><li><p><strong>Sidecar and perimeter proxies</strong> to implement secure communication and authorization between clients and servers</p></li><li><p><strong>Pilot</strong> to distribute <a href=/v1.4/docs/concepts/security/#authentication-policies>authentication policies</a>
and <a href=/v1.4/docs/concepts/security/#secure-naming>secure naming information</a> to the proxies</p></li><li><p><strong>Mixer</strong> to manage auditing</p></li></ul><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a data-skipendnotes=true href=/v1.4/docs/concepts/security/./architecture.svg title="Istio Security Architecture"><img class=element-to-stretch src=/v1.4/docs/concepts/security/./architecture.svg alt="Istio Security Architecture"></a></div><figcaption>Istio Security Architecture</figcaption></figure><p>In the following sections, we introduce the Istio security features in detail.</p><h2 id=istio-identity>Istio identity</h2><p>Identity is a fundamental concept of any security infrastructure. At the beginning of a service-to-service communication,
the two parties must exchange credentials with their identity information for mutual authentication purposes.
On the client side, the server&rsquo;s identity is checked against the <a href=/v1.4/docs/concepts/security/#secure-naming>secure naming</a>
information to see if it is an authorized runner of the service.
On the server side, the server can determine what information the client can access based on the
<a href=/v1.4/docs/concepts/security/#authorization-policy>authorization policies</a>,
audit who accessed what at what time, charge clients based on the services they used,
and reject any clients who failed to pay their bill from accessing the services.</p><p>In the Istio identity model, Istio uses the first-class service identity to determine the identity of a service.
This gives great flexibility and granularity to represent a human user, an individual service, or a group of services.
On platforms that do not have such identity available,
Istio can use other identities that can group service instances, such as service names.</p><p>Istio service identities on different platforms:</p><ul><li><p><strong>Kubernetes</strong>: Kubernetes service account</p></li><li><p><strong>GKE/GCE</strong>: may use GCP service account</p></li><li><p><strong>GCP</strong>: GCP service account</p></li><li><p><strong>AWS</strong>: AWS IAM user/role account</p></li><li><p><strong>On-premises (non-Kubernetes)</strong>: user account, custom service account, service name, Istio service account, or GCP service account.
The custom service account refers to the existing service account just like the identities that the customer&rsquo;s Identity Directory manages.</p></li></ul><h3 id=istio-security-vs-spiffe>Istio security vs SPIFFE</h3><p>The <a href=https://spiffe.io/>SPIFFE</a> standard provides a specification for a framework capable of bootstrapping and issuing identities to services
across heterogeneous environments.</p><p>Istio and SPIFFE share the same identity document: <a href=https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md>SVID</a> (SPIFFE Verifiable Identity Document).
For example, in Kubernetes, the X.509 certificate has the URI field in the format of
<code>spiffe://&lt;domain&gt;/ns/&lt;namespace&gt;/sa/&lt;serviceaccount&gt;</code>.
This enables Istio services to establish and accept connections with other SPIFFE-compliant systems.</p><p>Istio security and <a href=https://spiffe.io/spire/>SPIRE</a>, which is the implementation of SPIFFE, differ in the PKI implementation details.
Istio provides a more comprehensive security solution, including authentication, authorization, and auditing.</p><h2 id=pki>PKI</h2><p>The Istio PKI is built on top of Istio Citadel and securely provisions strong identities to every workload.
Istio uses X.509 certificates to carry the identities in <a href=https://spiffe.io/>SPIFFE</a> format.
The PKI also automates the key &amp; certificate rotation at scale.</p><p>Istio supports services running on both Kubernetes pods and on-premises machines.
Currently we use different certificate key provisioning mechanisms for each scenario.</p><h3 id=kubernetes-scenario>Kubernetes scenario</h3><ol><li><p>Citadel watches the Kubernetes <code>apiserver</code>, creates a SPIFFE certificate and key pair for each of the existing and new service accounts.
Citadel stores the certificate and key pairs as
<a href=https://kubernetes.io/docs/concepts/configuration/secret/>Kubernetes secrets</a>.</p></li><li><p>When you create a pod, Kubernetes mounts the certificate and key pair to the pod according to its service account via
<a href=https://kubernetes.io/docs/concepts/storage/volumes/#secret>Kubernetes secret volume</a>.</p></li><li><p>Citadel watches the lifetime of each certificate, and automatically rotates the certificates by rewriting the Kubernetes secrets.</p></li><li><p>Pilot generates the <a href=/v1.4/docs/concepts/security/#secure-naming>secure naming</a> information,
which defines what service account or accounts can run a certain service.
Pilot then passes the secure naming information to the sidecar Envoy.</p></li></ol><h3 id=on-premises-machines-scenario>On-premises machines scenario</h3><ol><li><p>Citadel creates a gRPC service to take <a href=https://en.wikipedia.org/wiki/Certificate_signing_request>Certificate Signing Requests</a> (CSRs).</p></li><li><p>Node agent generates a private key and CSR, and sends the CSR with its credentials to Citadel for signing.</p></li><li><p>Citadel validates the credentials carried with the CSR, and signs the CSR to generate the certificate.</p></li><li><p>The node agent sends both the certificate received from Citadel and the
private key to Envoy.</p></li><li><p>The above CSR process repeats periodically for certificate and key rotation.</p></li></ol><h3 id=node-agent-in-kubernetes>Node agent in Kubernetes</h3><p>Istio provides the option of using node agent in Kubernetes for certificate and key provisioning, as shown in the figure below.
Note that the identity provisioning flow for on-premises machines will be similar in the near future, we only describe the Kubernetes scenario here.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.25%><a data-skipendnotes=true href=/v1.4/docs/concepts/security/./node_agent.svg title="PKI with node agents in Kubernetes"><img class=element-to-stretch src=/v1.4/docs/concepts/security/./node_agent.svg alt="PKI with node agents in Kubernetes"></a></div><figcaption>PKI with node agents in Kubernetes</figcaption></figure><p>The flow goes as follows:</p><ol><li><p>Citadel creates a gRPC service to take CSR requests.</p></li><li><p>Envoy sends a certificate and key request via Envoy secret discovery service (SDS) API.</p></li><li><p>Upon receiving the SDS request, the node agent creates the private key and CSR before sending the CSR with its credentials to Citadel for signing.</p></li><li><p>Citadel validates the credentials carried in the CSR and signs the CSR to generate the certificate.</p></li><li><p>The node agent sends the certificate received from Citadel and the private key to Envoy via the Envoy SDS API.</p></li><li><p>The above CSR process repeats periodically for certificate and key rotation.</p></li></ol><div><aside class="callout idea"><div class=type><svg class="large-icon"><use xlink:href="/v1.4/img/icons.svg#callout-idea"/></svg></div><div class=content>Use the node agent debug endpoint to view the secrets a node agent is actively serving to its client proxies. Navigate to <code>/debug/sds/workload</code> on the agent&rsquo;s port <code>8080</code> to dump active workload secrets, or <code>/debug/sds/gateway</code> to dump active gateway secrets.</div></aside></div><h2 id=authentication>Authentication</h2><p>Istio provides two types of authentication:</p><ul><li><p><strong>Transport authentication</strong>, also known as <strong>service-to-service authentication</strong>:
verifies the direct client making the connection. Istio offers <a href=https://en.wikipedia.org/wiki/Mutual_authentication>mutual TLS</a>
as a full stack solution for transport authentication. You can
easily turn on this feature without requiring service code changes. This
solution:</p><ul><li>Provides each service with a strong identity representing its role to
enable interoperability across clusters and clouds.</li><li>Secures service-to-service communication and end-user-to-service
communication.</li><li>Provides a key management system to automate key and certificate
generation, distribution, and rotation.</li></ul></li><li><p><strong>Origin authentication</strong>, also known as <strong>end-user authentication</strong>: verifies the
original client making the request as an end-user or device.
Istio enables request-level authentication with JSON Web Token (JWT) validation
and a streamlined developer experience for open source OpenID Connect provider
<a href=https://www.ory.sh>ORY Hydra</a>, <a href=https://www.keycloak.org>Keycloak</a>,
<a href=https://auth0.com/>Auth0</a>,
<a href=https://firebase.google.com/docs/auth/>Firebase Auth</a>,
<a href=https://developers.google.com/identity/protocols/OpenIDConnect>Google Auth</a>, and custom auth.</p></li></ul><p>In both cases, Istio stores the authentication policies in the <code>Istio config store</code> via a custom Kubernetes API.
Pilot keeps them up-to-date for each proxy, along with the keys where appropriate.
Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture
before it becomes effective.</p><h3 id=mutual-tls-authentication>Mutual TLS authentication</h3><p>Istio tunnels service-to-service communication through the client side and server side <a href=https://envoyproxy.github.io/envoy/>Envoy proxies</a>.
For a client to call a server with mutual TLS authentication:</p><ol><li><p>Istio re-routes the outbound traffic from a client to the client&rsquo;s local sidecar Envoy.</p></li><li><p>The client side Envoy starts a mutual TLS handshake with the server side Envoy.
During the handshake, the client side Envoy also does a <a href=/v1.4/docs/concepts/security/#secure-naming>secure naming</a> check to verify that
the service account presented in the server certificate is authorized to run the target service.</p></li><li><p>The client side Envoy and the server side Envoy establish a mutual TLS connection,
and Istio forwards the traffic from the client side Envoy to the server side Envoy.</p></li><li><p>After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.</p></li></ol><h4 id=permissive-mode>Permissive mode</h4><p>Istio mutual TLS has a permissive mode, which allows a service to accept
both plaintext traffic and mutual TLS traffic at the same time. This
feature greatly improves the mutual TLS onboarding experience.</p><p>Many non-Istio clients communicating with a non-Istio server presents a
problem for an operator who wants to migrate that server to Istio with
mutual TLS enabled. Commonly, the operator cannot install an Istio sidecar
for all clients at the same time or does not even have the permissions to
do so on some clients. Even after installing the Istio sidecar on the
server, the operator cannot enable mutual TLS without breaking existing
communications.</p><p>With the permissive mode enabled, the server accepts both plaintext and
mutual TLS traffic. The mode provides great flexibility for the
on-boarding process. The server&rsquo;s installed Istio sidecar takes mutual TLS
traffic immediately without breaking existing plaintext traffic. As a
result, the operator can gradually install and configure the client&rsquo;s
Istio sidecars to send mutual TLS traffic. Once the configuration of the
clients is complete, the operator can configure the server to mutual TLS
only mode. For more information, visit the
<a href=/v1.4/docs/tasks/security/authentication/mtls-migration>Mutual TLS Migration tutorial</a>.</p><h4 id=secure-naming>Secure naming</h4><p>The secure naming information contains <em>N-to-N</em> mappings from the server identities, which are encoded in certificates,
to the service names that are referred by discovery service or DNS.
A mapping from identity <code>A</code> to service name <code>B</code> means &ldquo;<code>A</code> is allowed and authorized to run service <code>B</code>&rdquo;.
Pilot watches the Kubernetes <code>apiserver</code>, generates the secure naming information, and distributes it securely to the sidecar Envoys.
The following example explains why secure naming is critical in authentication.</p><p>Suppose the legitimate servers that run the service <code>datastore</code> only use the <code>infra-team</code> identity.
A malicious user has certificate and key for the <code>test-team</code> identity.
The malicious user intends to impersonate the service to inspect the data sent from the clients.
The malicious user deploys a forged server with the certificate and key for the <code>test-team</code> identity.
Suppose the malicious user successfully hijacked (through DNS spoofing, BGP/route hijacking, ARP
spoofing, etc.) the traffic sent to the <code>datastore</code> and redirected it to the forged server.</p><p>When a client calls the <code>datastore</code> service, it extracts the <code>test-team</code> identity from the server&rsquo;s certificate,
and checks whether <code>test-team</code> is allowed to run <code>datastore</code> with the secure naming information.
The client detects that <code>test-team</code> is <strong>not</strong> allowed to run the <code>datastore</code> service and the authentication fails.</p><p>Secure naming is able to protect against general network hijackings for HTTPS traffic. It can also
protect TCP traffic from general network hijackings except for DNS spoofing. It would fail to work
for TCP traffic if the attacker hijacks the DNS and modifies the IP address of the destination. This
is because TCP traffic does not contain the hostname information and we can only rely on the IP
address for routing. And this DNS hijack can happen even before the client-side Envoy receives the
traffic.</p><h3 id=authentication-architecture>Authentication architecture</h3><p>You can specify authentication requirements for services receiving requests in
an Istio mesh using authentication policies. The mesh operator uses <code>.yaml</code>
files to specify the policies. The policies are saved in the Istio
configuration storage once deployed. Pilot, the Istio controller, watches the
configuration storage. Upon any policy changes, Pilot translates the new policy
to the appropriate configuration telling the Envoy sidecar proxy how to perform
the required authentication mechanisms. Pilot may fetch the public key and
attach it to the configuration for JWT validation. Alternatively, Pilot
provides the path to the keys and certificates the Istio system manages and
installs them to the application pod for mutual TLS. You can find more info in
the <a href=/v1.4/docs/concepts/security/#pki>PKI section</a>.
Istio sends configurations to the targeted endpoints asynchronously. Once the
proxy receives the configuration, the new authentication requirement takes
effect immediately on that pod.</p><p>Client services, those that send requests, are responsible for following
the necessary authentication mechanism. For origin authentication (JWT), the
application is responsible for acquiring and attaching the JWT credential to
the request. For mutual TLS, Istio provides a <a href=/v1.4/docs/concepts/traffic-management/#destination-rules>destination rule</a>.
The operator can use the destination rule to instruct client proxies to make
initial connections using TLS with the certificates expected on the server
side. You can find out more about how mutual TLS works in Istio in
<a href=/v1.4/docs/concepts/security/#mutual-tls-authentication>Mutual TLS authentication</a>.</p><figure style=width:60%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:67.12183354511649%><a data-skipendnotes=true href=/v1.4/docs/concepts/security/./authn.svg title="Authentication Architecture"><img class=element-to-stretch src=/v1.4/docs/concepts/security/./authn.svg alt="Authentication Architecture"></a></div><figcaption>Authentication Architecture</figcaption></figure><p>Istio outputs identities with both types of authentication, as well as other
claims in the credential if applicable, to the next layer:
<a href=/v1.4/docs/concepts/security/#authorization>authorization</a>. Additionally,
operators can specify which identity, either from transport or origin
authentication, should Istio use as the principal&rsquo;.</p><h3 id=authentication-policies>Authentication policies</h3><p>This section provides more details about how Istio authentication policies
work. As you&rsquo;ll remember from the <a href=/v1.4/docs/concepts/security/#authentication-architecture>Architecture section</a>,
authentication policies apply to requests that a service <strong>receives</strong>. To
specify client-side authentication rules in mutual TLS, you need to specify the
<code>TLSSettings</code> in the <code>DestinationRule</code>. You can find more information in our
<a href=/v1.4/docs/reference/config/networking/destination-rule/#TLSSettings>TLS settings reference docs</a>.
Like other Istio configuration, you can specify authentication policies in
<code>.yaml</code> files. You deploy policies using <code>kubectl</code>.</p><p>The following example authentication policy specifies that transport
authentication for the <code>reviews</code> service must use mutual TLS:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;reviews&#34;
spec:
targets:
- name: reviews
peers:
- mtls: {}
</code></pre><h4 id=policy-storage-scope>Policy storage scope</h4><p>Istio can store authentication policies in namespace-scope or mesh-scope
storage:</p><ul><li><p>Mesh-scope policy is specified with a value of <code>MeshPolicy</code> for the <code>kind</code>
field and the name <code>&quot;default&quot;</code>. For example:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;MeshPolicy&#34;
metadata:
name: &#34;default&#34;
spec:
peers:
- mtls: {}
</code></pre></li><li><p>Namespace-scope policy is specified with a value of <code>&quot;Policy&quot;</code> for the <code>kind</code>
field and a specified namespace. If unspecified, the default namespace is
used. For example for namespace <code>ns1</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
kind: &#34;Policy&#34;
metadata:
name: &#34;default&#34;
namespace: &#34;ns1&#34;
spec:
peers:
- mtls: {}
</code></pre></li></ul><p>Policies in the namespace-scope storage can only affect services in the same
namespace. Policies in mesh-scope can affect all services in the mesh. To
prevent conflict and misuse, only one policy can be defined in mesh-scope
storage. That policy must be named <code>default</code> and have an empty
<code>targets:</code> section. You can find more information on our
<a href=/v1.4/docs/concepts/security/#target-selectors>target selectors section</a>.</p><p>Kubernetes currently implements the Istio configuration on Custom Resource
Definitions (CRDs). These CRDs correspond to namespace-scope and
cluster-scope <code>CRDs</code> and automatically inherit access protection via the
Kubernetes RBAC. You can read more on the
<a href=https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions>Kubernetes CRD documentation</a></p><h4 id=target-selectors>Target selectors</h4><p>An authentication policy&rsquo;s targets specify the service or services to which the
policy applies. The following example shows a <code>targets:</code> section specifying
that the policy applies to:</p><ul><li>The <code>product-page</code> service on any port.</li><li>The reviews service on port <code>9000</code>.</li></ul><pre><code class=language-yaml data-expandlinks=true data-repo=istio>targets:
- name: product-page
- name: reviews
ports:
- number: 9000
</code></pre><p>If you don&rsquo;t provide a <code>targets:</code> section, Istio matches the policy to all
services in the storage scope of the policy. Thus, the <code>targets:</code> section can
help you specify the scope of the policies:</p><ul><li><p>Mesh-wide policy: A policy defined in the mesh-scope storage with no target
selector section. There can be at most <strong>one</strong> mesh-wide policy <strong>in the
mesh</strong>.</p></li><li><p>Namespace-wide policy: A policy defined in the namespace-scope storage with
name <code>default</code> and no target selector section. There can be at most <strong>one</strong>
namespace-wide policy <strong>per namespace</strong>.</p></li><li><p>Service-specific policy: a policy defined in the namespace-scope storage,
with non-empty target selector section. A namespace can have <strong>zero, one, or
many</strong> service-specific policies.</p></li></ul><p>For each service, Istio applies the narrowest matching policy. The order is:
<strong>service-specific &gt; namespace-wide &gt; mesh-wide</strong>. If more than one
service-specific policy matches a service, Istio selects one of them at
random. Operators must avoid such conflicts when configuring their policies.</p><p>To enforce uniqueness for mesh-wide and namespace-wide policies, Istio accepts
only one authentication policy per mesh and one authentication policy per
namespace. Istio also requires mesh-wide and namespace-wide policies to have
the specific name <code>default</code>.</p><p>If a service has no matching policies, both transport authentication and
origin authentication are disabled.</p><h4 id=transport-authentication>Transport authentication</h4><p>The <code>peers:</code> section defines the authentication methods and associated
parameters supported for transport authentication in a policy. The section can
list more than one method and only one method must be satisfied for the
authentication to pass. However, as of the Istio 0.7 release, the only
transport authentication method currently supported is mutual TLS.</p><p>The following example shows the <code>peers:</code> section enabling transport
authentication using mutual TLS.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>peers:
- mtls: {}
</code></pre><p>The mutual TLS setting has an optional <code>mode</code> parameter that defines the
strictness of the peer transport authentication. These modes are documented
in the <a href=/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#MutualTls-Mode>Authentication Policy reference document</a>.</p><p>The default mutual TLS mode is <code>STRICT</code>. Therefore, <code>mode: STRICT</code> is equivalent to all of the following:</p><ul><li><code>- mtls: {}</code></li><li><code>- mtls:</code></li><li><code>- mtls: null</code></li></ul><p>When you do not specify a mutual TLS mode, peers cannot use transport
authentication, and Istio rejects mutual TLS connections bound for the sidecar.
At the application layer, services may still handle their own mutual TLS sessions.</p><h4 id=origin-authentication>Origin authentication</h4><p>The <code>origins:</code> section defines authentication methods and associated parameters
supported for origin authentication. Istio only supports JWT origin
authentication. You can specify allowed JWT issuers, and enable or disable JWT authentication for a
specific path. If all JWTs are disabled for a request path, authentication also passes as if there is
none defined.
Similar to peer authentication, only one of the listed methods must be
satisfied for the authentication to pass.</p><p>The following example policy specifies an <code>origins:</code> section for origin authentication that accepts
JWTs issued by Google. JWT authentication for path <code>/health</code> is disabled.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>origins:
- jwt:
issuer: &#34;https://accounts.google.com&#34;
jwksUri: &#34;https://www.googleapis.com/oauth2/v3/certs&#34;
trigger_rules:
- excluded_paths:
- exact: /health
</code></pre><h4 id=principal-binding>Principal binding</h4><p>The principal binding key-value pair defines the principal authentication for a
policy. By default, Istio uses the authentication configured in the <code>peers:</code>
section. If no authentication is configured in the <code>peers:</code> section, Istio
leaves the authentication unset. Policy writers can overwrite this behavior
with the <code>USE_ORIGIN</code> value. This value configures Istio to use the origin&rsquo;s
authentication as the principal authentication instead. In future, we will
support conditional binding, for example: <code>USE_PEER</code> when peer is X, otherwise
<code>USE_ORIGIN</code>.</p><p>The following example shows the <code>principalBinding</code> key with a value of
<code>USE_ORIGIN</code>:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>principalBinding: USE_ORIGIN
</code></pre><h3 id=updating-authentication-policies>Updating authentication policies</h3><p>You can change an authentication policy at any time and Istio pushes the change
to the endpoints almost in real time. However, Istio cannot guarantee that all
endpoints receive a new policy at the same time. The following are
recommendations to avoid disruption when updating your authentication policies:</p><ul><li>To enable or disable mutual TLS: Use a temporary policy with a <code>mode:</code> key
and a <code>PERMISSIVE</code> value. This configures receiving services to accept both
types of traffic: plaintext and TLS. Thus, no request is dropped. Once all
clients switch to the expected protocol, with or without mutual TLS, you can
replace the <code>PERMISSIVE</code> policy with the final policy. For more information,
visit the <a href=/v1.4/docs/tasks/security/authentication/mtls-migration>Mutual TLS Migration tutorial</a>.</li></ul><pre><code class=language-yaml data-expandlinks=true data-repo=istio>peers:
- mtls:
mode: PERMISSIVE
</code></pre><ul><li>For JWT authentication migration: requests should contain new JWT before
changing policy. Once the server side has completely switched to the new
policy, the old JWT, if there is any, can be removed. Client applications
need to be changed for these changes to work.</li></ul><h2 id=authorization>Authorization</h2><p>Istio&rsquo;s authorization feature provides mesh-level, namespace-level, and workload-level
access control on workloads in an Istio Mesh. It provides:</p><ul><li><strong>Workload-to-workload and end-user-to-workload authorization</strong>.</li><li><strong>A Simple API</strong>, it includes a single <a href=/v1.4/docs/reference/config/security/authorization-policy/><code>AuthorizationPolicy</code> CRD</a>, which is easy to use and maintain.</li><li><strong>Flexible semantics</strong>, operators can define custom conditions on Istio attributes.</li><li><strong>High performance</strong>, as Istio authorization is enforced natively on Envoy.</li><li><strong>High compatibility</strong>, supports HTTP, HTTPS and HTTP2 natively, as well as any plain TCP protocols.</li></ul><h3 id=authorization-architecture>Authorization architecture</h3><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:80%><a data-skipendnotes=true href=/v1.4/docs/concepts/security/./authz.svg title="Istio Authorization Architecture"><img class=element-to-stretch src=/v1.4/docs/concepts/security/./authz.svg alt="Istio Authorization"></a></div><figcaption>Istio Authorization Architecture</figcaption></figure><p>The above diagram shows the basic Istio authorization architecture. Operators
specify Istio authorization policies using <code>.yaml</code> files.</p><p>Each Envoy proxy runs an authorization engine that authorizes requests at
runtime. When a request comes to the proxy, the authorization engine evaluates
the request context against the current authorization policies, and returns the
authorization result, <code>ALLOW</code> or <code>DENY</code>.</p><h3 id=implicit-enablement>Implicit enablement</h3><p>There is no need to explicitly enable Istio&rsquo;s authorization feature, you just apply
the <code>AuthorizationPolicy</code> on <strong>workloads</strong> to enforce access control.</p><p>If no <code>AuthorizationPolicy</code> applies to a workload, no access control will be enforced,
In other words, all requests will be allowed.</p><p>If any <code>AuthorizationPolicy</code> applies to a workload, access to that workload is
denied by default, unless explicitly allowed by a rule declared in the policy.</p><p>Currently <code>AuthorizationPolicy</code> only supports <code>ALLOW</code> action. This means that if
multiple authorization policies apply to the same workload, the effect is additive.</p><h3 id=authorization-policy>Authorization policy</h3><p>To configure an Istio authorization policy, you create an
<a href=/v1.4/docs/reference/config/security/authorization-policy/><code>AuthorizationPolicy</code> resource</a>.</p><p>An authorization policy includes a selector and a list of rules. The selector
specifies the <strong>target</strong> that the policy applies to, while the rules specify <strong>who</strong>
is allowed to do <strong>what</strong> under which <strong>conditions</strong>. Specifically:</p><ul><li><strong>target</strong> refers to the <code>selector</code> section in the <code>AuthorizationPolicy</code>.</li><li><strong>who</strong> refers to the <code>from</code> section in the <code>rule</code> of the <code>AuthorizationPolicy</code>.</li><li><strong>what</strong> refers to the <code>to</code> section in the <code>rule</code> of the <code>AuthorizationPolicy</code>.</li><li><strong>conditions</strong> refers to the <code>when</code> section in the <code>rule</code> of the <code>AuthorizationPolicy</code>.</li></ul><p>Each rule has the following standard fields:</p><ul><li><strong><code>from</code></strong>: A list of sources.</li><li><strong><code>to</code></strong>: A list of operations.</li><li><strong><code>when</code></strong>: A list of custom conditions.</li></ul><p>The following example shows an <code>AuthorizationPolicy</code> that allows two sources
(service account <code>cluster.local/ns/default/sa/sleep</code> and namespace <code>dev</code>) to access the
workloads with labels <code>app: httpbin</code> and <code>version: v1</code> in namespace foo when the request
is sent with a valid JWT token.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
- source:
namespaces: [&#34;dev&#34;]
to:
- operation:
methods: [&#34;GET&#34;]
when:
- key: request.auth.claims[iss]
values: [&#34;https://accounts.google.com&#34;]
</code></pre><h4 id=policy-target>Policy Target</h4><p>Policy scope (target) is determined by <code>metadata/namespace</code> and an optional <code>selector</code>.</p><p>The <code>metadata/namespace</code> tells which namespace the policy applies to. If set to the
root namespace, the policy applies to all namespaces in a mesh. The value of
root namespace is configurable, and the default is <code>istio-system</code>. If set to a
normal namespace, the policy will only apply to the specified namespace.</p><p>A workload <code>selector</code> can be used to further restrict where a policy applies.
The <code>selector</code> uses pod labels to select the target workload. The workload
selector contains a list of <code>{key: value}</code> pairs, where the <code>key</code> is the name of the label.
If not set, the authorization policy will be applied to all workloads in the same namespace
as the authorization policy.</p><p>The following example policy <code>allow-read</code> allows <code>&quot;GET&quot;</code> and <code>&quot;HEAD&quot;</code> access to
the workload with label <code>app: products</code> in the <code>default</code> namespace.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-read
namespace: default
spec:
selector:
matchLabels:
app: products
rules:
- to:
- operation:
methods: [&#34;GET&#34;, &#34;HEAD&#34;]
</code></pre><h4 id=value-matching>Value matching</h4><p>Exact match, prefix match, suffix match, and presence match are supported for most
of the field with a few exceptions (e.g., the <code>key</code> field under the <code>when</code> section,
the <code>ipBlocks</code> under the <code>source</code> section and the <code>ports</code> field under the <code>to</code> section only support exact match).</p><ul><li><strong>Exact match</strong>. i.e., exact string match.</li><li><strong>Prefix match</strong>. A string with an ending <code>&quot;*&quot;</code>. For example, <code>&quot;test.abc.*&quot;</code> matches <code>&quot;test.abc.com&quot;</code>, <code>&quot;test.abc.com.cn&quot;</code>, <code>&quot;test.abc.org&quot;</code>, etc.</li><li><strong>Suffix match</strong>. A string with a starting <code>&quot;*&quot;</code>. For example, <code>&quot;*.abc.com&quot;</code> matches <code>&quot;eng.abc.com&quot;</code>, <code>&quot;test.eng.abc.com&quot;</code>, etc.</li><li><strong>Presence match</strong>. <code>*</code> is used to specify anything but not empty. You can specify a field must be present using the format <code>fieldname: [&quot;*&quot;]</code>.
This means that the field can match any value, but it cannot be empty. Note that it is different from leaving a field unspecified, which means anything including empty.</li></ul><p>The following example policy allows access at paths with prefix <code>&quot;/test/&quot;</code> or suffix <code>&quot;/info&quot;</code>.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: tester
namespace: default
spec:
selector:
matchLabels:
app: products
rules:
- to:
- operation:
paths: [&#34;/test/*&#34;, &#34;*/info&#34;]
</code></pre><h4 id=allow-all-and-deny-all>Allow-all and deny-all</h4><p>The example below shows a simple policy <code>allow-all</code> which allows full access to all
workloads in the <code>default</code> namespace.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: allow-all
namespace: default
spec:
rules:
- {}
</code></pre><p>The example below shows a simple policy <code>deny-all</code> which denies access to all workloads
in the <code>admin</code> namespace.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: admin
spec:
{}
</code></pre><h4 id=custom-conditions>Custom conditions</h4><p>You can also use the <code>when</code> section to specify additional conditions. For example, the following
<code>AuthorizationPolicy</code> definition includes a condition that <code>request.headers[version]</code> is either <code>&quot;v1&quot;</code> or <code>&quot;v2&quot;</code>.
In this case, the key is <code>request.headers[version]</code>, which is an entry in the Istio attribute <code>request.headers</code>,
which is a map.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
to:
- operation:
methods: [&#34;GET&#34;]
when:
- key: request.headers[version]
values: [&#34;v1&#34;, &#34;v2&#34;]
</code></pre><p>The supported <code>key</code> values of a condition are listed in the
<a href=/v1.4/docs/reference/config/security/conditions/>conditions page</a>.</p><h4 id=authenticated-and-unauthenticated-identity>Authenticated and unauthenticated identity</h4><p>If you want to make a workload publicly accessible, you need to leave the
<code>source</code> section empty. This allows sources from <strong>all (both authenticated and
unauthenticated)</strong> users and workloads, for example:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- to:
- operation:
methods: [&#34;GET&#34;, &#34;POST&#34;]
</code></pre><p>To allow only <strong>authenticated</strong> users, set <code>principal</code> to <code>&quot;*&quot;</code> instead, for example:</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
version: v1
rules:
- from:
- source:
principals: [&#34;*&#34;]
to:
- operation:
methods: [&#34;GET&#34;, &#34;POST&#34;]
</code></pre><h3 id=using-istio-authorization-on-plain-tcp-protocols>Using Istio authorization on plain TCP protocols</h3><p>Istio authorization supports workloads using any plain TCP protocols, such as MongoDB. In this case,
you configure the authorization policy in the same way you did for the HTTP workloads.
The difference is that certain fields and conditions are only applicable to HTTP workloads.
These fields include:</p><ul><li>The <code>request_principals</code> field in the source section of the authorization policy object</li><li>The <code>hosts</code>, <code>methods</code> and <code>paths</code> fields in the operation section of the authorization policy object</li></ul><p>The supported conditions are listed in the <a href=/v1.4/docs/reference/config/security/conditions/>conditions page</a>.</p><p>If you use any HTTP only fields for a TCP workload, Istio will ignore HTTP only fields in the
authorization policy.</p><p>Assuming you have a MongoDB service on port 27017, the following example configures an authorization
policy to only allow the <code>bookinfo-ratings-v2</code> service in the Istio mesh to access the MongoDB workload.</p><pre><code class=language-yaml data-expandlinks=true data-repo=istio>apiVersion: &#34;security.istio.io/v1beta1&#34;
kind: AuthorizationPolicy
metadata:
name: mongodb-policy
namespace: default
spec:
selector:
matchLabels:
app: mongodb
rules:
- from:
- source:
principals: [&#34;cluster.local/ns/default/sa/bookinfo-ratings-v2&#34;]
to:
- operation:
ports: [&#34;27017&#34;]
</code></pre><h3 id=dependency-on-mutual-tls>Dependency on mutual TLS</h3><p>Istio uses mutual TLS to securely pass some information from the client to the
server. Mutual TLS must be enabled before using any of the following fields in
the authorization policy:</p><ul><li>the <code>principals</code> field under the <code>source</code> section</li><li>the <code>namespaces</code> field under the <code>source</code> section</li><li>the <code>source.principal</code> custom condition</li><li>the <code>source.namespace</code> custom condition</li><li>the <code>connection.sni</code> custom condition</li></ul><p>Mutual TLS is not required if you don&rsquo;t use any of the above fields in the
authorization policy.</p><h3 id=using-other-authorization-mechanisms>Using other authorization mechanisms</h3><p>While we strongly recommend using the Istio authorization mechanisms,
Istio is flexible enough to allow you to plug in your own authentication and authorization mechanisms via the Mixer component.
To use and configure plugins in Mixer, visit our <a href=/v1.4/docs/reference/config/policy-and-telemetry/adapters>policies and telemetry adapters docs</a>.</p><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/tasks/security/authorization/authz-td-migration/>Authorization Policy Trust Domain Migration</a></p><p class=desc>Shows how to migrate from one trust domain to another without changing authorization policy.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/tasks/security/authorization/authz-http/>Authorization for HTTP traffic</a></p><p class=desc>Shows how to set up role-based access control for HTTP traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/docs/tasks/security/authorization/authz-tcp/>Authorization for TCP traffic</a></p><p class=desc>Shows how to set up access control for TCP traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio&#39;s authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/v1beta1-authorization-policy/>Introducing the Istio v1beta1 Authorization Policy</a></p><p class=desc>Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.4/blog/2019/app-identity-and-access-adapter/>App Identity and Access Adapter</a></p><p class=desc>Using Istio to secure multi-cloud Kubernetes applications with zero code changes.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Describes the various Istio features focused on traffic routing and control." href=/v1.4/docs/concepts/traffic-management/><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#left-arrow"/></svg>Traffic Management</a></div><div class=right><a title="Describes Istio's policy management functionality." href=/v1.4/docs/concepts/policies/>Policies<svg class="icon"><use xlink:href="/v1.4/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=feedback><div id=feedback-initial>Was this information useful?<br><button class="btn feedback" onclick="sendFeedback('en',1)">Yes</button>
<button class="btn feedback" onclick="sendFeedback('en',0)">No</button></div><div id=feedback-comment>Do you have any suggestions for improvement?<br><br><input id=feedback-textbox type=text placeholder="Help us improve..." data-lang=en></div><div id=feedback-thankyou>Thanks for your feedback!</div></div><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="High-level architecture"><a href=#high-level-architecture>High-level architecture</a><li role=none aria-label="Istio identity"><a href=#istio-identity>Istio identity</a><ol><li role=none aria-label="Istio security vs SPIFFE"><a href=#istio-security-vs-spiffe>Istio security vs SPIFFE</a></ol></li><li role=none aria-label=PKI><a href=#pki>PKI</a><ol><li role=none aria-label="Kubernetes scenario"><a href=#kubernetes-scenario>Kubernetes scenario</a><li role=none aria-label="On-premises machines scenario"><a href=#on-premises-machines-scenario>On-premises machines scenario</a><li role=none aria-label="Node agent in Kubernetes"><a href=#node-agent-in-kubernetes>Node agent in Kubernetes</a></ol></li><li role=none aria-label=Authentication><a href=#authentication>Authentication</a><ol><li role=none aria-label="Mutual TLS authentication"><a href=#mutual-tls-authentication>Mutual TLS authentication</a><ol><li role=none aria-label="Permissive mode"><a href=#permissive-mode>Permissive mode</a><li role=none aria-label="Secure naming"><a href=#secure-naming>Secure naming</a></ol></li><li role=none aria-label="Authentication architecture"><a href=#authentication-architecture>Authentication architecture</a><li role=none aria-label="Authentication policies"><a href=#authentication-policies>Authentication policies</a><ol><li role=none aria-label="Policy storage scope"><a href=#policy-storage-scope>Policy storage scope</a><li role=none aria-label="Target selectors"><a href=#target-selectors>Target selectors</a><li role=none aria-label="Transport authentication"><a href=#transport-authentication>Transport authentication</a><li role=none aria-label="Origin authentication"><a href=#origin-authentication>Origin authentication</a><li role=none aria-label="Principal binding"><a href=#principal-binding>Principal binding</a></ol></li><li role=none aria-label="Updating authentication policies"><a href=#updating-authentication-policies>Updating authentication policies</a></ol></li><li role=none aria-label=Authorization><a href=#authorization>Authorization</a><ol><li role=none aria-label="Authorization architecture"><a href=#authorization-architecture>Authorization architecture</a><li role=none aria-label="Implicit enablement"><a href=#implicit-enablement>Implicit enablement</a><li role=none aria-label="Authorization policy"><a href=#authorization-policy>Authorization policy</a><ol><li role=none aria-label="Policy Target"><a href=#policy-target>Policy Target</a><li role=none aria-label="Value matching"><a href=#value-matching>Value matching</a><li role=none aria-label="Allow-all and deny-all"><a href=#allow-all-and-deny-all>Allow-all and deny-all</a><li role=none aria-label="Custom conditions"><a href=#custom-conditions>Custom conditions</a><li role=none aria-label="Authenticated and unauthenticated identity"><a href=#authenticated-and-unauthenticated-identity>Authenticated and unauthenticated identity</a></ol></li><li role=none aria-label="Using Istio authorization on plain TCP protocols"><a href=#using-istio-authorization-on-plain-tcp-protocols>Using Istio authorization on plain TCP protocols</a><li role=none aria-label="Dependency on mutual TLS"><a href=#dependency-on-mutual-tls>Dependency on mutual TLS</a><li role=none aria-label="Using other authorization mechanisms"><a href=#using-other-authorization-mechanisms>Using other authorization mechanisms</a></ol></li><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.4.6 now" href=/v1.4/docs/setup/getting-started/#download aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.4.6<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on March 5, 2020</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.4/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink