update istio envoy tutorial to use AuthorizationPolicy
Signed-off-by: tjons <[email protected]>
tjons committed Nov 30, 2023
1 parent 7a32e8f commit f33aa68
Showing 1 changed file with 32 additions and 11 deletions.
43 changes: 32 additions & 11 deletions docs/content/envoy-tutorial-istio.md
Expand Up @@ -5,22 +5,23 @@ weight: 11
---

[Istio](https://istio.io/latest/) is an open source service mesh for managing the different microservices that make
up a cloud-native application. Istio provides a mechanism to customize the Envoy configuration generated by Istio Pilot
using [EnvoyFilter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/).
up a cloud-native application. Istio provides a mechanism to use a service as an external authorizer with the
[AuthorizationPolicy API](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/).

This tutorial shows how Istio's EnvoyFilter can be configured to include Envoy's [External Authorization
filter](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter.html) to delegate
authorization decisions to OPA.
This tutorial shows how Istio's AuthorizationPolicy can be configured to delegate authorization decisions to OPA.

## Prerequisites

This tutorial requires Kubernetes 1.20 or later. To run the tutorial locally ensure you start a cluster with Kubernetes
version 1.20+, we recommend using [minikube](https://kubernetes.io/docs/getting-started-guides/minikube) or
[KIND](https://kind.sigs.k8s.io/).

The tutorial also requires Istio v1.8.0 or later. It assumes you have Istio deployed on top of Kubernetes.
The tutorial also requires Istio v1.19.0 or later. It assumes you have Istio deployed on top of Kubernetes.
See Istio's [Quick Start](https://istio.io/docs/setup/kubernetes/install/kubernetes/) page to get started.

If you are using an earlier version of Istio (1.9+), you will have to customize the `AuthorizationPolicy` in the
`quick_start.yaml` file to use the `security.istio.io/v1beta1` API version instead of `security.istio.io/v1`.

## Steps

### 1. Install OPA-Envoy
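Review bot: the compatibility sentence added at the end of the Prerequisites ("If you are using an earlier version of Istio (1.9+) ...") sits two paragraphs below the new requirement for Istio v1.19.0 or later, and "(1.9+)" gives the lower bound of the range but not the upper one, so the two statements read as contradictory. Spell the range out and name the field being changed, for example: "If you are running an Istio release older than 1.19, change the `apiVersion` of the `AuthorizationPolicy` in `quick_start.yaml` from `security.istio.io/v1` to `security.istio.io/v1beta1`", with the oldest release the tutorial supports stated explicitly if 1.9 is what is meant.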
Expand All @@ -31,7 +32,9 @@ kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/opa-envoy-p

The `quick_start.yaml` manifest defines the following resources:

* External Authorization Filter to direct authorization checks to the OPA-Envoy sidecar. See `kubectl -n istio-system get envoyfilter ext-authz` for details.
* AuthorizationPolicy to direct authorization checks to the OPA-Envoy sidecar. See `kubectl -n {$NAMESPACE} get authorizationpolicy ext-authz` for details.

* ServiceEntry to allow Istio to find the OPA-Envoy sidecars. See `kubectl -n {$NAMESPACE} get serviceentry opa-ext-authz-grpc-local` for details.

* Kubernetes namespace (`opa-istio`) for OPA-Envoy control plane components.

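Review bot: the new AuthorizationPolicy bullet copies the `{$NAMESPACE}` placeholder from the ServiceEntry bullet below it; as a shell expansion that form produces a literal `{` followed by the variable's value, so it should read `${NAMESPACE}` (or a fixed namespace) in both bullets. The bullet it replaces told the reader where the resource lived (`-n istio-system`); since both the policy and the ServiceEntry come out of `quick_start.yaml`, the namespace the manifest puts them in is known and could be named here instead of being left to the reader.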
Expand Down Expand Up @@ -128,14 +131,32 @@ The `quick_start.yaml` manifest defines the following resources:
> API](https://www.openpolicyagent.org/docs/latest/bundles/). ConfigMaps are
> used in this tutorial for test purposes.
### 2. Enable automatic injection of the Istio Proxy and OPA-Envoy sidecars in the namespace where the app will be deployed, e.g., `default`
### 2. Configure the mesh to define the external authorizer
Edit the mesh configmap with `kubectl edit configmap -n istio-system istio` and define the external provider:
```yaml
data:
mesh: |-
# Add the following lines to define the ServiceEntry previously created as an external authorizer:
extensionProviders:
- name: opa-ext-authz-grpc
envoyExtAuthzGrpc:
service: opa-ext-authz-grpc.local
port: "9191"
```

See [the Istio Docs for AuthorizationPolicy](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/#define-the-external-authorizer) for
more details.

### 3. Enable automatic injection of the Istio Proxy and OPA-Envoy sidecars in the namespace where the app will be deployed, e.g., `default`

```bash
kubectl label namespace default opa-istio-injection="enabled"
kubectl label namespace default istio-injection="enabled"
```

### 3. Deploy the BookInfo application and make it accessible outside the cluster
### 4. Deploy the BookInfo application and make it accessible outside the cluster

```bash
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
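Review bot: the step-2 mesh-config snippet defines an extension provider named `opa-ext-authz-grpc`, but nothing on the page says this name must equal the provider the `AuthorizationPolicy` in `quick_start.yaml` refers to; a reader who changes one and not the other ends up with a policy that points at a provider the mesh does not know, so add a sentence making that coupling explicit, and consider noting that step 1 applies the policy before step 2 defines its provider (defining the provider first avoids that window). Two smaller points in the same snippet: the comment says it "define[s] the ServiceEntry previously created", whereas it defines a provider whose `service` field (`opa-ext-authz-grpc.local`) is meant to resolve to that ServiceEntry's host, so reword it; and the YAML under `mesh: |-` appears flattened here (`extensionProviders:` belongs inside the `mesh` string, with `envoyExtAuthzGrpc:` and its `service:`/`port:` nested under the list item), which matters because `kubectl edit` will save whatever indentation the reader types.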
Expand All @@ -145,7 +166,7 @@ kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bo
kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml
```

### 4. Set the `SERVICE_HOST` environment variable in your shell to the public IP/port of the Istio Ingress gateway
### 5. Set the `SERVICE_HOST` environment variable in your shell to the public IP/port of the Istio Ingress gateway

Run this command in a new terminal window to start a Minikube tunnel that sends traffic to your Istio Ingress Gateway:

Expand All @@ -171,7 +192,7 @@ export SERVICE_HOST=$(kubectl -n istio-system get service istio-ingressgateway -
For other platforms see the [Istio documentation on determining ingress IP and ports.](https://istio.io/docs/tasks/traffic-management/ingress/#determining-the-ingress-ip-and-ports)


### 5. Exercise the OPA policy
### 6. Exercise the OPA policy

Check that **alice** can access `/productpage` **BUT NOT** `/api/v1/products`.

