-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move Istio from EnvoyFilter to AuthorizationPolicy #5911
Move Istio from EnvoyFilter to AuthorizationPolicy #5911
Comments
@howardjohn thanks so much for opening this issue and offering to help. Would you be able to swap out the EnvoyFilter from this example manifest and submit a PR? Also we'd need to verify the steps documented in this tutorial still work after the update. Please let us know if you need any help. |
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue. |
@ashutosh-narkar I can take this over... I work a lot with istio and am familiar with the changes required here. Would be nice to get these docs updated so folks are using latest APIs |
Sounds good. Thanks @tjons! |
@ashutosh-narkar this will require a bit of a rewrite of the tutorial to move to using @howardjohn can you confirm my understanding is correct? If we want to use an |
That seems like quite a deviation from how OPA — or any authorization service in a zero trust environment — normally operates. Maybe I'm reading this wrong, but is the suggestion here to go from OPA making authorization decisions for each service to OPA being used as a form of centalized gateway authorizer? |
No, you can do either approach. The API need not determine the deployment pattern. This issue is about moving from an unstable API to a stable one. There should be no architectural changes. You just need to make the service point to 127.0.0.1 |
Thanks @howardjohn, that's reassuring. I probably misread, or misunderstood @tjons then. |
Just to clarify we can still deploy OPA as sidecar next to each service if we use |
@howardjohn Are you suggesting that the service registered in the meshconfig point to 127.0.0.1 and we use that to route traffic to the injected OPA sidecar in each pod that's selected by the authorizationpolicy? this tutorial is based around injecting the opa-envoy-plugin as a sidecar to each istio-injected service. I think it probably makes sense to have another accompanying tutorial that shows using OPA as a cluster-wide authorizer with a single deployment too, but that can be another issue. |
Exactly. The final output architecture/config should be the same, just using a supported API (AuthorizationPolicy) instead of an unstable one (EnvoyFilter) |
cool, thanks for your input @howardjohn. @ashutosh-narkar @anderseknert I'll make and push the changes today. |
Currently OPAs Istio docs are using EnvoyFilter which is fragile/alpha/not recommended where possible. Authorization Policy has first class support for ext_authz now: https://istio.io/latest/docs/tasks/security/authorization/authz-custom/.
The different between the two seems to be usage of google_grpc in the EnvoyFilter:
However, I think this is just a misconfiguration of Istio likely, missing the declaration of the service as HTTP. See https://istio.io/latest/docs/tasks/security/authorization/authz-custom/#deploy-the-external-authorizer.
I think it would be great to move this over, and we (Istio team; I am a maintainer) are happy to help.
The text was updated successfully, but these errors were encountered: