From c23ef54fa4c0fc2f567d79b027ebd70fc53f5d35 Mon Sep 17 00:00:00 2001 From: Neal Timpe Date: Thu, 14 Jan 2021 14:14:33 -0500 Subject: [PATCH] rbac --- modules/ossm-security-auth-policy.adoc | 181 +++++++++++++++++++++++++ service_mesh/v2x/ossm-security.adoc | 2 + 2 files changed, 183 insertions(+) create mode 100644 modules/ossm-security-auth-policy.adoc diff --git a/modules/ossm-security-auth-policy.adoc b/modules/ossm-security-auth-policy.adoc new file mode 100644 index 0000000000..db5828dc75 --- /dev/null +++ b/modules/ossm-security-auth-policy.adoc @@ -0,0 +1,181 @@ +//// +Module included in the following assemblies: +-service_mesh/v2x/ossm-security.adoc +//// + +[id="ossm-vs-istio_{context}"] += Configuring Role Based Access Control (RBAC) + +Role-based access control (RBAC) objects determine whether a user or service is allowed to perform a given action within a project. You can define mesh-, namespace-, and workload-wide access control for your workloads in the mesh. + +To configure RBAC, create an `AuthorizationPolicy` resource in the namespace for which you are configuring access. If you are configuring mesh-wide access, use `istio-system`. + +For example, with RBAC, you can create policies that: + +* Configure intra-project communication. +* Allow or deny full access to all workloads in the default namespace. +* Allow or deny ingress gateway access. +* Require a token for access. + +An authorization policy includes a selector, an action, and a list of rules: + +* The `selector` field specifies the target of the policy. +* The `action` field specifies whether to allow or deny the request. +* The `rules` field specifies when to trigger the action. +** The `from` field specifies constraints on the request origin. +** The `to` field specifies constraints on request target and parameters. +** The `when` field specifies additional conditions that to apply the rule. + +.Procedure + +. Create your `AuthorizationPolicy` resource. The following example shows a resource that updates the ingress-policy `AuthorizationPolicy` to deny an IP address from accessing the ingress gateway. ++ +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: ingress-policy + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + action: DENY + rules: + - from: + - source: + ipBlocks: ["1.2.3.4"] +---- ++ +. Run the following command after you write your resource to create your resource in your namespace. The namespace must match your `metadata.namespace` field in your `AuthorizationPolicy` resource. ++ +[source,terminal] +---- +$ oc create -n istio-system -f +---- + +.Next steps + +Consider the following examples for other common configurations. + +== Configure intra-project communication + +You can use `AuthorizationPolicy` to configure your control plane to allow or deny the traffic communicating with your mesh or services in your mesh. + +=== Restrict access to services outside a namespace + +You can deny requests from any source that is not in the `bookinfo` namespace with the following `AuthorizationPolicy` resource example. + +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: httpbin-deny + namespace: bookinfo +spec: + selector: + matchLabels: + app: httpbin + version: v1 + action: DENY + rules: + - from: + - source: + notNamespaces: ["bookinfo"] +---- + +=== Creating allow-all and default deny-all authorization policies + +The following example shows an allow-all authorization policy that allows full access to all workloads in the `bookinfo` namespace. + +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: allow-all + namespace: bookinfo +spec: + action: ALLOW + rules: + - {} +---- + +The following example shows a policy that denies any access to all workloads in the `bookinfo` namespace. + +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: deny-all + namespace: bookinfo +spec: + {} +---- + +== Allow or deny access to the ingress gateway + +You can set an authorization policy to add allow or deny lists based on IP addresses. + +[source,yaml] +---- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: ingress-policy + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + action: ALLOW + rules: + - from: + - source: + ipBlocks: ["1.2.3.4", "5.6.7.0/24"] +---- + +== Restrict access with JSON Web Token + +You can restrict what can access your mesh with a JSON Web Token (JWT). After authentication, a user or service can access routes, services that are associated with that token. + +Create a `RequestAuthentication` resource, which defines the authentication methods that are supported by a workload. The following example accepts a JWT issued by `http://localhost:8080/auth/realms/master`. + +[source,yaml] +---- +apiVersion: "security.istio.io/v1beta1" +kind: "RequestAuthentication" +metadata: + name: "jwt-example" + namespace: bookinfo +spec: + selector: + matchLabels: + app: httpbin + jwtRules: + - issuer: "http://localhost:8080/auth/realms/master" + jwksUri: "http://keycloak.default.svc:8080/auth/realms/master/protocol/openid-connect/certs" +---- + +Then, create an `AuthorizationPolicy` resource in the same namespace to work with `RequestAuthentication` resource you created. The following example requires a JWT to be present in the `Authorization` header when sending a request to `httpbin` workloads. + +[source,yaml] +---- +apiVersion: "security.istio.io/v1beta1" +kind: "AuthorizationPolicy" +metadata: + name: "frontend-ingress" + namespace: bookinfo +spec: + selector: + matchLabels: + app: httpbin + action: DENY + rules: + - from: + - source: + notRequestPrincipals: ["*"] +---- diff --git a/service_mesh/v2x/ossm-security.adoc b/service_mesh/v2x/ossm-security.adoc index 4d5d74484e..e7d13bb987 100644 --- a/service_mesh/v2x/ossm-security.adoc +++ b/service_mesh/v2x/ossm-security.adoc @@ -20,6 +20,8 @@ If you don't have a project, install the xref:../../service_mesh/v2x/prepare-to- include::modules/ossm-security-mtls.adoc[leveloffset=+1] +include::modules/ossm-security-auth-policy.adoc[leveloffset=+1] + include::modules/ossm-security-cipher.adoc[leveloffset=+1] include::modules/ossm-security-cert-manage.adoc[leveloffset=+1]