Let’s take it over where we left in the previous article, We have familiarized with the MeshPolicy and Policy concepts in the Istio world. The system reached the inter-services security standards by implementing mutual TLS. However, There were limitations to the setup where such as Authorization aspect but fortunately Istio comes with a baked in AuthorizationPolicy .

AuthorizationPolicy

To set the record straight Authentication answers to the Who can access questions and Authorization answers to the What can you do once you gain access, So in general authorization brings along a set of permissions and actions. In our context, We will enforce access rules through Istio policy and make sure that only specific services can perform specific actions.

Authorization Policy Overview

A couple of facts around authorization in Istio

  • Authorization policy supports both allow and deny policies.
  • The deny policies are evaluated first.
  • The scope is determined by “metadata/namespace” and to further restrict “selector” can be used.
  • Authorization policy is decoupled from the authentication mechanism.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: rev-authz
  namespace: default  #Apply to default namespace
spec:
  selector:
    matchLabels:
      app: reviews
  rules:  # [default] If no rules then deny all
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]  #Allow req from this service account 
    to:
    - operation:
        methods: ["GET"]  #Allow Get

Architecture Refinement

Application Architeciture

Although mTLS is configured and the connection between the details and the reviews is secured, the service is not able/allowed to send requests over because of the AuthorizationPolicy.