I'm testing the Istio AuthorizationPolicy. Specifically, I aim to restrict access so that pods in the producer namespace can only access specific API paths exposed by services in the consumer namespace, based on their service accounts.

NB: we're already using Kong Ingress with some plugins like rate limits.
A sample of the current setup:

Namespaces:

- producer: contains pods curl-pod-1 (using service account group1) and curl-pod-2 (using service account group2).
- consumer: hosts the kong ingress gateway with defined API paths /api/group1 and /api/group2.
Pods in producer namespace:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: curl-pod-1
  namespace: producer
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  containers:
    - name: curl
      image: curlimages/curl:latest
      command: ["sleep", "infinity"]
  serviceAccountName: group1
---
apiVersion: v1
kind: Pod
metadata:
  name: curl-pod-2
  namespace: producer
  annotations:
    sidecar.istio.io/inject: "true"
spec:
  containers:
    - name: curl
      image: curlimages/curl:latest
      command: ["sleep", "infinity"]
  serviceAccountName: group2
```
Kong Ingress in consumer namespace:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-group1
  namespace: consumer
  annotations:
    # Kong reads its plugin list from the konghq.com/plugins annotation
    konghq.com/plugins: rate-limit-api-group1
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /api/group1
            pathType: Prefix
            backend:
              service:
                name: proxy-service
                port:
                  number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-group2
  namespace: consumer
  annotations:
    konghq.com/plugins: rate-limit-api-group2
spec:
  ingressClassName: kong
  rules:
    - http:
        paths:
          - path: /api/group2
            pathType: Prefix
            backend:
              service:
                name: proxy-service
                port:
                  number: 80
```
Objective:

I want to enforce that:

- curl-pod-1 (service account group1) can only access /api/group1/*.
- curl-pod-2 (service account group2) can only access /api/group2/*.
Authorization Policies Applied:

In the kong namespace, I applied the following policies:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-group1-access-apigroup1
  namespace: kong
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/producer/sa/group1"]
      to:
        - operation:
            paths: ["/api/group1/*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-group2-access-apigroup2
  namespace: kong
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/producer/sa/group2"]
      to:
        - operation:
            paths: ["/api/group2/*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: default-deny
  namespace: kong
spec:
  action: DENY
  rules:
    - {}
```
Mutual TLS Configuration:

Additionally, I've enforced mTLS in both the kong and producer namespaces:
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: kong
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: producer
spec:
  mtls:
    mode: STRICT
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: kong-mtls
  namespace: kong
spec:
  host: kong-gateway-proxy.kong.svc.cluster.local
  trafficPolicy:
    tls:
      mode: DISABLE
```
Issue Encountered:

Despite these configurations, from within curl-pod-1 I'm able to access both `curl :80/api/group1/test` and `curl :80/api/group2/test`, which contradicts the intended restrictions.
I'm seeking guidance on:

- Potential misconfigurations or overlooked aspects in my current setup that might cause the AuthorizationPolicy to not enforce the desired restrictions.
- Best practices for implementing such inter-namespace access controls using Istio.
- Any debugging steps or tools that could help identify the root cause of this issue.
Any insights or recommendations would be greatly appreciated. Thank you.
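The following is an added illustration and not code from the question or from Istio itself. It encodes the question's three AuthorizationPolicy objects as plain dicts and applies the evaluation order Istio documents for a workload's policies: any matching DENY policy denies; if the workload has no ALLOW policies the request is allowed; otherwise some ALLOW policy must match or the request is denied. An empty rule (`- {}`) matches every request, and `source.principals` is populated only from the peer certificate of an mTLS connection, so a plaintext request carries an empty principal. The function and constant names (`evaluate`, `Request`, `GROUP1`) are my own, and the model assumes the policies are actually being enforced by the Envoy proxy in front of the workload receiving the request; the script says nothing about whether that is the case in the poster's cluster.

```python
"""Toy model of Istio AuthorizationPolicy evaluation (added example)."""
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    principal: str = ""   # "" models a plaintext request with no peer certificate
    method: str = "GET"


# The three policies from the question, transcribed from YAML into dicts.
POLICIES = [
    {
        "name": "allow-group1-access-apigroup1",
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/producer/sa/group1"]}}],
            "to": [{"operation": {"paths": ["/api/group1/*"]}}],
        }],
    },
    {
        "name": "allow-group2-access-apigroup2",
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": ["cluster.local/ns/producer/sa/group2"]}}],
            "to": [{"operation": {"paths": ["/api/group2/*"]}}],
        }],
    },
    {"name": "default-deny", "action": "DENY", "rules": [{}]},
]

GROUP1 = "cluster.local/ns/producer/sa/group1"


def match(pattern: str, value: str) -> bool:
    """Istio string matching: exact, prefix ('abc*'), suffix ('*abc') or presence ('*')."""
    if pattern == "*":
        return value != ""
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def source_matches(source: dict, req: Request) -> bool:
    """A plaintext request has an empty principal, so a principals list never matches it."""
    principals = source.get("principals")
    return not principals or any(match(p, req.principal) for p in principals)


def operation_matches(op: dict, req: Request) -> bool:
    for key, value in (("paths", req.path), ("methods", req.method)):
        patterns = op.get(key)
        if patterns and not any(match(p, value) for p in patterns):
            return False
    return True


def rule_matches(rule: dict, req: Request) -> bool:
    """Every clause present in the rule must match; the empty rule {} matches everything."""
    if "from" in rule and not any(source_matches(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(operation_matches(t["operation"], req) for t in rule["to"]):
        return False
    return True


def evaluate(policies, req: Request):
    """Return (verdict, reason) using Istio's DENY-before-ALLOW ordering."""
    for p in policies:
        if p["action"] == "DENY" and any(rule_matches(r, req) for r in p["rules"]):
            return "DENY", f"matched DENY policy {p['name']}"
    allow = [p for p in policies if p["action"] == "ALLOW"]
    if not allow:
        return "ALLOW", "no ALLOW policies apply to the workload"
    for p in allow:
        if any(rule_matches(r, req) for r in p["rules"]):
            return "ALLOW", f"matched ALLOW policy {p['name']}"
    return "DENY", "no ALLOW policy matched"


if __name__ == "__main__":
    allow_only = [p for p in POLICIES if p["action"] == "ALLOW"]
    cases = [
        ("all three policies, group1 -> /api/group1/test", POLICIES, Request("/api/group1/test", GROUP1)),
        ("ALLOW policies only, group1 -> /api/group1/test", allow_only, Request("/api/group1/test", GROUP1)),
        ("ALLOW policies only, group1 -> /api/group2/test", allow_only, Request("/api/group2/test", GROUP1)),
        ("ALLOW policies only, plaintext -> /api/group1/test", allow_only, Request("/api/group1/test")),
    ]
    for label, pols, req in cases:
        print(f"{label}: {evaluate(pols, req)}")
```

Running it shows two properties worth checking in a real cluster: with all three policies in place, the `- {}` DENY rule matches first and every request is denied, so a request that succeeds means these policies are not being evaluated on the proxy that handles it; and with only the ALLOW policies in place, a request whose principal is empty is denied as well, which is what a plaintext hop (for example one created by a DestinationRule with `tls.mode: DISABLE`) looks like to the policy engine.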
Published by: admin. Please cite the source when reposting: http://www.yc00.com/questions/1744272140a4566152.html