Security¶
Policy¶
Authentication policy¶
Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).
Policy to enable mTLS for all services in namespace frod.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: default
namespace: frod
spec:
peers:
- mtls:
Policy to disable mTLS for “productpage” service
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
name: productpage-mTLS-disable
namespace: frod
spec:
targets:
- name: productpage
Authorization¶
Istio Authorization Policy enables access control on workloads in the mesh.
Authorization policy supports both allow and deny policies. When allow and deny policies are used for a workload at the same time, the deny policies are evaluated first. The evaluation is determined by the following rules:
- If there are any DENY policies that match the request, deny the request.
- If there are no ALLOW policies for the workload, allow the request.
- If any of the ALLOW policies match the request, allow the request.
- Deny the request.
example that sets action to “DENY” to create a deny policy. It denies requests from the “dev” namespace to the “POST” method on all workloads in the “foo” namespace.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: httpbin
namespace: foo
spec:
action: DENY
rules:
- from:
- source:
namespaces: ["dev"]
to:
- operation:
methods: ["POST"]