I’m having difficulty with authorization policies, and can’t seem to achieve what I want. I’m looking to use an authorization policy(s) to deny access to anyone and anything (e.g., external requests, internal service requests) for one path on a service unless a specific jwt claim is present. So permit requests to app/service on all paths for all methods except one, but on the one path only permit if jwt claim is present. I’ve tried many combinations but I cannot seem to get it to work, only in pieces. Do I need multiple policies (i.e., one to allow all and another to deny one path when ‘notValues’). This is what I thought would work but it does not. Here I’ve got a policy to ALLOW everything for namespace but then a DENY for one path on one service unless (i.e., notValues) the oid claim is all zeros. I know the ‘when’ clause works as I can get it to work in other contexts but not this one. Any ideas - thanks? Seems like a simple requirement (i.e., allow everything except one path which requires a specific claim). Using Istion V1.4.2.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myAllowPolicyName
namespace: myNamespace
spec:
action: ALLOW
selector:
matchLabels:
app: myService
rules:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myDenyPolicyName
namespace: myNamespace
spec:
action: DENY
selector:
matchLabels:
app: myService
rules:
- to:
- operation:
paths: ["/myPath*"]
when:
- key: request.auth.claims[oid]
notValues: [“00000000-0000-0000-0000-000000000000”]
Hi
action field include in istio1.5 Which is opional. In istio1.4 there is no Such Deny semantics
It is added in istio1.5. istio1.4 only support allow policy(not having action field). Here is the Link (https://istio.io/news/releases/1.5.x/announcing-1.5/change-notes/#security).
Istio support Multiple Authorization Policy so in istio 1.4 you can apply multipal allow authorization policy. If you use above yaml(Which you mention) you upgrade to istio1.5
May be this helps you.
Thanks very much that explains a lot of my confusion. Do you know how to achieve my objective with just multiple allow policies. Do I have one allow policy to allow everything and another to allow a specific path only if claim is specific
claim? Something like
Thanks very much that explains a lot of my confusion. Do you know how to achieve my objective with just multiple allow policies. Do I have one allow policy to allow everything and another to allow a specific path only if claim is specific claim? Something like
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myAllowAllPolicyName
namespace: myNamespace
spec:
selector:
matchLabels:
app: myService
rules:
{}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myRestrictiveAllowPolicyName
namespace: myNamespace
spec:
selector:
matchLabels:
app: myService
rules:
- to:
- operation:
paths: ["/myPath*"]
when:
- key: request.auth.claims[oid]
values: [“00000000-0000-0000-0000-000000000000”]
you want to allow everything plus /path with specific claim using version istio 1.4
you should apply both of them. because we apply more than one authorizzation policy.
(https://archive.istio.io/v1.4/docs/concepts/security/#implicit-enablement)
May be this will help you…
I was unable to make this work with Istio 1.4. When I allow the policy with the claim, only that policy applies – when I then add the policy to allow everything, the first policy is ignored and everything is allowed (i.e., the second policy
overrides the first). Has anyone made this work or does anyone have any other suggestions? I think my problem is that I’m allowing everything on all paths, then allowing one particular path access only with a claim.
Thanks.
You can achieve it using a deny and allow-all policy. Deny policy is introduced in Istio 1.5. And deny policy has higher priority than allow policies.
You deny policy example looks correct to me. The allow-all policy seems missing “-” before “{}”. Take a look at https://istio.io/docs/concepts/security/#allow-all-and-default-deny-all-authorization-policies.