Authorization Policy - ISTIO

Sabyasachi2k · June 9, 2020, 1:46pm

Hi,
I have a requirement where the traffic for pods in a namespace must originate from that namespace or a specific url if hit from postman. I put in the following auth rule and it blocks traffic to all pods. mTLS is enabled.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: istio-deny
 namespace: dev
spec:
 action: DENY
 rules:
 - from:
   - source:
       notNamespaces: ["dev"]
 - to:
   - operation:
       notHosts: ["dev.mydomain.com"]

I tried the folllowing and it allows traffic from the host but not from within the namespaces
apiVersion: security.istio.io/v1beta1

kind: AuthorizationPolicy
metadata:
 name: istio-deny
 namespace: dev
spec:
 action: DENY
 rules:
 - to:
   - operation:
       notHosts: ["dev.svc.cluster.local","dev.mydomain.com"]

Anh help please.

incfly · June 11, 2020, 8:36pm

Can you explain what you would like to see vs what you actually see?

If i understand correctly, the first policy would block all request if they are not coming from dev namespace, and with HOST header not equal to dev.mydomain.com.

The second one would block all access except dev.svc.cluster.local and dev.mydomain.com.

What requests are denied/allowed unexpectedly?

Also what does it mean traffic from HOST, request with what host header?

Sabyasachi2k · June 11, 2020, 9:45pm

@incfly The first one does not allow traffic from dev.mydomain.com or the namespace.
the second one allows traffic from dev.mydomain.com but not dev.svc.cluster.local.

I would have thought that the first one should have allowed traffic originating from the dev namespace and traffic with the having the domain name dev.mydomain.com, but that is not the case.

Sabyasachi2k · June 11, 2020, 10:06pm

wierdly this works as expected

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: istio-deny
 namespace: dev
spec:
 action: ALLOW
 rules:
 - from:
   - source:
       namespaces: ["dev"]
 - to:
   - operation:
       hosts: ["dev.mydomain.com"]

incfly · June 11, 2020, 10:16pm

Yes. It should work as that expectation. And I’m glad you also got the results!

Sabyasachi2k · June 11, 2020, 10:17pm

@incfly wonder why the 1st rule was not working? any idea?
The one with the DENY when the namespace is not “dev” and the host is not “dev.domain.com”

Arvind_Kumar · July 2, 2020, 2:10am

I’ve the similar case, where if I put DENY action, that action is not honoured.

envoy dump is as below

{
    "name": "envoy.filters.http.rbac",
    "typed_config": {
      "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
      "rules": {
        "policies": {
          "ns[authpns]-policy[allow-path-abc]-rule[0]": {
            "permissions": [
              {
                "and_rules": {
                  "rules": [
                    {
                      "or_rules": {
                        "rules": [
                          {
                            "header": {
                              "name": ":path",
                              "exact_match": "/authp/abc"
                            }
                          }
                        ]
                      }
                    }
                  ]
                }
              }
            ],
            "principals": [
              {
                "and_ids": {
                  "ids": [
                    {
                      "any": true
                    }
                  ]
                }
              }
            ]
          },
          "ns[authpns]-policy[deny-get]-rule[0]": {
            "permissions": [
              {
                "and_rules": {
                  "rules": [
                    {
                      "or_rules": {
                        "rules": [
                          {
                            "header": {
                              "name": ":method",
                              "exact_match": "GET"
                            }
                          }
                        ]
                      }
                    }
                  ]
                }
              }
            ],
            "principals": [
              {
                "and_ids": {
                  "ids": [
                    {
                      "any": true
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
  },

Corresponding AuthorizationPolicy is below

---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: authpns
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-get
  namespace: authpns
spec:
  selector:
    matchLabels:
      app: authp
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["GET"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-path-abc
  namespace: authpns
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/authp/abc"]

Can someone suggest, what may be wrong here and why DENY is still served as ALLOW ?

Topic		Replies	Views
Another AuthorizationPolicy Question - IP Whitelist for VirtualService Security	5	2034	February 11, 2021
Authorization Policies having unexpected results on istio-1.9.0 Networking security	1	546	February 23, 2021
AuthorizationPolicy and Namespaces Security	1	2234	February 21, 2020
Restrict pod to pod communication using Istio authorization Security security	0	1560	December 6, 2021
Istio 1.6.4: Authorisation policy ALLOW is denying Security	9	1095	August 10, 2020

Authorization Policy - ISTIO

Related Topics