AuthorizationPolicy for gRPC Istio Ingress

I’ve successfully used AuthorizationPolicy with HTTP services behind Istio’s ingress gateway to limit requests heading for a particular Host header.

However, it seems that gRPC doesn’t have the Host header, and I can’t see how to allow requests to a gRPC service without enumerating every single method in the service. Any ideas?

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: ingressgateway
  action: ALLOW
  rules:
  - {}
  # This doesn't work for gRPC...Not sure how else we can deal with this
  # - to:
  #   - operation:
  #       hosts: ["subdomain.example.com"]

Could you try using the request.headers[:authority] attribute in the when section? The value might be in a slightly different format, something like outbound|9000||someservice.default.svc.cluster.local, if the request is sent from a proxy in the mesh. I haven’t tried this on an ingress gateway, though.
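
The suggestion in the reply above, written out against the policy from the question. This is an added example, not part of either post, and like the reply it has not been verified on an ingress gateway. The second entry in values assumes the client may send :authority as host plus port.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-service
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: ingressgateway
  action: ALLOW
  rules:
  # Replaces the catch-all "- {}" rule, which allows every request.
  # With action ALLOW, a request that matches no rule is denied.
  - when:
    # gRPC runs over HTTP/2, where the :authority pseudo-header carries
    # what HTTP/1.1 sends as Host.
    - key: request.headers[:authority]
      values:
      - "subdomain.example.com"
      # Assumption: the client appends a port (for example ":443").
      # A trailing "*" makes this a prefix match.
      - "subdomain.example.com:*"
```

If requests are still denied, the gateway's access log shows the exact :authority value being received, which is the string the values list has to match.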