Can Istio Security Peer Authentication & JWT Authentication Be Used in Parallel

Hi there, I’m trying to apply the security example tutorial found here against a solution that I’m trying to deploy.

The use case is that I would deploy Elasticsearch + Kibana into the mesh and configure end users outside of Kubernetes to access the Elasticsearch API with JWT authentication. While I was successful in configuring and applying that, I found my Kibana deployment to be failing. I know it has something to do with the RequestAuthentication + AuthorizationPolicy defined: I get an `RBAC: access denied` error when I try curling Elasticsearch from my Kibana’s istio-proxy sidecar.

Have I misconfigured something here? Is there an option to enable end-user JWT only for client requests from outside Kubernetes and disable it for internal service-to-service communication?

Could you give more info, like the configuration files or the pod logs?

Hi William, here are the YAMLs that would be of interest. They’re no different from the Istio security examples provided. In fact everything is working as I expected until I introduce the Kibana client application, which would essentially be trying to access the elasticsearch-master service and would fail due to JWT / RBAC security. So what I needed was a mechanism where I could allow internal service access to bypass JWT authentication and apply it only to those outside the mesh. *** Just a note that I’ve implemented a workaround by applying the RequestAuthentication / AuthorizationPolicy against the istio-ingressgateway and the istio-system namespace, which seems to do the trick for the most part.

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: elk-api-server
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  jwtRules:
```

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: elk-auth-policy
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
```

@YangminZhu could you take a look?

In short, I guess my use case is that if I set a RequestAuthentication against my Elasticsearch service that’s inside the mesh, I would like to set an AuthorizationPolicy that’s only applicable to client applications trying to call it from outside the mesh, and allow those inside the mesh to bypass having to have JWT authentication.

@yangminzhu, let me know what kind of logs you would need and I can set things up to duplicate it.

Thanks for reaching out. If I’m understanding correctly, you want to enforce the JWT/AuthZ policy only for external requests but not for requests from internal services? And currently you work around this by applying the policy to the ingress gateway?

It’s totally valid to apply policies on the ingress gateway, and that’s actually one of the common use cases. Why do you think it’s a workaround for you?

If you really want to apply the policies on the workload, you can do it like the following:

  1. Apply PeerAuthentication to enable mTLS when accessing elasticsearch-master. After this, both the ingress gateway and your internal services should use mTLS when accessing elasticsearch-master.

  2. Apply the RequestAuthentication on elasticsearch-master as usual

  3. Apply the AuthorizationPolicy on elasticsearch-master like the following:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: elk-auth-policy
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
```

The authZ policy will deny the request if it doesn’t have a JWT and is from the istio-ingressgateway.
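The three steps in the reply above, written out as one complete set of manifests. This is an added illustration, not part of the original reply: the selector, namespace and gateway service-account name are taken from the thread, while the issuer, JWKS URI and audience inside `jwtRules` are placeholders, because the thread never shows the real values.

```yaml
# Added example: the three-step setup from the reply above, written out in full.
# issuer / jwksUri / audiences are placeholders (assumptions); every other name
# comes from the thread.
---
# Step 1: require mTLS on elasticsearch-master so that every caller (ingress
# gateway and in-mesh services alike) presents its SPIFFE identity. Without
# mTLS, source.principal / source.namespace are empty and cannot be matched on.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: elasticsearch-master-mtls
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  mtls:
    mode: STRICT
---
# Step 2: validate end-user JWTs on elasticsearch-master. A request carrying a
# valid token gets a request principal (<iss>/<sub>); a request without any
# token is still forwarded, so the actual enforcement happens in step 3.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: elk-api-server
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  jwtRules:
  - issuer: "https://issuer.example.com"                       # placeholder
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"  # placeholder
    audiences: ["elasticsearch"]                                 # placeholder
---
# Step 3: deny only requests that come from the ingress gateway AND carry no
# request principal. Fields inside one `source` block are ANDed, so an in-mesh
# caller such as Kibana (a different peer principal) never matches this rule,
# and an external caller that presented a valid JWT is not denied either.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: elk-auth-policy
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  action: DENY
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
        notRequestPrincipals: ["*"]
```

Two caveats worth keeping in mind with this shape. First, a DENY policy only says who is rejected: any other mesh identity that can reach elasticsearch-master over mTLS gets through without a JWT, so if the set of internal callers should be limited as well, add a separate ALLOW policy that lists the Kibana service account (and the gateway) as `principals`. Second, the `principals` match depends on the mTLS identity from step 1; the later variant in this thread that matches on `source.namespace` depends on it in the same way, since that attribute is also derived from the peer certificate.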

Hi YangminZhu, thanks for getting back to me. I’m fairly new to Istio, so forgive such a beginner question. I just learned and was able to get the RequestAuthentication and AuthorizationPolicy against my-test-namespace working properly, only I used the AuthorizationPolicy defined below:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: elastic-auth-policy
  namespace: my-test-namespace
spec:
  selector:
    matchLabels:
      app: elasticsearch-master
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    when:
    - key: source.namespace
      notValues: ["my-test-namespace"]
```

This basically excluded my Kibana service, which also lives in the same namespace, so that it can access Elasticsearch.

Yangmin, can you further advise on how I can go about troubleshooting if my authorization policy is not working as expected?

I’m not sure which part of the authorization policy is not working as expected. Could you elaborate a little on what the expected behavior is here?

Also, when you copy/paste any policies, could you enclose them with ``` so that they have the proper formatting? Thanks.