How to set up a suitable AuthorizationPolicy for the requirement below, thanks

One question: I already set a RequestAuthentication for the deploy servicetest in namespace test-namespace.
I am setting an AuthorizationPolicy; the requirements are:
1 Only istio-system istio-ingressgateway, with a correct token, can access this servicetest.
2 Other deploys in this namespace can access this deploy servicetest without a token.
3 The other namespaces cannot access this namespace: test-namespace

Thanks a lot

I figured this out, as below. FYI
Requirement:
There is a deploy servicetest in namespace newtestproject-newdev-default.
1 Only istio-system istio-ingressgateway, with a correct token, can access this servicetest API.
2 Other deploys in this namespace (tenant) can access the servicetest API without a token.
3 The other namespaces cannot access this namespace: test-namespace
4 The health API can be accessed without a token from anywhere (i.e. istio-system, different namespaces).

Test Command:
Request from outside k8s:
https://newtestproject-newdev.xxexample.com/servicetest/v1/file
testenv_file

https://newtestproject-newdev.xxexample.com/servicetest/v1/health 
Hello, Kathy.

https://newtestproject-newdev.xxexample.com/servicetest/v1/user
Hello, Kathy.

Request from k8s (same namespace)
k exec -ti nginx -n testns -- curl -k servicetest.newtestproject-newdev-default/servicetest/v1/user --header "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjYyZDIxMGU1LTc3NWMtNGxxxmDUKatQWyeQdYExaJmZtXmwU_0sWjl26lJ8H6Z20CoflqwqIjt9qFcrzKYVcr8FFypkau0sGuW_6jTsyaLB3vMr5yerkjg"

k exec -ti nginx -n testns -- curl -k servicetest.newtestproject-newdev-default/servicetest/v1/user 

k exec -ti nginx -n testns -- curl -k servicetest.newtestproject-newdev-default/servicetest/v1/health

Request from k8s (other namespace)
k exec -ti nginx -n newtestproject-newdev-default -- curl -k servicetest.newtestproject-newdev-default/servicetest/v1/health

k exec -ti nginx -n newtestproject-newdev-default -- curl -k servicetest.newtestproject-newdev-default/servicetest/v1/user

V1.6 JWT Verify Policy:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: servicetest
  namespace: newtestproject-newdev-default
spec:
  jwtRules:
  - audiences:
    - api-dev.xxexample.com
    - api-test.xxexample.com
    - https://example-test.xxexample.com
    - https://newtestproject-newdev.xxexample.com
    forwardOriginalToken: true
    issuer: oauth-test.xxexample.com
    jwksUri: https://xxx.s3-us-west-2.amazonaws.com/newtestproject-newdev/jwks.json
  selector:
    matchLabels:
      app: servicetest

Note: this can verify a JWT token.
However, it will still return 200 if you do not include a token in your API request.

Try successful ----------------0001----------
view docs success001.
Good point: outside requests need a token now. Only istio-system istio-ingressgateway, with a correct token, can access this servicetest API.
Problem: deploys in the same namespace cannot access each other.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: newtestproject-newdev-default
spec: {}

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: newtestproject-dev-external
  namespace: newtestproject-newdev-default
spec:
  rules:
  - from:
    - source:
        namespaces:
        - istio-system
    when:
    - key: request.auth.principal
      values: ["*"]
  selector:
    matchLabels:
      level: public

Try successful ----------------0002----------
Good point: deploys in the same namespace (tenant) can access each other without a token.
Note: the namespaces of this tenant will start with newtestproject-newdev-

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: newtestproject-newdev-same-tenant
  namespace: newtestproject-newdev-default
spec:
  rules:
  - from:
    - source:
        namespaces:
        - newtestproject-newdev-*

Try successful ----------------0003----------
Good point: health can be accessed from anywhere. (For each service, an additional path entry needs to be added for its specific paths.)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-health
  namespace: newtestproject-newdev-default
spec:
  rules:
  - to:
    - operation:
        methods:
        - GET
        paths:
        - '*/v1/health'


After testing, it works for all my requirements.
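The three AuthorizationPolicy objects above all use the default ALLOW action, so the outcome for a request follows Istio's ALLOW semantics: once at least one ALLOW policy applies to the workload, a request gets through only if some rule matches it, and `spec: {}` (no rules) therefore acts as deny-all; with no policy at all, RequestAuthentication alone still lets token-less requests through, which is the "returns 200" note above. The script below is an added example, not code from the post or from Istio: it models those semantics (exact, prefix `abc*`, suffix `*abc` and presence `*` string matching; OR across `from`/`to` entries, AND across `when` conditions) and runs the post's request matrix through the three policies so the expected verdicts can be checked offline before applying them. It assumes the servicetest pod carries a `level: public` label (the label the external policy selects on) and uses a constructed `request.auth.principal` value; real verification is still the curl tests in the post.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """One request as seen by the servicetest sidecar (constructed test input)."""
    src_namespace: str                       # namespace of the calling workload's identity
    path: str
    method: str = "GET"
    jwt_principal: Optional[str] = None      # set only if RequestAuthentication accepted a JWT
    workload_labels: dict = field(default_factory=dict)


def match_str(pattern: str, value: Optional[str]) -> bool:
    """Istio string matching: exact, prefix 'abc*', suffix '*abc', presence '*'."""
    if value is None:
        return False                         # a presence check fails when the attribute is absent
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def any_match(patterns, value) -> bool:
    return any(match_str(p, value) for p in patterns)


def rule_matches(rule: dict, req: Request) -> bool:
    # `from`: at least one source entry must match (when the list is present)
    froms = rule.get("from", [])
    if froms and not any(any_match(f["source"].get("namespaces", ["*"]), req.src_namespace) for f in froms):
        return False
    # `to`: at least one operation entry must match method AND path (when present)
    tos = rule.get("to", [])
    if tos and not any(
        any_match(t["operation"].get("methods", ["*"]), req.method)
        and any_match(t["operation"].get("paths", ["*"]), req.path)
        for t in tos
    ):
        return False
    # `when`: every condition must hold; values ["*"] on request.auth.principal is a presence check
    attrs = {"request.auth.principal": req.jwt_principal, "source.namespace": req.src_namespace}
    return all(any_match(c["values"], attrs[c["key"]]) for c in rule.get("when", []))


def policy_applies(policy: dict, req: Request) -> bool:
    selector = policy.get("selector", {}).get("matchLabels", {})
    return all(req.workload_labels.get(k) == v for k, v in selector.items())


def evaluate(policies, req: Request) -> str:
    """ALLOW-action evaluation: no applicable policy -> allow; else allow only if some rule matches."""
    applicable = [p for p in policies if policy_applies(p, req)]
    if not applicable:
        return "ALLOW"
    if any(rule_matches(rule, req) for p in applicable for rule in p.get("rules", [])):
        return "ALLOW"
    return "DENY"


# The post's three policies transcribed into dicts (action defaults to ALLOW).
POLICIES = [
    {"name": "deny-all", "rules": []},                        # spec: {} -> no rule can ever match
    {"name": "newtestproject-dev-external",
     "selector": {"matchLabels": {"level": "public"}},
     "rules": [{"from": [{"source": {"namespaces": ["istio-system"]}}],
                "when": [{"key": "request.auth.principal", "values": ["*"]}]}]},
    {"name": "newtestproject-newdev-same-tenant",
     "rules": [{"from": [{"source": {"namespaces": ["newtestproject-newdev-*"]}}]}]},
    {"name": "allow-health",
     "rules": [{"to": [{"operation": {"methods": ["GET"], "paths": ["*/v1/health"]}}]}]},
]

# Assumed labels on the servicetest pod; `level: public` is what the external policy selects on.
SERVICETEST = {"app": "servicetest", "level": "public"}
USER, HEALTH = "/servicetest/v1/user", "/servicetest/v1/health"


def check_requirements() -> dict:
    """Run the post's request matrix through POLICIES; returns {case: verdict}."""
    cases = {
        # constructed principal in Istio's "<issuer>/<subject>" form
        "ingress_with_token": Request("istio-system", USER, jwt_principal="oauth-test.xxexample.com/kathy",
                                      workload_labels=SERVICETEST),
        "ingress_no_token": Request("istio-system", USER, workload_labels=SERVICETEST),
        "same_tenant_no_token": Request("newtestproject-newdev-default", USER, workload_labels=SERVICETEST),
        "other_namespace_no_token": Request("testns", USER, workload_labels=SERVICETEST),
        "other_namespace_health": Request("testns", HEALTH, workload_labels=SERVICETEST),
        "other_namespace_health_post": Request("testns", HEALTH, method="POST", workload_labels=SERVICETEST),
    }
    return {name: evaluate(POLICIES, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:30s} {verdict}")
```

The last case goes beyond the post's matrix: because `allow-health` lists only `GET`, a POST to the health path from another namespace is still denied, which is the reason to keep the method list on path-based allow rules rather than opening the path for every method.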