Istio Authorization with Internal Service

Hi everyone.
I currently need that, every time a service is accessed, you first verify with another internal service whether you are logged in.
The login logic currently lives within my service.
My question is: how can I do that if I want to consume another service within my network? First I will validate that the login exists. The service returns a 200 or a 401.

I’m looking for options with EnvoyFilter but I can’t find a solution.

It is something similar to an authentication with Auth0 but this time I must validate against an internal service.

If you can help me, I would greatly appreciate it.

I think you can use EnvoyFilter to deploy an ext_authz filter to talk to your other service.

Do you have any examples of what I need? I tried to implement EnvoyFilter but it doesn’t work as it should.

Do you have any examples of what I need?

I don’t have a working example, but a quick search on discuss.io shows some examples: EnvoyFilter - ext_authz for istio 1.3

I have applied the yaml making the respective modifications based on my service.
But I don’t see that it’s working. Do you know how I can see if there is an error?

I have just gone over this myself, was not able to get it to work on the GATEWAY, which is what I had wanted, but did work on the SIDECAR. The response to that thread is pretty much what I have working. I had some logging on the 2 services to see the requests. To verify I removed the active login (flushed redis cache backing the authentication) and was logged out from the front end.

Can you show me what you have done? I am very lost in this filter that I require.

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: service
spec:
  workloadSelector:
    labels:
      app: service
  configPatches: 
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
             http_service:
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: authorization
                  - exact: cookie
                  - exact: x-envoy-external-address
                  - exact: x-forwarded-for
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
                allowedUpstreamHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate          
              path_prefix: /authroute
              server_uri:
                uri: http://auth.ns.svc.cluster.local:1234
                cluster: outbound|1234||auth.ns.svc.cluster.local
                timeout: 1s
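As an added illustration (not code from the thread or from Istio), the following Python models the hop that the EnvoyFilter above configures: the sidecar copies only the allowedHeaders onto a request to server_uri at path_prefix plus the original path, a 200 lets the request through, and any other status is returned to the client with only the allowedClientHeaders. It doubles as a stand-in auth service on port 1234; the session store, header values and the x-debug header are constructed for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH_PREFIX = "/authroute"  # path_prefix from the filter: prepended to the original path
# allowedHeaders from the filter: the only request headers the sidecar copies to the auth call
ALLOWED_REQUEST_HEADERS = {"authorization", "cookie", "x-envoy-external-address", "x-forwarded-for"}
# allowedClientHeaders: the only auth-service response headers a denied client gets to see
ALLOWED_CLIENT_HEADERS = {"authorization", "location", "proxy-authenticate", "set-cookie", "www-authenticate"}
VALID_SESSIONS = {"session=abc123"}  # constructed stand-in for the real login state


def build_auth_request(original_path, original_headers):
    """What the sidecar sends to server_uri: PATH_PREFIX + path, allowed headers only."""
    lowered = {k.lower(): v for k, v in original_headers.items()}  # Envoy lowercases names
    forwarded = {k: v for k, v in lowered.items() if k in ALLOWED_REQUEST_HEADERS}
    return PATH_PREFIX + original_path, forwarded


def check_session(forwarded_headers):
    """Auth service decision: 200 for a known session cookie, otherwise 401."""
    if forwarded_headers.get("cookie", "") in VALID_SESSIONS:
        return 200, {}
    # x-debug is deliberately not in allowedClientHeaders, so it never reaches the client
    return 401, {"www-authenticate": 'Cookie realm="internal"', "x-debug": "session-miss"}


def envoy_decision(original_path, original_headers):
    """200 from the auth service lets the request continue; anything else is
    returned to the client with that status and only the allowed headers."""
    _, forwarded = build_auth_request(original_path, original_headers)
    status, resp_headers = check_session(forwarded)
    if status == 200:
        return "ALLOW", 200, {}
    visible = {k: v for k, v in resp_headers.items() if k in ALLOWED_CLIENT_HEADERS}
    return "DENY", status, visible


class AuthHandler(BaseHTTPRequestHandler):
    """Minimal auth service: every method and path under PATH_PREFIX gets 200 or 401."""
    def _decide(self):
        if not self.path.startswith(PATH_PREFIX):  # only the prefixed route is served
            status, headers = 404, {}
        else:
            status, headers = check_session({k.lower(): v for k, v in self.headers.items()})
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
    do_GET = do_POST = do_PUT = do_DELETE = _decide


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 1234), AuthHandler).serve_forever()  # port from server_uri
```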

In the workloadSelector, when you call the app, is the name of the app you are referring to a service? Is it the same EnvoyFilter?

service == app

This is the app that needs authentication. auth is the name of the service doing the authentication and ns is the name of the namespace where the auth server lives. Just put the filter in the same namespace as your app.

I have copied your code and added my service. But I still have doubts about the app inside the workloadSelector.

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: service
spec:
  workloadSelector:
    labels:
      app: service
  configPatches: 
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
             http_service:
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: authorization
                  - exact: cookie
                  - exact: x-envoy-external-address
                  - exact: x-forwarded-for
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
                allowedUpstreamHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate          
              path_prefix: /authroute
              server_uri:
                uri: http://autenticacion-back-authservices.testing.svc.cluster.local:80
                cluster: outbound|80||autenticacion-back-authservices.testing.svc.cluster.local
                timeout: 1s

That is a label on your app. Any pod that has that label will have the EnvoyFilter applied.

It doesn’t have to be app; you could label all your workloads with:
auth: true

So, if I want to apply the lock to another service, in the app I only put in the name of this service. Is that correct?

So this is my EnvoyFilter.
But when I see the logs of my Istio gateway, I only get a 200 response. At no time does it access the filtering service.
Is it wrong? Or am I misunderstanding how it works?

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: service
  namespace: testing
spec:
  workloadSelector:
    labels:
      app: back-test # this is another service
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
            http_service:
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: authorization
                  - exact: cookie
                  - exact: x-envoy-external-address
                  - exact: x-forwarded-for
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
                allowedUpstreamHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
              path_prefix: /validate
              server_uri:
                uri: http://autenticacion-back-authservices.testing.svc.cluster.local:80
                cluster: outbound|80||autenticacion-back-authservices.testing.svc.cluster.local
                timeout: 1s

So both your app and the authentication service are in the testing namespace. Do you have the Envoy sidecar added to the back-test pod? I am using auto sidecar injection. This seems like it should be working.

I currently have no sidecar configured. Should I create a yaml sidecar to make it work?

In the namespace I only have istio-injection = enabled.

Do your pods have an istio-proxy container added? They should. If so, you can log on to them and curl localhost:15001/clusters to make sure your auth cluster is available.
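The two checks in that answer as an added Python helper (not from the thread or from Istio): it confirms the istio-proxy container is present and then parses the sidecar's Envoy /clusters text for the auth cluster named in server_uri.cluster. It assumes kubectl is in PATH and that the Envoy admin API answers on localhost:15000 inside the istio-proxy container; the namespace, label and cluster name at the bottom are taken from the thread.

```python
import subprocess


def has_sidecar(container_names):
    """True when the pod's container list includes the injected Envoy proxy."""
    return "istio-proxy" in container_names


def healthy_endpoints(clusters_text, cluster_name):
    """Parse Envoy /clusters lines of the form '<cluster>::<host>::<stat>::<value>'
    and return the hosts of cluster_name whose health_flags value is 'healthy'."""
    hosts = []
    for line in clusters_text.splitlines():
        parts = line.strip().split("::")
        if len(parts) == 4 and parts[0] == cluster_name and parts[2] == "health_flags":
            if parts[3] == "healthy":
                hosts.append(parts[1])
    return hosts


def kubectl(*args):
    return subprocess.run(["kubectl", *args], check=True, capture_output=True, text=True).stdout


def check_workload(namespace, label, auth_cluster):
    """Report whether the labelled pod has a sidecar and whether that sidecar
    knows the auth cluster with at least one healthy endpoint."""
    names = kubectl("-n", namespace, "get", "pod", "-l", label,
                    "-o", "jsonpath={.items[0].spec.containers[*].name}").split()
    if not has_sidecar(names):
        return f"containers {names}: no istio-proxy, sidecar was not injected (recreate the pod)"
    pod = kubectl("-n", namespace, "get", "pod", "-l", label,
                  "-o", "jsonpath={.items[0].metadata.name}").strip()
    clusters = kubectl("-n", namespace, "exec", pod, "-c", "istio-proxy", "--",
                       "curl", "-s", "localhost:15000/clusters")
    if auth_cluster + "::" not in clusters:
        return "auth cluster unknown to Envoy: check service name, namespace and port in server_uri.cluster"
    hosts = healthy_endpoints(clusters, auth_cluster)
    return f"auth cluster healthy endpoints: {hosts}" if hosts else "auth cluster known but no healthy endpoint"


if __name__ == "__main__":
    print(check_workload("testing", "app=back-test",
                         "outbound|80||autenticacion-back-authservices.testing.svc.cluster.local"))
```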

How can I do that? I'm new to this topic.