Istio Deployment Deny All Default

Security
1

Hi,

I’d like to deploy Istio so every service that is added to the mesh has an incoming deny-all policy by default. I see there is a way to create a deny-all authorization policy after the fact but I need a way to make this the default behavior until an allowed policy is explicitly applied.

Thanks in advance!

2

Would it work to create an AuthorizationPolicy that:

  1. has an action of ALLOW and matches nothing,
  2. has no selector (or a selector with any empty label-match list), and
  3. is in Istio’s root namespace (/root/ namespace, not Istio /system/ namespace)?

Part 1 should implement deny-all-by-default behavior for whatever workloads the AuthorizationPolicy is applied to.

Part 2, if that’s allowed, should apply to all workloads in the AuthorizationPolicy’s namespace.

Part 3, /if it works/, would cause the AuthorizationPolicy to apply to all namespaces.

Tell us if that works and gets you want you want.

Daniel

3

(Note: I notice that Discuss screws up formatting of replies sent by responding via e-mail. My previous message one doesn’t look so bad, but a recent one dropped (or hid) text I sent.)

4

Hi Daniel,

Thanks for the suggestion! I now have a deny-all authz policy inherited from the root namespace to all leaf namespaces. What I’m trying to achieve now is to allow the developer in a leaf namespace to create an explicit ALLOW authz policy for their services. So leaving the deny-all rule except for the new ALLOW authz policy within the leaf namespace.

So I deployed the following:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-config
spec:
  {}

So I do see the following:

$ istioctl x authz check ratings-v1-d46bbc45f-hj2sn -n default
ACTION   AuthorizationPolicy     RULES
ALLOW    deny-all.istio-config   1

Then I applied:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "ratings-viewer"
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET"]

and see:

$ istioctl x authz check ratings-v1-d46bbc45f-hj2sn -n default
ACTION   AuthorizationPolicy      RULES
ALLOW    deny-all.istio-config    1
ALLOW    ratings-viewer.default   1

Hoping it would supersede the deny-all for just that one service authz policy.

Is this possible?

Thanks again!

5

Another attempt…

I applied this global authz policy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-config
spec:
  action: DENY
  # the rules field has an empty rule, and the policy will always match.
  rules:
  - {}

resulting in:

$ istioctl x authz check ratings-v1-d46bbc45f-hj2sn -n default
ACTION   AuthorizationPolicy         RULES
DENY     deny-all.istio-config       1

then applied local ns authz:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "ratings-viewer"
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET"]

resulting in:

$ istioctl x authz check ratings-v1-d46bbc45f-hj2sn -n default
ACTION   AuthorizationPolicy         RULES
DENY     deny-all.istio-config       1
ALLOW    ratings-viewer.default      1
ALLOW    _anonymous_match_nothing_   1

not sure what the " anonymous_match_nothing " means.

6

I used your first option it seems that if you use a deny all
apiVersion: security.istio.io/v1beta1

kind: AuthorizationPolicy

metadata:

name: deny-all

spec:

action: DENY

rules:

  • {}

it does not allow spoecific traffic when applying an ALLOW policy this although the docs say it should