mTLS PeerAuthentication: allowing specific sources/clients using AuthorizationPolicy?

Hi there,

Just rather new to Istio so bear with me as I’m trying to understand from a conceptual point of view. I’ve set up the PeerAuthentication successfully in a couple of namespaces and this all works as expected. I can also work with RequestAuthorization without any problems.

Allowing clients from a certain principal on the mTLS/Peer is done from the AuthorizationPolicy as well by specifying the mTLS principal, right? So having a strict policy on PeerAuthentication guarantees the identity, which in turn enables the specification and the authenticity of the principal?

I want to make sure I can control who’s able to access who as a first line of control using mTLS. More fine grained control can be done using RequestAuthorization using JWT and AuthorizationPolicy on requestPrincipals.

Is this a sane strategy? Or am I approaching this backwards?

Thanks,
Martijn

Yes your approach sounds good, typically mTLS is used for app to app communication. So you use mTLS to help determine where traffic can come from and RequestAuthorization helps determine the “who” can talk to your application.

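The two-layer setup discussed above, written out as an added example (not configuration from the original thread): a STRICT PeerAuthentication so the workload identity in the client certificate can be trusted, an AuthorizationPolicy that allows only one mTLS principal as the first line of control, and a RequestAuthentication (that is the Istio CRD kind behind what the thread calls RequestAuthorization) plus a second AuthorizationPolicy on requestPrincipals for the finer-grained JWT layer. The namespaces (`orders`, `shop`), the workload label `app: orders-api`, the client service account `checkout`, and the issuer/JWKS URL are assumed placeholders.

```yaml
# Layer 1: require mTLS for every workload in the namespace, so the
# SPIFFE identity in the peer certificate is guaranteed rather than optional.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: orders            # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Layer 1 (continued): only the checkout workload in the shop namespace
# may talk to orders-api at all. Once any ALLOW policy selects a workload,
# every request that matches no ALLOW rule is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-api-allow-checkout
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api          # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # mTLS principal format: <trust-domain>/ns/<namespace>/sa/<service-account>
        principals: ["cluster.local/ns/shop/sa/checkout"]   # assumed client identity
---
# Layer 2: validate end-user JWTs so requestPrincipals can be evaluated.
# A request carrying an invalid token is rejected here; a request with no
# token passes this step and is left to the AuthorizationPolicy below.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: orders-api-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  jwtRules:
  - issuer: "https://issuer.example.invalid"              # assumed issuer
    jwksUri: "https://issuer.example.invalid/.well-known/jwks.json"   # assumed JWKS URL
---
# Layer 2 (continued): require a validated JWT from that issuer in addition
# to the trusted mTLS peer. requestPrincipals has the form <issuer>/<subject>;
# "<issuer>/*" accepts any subject from that issuer and rejects tokenless requests.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-api-require-jwt
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
        requestPrincipals: ["https://issuer.example.invalid/*"]
```

Both ALLOW policies select the same workload, so a request is admitted only if it matches a rule in at least one of them; because the second policy restates the mTLS principal alongside requestPrincipals, a caller that is the right workload but presents no valid JWT still matches the first policy. If the intent is that the JWT is mandatory for every call, drop the first policy (or fold its rule into the second) so that the only ALLOW rule requires both conditions. Checking `istioctl x authz check <pod>` after applying the policies shows which rules Istio has actually loaded for the workload.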

Thanks for getting back. Did a small demo on some sandbox cluster. This will have a huge impact on how we will think about deployments from a dev perspective.
