Well, nothing yet I see
Partially inspired by this:
I’ve played with an envoy filter in my AuthorizationPolicy:
```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: ingressgateway-authz
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - to:
    - operation:
        ports: ["443","9443"]
        hosts:
        - "pow.servicemesh.mybox"
    when:
    - key: experimental.envoy.filters.network.client_ssl_auth[certificates]
      values:
      - "[[fingerprint_sha256, 5234981512daca66a79ba1cc2cc5c759d636af07a6dd360077ae42d209b3306a]]"
```
But alas, no success yet. I’m definitely still using the filter in the wrong way. Any insight on this?
Even when I fix the Envoy filter request, I would still very much like to request built-in Istio functionality to do authorization on certificates after authenticating them via SDS, e.g. via the hash value.
Best regards
Jesper Berggren