TCP Authorization
This task shows you how to set up authorization policy for TCP traffic in Kmesh.
Before you begin
-
Understand the AuthorizationPolicy
-
Install Kmesh
Please refer quickstart
-
Deploy the Sample Applications
Please refer deploy applications
Modify the replicas o to 2 in sleep deployment.
apiVersion: apps/v1 kind: Deployment metadata: name: sleep spec: replicas: 2 selector: matchLabels: app: sleep template: metadata: labels: app: sleep spec: terminationGracePeriodSeconds: 0 serviceAccountName: sleep containers: - name: sleep image: curlimages/curl command: ["/bin/sleep", "infinity"] imagePullPolicy: IfNotPresent volumeMounts: - mountPath: /etc/sleep/tls name: secret-volume volumes: - name: secret-volume secret: secretName: sleep-secret optional: true
-
Check app status and ensure that the service application is managed by Kmesh
kubectl get pod NAME READY STATUS RESTARTS AGE kubectl get pod -o wide | grep sleep sleep-78ff5975c6-phhll 1/1 Running 0 30h 10.244.2.22 ambient-worker <none> <none> sleep-78ff5975c6-plh7r 1/1 Running 0 30h 10.244.1.46 ambient-worker2 <none> <none> kubectl describe po httpbin-65975d4c6f-96kgw | grep Annotations Annotations: kmesh.net/redirection: enabled
Configure ALLOW authorization policy
-
Create an “allow-by-srcip” authorization policy for the httpbin workload within the corresponding namespace, apply the policy by running the following command, which allows requests from a specified IP address. In this example, the IP address
10.244.1.46/32
corresponds to the podsleep-78ff5975c6-plh7r
kubectl apply -f - <<EOF apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: allow-by-srcip namespace: default spec: selector: matchLabels: app: httpbin action: ALLOW rules: - from: - source: ipBlocks: - 10.244.1.46/32 EOF
-
Verify whether requests from the corresponding IP are being allowed.
kubectl exec sleep-78ff5975c6-plh7r -c sleep -- curl http://httpbin:8000/headers % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0{ "headers": { "Accept": "*/*", "Host": "httpbin:8000", "User-Agent": "curl/8.5.0" } } 100 105 100 105 0 0 18078 0 --:--:-- --:--:-- --:--:-- 21000
-
Verify if requests from other IPs are being denied.
kubectl exec sleep-78ff5975c6-phhll -c sleep -- curl http://httpbin:8000/headers % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 105 0 0 0 0 0 0 --:--:-- 0:01:00 --:--:-- 0 curl: (56) Recv failure: Connection reset by peer
-
Clean up the AuthorizationPolicy.
kubectl delete AuthorizationPolicy allow-by-srcip -n default
Configure DENY authorization policy
-
Create a “deny-by-srcip” authorization policy for the httpbin workload within the specified namespace, which denies requests from a particular IP address, execute the following command
kubectl apply -f - <<EOF apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: deny-by-srcip namespace: default spec: selector: matchLabels: app: httpbin action: DENY rules: - from: - source: ipBlocks: - 10.244.1.46/32 EOF
-
Verify whether requests from the corresponding IP are being denied.
kubectl exec sleep-78ff5975c6-plh7r -c sleep -- curl "http://httpbin:8000/headers" % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 105 0 0 0 0 0 0 --:--:-- 0:01:04 --:--:-- 0 curl: (56) Recv failure: Connection reset by peer
-
Verify if requests from other IPs are being allowed.
kubectl exec sleep-78ff5975c6-phhll -c sleep -- curl "http://httpbin:8000/headers" % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0{ "headers": { "Accept": "*/*", "Host": "httpbin:8000", "User-Agent": "curl/8.5.0" } } 100 105 100 105 0 0 11284 0 --:--:-- --:--:-- --:--:-- 11666
-
Clean up the AuthorizationPolicy.
kubectl delete AuthorizationPolicy deny-by-srcip -n default
Clean up
Please refer cleanup
AuthorizationPolicy
Field | Type | Description | Required |
---|---|---|---|
rules |
Rule[] |
Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW. | No |
Rule
Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched.
Field | Type | Description | Required |
---|---|---|---|
from |
From[] |
Optional. from specifies the source of a request.If not set, any source is allowed. |
No |
to |
To[] |
Optional. to specifies the operation of a request.If not set, any operation is allowed. |
No |
Rule.From
From includes a list of sources.
Field | Type | Description | Required |
---|---|---|---|
source |
Source |
Source specifies the source of a request. | No |
Rule.To
To includes a list of operations.
Field | Type | Description | Required |
---|---|---|---|
operation |
Operation |
Operation specifies the operation of a request. | No |
Source
Source specifies the source identities of a request. Fields in the source are ANDed together.
For example, the following source matches if the principal is admin
or dev
and the namespace is prod
or test
and the ip is not 203.0.113.4
.
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
notIpBlocks: ["203.0.113.4"]
Field | Type | Description | Required |
---|---|---|---|
principals |
string[] |
Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of "<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>" , for example, "cluster.local/ns/default/sa/productpage" . This field requires mTLS enabled and is the same as the source.principal attribute.If not set, any principal is allowed. |
No |
notPrincipals |
string[] |
Optional. A list of negative match of peer identities. | No |
namespaces |
string[] |
Optional. A list of namespaces derived from the peer certificate. This field requires mTLS enabled and is the same as the source.namespace attribute.If not set, any namespace is allowed. |
No |
notNamespaces |
string[] |
Optional. A list of negative match of namespaces. | No |
ipBlocks |
string[] |
Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. 203.0.113.4 ) and CIDR (e.g. 203.0.113.0/24 ) are supported. This is the same as the source.ip attribute.If not set, any IP is allowed. |
No |
notIpBlocks |
string[] |
Optional. A list of negative match of IP blocks. | No |
Operation
Operation specifies the operations of a request. Fields in the operation are ANDed together.
Field | Type | Description | Required |
---|---|---|---|
ports |
string[] |
Optional. A list of ports as specified in the connection.If not set, any port is allowed. | No |
notPorts |
string[] |
Optional. A list of negative match of ports as specified in the connection. | No |