(Optional) Exercise 3: Authorization with Istio
Last updated
Was this helpful?
Last updated
Was this helpful?
This is an optional lab, run through it if time permits.
Besides authentication using mTLS, Istio can also provide authorization services:
End-user to workload
Workload to workload
The end-user to workload
authentication we handle in our example in the application code itself, you will learn about it in the last section of our workshop (Application security with Keycloak and Quarkus).
In this exercise we will learn how to apply authorization policies to further secure communication within the service mesh, workload to workload. In our example we will use to perform the authorization.
When you create a pod, if you do not specify a service account, it is automatically assigned the default
service account in the same namespace. You can check this for the articles
service:
Example output:
serviceAccount
:Result:
The articles pod indeed uses the default
service account.
Note: The image shows you in the
Kubernetes Dashboard
the two new service accounts. This is not a part of your hands-on tasks.
Result:
If you test the application in the browser it should work exactly the same as before.
First we apply an incomplete authorization policy to the articles service. It looks like this:
Istio documentation specifies: If any allow policies are applied to a workload, access to that workload is denied by default, unless explicitly allowed by the rule in the policy.
We have an "ALLOW" policy but no rule is specified which makes it effectively a "DENY ALL" rule.
Example output:
AuthorizationPolicy
Now we use a correct authorization poliy. It looks like this:
It allows GET
and POST
access to the articles service for the service account (sa) web-api
in namespace (ns) default
.
Apply with:
Check the application in the browser again. It may take a while for the policy to propagate to the Envoy but eventually you will see that the application works.
Now we using Istio
and Keycloak
at the same time.
Note: The image shows you in Kiali there is
AuthorizationPolicy
defined This is not a part of your hands-on tasks.
"Kiali is an observability console for Istio with service mesh configuration capabilities. It helps you to understand the structure of your service mesh by inferring the topology, and also provides the health of your mesh."
Execute following script to setup telemetry
Open a second IBM Cloud Shell terminal session
Execute the port-forward command in the new terminal session:
Result should indicate forwarding from port 3000 to port 20001.
Click on the "Eye" icon in the upper right corner of Cloud Shell and select port 3000.
This will open a new browser tab with the Kiali dashboard.
Log in with admin/admin
.
Open the Graph
tab, in Namespaces select all namespaces and in display ensure you have selected
security`
This graph shows the components of your microservices architecture. Explore the other tabs.
Congratulations, you have successfully completed this optional lab and you did the extra mile for
Platform security with mTLS
section of the workshop. Awesome :star: