Deploying and protecting gRPC services
Instructions on how to deploy and protect gRPC services.
About gRPC
gRPC is an open source Remote Procedure Call (RPC) framework that efficiently connects services in and across data centers while maintaining high performance. gRPC uses protocol buffers as both its Interface Definition Language (IDL) and its underlying message interchange format.
gRPC makes it easier to build distributed applications and services, because a client application can call methods on a server application running on a different machine as if they were local objects. Like many RPC systems, gRPC is based on defining a service and specifying the methods that can be called remotely, together with their parameters and return types. The server implements that interface and runs a gRPC server that handles requests coming from client applications. In this tutorial the server is the sample service deployed below, and ACP, through its Istio authorizer, enforces authorization policy on calls to it.
Prerequisites
Deploy and protect sample service
- Deploy a sample gRPC service using the following command:
kubectl apply -f https://raw.githubusercontent.com/cloudentity/acp-on-k8s/master/examples/fortune-teller/deployment.yaml
- Apply the policy:
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: acp-authorizer
  namespace: default
spec:
  action: CUSTOM
  provider:
    name: acp-authorizer
  rules:
  - {}
EOF
Note
In the example above, the empty rule ({}) matches every request, so the policy applies to all services in the default namespace. Take a look at Authorization Policy if you would like to protect only a specific service.
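To protect only the sample fortune-teller workload rather than every service in the default namespace, the CUSTOM policy can carry a workload selector and a rule scoped to the service's gRPC methods. The following script is an added example and not a manifest from the Cloudentity acp-on-k8s repository; it assumes the fortune-teller pods carry the label app=fortune-teller (check with kubectl get pods --show-labels and pass the real value) and that the service listens on port 50051 with methods under build.stack.fortune.FortuneTeller, as in the grpcurl call later on this page.

```shell
#!/bin/sh
# Added example (not from the Cloudentity acp-on-k8s repository).
# Emits an Istio AuthorizationPolicy that sends only the fortune-teller
# workload's gRPC calls to the ACP authorizer, instead of every request in
# the namespace. Assumption: the workload's pods are labelled app=<value>;
# the default "fortune-teller" is a guess, so pass the real label value.
scoped_policy_manifest() {
  workload_label="${1:-fortune-teller}"
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: acp-authorizer-fortune-teller
  namespace: default
spec:
  # Only pods matching this selector are covered; other workloads in the
  # namespace keep whatever policy (or no policy) they already have.
  selector:
    matchLabels:
      app: ${workload_label}
  action: CUSTOM
  provider:
    name: acp-authorizer
  rules:
  # gRPC methods travel as HTTP/2 paths of the form /<package>.<Service>/<Method>,
  # so a path prefix scopes the rule to this service's methods on its gRPC port.
  - to:
    - operation:
        ports: ["50051"]
        paths: ["/build.stack.fortune.FortuneTeller/*"]
EOF
}

# Refuse to apply a policy whose selector matches no pods, so a mistyped
# label does not silently produce a policy that protects nothing.
# Needs kubectl and a live cluster.
apply_scoped_policy() {
  workload_label="${1:-fortune-teller}"
  matched=$(kubectl -n default get pods -l "app=${workload_label}" --no-headers 2>/dev/null | wc -l | tr -d ' ')
  if [ "${matched:-0}" -eq 0 ]; then
    echo "no pods in namespace default carry app=${workload_label}; refusing to apply" >&2
    return 1
  fi
  scoped_policy_manifest "${workload_label}" | kubectl apply -f -
}

# Usage against a live cluster: sh scoped-policy.sh --apply [label-value]
if [ "${1:-}" = "--apply" ]; then
  apply_scoped_policy "${2:-fortune-teller}"
fi
```

Keep in mind that narrowing the selector also narrows what is protected: requests to workloads the selector does not match are no longer sent to the ACP authorizer, and with no other Istio policy in place they are allowed, so every service that needs protection needs a policy that covers it.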
Connect a service
There are two ways to connect Istio API groups to ACP services: starting from the gateway to be connected or starting from the service that you want to connect.
From the gateway
- From the list of available gateways, select your newly-created Istio gateway and go to its APIs tab.
Result
A list of imported API groups opens.
- From the list of API groups available, select an API group and, from its drop-down menu, pick a service to which you’d like to connect the API group.
Note
You can connect the API group to an existing service or to a new one you create; both options are available from the same service drop-down menu.
From the service
- Select APIs from the left sidebar and go to the AUTHORIZATION tab.
- Pick a service that you want to connect and select ADD GATEWAY API for the selected service.
- In the Connect Istio API Group popup window, select an API gateway and an API group to be connected. Click CONNECT to proceed.
Result
In the APIS tab of the Gateway Management view, you can see which API groups are connected to which services.
Apply a sample policy
- Select APIs from the left sidebar and go to the AUTHORIZATION tab.
- Select a service protected by Istio and any API with authorization status None.
- In the Edit API popup window, select Policy from the dropdown list and click Update to proceed.
Result
You have successfully assigned a policy to your API.
Call deployed and protected service
To test your deployed and protected service, replace {YOUR_SERVICE_URL} with the service address and {METHOD} with the fully-qualified gRPC method, then execute the commands below. The grpcurl pod runs inside the mesh, so -plaintext is acceptable here: the Istio sidecars carry the traffic (and any mTLS) between pods, provided sidecar injection is enabled in the default namespace.
kubectl apply -f https://raw.githubusercontent.com/cloudentity/acp-on-k8s/master/examples/grpcurl/deployment.yaml
export SLEEP_POD=$(kubectl get pod -l app=grpcurl -o jsonpath='{.items..metadata.name}')
kubectl exec -it $SLEEP_POD -c grpcurl -- /grpcurl -plaintext {YOUR_SERVICE_URL} {METHOD}
Example
kubectl apply -f https://raw.githubusercontent.com/cloudentity/acp-on-k8s/master/examples/grpcurl/deployment.yaml
export SLEEP_POD=$(kubectl get pod -l app=grpcurl -o jsonpath='{.items..metadata.name}')
kubectl exec -it $SLEEP_POD -c grpcurl -- /grpcurl -plaintext fortune-teller-service.default:50051 build.stack.fortune.FortuneTeller/Predict
Note
grpcurl uses gRPC server reflection to discover the service's methods before calling them. By default the authorizer blocks calls to unknown APIs (APIs that were not discovered), and the reflection service is not one of the discovered APIs, so the call above is rejected. To be able to use grpcurl this way, run the authorizer with the --do-not-fail-on-non-matching-requests true flag. This turns a fail-closed default into a fail-open one, so use it for testing purposes only and remove the flag afterwards. If the service's .proto files are available, grpcurl can instead be given them with -proto and -import-path (or a compiled descriptor set with -protoset), so that it does not need reflection and the authorizer's default can stay in place.
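Because --do-not-fail-on-non-matching-requests true makes the authorizer let undiscovered APIs through, it is worth checking after testing that the flag did not stay in the authorizer's arguments. The following script is an added example, not a Cloudentity tool; it assumes the authorizer runs as a Kubernetes Deployment (the default names acp-authorizer and istio-system are guesses, so pass your own) and that the flag appears in the container args either as "--flag value" or as "--flag=value".

```shell
#!/bin/sh
# Added example (not a Cloudentity tool). Checks whether the ACP Istio
# authorizer is still running with --do-not-fail-on-non-matching-requests
# enabled, i.e. still letting undiscovered APIs (such as grpcurl's
# reflection calls) through instead of failing closed.

FLAG="--do-not-fail-on-non-matching-requests"

# authorizer_fail_closed ARGS
# ARGS is the container's argument list as one whitespace-separated string.
# Returns 0 when the authorizer is fail-closed (flag absent or set to false)
# and 1 when it is still in the permissive test mode. Both "--flag value"
# and "--flag=value" spellings are handled; a bare "--flag" counts as enabled.
authorizer_fail_closed() {
  # shellcheck disable=SC2086
  set -- $1   # word-splitting the argument string into tokens is intended
  while [ $# -gt 0 ]; do
    case "$1" in
      "$FLAG")
        if [ "${2:-}" = "false" ]; then return 0; fi
        return 1 ;;
      "$FLAG=false") return 0 ;;
      "$FLAG="*)     return 1 ;;
    esac
    shift
  done
  return 0
}

# check_live_authorizer [NAMESPACE] [DEPLOYMENT]
# Reads the deployment's container args from the cluster and reports whether
# the authorizer is fail-closed. The default namespace and deployment name
# are assumptions; pass the ones used by your installation.
check_live_authorizer() {
  ns="${1:-istio-system}"
  deploy="${2:-acp-authorizer}"
  args=$(kubectl -n "$ns" get deploy "$deploy" \
           -o jsonpath='{.spec.template.spec.containers[*].args[*]}') || return 2
  if authorizer_fail_closed "$args"; then
    echo "OK: $ns/$deploy fails closed on non-matching requests"
  else
    echo "WARNING: $ns/$deploy still has $FLAG enabled; remove it now that testing is done" >&2
    return 1
  fi
}

# Run the live check only when invoked as:
#   sh check-authorizer.sh --live [namespace] [deployment]
if [ "${1:-}" = "--live" ]; then
  check_live_authorizer "${2:-}" "${3:-}"
fi
```

The script exits non-zero when the permissive flag is still present, so it can sit in the same CI job that deploys the authorizer and fail the pipeline if someone promotes a test configuration.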