Discovering APIs on Istio

Instructions on how to discover your APIs deployed on Kubernetes with Istio

API discovery with Istio Authorizer

The ACP Istio Authorizer supports automatic service discovery based on the OpenAPI specification. A service can use the services.k8s.cloudentity.com/spec-url annotation on its deployment resource to specify a URL where its OpenAPI or Proto specification is available, for example:

kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
  namespace: default
  annotations:
    services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"

Istio Authorizer scans deployments. When it finds the annotation described above, it fetches the specification, parses it to get the list of APIs that the service exposes, and sends this information to ACP.

By default, Istio Authorizer is configured to perform service discovery only in the default namespace. To have it perform service discovery in more namespaces, list them by adding the --namespace default,my-custom-ns flag to the args of the istio-authorizer deployment in manifest.yaml.
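
The following Python script is an added example, not part of the original page or of the authorizer's code. It audits a deployment listing for the spec-url annotation and reports which annotated deployments sit outside the namespaces passed to --namespace. The function name audit_discovery, the sample deployments orders and plain, and the HTTPS check are assumptions of this example.

```python
import json
from urllib.parse import urlparse

SPEC_URL_ANNOTATION = "services.k8s.cloudentity.com/spec-url"

# Constructed sample shaped like `kubectl get deployments -A -o json` output.
# "hello" is the page's example; "orders" and "plain" are made up for this audit.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "hello", "namespace": "default", "annotations": {
     "services.k8s.cloudentity.com/spec-url":
     "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"}}},
  {"metadata": {"name": "orders", "namespace": "my-custom-ns", "annotations": {
     "services.k8s.cloudentity.com/spec-url": "http://specs.example.com/orders.yaml"}}},
  {"metadata": {"name": "plain", "namespace": "default"}}
]}
""")


def audit_discovery(deployment_list, discovery_namespaces=("default",)):
    """Return one finding per deployment that carries the spec-url annotation.

    discovery_namespaces mirrors the authorizer's --namespace flag value.
    """
    findings = []
    for item in deployment_list.get("items", []):
        meta = item.get("metadata", {})
        url = (meta.get("annotations") or {}).get(SPEC_URL_ANNOTATION)
        if url is None:
            continue  # not opted in to discovery
        ns = meta.get("namespace", "default")
        notes = []
        if ns not in discovery_namespaces:
            notes.append("namespace not scanned")  # annotation has no effect here
        if urlparse(url).scheme != "https":
            notes.append("spec not fetched over https")  # spec could be altered in transit
        findings.append({"namespace": ns, "name": meta.get("name"),
                         "spec_url": url, "notes": notes})
    return findings


if __name__ == "__main__":
    for f in audit_discovery(SAMPLE, ("default",)):
        print(f["namespace"], f["name"], f["spec_url"], "; ".join(f["notes"]) or "ok")
```

To run it against a real cluster, replace SAMPLE with the parsed output of kubectl get deployments -A -o json and pass the same namespace list that the istio-authorizer deployment uses.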

Further reading

The ACP Istio Authorizer uses Istio's external authorization with a custom action and the Authorization Policy feature.