Discovering APIs on Istio
Instructions on how to discover your APIs deployed on Kubernetes with Istio
API discovery with Istio Authorizer
The ACP Istio Authorizer supports the automatic service discovery based on OpenAPI specification.
A service can use the services.k8s.cloudentity.com/spec-url
annotation on a deployment resource
to specify an url where its OpenAPI or Proto specification is available, for example:
kind: Deployment
metadata:
name: hello
labels:
app: hello
namespace: default
annotations:
services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
Istio Authorizer scans deployments and once it finds the annotation described above, it fetches the specification, parses it to get a list of APIs that a service is exposing, and then it’s sending this information to ACP.
By default, Istio Authorizer is configured to perform the service
discovery only in the default namespace. To make Istio Authorizer perform the service
discovery in more namespaces, configure them by adding the --namespace default,my-custom-ns
flag to args
of the istio-authorizer
deployment in
manifest.yaml
.
Further reading
The ACP Istio Authorizer is using Istio external authorization with custom action and Authorization Policy features.