Dynamic Authorization and API Discovery for Istio

Discover the use of dynamic authorization and API discovery for Istio

In a nutshell

Istio service mesh is designed to address the challenges that come with the transition of monolythic applications towards a distributed microservice architecture by providing the right infrastructure.

Istio as a service mesh implementation offloads developers from solving repeatable problems within microservices themselves. It also provides DevOps engineers and administrators with tools they need to effectively operate, manage, and secure distributed applications at scale.

ACP-Istio Integration

Key benefits

Below, you can find a list of key benefits that come with integrating ACP and Istio:

  • Dynamic externalized authorization for the service mesh,
  • Microservice level API discovery,
  • Unified authorization for microservices in the mesh and beyond,
  • Authorization server integration.

Istio and externalized authorization

Istio provides necessary infrastructure required for building zero trust network for applications running on the container orchestration platforms. It encompasses service identity provisioning as well as authentication and authorization to provide secure service-to-service communication within the mesh.

Service identity provisioning and service-to-service authentication are inherent Istio capabilities. Istio comes with its own basic authorization engine, but it allows externalized authorization decisioning.

Authorization is vast enough to be addressed by specialized products. Its requirements are in particular driven by frequently non-trivial real-life use cases and security requirements. To satisfy those requirements authorization products need a much broader context and become part of a much broader ecosystem than a service mesh. Istio externalizes authorization decisioning so that those requirements may be easily satisfied by products built for that. It delivers elements related to the service mesh that authorization decisioning needs, for example, service identity, authentication, enforcement points, and infrastructure to pass the context to the authorization engine.

Cloudentity is focused on authorization for APIs. It integrates with Istio and acts as an externalized authorization engine for distributed applications running on Istio and Kubernetes.

Authorization and microservices API

ACP Api Gateway Management with Istio

An effective authorization policy that controls resource access is usually distributed between an authorization server and a resource server. In a distributed application system, resource servers are composed of microservices that expose certain APIs for external consumption. It implies that an effective authorization policy is not limited to the edge gateway, but spans deeper into an individual microservice participating in the request handling and its API.

Authorization Control Plane provides comprehensive and easy to govern authorization for APIs. Policies at the authorization server level and those applicable at edge APIs, or microservice APIs, are managed centrally.

ACP needs to know about all APIs to let easily assign authorization policies to each one of them, and to provide visibility and governance. It discovers APIs by pulling this information from the API management software or by importing Swagger files during deployment pipeline execution.

Below, you can find a screenshot of the ACP API Gateway Management screen.

ACP Gateway Management

Istio is not an API management tool and APIs are not Istio first subject of concern. Istio authorization policies are assigned to workloads and not APIs. Policies include filtering based on the request paths and methods.

ACP provides authorization for microservice APIs and edge APIs maintaining unified developer experience. Istio is one of the API gateways that ACP integrates with out of the box. To learn more about it, see the Creating the Istio Gateway documentation. In fact, when ACP integrates with Istio, it pulls information about microservices managed by it from Kubernetes. As Istio does not provide information about APIs exposed by the microservices, it is extracted from the provided OpenAPI specification. By doing that, ACP provides a tool for DevSecOps engineers that lets them effectively manage and govern authorization that spans across the service mesh and beyond.

Bringing dynamic authorization to Istio

ACP-Istio integration brings advanced authorization capabilities offered by ACP to distributed applications running on Istio.

The most notable capabilities are the following:

  • Distributed authorization with centralized management,
  • ABAC, RBAC, Fine-grained authorization,
  • Authorization policy governance,
  • API authorization unification across diversified environments,
  • WYSIWYG policy editor with ready to use building blocks, policy versioning, REGO based policies,
  • Policy decisioning context (for example, user, security feed, request, threat analytics),
  • Policy callouts to external APIs.

ACP policies

Unified authorization for microservices in the mesh and beyond

ACP is comprehensively focused on APIs authorization irrespective of what type of service exposes them and how it is deployed. Integration with Istio does not impact availability of other integration patterns with microservices and services that are not part of the zero trust network.

APIs of services that are not a part of the zero trust network may be protected by other enforcement points. Services may also make calls to the policy decision point APIs directly themselves. It can be managed using a single ACP workspace or distributed among multiple workspaces and tenants if needed.

Authorization server and Istio

ACP provides comprehensive authorization for APIs. Each ACP workspace contains an authorization server instance. Each workspace has a collection of authorization polices and APIs exposed through the gateways that the workspace is connected to. Authorization policies can be assigned and enforced at the authorization server level and/or endpoint level. It is sole solution implementer’s decision whether Cloudentity is used for the first, the latter, or both.

When ACP is integrated with Istio, it primarily does externalized policy decisioning at the endpoint level enforced by the proxies provided by Istio. Beyond this service-to-service authorization use case, it also covers authorization and authentication use cases related to the consumption of externally exposed APIs.

To do that, ACP is integrated as an authorization server/OpenID Connect Provider that mints tokens utilized for request authentication by Istio. Authorization server instance associated with each ACP workspace comes with rich authorization capabilities and attribute mapping capabilities. It gives freedom in shaping subject attributes delivered to externally facing APIs.

Application of both integration patterns in conjunction is recommended to get the most value out of ACP in terms of access control and authorization governance. It is because, in such a setup, ACP allows to manage effective API authorization centrally and enforce it in a distributed fashion. Such API authorization includes also “preauthorization” happening at the authorization server level that may encompass user consent, transaction authorization, ABAC, RBAC, and others.

GitOps

ACP, when integrated with Istio, brings GitOps approach microservice mesh authorization making it an ideal tool for DevSecOpses. Authorization policies are stored in Git repositories, and when a policy is changed, ACP will pull the changes from the Git repository. This practice makes policies easy to version and use in DevSecOps pipelines. At the same time, policies are easy to audit and design using a visual editor.