Discovering APIs on Istio
Understand the principles behind the discovery of APIs deployed on Kubernetes with Istio by ACP.
API discovery with Istio Authorizer
ACP Istio Authorizer supports automatic service discovery based on the OpenAPI specification.
Services hosting OpenAPI endpoints
For services that host an OpenAPI endpoint, you can provide this endpoint's path as the value of the openAPIEndpoint parameter in Istio Authorizer's configuration. This instructs Istio Authorizer to add the path to the whitelist, so that API discovery can reach the endpoint without being blocked by the authorization layer.
A service can use the services.k8s.cloudentity.com/spec-url annotation on a deployed k8s resource to specify a URL where its OpenAPI or Proto specification is available, for example:
kind: Deployment
metadata:
  name: hello
  labels:
    app: hello
  namespace: default
  annotations:
    services.k8s.cloudentity.com/spec-url: "https://raw.githubusercontent.com/OAI/OpenAPI-Specification/master/examples/v3.0/petstore.yaml"
Istio Authorizer scans k8s deployments and, once it has found the annotation described above, it fetches the specification, parses it to get the list of APIs that the service exposes, and then sends this information to ACP.
By default, Istio Authorizer is configured to perform service discovery only in the default namespace. To make Istio Authorizer perform service discovery in other namespaces, edit the values.yaml file. In the data.config section, add your namespaces:
discovery:
  namespaces:
    - default
    - namespace1
    - namespace2
With the above settings, Istio Authorizer performs service discovery in all of the following namespaces: default, namespace1, and namespace2.
Istio Authorizer API discovery configuration
To learn how you can configure API discovery for Istio Authorizer, see its configuration reference.
Further reading
The ACP Istio Authorizer uses Istio external authorization with the custom action and Authorization Policy features.