Deploying and protecting HTTP services

Instructions on how to deploy and protect HTTP services.

Prerequisites

Deploy and protect sample service

Deploy a sample HTTP service using the following command:

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin
spec:
  selector:
    app: httpbin
  ports:
  - port: 80
    name: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  labels:
    app: httpbin
  annotations:
    services.k8s.cloudentity.com/spec-url: "http://httpbin.org/spec.json"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      serviceAccountName: httpbin
      containers:
      - name: httpbin
        image: "kennethreitz/httpbin"
        ports:
        - containerPort: 80
          name: http
EOF

Connect a service

There are two ways to connect Istio API groups to ACP services: starting from the gateway to be connected or starting from the service that you want to connect.

From the gateway

  1. From the list of available gateways, select your newly-created Istio gateway and go to its APIs tab.

    Result

    A list of imported API groups opens.

  2. From the list of API groups available, select an API group and, from its drop-down menu, pick a service to which you’d like to connect the API group.

Note

You can connect the API group to an existing service or to a new one that you create. Both options are available from the same service drop-down menu.

From the service

  1. Select APIs from the left sidebar and go to the AUTHORIZATION tab.

  2. Pick a service that you want to connect and select ADD GATEWAY API for the selected service.

  3. In the Connect Istio API Group popup window, select an API gateway and an API group to be connected. Click CONNECT to proceed.

Result

In the APIS tab of the Gateway Management view, you can see which API groups are connected to services.

Apply a policy

Once ACP has discovered the APIs deployed behind your Istio gateway, you can protect those APIs with an ACP policy.

  1. Create an API policy:

  2. Select APIs from the left sidebar and go to the AUTHORIZATION tab.

  3. Select any Istio-protected API with authorization status Unrestricted. The policy selection form opens.

  4. In the policy selection form, select a policy from the dropdown list and click Update to proceed.

Result

You have successfully assigned a policy to your Istio API.

Call the deployed and protected service

To test your deployed and protected service, replace the placeholders and run the following commands:

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/sleep/sleep.yaml
export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath='{.items..metadata.name}')
kubectl exec -it "$SLEEP_POD" -c sleep -- curl {YOUR_SERVICE_URL}/{ENDPOINT}

Example

kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.9/samples/sleep/sleep.yaml
export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath='{.items..metadata.name}')
kubectl exec -it "$SLEEP_POD" -c sleep -- curl http://httpbin:80/deny

Verify that the request is blocked or passing in accordance with your applied policy.
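
An added example (not from the original page or from Cloudentity) that automates this check: it requests each URL from the sleep pod and compares the status code with the outcome you expect from the policy. The expectation list, the /get endpoint, and the mapping of 401/403 to "blocked" are assumptions; adjust them to your policy.

```shell
#!/bin/sh
# Added example: check observed responses against the outcome each policy should give.
# Assumption: a denied request returns 401 or 403; 2xx/3xx means it passed.

# Map an HTTP status code to allowed / blocked / other.
classify_status() {
  case "$1" in
    2??|3??) echo allowed ;;
    401|403) echo blocked ;;
    *)       echo other ;;   # 000 (no response), 404, 5xx: not a policy decision
  esac
}

# Return only the status code for a URL, requested from inside the sleep pod.
# stdin is detached so kubectl cannot swallow verify_policy's input.
probe_status() {
  kubectl exec "$SLEEP_POD" -c sleep -- \
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" </dev/null
}

# Constructed sample expectations, one "<expected> <url>" pair per line.
sample_expectations() {
  cat <<'EOF'
blocked http://httpbin:80/deny
allowed http://httpbin:80/get
EOF
}

# Read expectation pairs on stdin; exit status is non-zero on any mismatch.
verify_policy() (
  failures=0
  while read -r expected url; do
    [ -n "$expected" ] || continue
    code=$(probe_status "$url") || code=000
    actual=$(classify_status "$code")
    if [ "$actual" = "$expected" ]; then
      echo "OK   $url -> $code ($actual)"
    else
      echo "FAIL $url -> $code ($actual), expected $expected"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
)

# Usage: export SLEEP_POD as above, then: sample_expectations | verify_policy
```

A FAIL line for a URL you expected to be blocked means the policy is not being enforced on that path, which is the case worth wiring into a deployment check.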

Having deployed an HTTP service, you can now proceed to protect its APIs with ACP policies, using either Rego policies or the Cloudentity policy engine.