Installing Istio Authorizer
This article provides instructions on how to install ACP's Istio Authorizer in Kubernetes to enforce access control for services and APIs deployed behind the Istio Service Mesh.
Installation alternative
As an alternative to this procedure, you can install both Istio Service Mesh and Istio Authorizer using the ACP on k8s repository which provides simple deployment commands you can use out of the box.
Prerequisites
-
Kubernetes version 1.14 or subsequent
-
Kubernetes cluster is set up.
Setting up k8s cluster
You can set up a Kubernetes cluster locally using kind.
GO111MODULE="on" go get sigs.k8s.io/kind@v0.9.0 && kind create cluster
-
Istio version 1.9 or subsequent is installed and up and running.
-
Istio Sidecar is installed.
Injecting Istio Sidecar
To configure Istio proxies, you need to inject Istio Sidecar to pods running in your Istio Service Mesh. It can be done either automatically at pod creation and using admission controller, or manually at any given time.
Cloudentity recommends using automatic sidecar injection and setting the
istio-injection
flag toenabled
for any namespace that contains the services you wish to protect with Istio Authorizer. -
Helm version 3.0 or subsequent
Create Istio Authorizer in ACP
-
In the workspace of your choice, select go to ENFORCEMENT > AUTHORIZERS > CREATE GATEWAY.
-
Select Istio, enter the name and the description for your authorizer, and select NEXT.
-
In the Gateway Management view, go to the QUICK START tab and proceed as follows:
-
Install Istio Authorizer using Helm chart:
helm repo add acp https://charts.cloudentity.io && helm repo update helm upgrade --install istio-authorizer acp/istio-authorizer \ --set clientCredentials.clientID={yourClientIdentifier} \ --set clientCredentials.clientSecret={yourClientSecret} \ --set issuerURL={yourIssuerURL} \ --set "discovery.namespaces={default}" \ --namespace acp-istio-authorizer \ --create-namespace
You can find this command with the arguments filled for you in the QUICKSTART view for your authorizer instance.
The
clientCredentials.clientID
,clientCredentials.clientSecret
, andissuerURL
parameters are used in the client credentials OAuth grant type to authenticate your authorizer’s requests to, for example, fetch authorization policies from ACP.The
clientCredentials.clientID
argument should point to the client identifier of the client application created for your authorizer in the System workspace of your tenant. You can find the client identifier in the Settings view for your authorizer.The
clientCredentials.clientSecret
argument should point to the client secret of the client application created for your authorizer in the System workspace of your tenant. You can find the client secret in the Settings view for your authorizer.Credentials security
For production environments, you should create Kubernetes secrets manually that are responsible for storing your credentials values.
To increase security of secrets stored in your repository, it is recommended to encrypt your Kubernetes secrets. You can use tools like Mozilla SOPS or Bitnami Sealed Secrets to encrypt your secrets.
When the secrets are applied to your Kubernetes deployment, the secrets are visible as plain text. Anyone who is authorized to create a Pod in a namespace can read any secret in that namespace; this includes indirect access such as the ability to create a Deployment. To mitigate the risks, Kubernetes recommends to:
-
Enable encryption at Rest for secrets.
-
Enable or configure RBAC rules that restrict reading data in secrets.
-
Where appropriate, use mechanisms such as RBAC to limit which principals are allowed to create or replace secrets.
To learn more, visit Kubernetes secrets documentation.
The
issuerURL
argument should point to the issuer URL of your Istio Authorizer client application created within the System workspace of your tenant. You can find the issuer URL in the Settings view for your authorizer. If you are using a vanity domain for your ACP tenant and it is impossible to retrieve the tenant’s and server’s identifier from the URL, provide values for thetenantID
andserverID
parameters in yourvalues.yaml
file.The
discovery.namespaces={default}
parameter is responsible for providing the namespaces where Istio Authorizer performs the service discovery. By default, Istio Authorizer performs discovery only in thedefault
namespace. You can add a comma-separated list of namespaces as the value for thediscovery.namespaces
parameter provided that those namespaces already exist, for example,discovery.namespaces={default,example1,example2}
. If you wish to know more, see the Discovering APIs on Istio article.Configuration reference
If you need to change your Istio Authorizer settings, see configuration reference.
Result
Istio Authorizer scans deployments in configured namespaces and funnels information about discovered APIs to ACP. Note that if you didn’t deploy any services yet, there’s nothing to discover. To quickly deploy a sample HTTP/gPRC service, follow:
-
-
Add Istio Authorizer as extension provider to Istio
To delegate access control enforcement to your Istio Authorizer, you need to define it as an external authorization provider for your Istio Service Mesh.
-
Edit the mesh configuration using the following command:
kubectl edit configmap istio -n istio-system
-
Define ACP Authorizer using extension providers, for example:
data: mesh: |- extensionProviders: - name: "acp-authorizer" envoyExtAuthzGrpc: service: "istio-authorizer.acp-istio-authorizer.{cluster-name}" port: "9001"
The
{cluster-name}
variable should point to your cluster name, for example,svc.cluster.local
. -
Restart Istio to apply the changes:
kubectl rollout restart deployment/istiod -n istio-system
Deploy and protect services
With Istio Authorizer installed and attached to Istio Service Mesh as an external authorization provider, you can:
Parsing request bodies
For HTTP services, ACP supports parsing request bodies. It can be used, for example, to write an authorization policy that checks request bodies.
If you wish to parse request bodies, you need to set the parseBody.enabled
flag to
true
in the values.yaml
file for your authorizer.
Related articles
Having created a k8s cluster with Istio, you can