Istio Authorizer configuration reference
Learn how to configure your Istio Authorizer's settings to adjust the authorizer's behavior to your needs.
About Istio Authorizer configuration
Istio Authorizer configuration changes are done by adjusting the Istio Authorizer’s values.yaml file and upgrading your Helm Chart release. To know which settings are available for your authorizer, see the Configuration reference section.
Commonly used properties, for example issuerURL, client credentials, and more, are available as top-level properties.
The following snippet shows a simple configuration with some of the popular options set.
parseBody:
  enabled: true
discovery:
  enabled: true
  namespaces:
    - default
extraConfig:
  acp:
    reload_interval: 1m0s # reload interval
  enforcement:
    allow_unknown: false
Values case
Note that top-level settings are provided using camelCase, while settings in the extraConfig value are provided with underscores (snake_case).
If you want to change more advanced settings of the authorizer, use the extraConfig value. Properties in the extraConfig value correspond to the raw configuration passed to the istio-authorizer binary.
Configuration order
Properties defined through top-level properties take precedence over configuration provided in the extraConfig value.
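Because extraConfig is passed through to the binary as raw configuration, a misspelled key (such as allow_unkown instead of allow_unknown) is not a Helm error; it simply leaves the documented default in force. The following lint is an added example, not code from the Istio Authorizer chart or its documentation. It assumes that unknown keys are silently ignored, embeds a constructed subset of the Configuration reference as the allowed key set, and flags the settings on that reference which weaken transport or enforcement guarantees (insecure_skip_verify, allow_unknown, dangerous_disable_tls) whenever they are set to true, regardless of their default. The YAML parser is a hypothetical helper for the block-style subset used in values.yaml.

```python
# Constructed subset of the configuration reference (keys and documented defaults).
REFERENCE = {
    "acp": {
        "reload_interval": "1m0s",
        "issuer_url": "",
        "client_id": "",
        "client_secret": "",
        "force_introspection": False,
        "http_client": {"timeout": "10s", "root_ca": "", "insecure_skip_verify": False},
    },
    "metrics": {"enabled": False, "port": 9000},
    "enforcement": {"allow_unknown": False},
    "discovery": {"enabled": True, "namespaces": []},
    "http_server": {"port": 9002, "dangerous_disable_tls": True},
}

# Settings that weaken transport or enforcement guarantees when set this way.
RISKY = {
    "acp.http_client.insecure_skip_verify": lambda v: v is True,  # no cert check towards the issuer
    "enforcement.allow_unknown": lambda v: v is True,              # requests with no matching rule pass
    "http_server.dangerous_disable_tls": lambda v: v is True,      # plaintext HTTP server
}

# Constructed extraConfig fragment with one typo (allow_unkown) and two risky settings.
SAMPLE_EXTRA_CONFIG = """\
acp:
  reload_interval: 1m0s # reload interval
  http_client:
    insecure_skip_verify: true
enforcement:
  allow_unkown: false
discovery:
  enabled: true
  namespaces:
    - default
http_server:
  dangerous_disable_tls: true
"""


def _scalar(raw):
    """Convert a YAML scalar: booleans, quoted strings, integers, else the text itself."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_simple_yaml(text):
    """Hypothetical helper for the block-style subset used in values.yaml: `key: value`,
    nested mappings by indentation, `- item` lists indented deeper than their key, and
    `# comments`. Use a real YAML library for anything beyond that."""
    root = {}
    stack = [(-1, root, None, None)]  # (indent, container, parent, key in parent)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()
        _, container, parent, key = stack[-1]
        if body.startswith("- "):
            if isinstance(container, dict):  # first item: the pending key holds a list
                container = []
                parent[key] = container
                stack[-1] = (stack[-1][0], container, parent, key)
            container.append(_scalar(body[2:].strip()))
            continue
        name, _, value = body.partition(":")
        value = value.strip()
        if value == "":  # a nested mapping or list follows on deeper-indented lines
            child = {}
            container[name] = child
            stack.append((indent, child, container, name))
        else:
            container[name] = _scalar(value)
    return root


def unknown_keys(reference, candidate, path=""):
    """Dotted paths in `candidate` that the reference does not define (likely typos)."""
    found = []
    for key, value in candidate.items():
        here = f"{path}.{key}" if path else key
        if key not in reference:
            found.append(here)
        elif isinstance(value, dict) and isinstance(reference[key], dict):
            found.extend(unknown_keys(reference[key], value, here))
    return found


def risky_settings(candidate):
    """Dotted paths whose configured value trips one of the RISKY predicates."""
    hits = []
    for dotted, is_risky in RISKY.items():
        node = candidate
        for part in dotted.split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if is_risky(node):
            hits.append(dotted)
    return hits


def lint(text):
    """Parse an extraConfig block and return its unknown keys and risky settings."""
    config = parse_simple_yaml(text)
    return {"unknown": unknown_keys(REFERENCE, config), "risky": risky_settings(config)}


if __name__ == "__main__":
    for kind, paths in lint(SAMPLE_EXTRA_CONFIG).items():
        for path in paths:
            print(f"{kind}: {path}")
```

Run against the constructed sample, the lint reports enforcement.allow_unkown as unknown and flags insecure_skip_verify and dangerous_disable_tls. Note that the misspelled enforcement key is never seen by the risky-settings pass at all, which is exactly why the unknown-key check has to come first: the binary keeps its default for allow_unknown and the operator's intent is lost silently.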
Apply your changes to the configuration using helm upgrade release-name chart-name -f ValuesYamlFile. See the example below:
helm upgrade istio-authorizer acp/istio-authorizer \
  --values ./values/istio-authorizer.yaml \
  --namespace acp-istio-authorizer \
  --timeout 5m \
  --wait
Helm upgrade help
If you need help with upgrading Helm Charts, run the helm upgrade --help command in your terminal.
Use policy and request metrics
To enable the metrics endpoint for Istio Authorizer, adapt the metrics parameter in values.yaml as follows:
metrics:
  enabled: true # enable metrics endpoint
  port: 9000 # metrics endpoint port
As a result, after Istio deployment, the /metrics endpoint can be queried on Istio Authorizer to return the acp_authorizer_policy_duration_seconds and acp_authorizer_request_duration_seconds histograms.
acp_authorizer_policy_duration_seconds shows the number of policy validation requests within specific time length ranges (for example, {name="nist-aal-1_system_api",le="0.001"} 2 means there were 2 requests processed by the nist-aal-1_system_api policy that took between 0.001 and the next threshold, which is 0.01s).
acp_authorizer_request_duration_seconds represents requests made to specific API groups.
Below you can find the sample query output.
curl -sSLk -D - http://localhost:9000/metrics
HTTP/1.1 200 OK
Content-Type: text/plain; version=0.0.4; charset=utf-8
Date: Thu, 21 Apr 2022 22:43:29 GMT
Transfer-Encoding: chunked
# HELP acp_authorizer_policy_duration_seconds
# TYPE acp_authorizer_policy_duration_seconds histogram
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.001"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.01"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.05"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.1"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.5"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="1"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="+Inf"} 2
acp_authorizer_policy_duration_seconds_sum{name="nist-aal-1_system_api"} 4.1651e-05
acp_authorizer_policy_duration_seconds_count{name="nist-aal-1_system_api"} 2
# HELP acp_authorizer_request_duration_seconds
# TYPE acp_authorizer_request_duration_seconds histogram
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.001"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.01"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.05"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.1"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.5"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="1"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="+Inf"} 3
acp_authorizer_request_duration_seconds_sum{group="api-group-id"} 5.3740000000000004e-05
acp_authorizer_request_duration_seconds_count{group="api-group-id"} 3
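Reading these histograms by hand is error-prone because Prometheus `le` buckets are cumulative: the le="0.001" bucket counts every observation at or below 0.001 s, each following bucket includes everything below it, and the +Inf bucket must equal the _count sample. The script below is an added example, not code from the Istio Authorizer project; it parses the text exposition format shown above (the sample is constructed in that shape, with counts varied so the arithmetic has something to show), converts the cumulative buckets into per-range counts, derives the mean latency from _sum and _count, and checks the series for internal consistency, which is a cheap sanity check before alerting on these numbers.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the /metrics output above.
SAMPLE_METRICS = """\
# HELP acp_authorizer_policy_duration_seconds
# TYPE acp_authorizer_policy_duration_seconds histogram
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.001"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.01"} 2
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.05"} 3
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.1"} 3
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="0.5"} 4
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="1"} 4
acp_authorizer_policy_duration_seconds_bucket{name="nist-aal-1_system_api",le="+Inf"} 5
acp_authorizer_policy_duration_seconds_sum{name="nist-aal-1_system_api"} 1.3
acp_authorizer_policy_duration_seconds_count{name="nist-aal-1_system_api"} 5
# HELP acp_authorizer_request_duration_seconds
# TYPE acp_authorizer_request_duration_seconds histogram
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="0.01"} 3
acp_authorizer_request_duration_seconds_bucket{group="api-group-id",le="+Inf"} 3
acp_authorizer_request_duration_seconds_sum{group="api-group-id"} 0.006
acp_authorizer_request_duration_seconds_count{group="api-group-id"} 3
"""

# One exposition sample: <metric>_<bucket|sum|count>{labels} value
SAMPLE_RE = re.compile(
    r'^(?P<metric>[A-Za-z_:][A-Za-z0-9_:]*)_(?P<kind>bucket|sum|count)'
    r'\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)$'
)
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


def parse_histograms(text):
    """Group _bucket/_sum/_count samples per (metric, labels without `le`)."""
    hists = defaultdict(lambda: {"buckets": {}, "sum": 0.0, "count": 0})
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if not m:  # HELP/TYPE comments and anything that is not a histogram sample
            continue
        labels = dict(LABEL_RE.findall(m["labels"]))
        le = labels.pop("le", None)
        key = (m["metric"], tuple(sorted(labels.items())))
        value = float(m["value"])
        if m["kind"] == "bucket":
            hists[key]["buckets"][float(le)] = value  # float("+Inf") parses to inf
        elif m["kind"] == "sum":
            hists[key]["sum"] = value
        else:
            hists[key]["count"] = int(value)
    return dict(hists)


def per_range_counts(buckets):
    """`le` buckets are cumulative: observations in (previous bound, bound] are the
    difference between neighbouring buckets."""
    ranges, prev_bound, prev_count = [], 0.0, 0.0
    for bound in sorted(buckets):
        ranges.append((prev_bound, bound, int(buckets[bound] - prev_count)))
        prev_bound, prev_count = bound, buckets[bound]
    return ranges


def is_consistent(hist):
    """Buckets must be non-decreasing and the +Inf bucket must equal _count."""
    counts = [hist["buckets"][b] for b in sorted(hist["buckets"])]
    non_decreasing = all(a <= b for a, b in zip(counts, counts[1:]))
    return non_decreasing and hist["buckets"].get(float("inf")) == hist["count"]


def mean_seconds(hist):
    """Mean observed duration; zero when nothing has been observed yet."""
    return hist["sum"] / hist["count"] if hist["count"] else 0.0


def report(text):
    """Per series: non-cumulative range counts, mean latency and a consistency flag."""
    out = {}
    for (metric, labels), hist in parse_histograms(text).items():
        series = ",".join(f'{k}="{v}"' for k, v in labels)
        out[f"{metric}{{{series}}}"] = {
            "ranges": per_range_counts(hist["buckets"]),
            "mean_seconds": mean_seconds(hist),
            "consistent": is_consistent(hist),
        }
    return out


if __name__ == "__main__":
    for series, info in report(SAMPLE_METRICS).items():
        state = "ok" if info["consistent"] else "INCONSISTENT"
        print(f"{series} mean={info['mean_seconds']:.4f}s {state}")
        for lo, hi, n in info["ranges"]:
            print(f"  ({lo}, {hi}]: {n}")
```

For the constructed policy series this yields 2 requests at or under 0.001 s, none in (0.001, 0.01], one in (0.01, 0.05], one in (0.1, 0.5] and one above 1 s, with a mean of 0.26 s. The same grouping works for acp_authorizer_request_duration_seconds, since the series key is built from whatever labels remain after `le` is removed (the `group` label in that case).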
Configuration reference
# acp
acp:
  reload_interval: 1m0s # reload interval
  reload_timeout: 30s # reload configuration timeout
  issuer_url: https://localhost:8443/sample/system # issuer url
  client_id: bqesdrc4m4co2s81mpu0 # client id
  client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
  tenant_id: "" # tenant id
  server_id: "" # server id
  force_introspection: false # force token introspection even for jwts
  # http client
  http_client:
    timeout: 10s # http client timeout
    retry_wait_min: 0s # minimum time to wait between retries
    retry_wait_max: 0s # maximum time to wait between retries
    retry_max: 0 # maximum number of retries
    root_ca: "" # root ca that this client should trust (defaults to system root ca)
    insecure_skip_verify: false # disable cert verification
    disable_follow_redirects: false # disable follow redirects
    disable_retry: true # disable retry
# metrics
metrics:
  enabled: false # enable metrics endpoint
  port: 9000 # metrics endpoint port
# analytics
analytics:
  enabled: true # when enabled, events are sent to audit log
  # event format
  event_format:
    include_policy_output: false # when enabled, policy evaluation output is sent to audit log
  # sampling
  sampling:
    probability: 1 # Probability of an event to be published (0.0-1.0)
  batch_inverval: 1s # Max duration to wait for a batch to publish
  batch_limit: 100 # Max number of events in a batch
  limit: 5 # Max number of batches per second to be published
  timeout: 5s # Timeout for a single batch to send
  workers: 8 # Number of sending workers
# cache
cache:
  ttl: 10s # ttl
  max_size: 100 # max size
# logging config
logging:
  level: info # log level severity
# token exchange config
token_exchange:
  enabled: false # enable token exchange
  # cache
  cache:
    ttl: 1m0s # ttl
    max_size: 1000 # max size
  # inject config (supported only for istio authorizer)
  inject:
    mode: "" # Defines what token should be sent to the target service when token is exchanged
    # headers config
    headers:
      exchanged_token: "" # Defines the name of the header that contains an exchanged token.
      original_token: "" # Defines the name of the header that contains an original token.
      strip_bearer: false # Allows to strip the bearer prefix in headers
# enforcement config
enforcement:
  allow_unknown: false # allow requests with no matching rule
# discovery config
discovery:
  enabled: true # when true, API discovery is enabled
  timeout: 10s # discovery process timeout
  interval: 30s # how often discovery is performed
  disable_proxy: false # disable proxy in discovery
  open_api_endpoint: "" # if your service is self-hosting an OpenAPI endpoint, provide the path to this endpoint so that Istio Authorizer can call it and automatically discover your APIs
  # discover services in the given namespaces
  namespaces:
    - default
  grpc_reflection_calls: false # allow grpc reflection calls
# http server
http_server:
  port: 9002 # http port
  dangerous_disable_tls: true # disables TLS
  # certificate configuration
  certificate:
    password: "" # key passphrase
    cert_path: "" # path to the certificate PEM file
    key_path: "" # path to the key PEM file
    cert: "" # base64 encoded cert PEM
    key: "" # base64 encoded key PEM
    generated_key_type: "" # type for generated key if cert and key are not provided (rsa or ecdsa)
    client_auth_type: 0 # client auth type
# grpc server
grpc_server:
  port: 9001 # gRPC port
# target service config
target_service:
  # inject config
  inject:
    # headers config
    headers:
      custom_data_prefix: x-output- # custom data header name prefix used to propagate global variables defined in a policy
      auth_ctx: x-auth-ctx # header name containing base64 encoded authentication context json object
trust_domain: cluster.local
kubeconfig: "" # absolute path to the kubeconfig file