Configure Istio Ingress Gateway to require header token using Authorization Policy

Question

I configured Istio Ingress Gateway to accept my URLs (using https) like microservices.myexample.com, grafana.myexample.com and so on.

Everything is working but all the urls are public.

Beacause of that I was asked to configure ingress gateway to protect urls inside microservices.myexample.com (Grafana has a login page). The idea is allow acess only if the request contains a token inside the header.

But when I applied this yml file all the URLs are blocked and they require the header including grafana.myexample.com:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: ingress
 namespace: istio-system
spec:
 selector:
   matchLabels:
     app: istio-ingressgateway
 rules:
 - from: []
   to:
    - operation:
        #paths: ["/customers*"] # I also tried with paths. Every microservice has a path after microservices.myexample.com 
        hosts: ["microservices.myexample.com"]
   when:
    - key: request.headers[token]
      values: ["test123"]

Edgar Peixoto · Accepted Answer · 2020-07-23T15:08:27.553

We did it.

Just in case if someone is stuck at the same problem. The following code will be applied to all services in mynamespace. All the urls will require the token except the ones ending with /actuator/health

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: token-authorization
  namespace: mynamespace
spec:
  rules:
  - to:
    - operation:
        paths: ["*/actuator/health"]
  - to:
    - operation:
        paths: ["/*"]
    when:
    - key: request.headers[token]
      values: ["test123"]

score 0 · Answer 2 · edited Jun 20 '20 at 09:12

0

This will not work.

This is because in Your AuthorizationPolicy the hosts under operation: does not support HTTPS protocol.

According to Istio documentation:

Optional. A list of hosts, which matches to the “request.host” attribute.

If not set, any host is allowed. Must be used only with HTTP.

This is because the host header in HTTPS traffic is encrypted. More info about this is here.

The same goes for request header token.

edited Jun 20 '20 at 09:12

Community

1
1

answered Feb 06 '20 at 16:26

Piotr Malec

3,429
11
16

Can I use the path instead of host? – Edgar Peixoto Feb 06 '20 at 16:41
Path also has the following "Optional. A list of paths, which matches to the “request.url_path” attribute. If not set, any path is allowed. Must be used only with HTTP." The only option would be to use TCP/IP headers like source IP address. – Piotr Malec Feb 06 '20 at 16:45
I understand. Thanks. – Edgar Peixoto Feb 06 '20 at 16:49

Configure Istio Ingress Gateway to require header token using Authorization Policy

2 Answers2