Enforce authorization policies
After you have added your application to the ambient mesh, you can secure application access using Layer 4 authorization policies.
This feature lets you control access to and from a service based on the client workload identities that are automatically issued to all workloads in the mesh.
Enforce Layer 4 authorization policy
Let’s create an authorization policy that restricts which services can communicate with the productpage service. The policy is applied to pods with the app: productpage label, and it allows calls only from the service account cluster.local/ns/default/sa/bookinfo-gateway-istio. This is the service account used by the Bookinfo gateway you deployed in the previous step.
If you open the Bookinfo application in your browser (http://localhost:8080/productpage), you will see the product page, just as before. However, if you try to access the productpage service from a different service account, you should see an error.
Let’s try accessing the Bookinfo application from a different client in the cluster:
Since the curl pod is using a different service account, it will not have access to the productpage service:
Enforce Layer 7 authorization policy
To enforce Layer 7 policies, you first need a waypoint proxy for the namespace. This proxy will handle all Layer 7 traffic entering the namespace.
You can view the waypoint proxy and make sure it has the Programmed=True status:
Adding an L7 authorization policy will explicitly allow the curl service to send GET requests to the productpage service, but perform no other operations:
Note that the targetRefs field is used to specify the target service for the authorization policy of a waypoint proxy. The rules section is similar to before, but this time you added the to section to specify the operation that is allowed.
Remember that our L4 policy instructed the ztunnel to only allow connections from the gateway? We now need to update it to also allow connections from the waypoint.
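The two policies described above, written out together as an added example (not code from the original page or from the Istio documentation). It assumes everything runs in the default namespace, that the waypoint proxy uses a service account named waypoint and the curl client a service account named curl; the page does not state these names, so adjust them to your deployment.

```yaml
# Added example (not from the original page). Assumed names: namespace
# "default", waypoint service account "waypoint", curl service account "curl".
#
# Layer 4 policy, enforced by ztunnel. It selects the productpage pods and
# lists both principals that may open a connection: the Bookinfo gateway and
# the waypoint, because once the namespace is enrolled, L7 traffic reaches
# productpage through the waypoint rather than directly from the client.
# Because this is an ALLOW policy, any source not listed here is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/bookinfo-gateway-istio
        - cluster.local/ns/default/sa/waypoint   # assumed waypoint SA
---
# Layer 7 policy, enforced by the waypoint. targetRefs binds it to the
# productpage Service instead of to pods, and the "to" section restricts the
# curl client to GET; any other method from curl (for example POST) is denied.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer-l7   # name is arbitrary
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl   # assumed curl client SA
    to:
    - operation:
        methods: ["GET"]
```

With both applied, a GET from the curl pod to productpage succeeds, while a POST from the same pod is rejected by the waypoint with an RBAC access denied response.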
Confirm the new waypoint proxy is enforcing the updated authorization policy:
Next steps
With the waypoint proxy in place, you can now enforce Layer 7 policies in the namespace. In addition to authorization policies, you can use the waypoint proxy to split traffic between services. This is useful when doing canary deployments or A/B testing.