Explicit Deny

Before you begin this task, do the following:

• Read the .

• Follow the Istio installation guide to install Istio.

• Deploy workloads:

  This task uses two workloads, httpbin and sleep, deployed on one namespace, foo. Both workloads run with an Envoy proxy in front of each. Deploy the example namespace and workloads with the following command:

• Verify that sleep talks to httpbin with the following command:

$ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200

If you don’t see the expected output as you follow the task, retry after a few seconds. Caching and propagation overhead can cause some delay.

1. The following command creates the deny-method-get authorization policy for the httpbin workload in the foo namespace. The policy sets the action to DENY to deny requests that satisfy the conditions set in the rules section. This type of policy is better known as deny policy. In this case, the policy denies requests if their method is GET.

   $ kubectl apply -f - <<EOF
   apiVersion: security.istio.io/v1beta1
   kind: AuthorizationPolicy
   metadata:
     name: deny-method-get
     namespace: foo
   spec:
     selector:
       matchLabels:
         app: httpbin
     action: DENY
     - to:
       - operation:
           methods: ["GET"]
   

2. Verify that GET requests are denied:

   $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -sS -o /dev/null -w "%{http_code}\n"
   403

3. Verify that POST requests are allowed:

4. $ kubectl apply -f - <<EOF
   apiVersion: security.istio.io/v1beta1
   kind: AuthorizationPolicy
   metadata:
     name: deny-method-get
     namespace: foo
   spec:
     selector:
       matchLabels:
         app: httpbin
     action: DENY
     rules:
       - operation:
           methods: ["GET"]
       when:
       - key: request.headers[x-token]
         notValues: ["admin"]
   

5. Verify that GET requests with the HTTP header x-token: admin are allowed:

   $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -sS -o /dev/null -w "%{http_code}\n"
   200

6. Verify that GET requests with the HTTP header x-token: guest are denied:

   $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: guest" -sS -o /dev/null -w "%{http_code}\n"
   403

7. The following command creates the allow-path-ip authorization policy to allow requests at the /ip path to the httpbin workload. This authorization policy sets the action field to ALLOW. This type of policy is better known as an allow policy.

8. Verify that GET requests with the HTTP header x-token: guest at path /ip are denied by the deny-method-get policy. Deny policies takes precedence over the allow policies:

   $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: guest" -s -o /dev/null -w "%{http_code}\n"
   403

9. Verify that GET requests with the HTTP header x-token: admin at path /ip are allowed by the allow-path-ip policy:

   $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/ip" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"
   200

10. $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/get" -X GET -H "x-token: admin" -s -o /dev/null -w "%{http_code}\n"

1. Remove the namespace foo from your configuration: