This tutorial shows how Istio’s EnvoyFilter can be configured to include Envoy’s External Authorization filter to delegate authorization decisions to OPA.

This tutorial requires Kubernetes 1.14 or later. To run the tutorial locally, we recommend using in version v1.0+ with Kubernetes 1.14+.

The tutorial also requires Istio v1.8.0 or later. It assumes you have Istio deployed on top of Kubernetes. See Istio’s Quick Start page to get started.

The quick_start.yaml manifest defines the following resources:

  • External Authorization Filter to direct authorization checks to the OPA-Envoy sidecar. See kubectl -n istio-system get envoyfilter ext-authz for details.

  • Kubernetes namespace (opa-istio) for OPA-Envoy control plane components.

  • OPA configuration file and an OPA policy into ConfigMaps in the namespace where the app will be deployed, e.g., default. The following is the example OPA policy:

    • alice is granted a guest role and can perform a GET request to /productpage.
    • bob is granted an admin role and can perform a GET to /productpage and /api/v1/products.
    1. package istio.authz
    3. import input.attributes.request.http as http_request
    4. import input.parsed_path
    6. default allow = false
    8. allow {
    9.     parsed_path[0] == "health"
    10.     http_request.method == "GET"
    11. }
    13. allow {
    14.     required_roles[r]
    15. }
    17. roles_for_user[r] {
    18.     r := user_roles[user_name][_]
    19. }
    21. required_roles[r] {
    22.     perm := role_perms[r][_]
    23.     perm.method = http_request.method
    24.     perm.path = http_request.path
    25. }
    27. user_name = parsed {
    28.     [_, encoded] := split(http_request.headers.authorization, " ")
    29.     [parsed, _] := split(base64url.decode(encoded), ":")
    30. }
    32. user_roles = {
    33.     "alice": ["guest"],
    34.     "bob": ["admin"]
    35. }
    37. role_perms = {
    38.     "guest": [
    39.         {"method": "GET",  "path": "/productpage"},
    40.     "admin": [
    41.         {"method": "GET",  "path": "/productpage"},
    42.         {"method": "GET",  "path": "/api/v1/products"},
    43.     ],
    44. }

    OPA is configured to query for the decision. If the response is true the operation is allowed, otherwise the operation is denied. Sample input received by OPA is shown below:

    1. data.istio.authz.allow
    1. {
    2.     "attributes": {
    3.         "request": {
    4.             "http": {
    5.                 "method": "GET",
    6.                 "path": "/productpage",
    7.                 "headers": {
    8.                     "authorization": "Basic YWxpY2U6cGFzc3dvcmQ="
    9.                 }
    10.             }
    11.         }
    12.     }
    13. }

    With the input value above, the answer is:

    An example of the complete input received by OPA can be seen .

  1. kubectl label namespace default opa-istio-injection="enabled"
  2. kubectl label namespace default istio-injection="enabled"
  1. kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml
  1. kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml

minikube:

  1. 192.168.99.100:31380

For other platforms see the Istio documentation on determining ingress IP and ports.

Check that alice can access /productpage BUT NOT /api/v1/products.

  1. curl --user alice:password -i http://$GATEWAY_URL/productpage
  2. curl --user alice:password -i http://$GATEWAY_URL/api/v1/products

Check that bob can access /productpage AND /api/v1/products.

Congratulations for finishing the tutorial !

This tutorial showed how Istio’s can be configured to use OPA as an External authorization service.

This tutorial also showed a sample OPA policy that returns a boolean decision to indicate whether a request should be allowed or not.