Created July 28, 2023 18:33
Gist: joel-bluedata/7dcf0cb2b9df753f5adeb2d3a7fd4f1e
Istio policy to block API access based on JWT claims
This is an example of using Istio policies to specifically block DELETE operations on the /api/v1/user endpoints of home.jkb-ezaf-lr1.com based on JWT claims.

This policy is defined in the "ui" namespace, to be applied to the Envoy proxy there in the app-ui pod, so that the header injections applied at the Istio gateway by the existing app-ui-auth-policy have already happened and can be referenced here.

The RequestAuthentication resource applied here is necessary if this policy is to use the request.auth.claims condition.

This example specifically allows user "joel" to do the DELETE operation, by checking the preferred_username claim.

It seems like we should also be able to check the list-valued "groups" claim like this, to check for admin-ness:

    - key: request.auth.claims[groups]
      values:
      - admin

But no luck there yet.
# Validates JWTs presented to the app-ui workload so that
# request.auth.claims[...] is populated for the AuthorizationPolicy below.
# Two issuers are accepted: the external Keycloak hostname and the
# in-cluster service name; both use the in-cluster JWKS endpoint.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: request-authentication
  namespace: ui
spec:
  jwtRules:
  - forwardOriginalToken: true
    issuer: https://keycloak.jkb-ezaf-lr1.com/realms/UA
    jwksUri: http://keycloak.keycloak.svc.cluster.local/realms/UA/protocol/openid-connect/certs
  - forwardOriginalToken: true
    issuer: http://keycloak.keycloak.svc.cluster.local/realms/UA
    jwksUri: http://keycloak.keycloak.svc.cluster.local/realms/UA/protocol/openid-connect/certs
  selector:
    matchLabels:
      app: app-ui
---
# ALLOW policy: once this applies to the workload, any request that matches
# none of the rules is denied, so the rules must enumerate everything that
# should still be permitted.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: app-ui-admin-auth-policy
  namespace: ui
spec:
  action: ALLOW
  rules:
  # Rule 1: DELETE on /api/v1/users/* only for preferred_username "joel".
  - to:
    - operation:
        hosts:
        - home.jkb-ezaf-lr1.com
        paths:
        - /api/v1/users/*
        methods:
        - DELETE
    when:
    - key: request.auth.claims[preferred_username]
      values:
      - joel
  # Rule 2: every non-DELETE method on /api/v1/users/* stays allowed.
  - to:
    - operation:
        hosts:
        - home.jkb-ezaf-lr1.com
        paths:
        - /api/v1/users/*
        notMethods:
        - DELETE
  # Rule 3: everything outside /api/v1/users/* on this host stays allowed.
  - to:
    - operation:
        hosts:
        - home.jkb-ezaf-lr1.com
        notPaths:
        - /api/v1/users/*
  selector:
    matchLabels:
      app: app-ui
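As an added example (not part of the gist), the following Python models how the three ALLOW rules above are evaluated against sample requests, including the case where no JWT was validated and the claims condition therefore cannot match; the host/path/method dictionaries and the test requests are constructed here, and the evaluation semantics are my reading of Istio's ALLOW behaviour rather than Istio's own code.

```python
from fnmatch import fnmatchcase

# The three ALLOW rules of app-ui-admin-auth-policy, transcribed into plain
# dicts (constructed for this example, not the policy object Istio builds).
RULES = [
    {"hosts": ["home.jkb-ezaf-lr1.com"], "paths": ["/api/v1/users/*"],
     "methods": ["DELETE"], "when": {"preferred_username": ["joel"]}},
    {"hosts": ["home.jkb-ezaf-lr1.com"], "paths": ["/api/v1/users/*"],
     "notMethods": ["DELETE"]},
    {"hosts": ["home.jkb-ezaf-lr1.com"], "notPaths": ["/api/v1/users/*"]},
]


def _match_any(patterns, value):
    # Operation fields accept a trailing '*' for prefix matching, which
    # fnmatchcase reproduces for the patterns used in this policy.
    return any(fnmatchcase(value, p) for p in patterns)


def rule_matches(rule, host, path, method, claims):
    """True if every condition present in the rule holds for the request."""
    if "hosts" in rule and not _match_any(rule["hosts"], host):
        return False
    if "paths" in rule and not _match_any(rule["paths"], path):
        return False
    if "notPaths" in rule and _match_any(rule["notPaths"], path):
        return False
    if "methods" in rule and method not in rule["methods"]:
        return False
    if "notMethods" in rule and method in rule["notMethods"]:
        return False
    # request.auth.claims[...] is only populated after RequestAuthentication
    # validated a JWT; with no claims present the condition never matches.
    for claim, allowed in rule.get("when", {}).items():
        if claims.get(claim) not in allowed:
            return False
    return True


def evaluate(host, path, method, claims=None):
    """ALLOW semantics: a request is admitted only if at least one rule
    matches; anything the rules do not enumerate is denied."""
    return any(rule_matches(r, host, path, method, claims or {}) for r in RULES)


if __name__ == "__main__":
    for who in ({"preferred_username": "joel"}, {"preferred_username": "bob"}, None):
        print(who, "DELETE /api/v1/users/42 ->",
              evaluate("home.jkb-ezaf-lr1.com", "/api/v1/users/42", "DELETE", who))
```

Note that the last rule is host-scoped, so the same model also shows that traffic for any other host reaching this workload is denied outright.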