Authorization permissive mode

The authorization permissive mode allows you to verify authorization policies before applying them in a production environment.

The authorization permissive mode is an experimental feature in version 1.1 and its interface can change in future releases. In permissive mode, authorization policies are evaluated and the result is recorded in telemetry, but requests are never rejected because of them. If you do not want to try out the permissive mode, you can skip this task and directly enable Istio authorization.

This task covers two scenarios regarding the use of the permissive mode for authorization:

  • For environments where authorization is disabled, this task helps you test whether it's safe to enable authorization, that is, whether any request that is served today would be denied once authorization is enforced.

  • For environments where authorization is enabled, this task helps you test whether it's safe to add a new authorization policy before it affects live traffic.

Before you begin

To complete this task, you should first take the following actions:

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see the following sections:

  • Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
  • Book Reviews on the lower right of the page.

When you refresh the page, the app shows different versions of reviews on the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.

Test enabling authorization globally

The following steps show you how to use authorization permissive mode to test whether it's safe to turn on authorization globally:

  1. To enable authorization for the default namespace in permissive mode, apply the following global authorization configuration. The enforcement_mode: PERMISSIVE setting is what keeps requests flowing while the policies are only evaluated:

    $ kubectl apply -f - <<EOF
    apiVersion: "rbac.istio.io/v1alpha1"
    kind: ClusterRbacConfig
    metadata:
      name: default
    spec:
      mode: 'ON_WITH_INCLUSION'
      inclusion:
        namespaces: ["default"]
      enforcement_mode: PERMISSIVE
    EOF
    
  2. Go to the productpage at http://$GATEWAY_URL/productpage and verify that everything works fine.

  3. Apply the rbac-permissive-telemetry.yaml YAML file to enable the metric collection for the permissive mode:

    $ kubectl apply -f samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml
    instance.config.istio.io/rbacsamplelog created
    handler.config.istio.io/rbacsamplehandler created
    rule.config.istio.io/rabcsamplestdio created
    
  4. Send traffic to the sample application with the following command:

    $ curl http://$GATEWAY_URL/productpage
    
  5. Go to the productpage at http://$GATEWAY_URL/productpage and verify that everything works fine.

  6. Get the log for telemetry and search for the permissiveResponseCode with the following command:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"accesslog.instance.istio-system\"
    {"level":"info","time":"2019-06-07T17:50:50.111933Z","instance":"accesslog.instance.istio-system","apiClaims":"","apiKey":"","clientTraceId":"","connection_security_policy":"mutual_tls","destinationApp":"productpage","destinationIp":"10.44.3.13","destinationName":"productpage-v1-6f7f6fd5bf-hfnw2","destinationNamespace":"default","destinationOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/productpage-v1","destinationPrincipal":"cluster.local/ns/default/sa/bookinfo-productpage","destinationServiceHost":"productpage.default.svc.cluster.local","destinationWorkload":"productpage-v1","grpcMessage":"","grpcStatus":"","httpAuthority":"35.239.224.75","latency":"32.395873ms","method":"GET","permissiveResponseCode":"denied","permissiveResponsePolicyID":"none","protocol":"http","receivedBytes":1300,"referer":"","reporter":"destination","requestId":"56eaa9a6-d0af-93f7-a162-817b23fe3f58","requestSize":0,"requestedServerName":"outbound_.9080_._.productpage.default.svc.cluster.local","responseCode":200,"responseFlags":"-","responseSize":4183,"responseTimestamp":"2019-06-07T17:50:50.144023Z","sentBytes":4328,"sourceApp":"istio-ingressgateway","sourceIp":"10.44.3.5","sourceName":"istio-ingressgateway-766f5fd7c9-775qh","sourceNamespace":"istio-system","sourceOwner":"kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway","sourcePrincipal":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account","sourceWorkload":"istio-ingressgateway","url":"/productpage","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","xForwardedFor":"10.44.3.1"}
    
  7. Verify that the log shows a responseCode of 200 and a permissiveResponseCode of denied. The request was served because enforcement is permissive, but no policy matched it (permissiveResponsePolicyID is none), so enforcing authorization at this point would reject it.

  8. Apply the productpage-policy.yaml authorization policy in permissive mode with the following command:

    $ kubectl apply -f samples/bookinfo/platform/kube/rbac/productpage-policy.yaml
    
  9. Send traffic to the sample application with the following command:

    $ curl http://$GATEWAY_URL/productpage
    
  10. Get the log for telemetry and search for the permissiveResponseCode with the following command:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"accesslog.instance.istio-system\"
    {"level":"info","time":"2019-06-07T18:11:49.208958Z","instance":"accesslog.instance.istio-system","apiClaims":"","apiKey":"","clientTraceId":"","connection_security_policy":"mutual_tls","destinationApp":"productpage","destinationIp":"10.44.3.13","destinationName":"productpage-v1-6f7f6fd5bf-hfnw2","destinationNamespace":"default","destinationOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/productpage-v1","destinationPrincipal":"cluster.local/ns/default/sa/bookinfo-productpage","destinationServiceHost":"productpage.default.svc.cluster.local","destinationWorkload":"productpage-v1","grpcMessage":"","grpcStatus":"","httpAuthority":"35.239.224.75","latency":"67.406515ms","method":"GET","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"productpage-viewer","protocol":"http","receivedBytes":1300,"referer":"","reporter":"destination","requestId":"ee84d9d9-a0e0-9fef-a82e-417e367cdfeb","requestSize":0,"requestedServerName":"outbound_.9080_._.productpage.default.svc.cluster.local","responseCode":200,"responseFlags":"-","responseSize":5179,"responseTimestamp":"2019-06-07T18:11:49.275747Z","sentBytes":5324,"sourceApp":"istio-ingressgateway","sourceIp":"10.44.3.5","sourceName":"istio-ingressgateway-766f5fd7c9-775qh","sourceNamespace":"istio-system","sourceOwner":"kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway","sourcePrincipal":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account","sourceWorkload":"istio-ingressgateway","url":"/productpage","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","xForwardedFor":"10.44.3.1"}
    
  11. Verify that the log shows a responseCode of 200 and a permissiveResponseCode of allowed for the productpage service, with permissiveResponsePolicyID set to productpage-viewer. The request would now also be allowed under enforcement.

  12. Remove the resources related to enabling the permissive mode. The rbac-config-on-permissive.yaml file contains the same ClusterRbacConfig you applied inline in step 1, so deleting it removes that configuration:

    $ kubectl delete -f samples/bookinfo/platform/kube/rbac/productpage-policy.yaml
    $ kubectl delete -f samples/bookinfo/platform/kube/rbac/rbac-config-on-permissive.yaml
    $ kubectl delete -f samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml
    
  13. Congratulations! You tested an authorization policy with permissive mode and verified it works as expected. To enable the authorization policy, follow the steps described in the Enabling Istio authorization task.

Test adding authorization policy

The following steps show how to test a new authorization policy with permissive mode when authorization has already been enabled.

  1. Allow access to the productpage service by following the instructions in Enabling authorization for HTTP services step 1.

  2. Allow access to the details and reviews services in permissive mode with the following command:

    $ kubectl apply -f samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml
    
  3. Point your browser at the productpage (http://$GATEWAY_URL/productpage) and verify that it shows the errors Error fetching product details and Error fetching product reviews. These errors are expected: authorization is enforced globally, and because the new policy is in PERMISSIVE mode it is only evaluated, not applied, so requests from productpage to details and reviews are still denied.

  4. Apply the rbac-permissive-telemetry.yaml YAML file to enable the permissive mode metric collection.

    $ kubectl apply -f samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml
    
  5. Send traffic to the sample application:

    $ curl http://$GATEWAY_URL/productpage
    
  6. Get the log for telemetry and search for the permissiveResponseCode with the following command:

    $ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep \"instance\":\"accesslog.instance.istio-system\"
    {"level":"info","time":"2019-06-07T18:51:46.860970Z","instance":"accesslog.instance.istio-system","apiClaims":"","apiKey":"","clientTraceId":"","connection_security_policy":"mutual_tls","destinationApp":"reviews","destinationIp":"10.44.3.11","destinationName":"reviews-v1-7dccc4d655-q9zc8","destinationNamespace":"default","destinationOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v1","destinationPrincipal":"cluster.local/ns/default/sa/default","destinationServiceHost":"reviews.default.svc.cluster.local","destinationWorkload":"reviews-v1","grpcMessage":"","grpcStatus":"","httpAuthority":"reviews:9080","latency":"416.29µs","method":"GET","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","protocol":"http","receivedBytes":0,"referer":"","reporter":"destination","requestId":"11ff06c7-ce8d-970d-b1dc-32abf12dea21","requestSize":0,"requestedServerName":"outbound_.9080_._.reviews.default.svc.cluster.local","responseCode":403,"responseFlags":"-","responseSize":19,"responseTimestamp":"2019-06-07T18:51:46.861152Z","sentBytes":117,"sourceApp":"productpage","sourceIp":"10.44.3.13","sourceName":"productpage-v1-6f7f6fd5bf-hfnw2","sourceNamespace":"default","sourceOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/productpage-v1","sourcePrincipal":"cluster.local/ns/default/sa/bookinfo-productpage","sourceWorkload":"productpage-v1","url":"/reviews/0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","xForwardedFor":"10.44.3.13"}
    {"level":"info","time":"2019-06-07T18:51:47.814739Z","instance":"accesslog.instance.istio-system","apiClaims":"","apiKey":"","clientTraceId":"","connection_security_policy":"mutual_tls","destinationApp":"reviews","destinationIp":"10.44.1.6","destinationName":"reviews-v2-6754c89b76-ptd6h","destinationNamespace":"default","destinationOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v2","destinationPrincipal":"cluster.local/ns/default/sa/bookinfo-reviews","destinationServiceHost":"reviews.default.svc.cluster.local","destinationWorkload":"reviews-v2","grpcMessage":"","grpcStatus":"","httpAuthority":"reviews:9080","latency":"320.379µs","method":"GET","permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer","protocol":"http","receivedBytes":0,"referer":"","reporter":"destination","requestId":"c15f0bca-33ae-9cf1-8aaa-fdcea1c528fc","requestSize":0,"requestedServerName":"outbound_.9080_._.reviews.default.svc.cluster.local","responseCode":403,"responseFlags":"-","responseSize":19,"responseTimestamp":"2019-06-07T18:51:47.814765Z","sentBytes":117,"sourceApp":"productpage","sourceIp":"10.44.3.13","sourceName":"productpage-v1-6f7f6fd5bf-hfnw2","sourceNamespace":"default","sourceOwner":"kubernetes://apis/apps/v1/namespaces/default/deployments/productpage-v1","sourcePrincipal":"cluster.local/ns/default/sa/bookinfo-productpage","sourceWorkload":"productpage-v1","url":"/reviews/0","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36","xForwardedFor":"10.44.3.13"}
    
  7. Verify that the log shows a responseCode of 403 and a permissiveResponseCode of allowed for the details and reviews services, with permissiveResponsePolicyID set to details-reviews-viewer. The requests are denied today, but the new policy would allow them once it is enforced.

  8. Remove the YAML files related to enabling the permissive mode:

    $ kubectl delete -f samples/bookinfo/platform/kube/rbac/details-reviews-policy-permissive.yaml
    $ kubectl delete -f samples/bookinfo/platform/kube/rbac/rbac-permissive-telemetry.yaml
    
  9. Congratulations! You tested adding an authorization policy with permissive mode and verified it will work as expected. To add the authorization policy, follow the steps described in the Enabling Istio authorization task.
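Reading the telemetry log by eye works for a handful of requests, but for both scenarios above (testing whether it is safe to enable authorization globally, and testing whether a new policy is safe to add) what you really want is the full list of requests whose outcome would change under enforcement. The following script is an added example and not part of the Istio project or this task. It compares the actual responseCode with the permissiveResponseCode in each accesslog entry: a request that was served (responseCode below 400) but has permissiveResponseCode denied would break once you enforce, while a 403 with permissiveResponseCode allowed is a request the new policy would unblock. The sample log lines embedded in it are constructed from the entries shown on this page, trimmed to the fields the check needs; the bucket names and the exit-code convention are this example's own choices.

```python
"""Classify Istio 1.1 permissive-mode access-log entries by what enforcement would change."""
import json
import sys
from collections import defaultdict

ACCESSLOG_INSTANCE = "accesslog.instance.istio-system"

# Constructed sample input modelled on the Mixer accesslog entries shown in this task
# (fields trimmed). The last two lines are the kind of noise a real log stream contains.
SAMPLE_LOG = """\
{"level":"info","instance":"accesslog.instance.istio-system","destinationWorkload":"productpage-v1","sourcePrincipal":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account","method":"GET","url":"/productpage","responseCode":200,"permissiveResponseCode":"denied","permissiveResponsePolicyID":"none"}
{"level":"info","instance":"accesslog.instance.istio-system","destinationWorkload":"productpage-v1","sourcePrincipal":"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account","method":"GET","url":"/productpage","responseCode":200,"permissiveResponseCode":"allowed","permissiveResponsePolicyID":"productpage-viewer"}
{"level":"info","instance":"accesslog.instance.istio-system","destinationWorkload":"reviews-v1","sourcePrincipal":"cluster.local/ns/default/sa/bookinfo-productpage","method":"GET","url":"/reviews/0","responseCode":403,"permissiveResponseCode":"allowed","permissiveResponsePolicyID":"details-reviews-viewer"}
{"level":"info","instance":"some.other.instance","msg":"unrelated mixer line"}
not json at all
"""


def parse_access_log(text):
    """Return the accesslog entries carrying permissive-mode fields; skip everything else."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("instance") == ACCESSLOG_INSTANCE and "permissiveResponseCode" in record:
            entries.append(record)
    return entries


def classify(entry):
    """Compare what happened (responseCode) with what enforcement would do (permissiveResponseCode)."""
    served_now = int(entry.get("responseCode", 0)) < 400
    allowed_after = entry.get("permissiveResponseCode") == "allowed"
    if served_now and not allowed_after:
        return "breaks_on_enforce"     # scenario 1: enabling authorization would start denying this
    if not served_now and allowed_after:
        return "unblocked_on_enforce"  # scenario 2: the new policy would let this 403 through
    return "unchanged"


def summarize(entries):
    """Group requests by outcome, keyed by caller, destination, request and matched policy."""
    buckets = defaultdict(list)
    for e in entries:
        key = (e.get("sourcePrincipal", "?"), e.get("destinationWorkload", "?"),
               e.get("method", "?"), e.get("url", "?"),
               e.get("permissiveResponsePolicyID", "none"))
        buckets[classify(e)].append(key)
    return dict(buckets)


def safe_to_enforce(entries):
    """True when no request that is served today would be denied under enforcement."""
    return not any(classify(e) == "breaks_on_enforce" for e in entries)


if __name__ == "__main__":
    # Pipe `kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer` into this
    # script; with no piped input it runs over the constructed sample instead.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_access_log(text)
    for outcome, reqs in sorted(summarize(entries).items()):
        print(f"{outcome}: {len(reqs)}")
        for src, dst, method, url, policy in sorted(set(reqs)):
            print(f"  {src} -> {dst} {method} {url} (policy: {policy})")
    sys.exit(0 if safe_to_enforce(entries) else 1)
```

Run it over the whole telemetry window you care about, not a single curl, since the round-robin reviews versions and any cron-style callers only show up over time; an empty breaks_on_enforce bucket after a representative window is the signal that enabling authorization (or the new policy) is safe. Treat a 403 as an authorization denial only when the destination sidecar reported it; an application can also return 403 for its own reasons, so check the permissiveResponsePolicyID and the reporter field before concluding a policy is the cause.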