AccessPolicy

Proto: access_policy.proto

Package: security.policy.gloo.solo.io

Control access for workloads in your service mesh environment. An access policy describes how clients should be authenticated and authorized to access a service. For more information about cross-origin resource sharing, see this article. AccessPolicies can be applied at the workload or destination level.

Note: Workload selectors are considered more secure than destination selectors and are therefore recommended to be used whenever possible. While workload selectors are applied to the translated Istio AuthorizationPolicy resource directly, destination selectors require the translation of the selected destination first before the access policy is enforced. This can lead to a window where traffic is unsecured if a new destination is added to the cluster. However, keep in mind that workloads selectors cannot be used when service isolation is enabled in your workspace. If service isolation is enabled, you must use destination selectors instead.

Examples: The following example is for a simple access policy that allows the productpage app to access the ratings app.

apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*

The following example specifies the IP address that you want to allow access to the ratings app. When a client sends a request to ratings, the client's IP address is matched against the IP addresses that are defined in the access policy. If the IP address matches, the request is forwarded to the ratings app. If the IP does not match, access to ratings is denied.

apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedIpBlocks:
      - 112.114.230.1
      allowedPaths:
      - /ratings*

The following access policy uses a destination selector and specifies the request headers that must be sent to allow or deny the communication between the productpage and ratings apps. For example, if you send a request with the X-Test-Header: match header from the productpage app to the ratings app, the request is matched and the communication between productpage and ratings is allowed. If you send the same request without a header or with the X-Test-Header: noMatch header, the request is not matched and the communication between the apps is denied.

apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*
      match:
        request:
          headers:
            X-Test-Header:
              notValues:
              - noMatch
              - partial-blocked
              values:
              - match
              - partial*

You can have multiple authzList entries to control access to workloads. A request is allowed when it matches at least one of the authzList entries (logically OR'd together).

For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND'd together).

In the following example:

apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*
      allowedMethods:
      - GET
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings/2*
      allowedMethods:
      - PATCH
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: reviews

Types:

AccessPolicyReport

The report shows the resources that the policy selects after the policy is successfully applied.

Field Description
workspaces (repeated AccessPolicyReport.WorkspacesEntry)

A list of workspaces in which the policy can apply to destinations.
selectedDestinationPorts (repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.
allowedServiceAccounts (repeated AccessPolicyReport.IdentityReference)

A list of the service accounts whose workloads are allowed to send requests to the selected destinations.
selectedNamespaces (repeated common.gloo.solo.io.ObjectReference)

A list of namespaces that contain workloads selected by the policy.

AccessPolicyReport.IdentityReference

A list of the service accounts whose workloads are allowed to send requests to the selected destinations.

Field Description
identityIndex (int32)

The index of the identity in the list of identity selectors.
serviceAccount (common.gloo.solo.io.ObjectReference)

The reference to the service account backing the identity.
authzIndex (int32)

The index of the authz in the authzList.

AccessPolicyReport.WorkspacesEntry

Field Description
key (string)

value (common.gloo.solo.io.Report)

AccessPolicySpec

Specifications for the policy.

Field Description
applyToDestinations (repeated common.gloo.solo.io.DestinationSelector)

Destinations to apply the policy to. If applyToWorkloads is non-empty, this field is ignored. If this field and applyToWorkloads are both empty, the policy applies to all ports on all destinations in the workspace.
For security reasons, applyToWorkloads is preferred.
applyToWorkloads (repeated AccessPolicySpec.NamespaceWorkloadSelector)

Workloads to apply the policy to. For security reasons, this field is prefered over applyToDestinations. If an empty selector is provided in the list, the policy applies to all workloads in a namespace, cluster, and workspace that are available in the parent object's workspace.
config (AccessPolicySpec.Config)

Details of the access policy to apply to the selected workloads.

AccessPolicySpec.Config

Details of the access policy to apply to the selected workloads.

Field Description
authn (AccessPolicySpec.Config.Authentication)

How clients are authenticated to the workload.
authz (AccessPolicySpec.Config.Authorization)

Deprecated; Use authzList instead. If authzList is set, it takes precedence and this field is ignored. How clients are authorized to access the workload.
enforcementLayers (common.gloo.solo.io.EnforcementLayers)

Optional: When NetworkPolicy translation is enabled, all available layers are used to enforce AccessPolicies by default. If you want to explicitly define which layers to use to enforce this AccessPolicy, you can set them by using this field. Note that the layer that you define in this field must be available to be configured.
authzList (repeated AccessPolicySpec.Config.Authorization)

How clients are authorized to access the workload. A request is allowed when it matches at least one authz entry in the list (logically OR'd together).

AccessPolicySpec.Config.Authentication

How clients are authenticated to the workload.

Field Description
tlsMode (AccessPolicySpec.Config.Authentication.TLSmode)

Type of TLS policy that is enforced on clients connecting to the workload. If service isolation is enabled for the workspace, this field is treated as ‘STRICT’.

AccessPolicySpec.Config.Authorization

Configure access to workloads.

You can have multiple authzList entries. A request is allowed when it matches at least one of the authzList entries (logically OR'd together).

For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND'd together).

If the policy uses applyToWorkloads, you can also allow NO requests by setting this value to the empty object {}, which will serve as a fallback when requests do not match another authz case for the given workload.

Field Description
allowedClients (repeated common.gloo.solo.io.IdentitySelector)

Client identities that are permitted to access the workload. To allow access for all client identities, provide a single empty selector.
allowedPaths (repeated string)

Optional: A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName”, and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path /books/review matches /books/review (exact match), *books/ (suffix match), or /books* (prefix match).
If empty, any path is allowed.
allowedMethods (repeated string)

Optional: A list of HTTP methods to allow (e.g., “GET”, “POST”). If empty, any method is allowed. This field is ignored for gRPC, because the value is always “POST”.
match (AccessPolicySpec.Config.Authorization.MatchSpec)

Optional: Additional request matching conditions.
allowedIpBlocks (repeated string)

Optional: A list of IP blocks, populated from the source address of the IP packet. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. If empty, any IP address is allowed.
allowedRemoteIpBlocks (repeated string)

Optional: A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. This field is equivalent to the remote.ip attribute. If empty, any IP address is allowed.
To use this field, you must configure the meshConfig.defaultConfig.gatewayTopology.numTrustedProxies field in your Istio installation. For more info, see the Istio documentation.
dryRun (bool)

Set to true to enable a dry run of the access policy for L7 Istio service mesh authorization only. Then, you can check the sidecar proxy logs, metrics, and tracing to determine if traffic would be allowed or denied. However, the authorization is not enforced until you disable the dry run and re-apply the access policy. Note that when there are both dry run and enforced policies, dry run policies are considered independently of enforced policies; i.e. the logs, metrics, and tracing results indicating if traffic would be allowed or denied is based on the behavior if all dry run policies were enforced but all currently enforced policies were deleted. Note that dry run cannot be used to review allow or deny decisions for L4 traffic. Even if you enable the dry run feature with a Gloo Network setup, no Cilium network policy and decision logs are created or enforced.

AccessPolicySpec.Config.Authorization.MatchSpec

Optional: Additional request matching conditions.

Field Description
request (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec)

Optional: HTTP request header matching conditions.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec

Field Description
headers (repeated AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry)

Optional: HTTP request header matching conditions.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues

A value matching condition for HTTP request headers. At least one of values or notValues must be set.

Field Description
values (repeated string)

A list of match values for the header. A request must match at least one value. Supports wildcards. For example, to match a request with header values containing exact-books OR partial-matched-books, set values to exact-books and partial-*-books.
notValues (repeated string)

A list of negative match values for the header. A request must not match any values. Supports wildcards. For example, to not match a request with header values containing ignore-books or partial-ignored-books, set notValues to ignore-books and partial-ig*-books.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry

Field Description
key (string)

value (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues)

AccessPolicySpec.NamespaceWorkloadSelector

Select individual namespaces and workloads within the namespaces by label. Workloads must have injected (sidecars) or be standalone proxies (gateways) to be selected by Gloo policies.

Field Description
selector (AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector)

Selector to match workload objects by their metadata.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector

Selects zero or more Kubernetes workloads by matching on labels, namespace, cluster, and workspace.

Field Description
labels (repeated AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry)

Only select workloads with matching labels.
namespace (string)

Only select objects in the matching namespace. If empty, Gloo selects matching objects across all namespaces available in the parent object's workspace.
cluster (string)

Only select objects in the matching cluster. If empty, Gloo selects matching objects across all clusters available in the parent object's workspace.
workspace (string)

Only select objects in the given workspace. If empty, Gloo selects matching objects across all workspaces available in the parent object's workspace.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry

Field Description
key (string)

value (string)

AccessPolicyStatus

The status of the policy after it is applied to your Gloo environment.

Field Description
common (common.gloo.solo.io.Status)

The state and workspace conditions of the applied policy.
numSelectedDestinationPorts (uint32)

The number of destination ports selected by the policy.
numSelectedNamespaces (uint32)

The number of namespaces containing selected workloads by the policy.
numAllowedServiceAccounts (uint32)

The number of service accounts allowed to access the selected destinations.

AccessPolicySpec.Config.Authentication.TLSmode

The mutual TLS (mTLS) connection mode. The following enums correspond to the modes defined by Istio.

Name Number Description
DISABLE 0 Do not originate mTLS connections to the upstream workload, and instead use unencrypted plaintext.
PERMISSIVE 1 Permit both unencrypted plaintext and mTLS-secured connections to the upstream workload. Use this mode only when you migrate workloads to your service mesh. After the workload is onboarded to the service mesh, using the STRICT mode is recommended.
STRICT 2 Secure connections to the upstream workload with mTLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When you use this mode, keep all other fields in ClientTLSSettings empty.