Proto: access_policy.proto

Package: security.policy.gloo.solo.io

Control access for workloads in your service mesh. An access policy describes how clients should be authenticated and authorized to access a service. For more information about cross-origin resource sharing, see this article. AccessPolicies can be applied at the workload or destination level.

Note: Workload selectors are considered more secure than destination selectors and are therefore recommended to be used whenever possible. While workload selectors are applied to the translated Istio AuthorizationPolicy resource directly, destination selectors require the translation of the selected destination first before the access policy is enforced. This can lead to a window where traffic is unsecured if a new destination is added to the cluster. However, keep in mind that workload selector cannot be used when service isolation is enabled in your workspace. If service isolation is enabled, you must use destination selectors instead. Note that virtual destinations are not supported as destinations with this policy.

Examples

The following example is for a simple access policy that allows the productpage app to access the ratings app.

  apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*
  

The following example specifies the IP address that you want to allow access to the ratings app. When a client sends a request to ratings, the client’s IP address is matched against the IP addresses that are defined in the access policy. If the IP address matches, the request is forwarded to the ratings app. If the IP does not match, access to ratings is denied.

  apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedIpBlocks:
      - 112.114.230.1
      allowedPaths:
      - /ratings*
  

The following access policy uses a destination selector and specifies the request headers that must be sent to allow or deny the communication between the productpage and ratings apps. For example, if you send a request with the X-Test-Header: match header from the productpage app to the ratings app, the request is matched and the communication between productpage and ratings is allowed. If you send the same request without a header or with the X-Test-Header: noMatch header, the request is not matched and the communication between the apps is denied.

  apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToDestinations:
  - port:
      number: 9080
    selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*
      match:
        request:
          headers:
            X-Test-Header:
              notValues:
              - noMatch
              - partial-blocked
              values:
              - match
              - partial*
  

You can have multiple authzList entries to control access to workloads. A request is allowed when it matches at least one of the authzList entries (logically OR’d together).

For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND’d together).

In the following example:

  • The product page app is allowed to send GET requests to the ratings app along the /ratings* wildcard path.
  • The product page app is allowed to send PATCH requests to the ratings app along the /ratings/2* wildcard path.
  • The reviews app is allowed to access the ratings app.
  apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: ratings-access
  namespace: bookinfo
spec:
  applyToWorkloads:
  - selector:
      labels:
        app: ratings
  config:
    authn:
      tlsMode: STRICT
    authzList:
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings*
      allowedMethods:
      - GET
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: productpage
      allowedPaths:
      - /ratings/2*
      allowedMethods:
      - PATCH
    - allowedClients:
      - serviceAccountSelector:
          labels:
            app: reviews
  

AccessPolicyReport

The report shows the resources that the policy selects after the policy is successfully applied.

FieldDescription
workspaces(repeated AccessPolicyReport.WorkspacesEntry)

A list of workspaces in which the policy can apply to destinations.
selectedDestinationPorts(repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.
allowedServiceAccounts(repeated AccessPolicyReport.IdentityReference)

A list of the service accounts whose workloads are allowed to send requests to the selected destinations.

AccessPolicyReport.IdentityReference

A list of the service accounts whose workloads are allowed to send requests to the selected destinations.

FieldDescription
identityIndex(int32)

The index of the identity in the list of identity selectors.
serviceAccount(common.gloo.solo.io.ObjectReference)

The reference to the service account backing the identity.
authzIndex(int32)

The index of the authz in the authzList.

AccessPolicyReport.WorkspacesEntry

FieldDescription
key(string)

value(common.gloo.solo.io.Report)

AccessPolicySpec

Specifications for the policy.

FieldDescription
applyToDestinations(repeated common.gloo.solo.io.DestinationSelector)

Destinations to apply the policy to. Note that virtual destinations are not supported as destinations with this policy. If applyToWorkloads is non-empty, this field is ignored. If this field and applyToWorkloads are both empty, the policy applies to all ports on all destinations in the workspace.
applyToWorkloads(repeated AccessPolicySpec.NamespaceWorkloadSelector)

Workloads to apply the policy to. For security reasons, this field is preferred over applyToDestinations. If an empty selector is provided in the list, the policy applies to all workloads in a namespace, cluster, and workspace that are available in the parent object’s workspace.
config(AccessPolicySpec.Config)

Details of the access policy to apply to the selected workloads.

AccessPolicySpec.Config

Details of the access policy to apply to the selected workloads.

FieldDescription
authn(AccessPolicySpec.Config.Authentication)

How clients are authenticated to the workload.
authz(AccessPolicySpec.Config.Authorization)

Deprecated; Use authzList instead. If authzList is set, it takes precedence and this field is ignored. How clients are authorized to access the workload.
enforcementLayers(common.gloo.solo.io.EnforcementLayers)

Optional: When NetworkPolicy translation is enabled, all available layers are used to enforce AccessPolicies by default. If you want to explicitly define which layers to use to enforce this AccessPolicy, you can set them by using this field. Note that the layer that you define in this field must be available to be configured.
authzList(repeated AccessPolicySpec.Config.Authorization)

How clients are authorized to access the workload. A request is allowed when it matches at least one authz entry in the list (logically OR’d together).

AccessPolicySpec.Config.Authentication

How clients are authenticated to the workload.

FieldDescription
tlsMode(AccessPolicySpec.Config.Authentication.TLSmode)

Type of TLS policy that is enforced on clients connecting to the workload. If service isolation is enabled for the workspace, this field is treated as ‘STRICT’.

AccessPolicySpec.Config.Authorization

Configure access to workloads.

You can have multiple authzList entries. A request is allowed when it matches at least one of the authzList entries (logically OR’d together).

For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND’d together).

If the policy uses applyToWorkloads, you can also allow NO requests by setting this value to the empty object {}, which will serve as a fallback when requests do not match another authz case for the given workload.

FieldDescription
allowedClients(repeated common.gloo.solo.io.IdentitySelector)

Client identities that are permitted to access the workload. To allow access for all client identities, provide a single empty selector.
allowedPaths(repeated string)

Optional: A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName”, and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path /books/review matches /books/review (exact match), *books/ (suffix match), or /books* (prefix match).
If empty, any path is allowed.
allowedMethods(repeated string)

Optional: A list of HTTP methods to allow (e.g., “GET”, “POST”). If empty, any method is allowed. This field is ignored for gRPC, because the value is always “POST”.
match(AccessPolicySpec.Config.Authorization.MatchSpec)

Optional: Additional request matching conditions.
allowedIpBlocks(repeated string)

Optional: A list of IP blocks, populated from the source address of the IP packet. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. If empty, any IP address is allowed.
allowedRemoteIpBlocks(repeated string)

Optional: A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. This field is equivalent to the remote.ip attribute. If empty, any IP address is allowed.
dryRun(bool)

Set to true to enable a dry run of the access policy for L7 Istio service mesh authorization only. Then, you can check the sidecar proxy logs, metrics, and tracing to determine if traffic would be allowed or denied. However, the authorization is not enforced until you disable the dry run and re-apply the access policy. Note that when there are both dry run and enforced policies, dry run policies are considered independently of enforced policies; i.e. the logs, metrics, and tracing results indicating if traffic would be allowed or denied is based on the behavior if all dry run policies were enforced but all currently enforced policies were deleted. Note that dry run cannot be used to review allow or deny decisions for L4 traffic. Even if you enable the dry run feature with a Gloo Network setup, no Cilium network policy and decision logs are created or enforced.

AccessPolicySpec.Config.Authorization.MatchSpec

Optional: Additional request matching conditions.

FieldDescription
request(AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec)

Optional: HTTP request header matching conditions.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec

FieldDescription
headers(repeated AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry)

Optional: HTTP request header matching conditions.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues

A value matching condition for HTTP request headers. At least one of values or notValues must be set.

FieldDescription
values(repeated string)

A list of match values for the header. A request must match at least one value. Supports wildcards. For example, to match a request with header values containing exact-books OR partial-matched-books, set values to exact-books and partial-*-books.
notValues(repeated string)

A list of negative match values for the header. A request must not match any values. Supports wildcards. For example, to not match a request with header values containing ignore-books or partial-ignored-books, set notValues to ignore-books and partial-ig*-books.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry

FieldDescription
key(string)

value(AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues)

AccessPolicySpec.NamespaceWorkloadSelector

Select individual namespaces and workloads within the namespaces by label. Workloads must have injected (sidecars) or be standalone proxies (gateways) to be selected by Gloo policies.

FieldDescription
selector(AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector)

Selector to match workload objects by their metadata.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector

Selects zero or more Kubernetes workloads by matching on labels, namespace, cluster, and workspace.

FieldDescription
labels(repeated AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry)

Only select workloads with matching labels.
namespace(string)

Only select objects in the matching namespace. If empty, Gloo selects matching objects across all namespaces available in the parent object’s workspace.
cluster(string)

Only select objects in the matching cluster. If empty, Gloo selects matching objects across all clusters available in the parent object’s workspace.
workspace(string)

Only select objects in the given workspace. If empty, Gloo selects matching objects across all workspaces available in the parent object’s workspace.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry

FieldDescription
key(string)

value(string)

AccessPolicyStatus

The status of the policy after it is applied to your Gloo environment.

FieldDescription
common(common.gloo.solo.io.Status)

The state and workspace conditions of the applied policy.
numSelectedDestinationPorts(uint32)

The number of destination ports selected by the policy.

AccessPolicySpec.Config.Authentication.TLSmode

The mutual TLS (mTLS) connection mode. The following enums correspond to the modes defined by Istio.

NameNumberDescription
DISABLE0Do not originate mTLS connections to the upstream workload, and instead use unencrypted plaintext.
PERMISSIVE1Permit both unencrypted plaintext and mTLS-secured connections to the upstream workload. Use this mode only when you migrate workloads to your service mesh. After the workload is onboarded to the service mesh, using the STRICT mode is recommended.
STRICT2Secure connections to the upstream workload with mTLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When you use this mode, keep all other fields in ClientTLSSettings empty.