AccessPolicy
AccessPolicy API reference.
Proto: access_policy.proto
Package: security.policy.gloo.solo.io
Control access for workloads in your service mesh. An access policy describes how clients should be authenticated and authorized to access a service. For more information about cross-origin resource sharing, see this article. AccessPolicies can be applied at the workload or destination level.
Note: Workload selectors are considered more secure than destination selectors and are therefore recommended to be used whenever possible. While workload selectors are applied to the translated Istio AuthorizationPolicy resource directly, destination selectors require the translation of the selected destination first before the access policy is enforced. This can lead to a window where traffic is unsecured if a new destination is added to the cluster. However, keep in mind that workloads selectors cannot be used when service isolation is enabled in your workspace. If service isolation is enabled, you must use destination selectors instead.
Examples
The following example is for a simple access policy that allows the productpage app to access the ratings app.
apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
name: ratings-access
namespace: bookinfo
spec:
applyToWorkloads:
- selector:
labels:
app: ratings
config:
authn:
tlsMode: STRICT
authzList:
- allowedClients:
- serviceAccountSelector:
labels:
app: productpage
allowedPaths:
- /ratings*
The following example specifies the IP address that you want to allow access to the ratings app. When a client sends a request to ratings, the client’s IP address is matched against the IP addresses that are defined in the access policy. If the IP address matches, the request is forwarded to the ratings app. If the IP does not match, access to ratings is denied.
apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
name: ratings-access
namespace: bookinfo
spec:
applyToWorkloads:
- selector:
labels:
app: ratings
config:
authn:
tlsMode: STRICT
authzList:
- allowedIpBlocks:
- 112.114.230.1
allowedPaths:
- /ratings*
The following access policy uses a destination selector and specifies the request
headers that must be sent to allow or deny the communication between the productpage
and ratings apps. For example, if you send a request with the X-Test-Header: match
header from the productpage app to the ratings app, the request is matched and the
communication between productpage and ratings is allowed. If you send the same request
without a header or with the X-Test-Header: noMatch
header, the request is not matched
and the communication between the apps is denied.
apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
name: ratings-access
namespace: bookinfo
spec:
applyToDestinations:
- port:
number: 9080
selector:
labels:
app: ratings
config:
authn:
tlsMode: STRICT
authzList:
- allowedClients:
- serviceAccountSelector:
labels:
app: productpage
allowedPaths:
- /ratings*
match:
request:
headers:
X-Test-Header:
notValues:
- noMatch
- partial-blocked
values:
- match
- partial*
You can have multiple authzList
entries to control access to workloads.
A request is allowed when it matches at least one of the authzList
entries (logically OR’d together).
For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND’d together).
In the following example:
- The product page app is allowed to send GET requests to the ratings app along the
/ratings*
wildcard path. - The product page app is allowed to send PATCH requests to the ratings app along the
/ratings/2*
wildcard path. - The reviews app is allowed to access the ratings app.
apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
name: ratings-access
namespace: bookinfo
spec:
applyToWorkloads:
- selector:
labels:
app: ratings
config:
authn:
tlsMode: STRICT
authzList:
- allowedClients:
- serviceAccountSelector:
labels:
app: productpage
allowedPaths:
- /ratings*
allowedMethods:
- GET
- allowedClients:
- serviceAccountSelector:
labels:
app: productpage
allowedPaths:
- /ratings/2*
allowedMethods:
- PATCH
- allowedClients:
- serviceAccountSelector:
labels:
app: reviews
AccessPolicyReport
The report shows the resources that the policy selects after the policy is successfully applied.
Field | Description |
---|---|
workspaces | (repeated AccessPolicyReport.WorkspacesEntry )A list of workspaces in which the policy can apply to destinations. |
selectedDestinationPorts | (repeated common.gloo.solo.io.DestinationReference )A list of destination ports selected by the policy. |
allowedServiceAccounts | (repeated AccessPolicyReport.IdentityReference )A list of the service accounts whose workloads are allowed to send requests to the selected destinations. |
selectedNamespaces | (repeated common.gloo.solo.io.ObjectReference )A list of namespaces that contain workloads selected by the policy. |
AccessPolicyReport.IdentityReference
A list of the service accounts whose workloads are allowed to send requests to the selected destinations.
Field | Description |
---|---|
identityIndex | (int32 )The index of the identity in the list of identity selectors. |
serviceAccount | (common.gloo.solo.io.ObjectReference )The reference to the service account backing the identity. |
authzIndex | (int32 )The index of the authz in the authzList. |
AccessPolicyReport.WorkspacesEntry
Field | Description |
---|---|
key | (string ) |
value | (common.gloo.solo.io.Report ) |
AccessPolicySpec
Specifications for the policy.
Field | Description |
---|---|
applyToDestinations | (repeated common.gloo.solo.io.DestinationSelector )Destinations to apply the policy to. If applyToWorkloads is non-empty, this field is ignored. If this field and applyToWorkloads are both empty, the policy applies to all ports on all destinations in the workspace.For security reasons, applyToWorkloads is preferred. |
applyToWorkloads | (repeated AccessPolicySpec.NamespaceWorkloadSelector )Workloads to apply the policy to. For security reasons, this field is preferred over applyToDestinations . If an empty selector is provided in the list, the policy applies to all workloads in a namespace, cluster, and workspace that are available in the parent object’s workspace. |
config | (AccessPolicySpec.Config )Details of the access policy to apply to the selected workloads. |
AccessPolicySpec.Config
Details of the access policy to apply to the selected workloads.
Field | Description |
---|---|
authn | (AccessPolicySpec.Config.Authentication )How clients are authenticated to the workload. |
authz | (AccessPolicySpec.Config.Authorization )Deprecated; Use authzList instead. If authzList is set, it takes precedence and this field is ignored. How clients are authorized to access the workload. |
enforcementLayers | (common.gloo.solo.io.EnforcementLayers )Optional: When NetworkPolicy translation is enabled, all available layers are used to enforce AccessPolicies by default. If you want to explicitly define which layers to use to enforce this AccessPolicy, you can set them by using this field. Note that the layer that you define in this field must be available to be configured. |
authzList | (repeated AccessPolicySpec.Config.Authorization )How clients are authorized to access the workload. A request is allowed when it matches at least one authz entry in the list (logically OR’d together). |
AccessPolicySpec.Config.Authentication
How clients are authenticated to the workload.
Field | Description |
---|---|
tlsMode | (AccessPolicySpec.Config.Authentication.TLSmode )Type of TLS policy that is enforced on clients connecting to the workload. If service isolation is enabled for the workspace, this field is treated as ‘STRICT’. |
AccessPolicySpec.Config.Authorization
Configure access to workloads.
You can have multiple authzList
entries.
A request is allowed when it matches at least one of the authzList
entries (logically OR’d together).
For each entry, you can specify different requirements for allowed clients, paths, methods, IP blocks, and other configuration settings. Then, a request is allowed only when ALL of the requirements are met (logically AND’d together).
If the policy uses applyToWorkloads
, you can also allow NO requests by setting this value to the empty object {}
,
which will serve as a fallback when requests do not match another authz
case for the given workload.
Field | Description |
---|---|
allowedClients | (repeated common.gloo.solo.io.IdentitySelector )Client identities that are permitted to access the workload. To allow access for all client identities, provide a single empty selector. |
allowedPaths | (repeated string )Optional: A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName”, and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path /books/review matches /books/review (exact match), *books/ (suffix match), or /books* (prefix match).If empty, any path is allowed. |
allowedMethods | (repeated string )Optional: A list of HTTP methods to allow (e.g., “GET”, “POST”). If empty, any method is allowed. This field is ignored for gRPC, because the value is always “POST”. |
match | (AccessPolicySpec.Config.Authorization.MatchSpec )Optional: Additional request matching conditions. |
allowedIpBlocks | (repeated string )Optional: A list of IP blocks, populated from the source address of the IP packet. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. If empty, any IP address is allowed. |
allowedRemoteIpBlocks | (repeated string )Optional: A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. Single IP addresses (e.g. “1.2.3.4”) and CIDRs (e.g. “1.2.3.0/24”) are supported. This field is equivalent to the remote.ip attribute. If empty, any IP address is allowed. To use this field, you must configure the meshConfig.defaultConfig.gatewayTopology.numTrustedProxies field in your Istio installation. For more info, see the Istio documentation. |
dryRun | (bool )Set to true to enable a dry run of the access policy for L7 Istio service mesh authorization only. Then, you can check the sidecar proxy logs, metrics, and tracing to determine if traffic would be allowed or denied. However, the authorization is not enforced until you disable the dry run and re-apply the access policy. Note that when there are both dry run and enforced policies, dry run policies are considered independently of enforced policies; i.e. the logs, metrics, and tracing results indicating if traffic would be allowed or denied is based on the behavior if all dry run policies were enforced but all currently enforced policies were deleted. Note that dry run cannot be used to review allow or deny decisions for L4 traffic. Even if you enable the dry run feature with a Gloo Network setup, no Cilium network policy and decision logs are created or enforced. |
AccessPolicySpec.Config.Authorization.MatchSpec
Optional: Additional request matching conditions.
Field | Description |
---|---|
request | (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec )Optional: HTTP request header matching conditions. |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec
Field | Description |
---|---|
headers | (repeated AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry )Optional: HTTP request header matching conditions. |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues
A value matching condition for HTTP request headers.
At least one of values
or notValues
must be set.
Field | Description |
---|---|
values | (repeated string )A list of match values for the header. A request must match at least one value. Supports wildcards. For example, to match a request with header values containing exact-books OR partial-matched-books , set values to exact-books and partial-*-books . |
notValues | (repeated string )A list of negative match values for the header. A request must not match any values. Supports wildcards. For example, to not match a request with header values containing ignore-books or partial-ignored-books , set notValues to ignore-books and partial-ig*-books . |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry
Field | Description |
---|---|
key | (string ) |
value | (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues ) |
AccessPolicySpec.NamespaceWorkloadSelector
Select individual namespaces and workloads within the namespaces by label. Workloads must have injected (sidecars) or be standalone proxies (gateways) to be selected by Gloo policies.
Field | Description |
---|---|
selector | (AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector )Selector to match workload objects by their metadata. |
AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector
Selects zero or more Kubernetes workloads by matching on labels, namespace, cluster, and workspace.
Field | Description |
---|---|
labels | (repeated AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry )Only select workloads with matching labels. |
namespace | (string )Only select objects in the matching namespace. If empty, Gloo selects matching objects across all namespaces available in the parent object’s workspace. |
cluster | (string )Only select objects in the matching cluster. If empty, Gloo selects matching objects across all clusters available in the parent object’s workspace. |
workspace | (string )Only select objects in the given workspace. If empty, Gloo selects matching objects across all workspaces available in the parent object’s workspace. |
AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry
Field | Description |
---|---|
key | (string ) |
value | (string ) |
AccessPolicyStatus
The status of the policy after it is applied to your Gloo environment.
Field | Description |
---|---|
common | (common.gloo.solo.io.Status )The state and workspace conditions of the applied policy. |
numSelectedDestinationPorts | (uint32 )The number of destination ports selected by the policy. |
numSelectedNamespaces | (uint32 )The number of namespaces containing selected workloads by the policy. |
numAllowedServiceAccounts | (uint32 )The number of service accounts allowed to access the selected destinations. |
AccessPolicySpec.Config.Authentication.TLSmode
The mutual TLS (mTLS) connection mode. The following enums correspond to the modes defined by Istio.
Name | Number | Description |
---|---|---|
DISABLE | 0 | Do not originate mTLS connections to the upstream workload, and instead use unencrypted plaintext. |
PERMISSIVE | 1 | Permit both unencrypted plaintext and mTLS-secured connections to the upstream workload. Use this mode only when you migrate workloads to your service mesh. After the workload is onboarded to the service mesh, using the STRICT mode is recommended. |
STRICT | 2 | Secure connections to the upstream workload with mTLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When you use this mode, keep all other fields in ClientTLSSettings empty. |