Authorization Policy¶
The authorization policy is similar to a L4 to L7 "firewall". It will analyze and match the data flow like a traditional firewall, and then perform corresponding actions. The authorization policy applies whether the request is from internal or external.
A reference YAML example for an authorization policy is as follows:
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: "ratings-viewer"
namespace: default
spec:
selector:
matchLabels:
app: ratings
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
to:
- operation:
methods: ["GET"]
Service mesh provides two creation methods: wizard and YAML. The specific steps to create through the wizard are as follows:
-
In the left navigation bar, click Security -> Authorization Policy , and click the Create button in the upper right corner.
-
In the Create Request Authentication Policy interface, firstly fill in the basic settings and then click Next .
-
After setting the policy according to the screen prompts, click OK . See Policy Setting Parameter Description.
-
Return to the authorization list, and the screen prompts that the creation is successful.
-
On the right side of the list, click ┇ in the operation column to perform more operations through the pop-up menu.
Note
- For the configuration of specific parameters, refer to Authorization Policy Parameter Configuration.
- For a more intuitive operation demonstration, refer to Video Tutorial.