Merge pull request #28594 from neal-timpe/ossmdoc-200

JStickler · web-flow · commit 7019d191d30d · 2021-02-04T15:13:36.000-05:00
OSSMDOC-200
diff --git a/modules/ossm-security-auth-policy.adoc b/modules/ossm-security-auth-policy.adoc
@@ -0,0 +1,181 @@
+////
+Module included in the following assemblies:
+-service_mesh/v2x/ossm-security.adoc
+////
+
+[id="ossm-vs-istio_{context}"]
+= Configuring Role Based Access Control (RBAC)
+
+Role-based access control (RBAC) objects determine whether a user or service is allowed to perform a given action within a project. You can define mesh-, namespace-, and workload-wide access control for your workloads in the mesh. 
+
+To configure RBAC, create an `AuthorizationPolicy` resource in the namespace for which you are configuring access. If you are configuring mesh-wide access, use `istio-system`.
+
+For example, with RBAC, you can create policies that:
+
+* Configure intra-project communication.
+* Allow or deny full access to all workloads in the default namespace.
+* Allow or deny ingress gateway access.
+* Require a token for access.
+
+An authorization policy includes a selector, an action, and a list of rules:
+
+* The `selector` field specifies the target of the policy.
+* The `action` field specifies whether to allow or deny the request.
+* The `rules` field specifies when to trigger the action.
+** The `from` field specifies constraints on the request origin.
+** The `to` field specifies constraints on request target and parameters.
+** The `when` field specifies additional conditions that to apply the rule.
+
+.Procedure
+
+. Create your `AuthorizationPolicy` resource. The following example shows a resource that updates the ingress-policy `AuthorizationPolicy` to deny an IP address from accessing the ingress gateway.
++
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: ingress-policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: DENY
+  rules:
+  - from:
+    - source:
+      ipBlocks: ["1.2.3.4"]
+----
++
+. Run the following command after you write your resource to create your resource in your namespace. The namespace must match your `metadata.namespace` field in your `AuthorizationPolicy` resource.
++
+[source,terminal]
+----
+$ oc create -n istio-system -f <filename> 
+----
+
+.Next steps
+
+Consider the following examples for other common configurations.
+
+== Configure intra-project communication
+
+You can use `AuthorizationPolicy` to configure your control plane to allow or deny the traffic communicating with your mesh or services in your mesh.
+
+=== Restrict access to services outside a namespace
+
+You can deny requests from any source that is not in the `bookinfo` namespace with the following `AuthorizationPolicy` resource example.
+
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: httpbin-deny
+ namespace: bookinfo
+spec:
+ selector:
+   matchLabels:
+     app: httpbin
+     version: v1
+ action: DENY
+ rules:
+ - from:
+   - source:
+       notNamespaces: ["bookinfo"]
+----
+
+=== Creating allow-all and default deny-all authorization policies
+
+The following example shows an allow-all authorization policy that allows full access to all workloads in the `bookinfo` namespace.
+
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-all
+  namespace: bookinfo
+spec:
+  action: ALLOW
+  rules:
+  - {}
+----
+
+The following example shows a policy that denies any access to all workloads in the `bookinfo` namespace.
+
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: deny-all
+  namespace: bookinfo
+spec:
+  {}
+----
+
+== Allow or deny access to the ingress gateway
+
+You can set an authorization policy to add allow or deny lists based on IP addresses.
+
+[source,yaml]
+----
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: ingress-policy
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+       ipBlocks: ["1.2.3.4", "5.6.7.0/24"]
+----
+
+== Restrict access with JSON Web Token
+
+You can restrict what can access your mesh with a JSON Web Token (JWT). After authentication, a user or service can access routes, services that are associated with that token.
+
+Create a `RequestAuthentication` resource, which defines the authentication methods that are supported by a workload. The following example accepts a JWT issued by `http://localhost:8080/auth/realms/master`.
+
+[source,yaml]
+----
+apiVersion: "security.istio.io/v1beta1"
+kind: "RequestAuthentication"
+metadata:
+  name: "jwt-example"
+  namespace: bookinfo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  jwtRules:
+  - issuer: "http://localhost:8080/auth/realms/master"
+    jwksUri: "http://keycloak.default.svc:8080/auth/realms/master/protocol/openid-connect/certs"
+----
+
+Then, create an `AuthorizationPolicy` resource in the same namespace to work with `RequestAuthentication` resource you created. The following example requires a JWT to be present in the `Authorization` header when sending a request to `httpbin` workloads.
+
+[source,yaml]
+----
+apiVersion: "security.istio.io/v1beta1"
+kind: "AuthorizationPolicy"
+metadata:
+  name: "frontend-ingress"
+  namespace: bookinfo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  action: DENY
+  rules:
+  - from:
+    - source:
+        notRequestPrincipals: ["*"]
+----
diff --git a/service_mesh/v2x/ossm-security.adoc b/service_mesh/v2x/ossm-security.adoc
@@ -20,6 +20,8 @@ If you don't have a project, install the xref:../../service_mesh/v2x/prepare-to-
 
 include::modules/ossm-security-mtls.adoc[leveloffset=+1]
 
+include::modules/ossm-security-auth-policy.adoc[leveloffset=+1]
+
 include::modules/ossm-security-cipher.adoc[leveloffset=+1]
 
 include::modules/ossm-security-cert-manage.adoc[leveloffset=+1]
