Problem Statement
Istio supports authorization policies (AuthorizationPolicy resources with ALLOW and DENY rules) that control access to services inside the mesh. When those built-in rules are not sufficient, for example when the decision depends on an external policy engine or an opaque token, you can delegate the per-request decision to an external authorization service using a policy with the CUSTOM action. This guide shows how to use an external authorization service with the Istio add-on on AKS.
Solution
With the Istio add-on for AKS, you can use an external authorization service to control access to services. The authorizer can be deployed either as a centralized service (one Deployment and Service that every sidecar proxy calls over the network) or as a sidecar container inside the pod of the workload it protects (the proxy calls it over localhost). This guide shows both layouts.
High level steps to implement the external authz service as a centralized service are as follows:
- Define a ConfigMap named istio-shared-configmap-asm-x-yy (where x-yy is the Istio add-on revision) in the aks-istio-system namespace, and under its mesh key add the extension providers (envoyExtAuthzHttp, envoyExtAuthzGrpc, or both) pointing at the authorization service's cluster DNS name and port.
- Create a Deployment for the external authorization service. Its container runs the authorization service and exposes the HTTP and/or gRPC check ports.
- Create a Service for the external authorization service whose selector matches the labels of that Deployment. The Service's DNS name is what the extension provider references.
- Create an Istio AuthorizationPolicy that uses the external authorization service. The policy action must be CUSTOM and the provider name must match the extension provider defined in the ConfigMap. Leave the provider's failOpen at its default of false so that requests are denied, not allowed, when the authorizer is unreachable or returns an error.
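The four steps above as one set of manifests. This is an added example, not the manifests from the linked lab or from the AKS project; it assumes an add-on revision of asm-1-24, a workload namespace foo labelled istio.io/rev=asm-1-24, an httpbin workload in that namespace, and Istio's sample authorizer image (gcr.io/istio-testing/ext-authz, which listens on HTTP 8000 and gRPC 9000 and allows a request only when it carries the header x-ext-authz: allow) standing in for your real authorizer.

```yaml
# Added example: external authorizer as a centralized service on the AKS Istio add-on.
# Assumptions: revision asm-1-24, namespace "foo" labelled istio.io/rev=asm-1-24,
# a workload labelled app=httpbin, and Istio's sample ext-authz image as the authorizer.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-shared-configmap-asm-1-24   # must match the add-on revision
  namespace: aks-istio-system
data:
  mesh: |-
    extensionProviders:
    - name: ext-authz-http
      envoyExtAuthzHttp:
        service: ext-authz.foo.svc.cluster.local   # the Service defined below
        port: 8000
        # Forward only the headers the authorizer needs for its decision.
        includeRequestHeadersInCheck: ["x-ext-authz", "authorization"]
        # Default shown explicitly: deny when the authorizer is down or returns 5xx.
        failOpen: false
    - name: ext-authz-grpc
      envoyExtAuthzGrpc:
        service: ext-authz.foo.svc.cluster.local
        port: 9000
        failOpen: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ext-authz
  namespace: foo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ext-authz
  template:
    metadata:
      labels:
        app: ext-authz
    spec:
      containers:
      - name: ext-authz
        image: gcr.io/istio-testing/ext-authz:latest   # assumed stand-in authorizer
        ports:
        - containerPort: 8000   # HTTP check endpoint
        - containerPort: 9000   # gRPC check endpoint
---
apiVersion: v1
kind: Service
metadata:
  name: ext-authz
  namespace: foo
spec:
  selector:
    app: ext-authz   # matches the Deployment's pod labels
  ports:
  - name: http
    port: 8000
    targetPort: 8000
  - name: grpc
    port: 9000
    targetPort: 9000
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin   # the workload being protected
  action: CUSTOM
  provider:
    name: ext-authz-http   # must equal the extension provider name in the ConfigMap
  rules:
  - to:
    - operation:
        paths: ["/headers"]   # only these requests are sent to the authorizer
```

Apply the manifests with kubectl, then call the protected path once with x-ext-authz: allow and once without it; the first should return 200 and the second 403 if the provider name, revision and Service DNS name line up. Note that the CUSTOM policy only covers the paths in its rules; any path outside them is not checked by the authorizer at all, so keep the rules as broad as the protection you actually need.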
High level steps to implement the external authz service as a sidecar are as follows:
- Define the same ConfigMap, istio-shared-configmap-asm-x-yy (where x-yy is the Istio add-on revision), in the aks-istio-system namespace and add the extension providers for envoyExtAuthzHttp and/or envoyExtAuthzGrpc. In this layout the provider's service field names a host that is resolved only by the ServiceEntry created later (for example ext-authz.local), not a cluster Service.
- Add the external authorization service as an additional container in the Deployment of the service you want to protect. Because it shares the pod's network namespace, the sidecar proxy can reach it on 127.0.0.1 and the authorization check never leaves the pod.
- Create an Istio AuthorizationPolicy that uses the external authorization service. The policy action must be CUSTOM and the provider name must match the extension provider defined in the ConfigMap.
- Create a ServiceEntry for the external authorization service whose host is the name used in the extension provider, with resolution STATIC, an endpoint address of 127.0.0.1, and the ports the authorization service listens on. This makes the sidecar proxy send its check requests to the authorizer container in the same pod instead of to a network service.
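The sidecar layout, showing only what differs from the centralized one: the provider entry, the protected Deployment with the authorizer added as a second container, and the ServiceEntry that pins the provider's host to 127.0.0.1. This is an added example modeled on Istio's local ext-authz sample, not the linked lab's manifests; it assumes revision asm-1-24, namespace foo labelled istio.io/rev=asm-1-24, the hostname ext-authz.local (which exists only in the ServiceEntry), and the same sample authorizer image as before.

```yaml
# Added example: external authorizer as a sidecar container in the protected pod.
# Assumptions: revision asm-1-24, namespace "foo" labelled istio.io/rev=asm-1-24,
# hostname ext-authz.local resolved only by the ServiceEntry below, sample ext-authz image.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-shared-configmap-asm-1-24
  namespace: aks-istio-system
data:
  mesh: |-
    extensionProviders:
    - name: ext-authz-http-local
      envoyExtAuthzHttp:
        # Not a cluster Service: the ServiceEntry maps this host to 127.0.0.1,
        # so the proxy's check request stays inside the pod.
        service: ext-authz.local
        port: 8000
        includeRequestHeadersInCheck: ["x-ext-authz"]
        failOpen: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: docker.io/kennethreitz/httpbin
        ports:
        - containerPort: 80
      # The authorizer shares the pod's network namespace, so it is reachable
      # from the istio-proxy container on localhost and from nowhere else.
      - name: ext-authz
        image: gcr.io/istio-testing/ext-authz:latest   # assumed stand-in authorizer
        ports:
        - containerPort: 8000
        - containerPort: 9000
---
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: ext-authz-local
  namespace: foo
spec:
  hosts:
  - ext-authz.local          # the host named in the extension provider
  endpoints:
  - address: 127.0.0.1       # the authorizer container in the same pod
  ports:
  - name: http
    number: 8000
    protocol: HTTP
  - name: grpc
    number: 9000
    protocol: GRPC
  resolution: STATIC
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-local
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    name: ext-authz-http-local   # must equal the provider name in the ConfigMap
  rules:
  - to:
    - operation:
        paths: ["/headers"]
```

Because the endpoint is 127.0.0.1, no Service, mTLS policy or network exposure is needed for the authorizer itself, and each pod's proxy talks only to its own authorizer; the cost is that the authorizer runs in every protected pod and its configuration is updated by rolling those pods. Do not publish ports 8000 or 9000 through a Service in this layout, since that would turn the localhost-only authorizer into a network-reachable one.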
Refer to the following link for the detailed, step-by-step implementation of the external authz service as a sidecar or as a centralized service on AKS.
https://github.com/srinman/aksworkshop/blob/main/lab-istio/istio-mesh-extauthz.md