Authorization
AuthorizationPolicy allows you to finely control service access permissions.
Table of Contents
Authorization Overview
Istio AuthorizationPolicy provides fine-grained access control for services. The diagram above shows how Authorization Policy works:
- Request Reception: Envoy receives inbound request
- Policy Evaluation: AuthorizationPolicy rules are evaluated in order
- Access Decision: ALLOW, DENY, or CUSTOM action is applied
- Audit Logging: All decisions are recorded
Supported Conditions:
- Source: Request origin (ServiceAccount, Namespace, IP)
- Operation: HTTP method, path, port
- Conditions: Custom conditions (headers, JWT claims, etc.)
Basic Policies
Default Deny (Deny All)
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
action: DENY
rules:
- {} # Deny all requestsDefault Allow (Allow All)
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: allow-all
namespace: default
spec:
action: ALLOW
rules:
- {} # Allow all requestsHTTP Method Based
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: httpbin-get-only
namespace: default
spec:
selector:
matchLabels:
app: httpbin
action: ALLOW
rules:
- to:
- operation:
methods: ["GET"] # Allow only GETAdvanced Policies
Service Account Based
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: ratings-sa-policy
namespace: default
spec:
selector:
matchLabels:
app: ratings
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/reviews"] # Allow only reviews SANamespace Based
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: db-namespace-policy
namespace: database
spec:
selector:
matchLabels:
app: postgresql
action: ALLOW
rules:
- from:
- source:
namespaces: ["production", "staging"] # Specific namespaces onlyPath Based
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: path-based-policy
namespace: default
spec:
selector:
matchLabels:
app: api
action: ALLOW
rules:
- to:
- operation:
paths: ["/api/public/*"] # Allow only public API
- from:
- source:
principals: ["cluster.local/ns/default/sa/admin"]
to:
- operation:
paths: ["/api/admin/*"] # admin SA can access admin APIJWT Claims Based
yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
name: jwt-claims-policy
namespace: default
spec:
selector:
matchLabels:
app: myapp
action: ALLOW
rules:
- when:
- key: request.auth.claims[role]
values: ["admin", "superuser"] # role claim is admin or superuser