Service Mesh Authorization
- Authorization
- A service mesh provides the ability to enforce service-to-service and end-user-to-service authorization.
- Using a service mesh for authorization can help secure your services and enforce the principle of least privilege.
- There are two authorization types that can be enforced with a service mesh:
- Role Based Access Control (RBAC)
- Role-based access control: access is defined in terms of "roles" and "permissions", independent of policies;
- Grant access by roles
- Coarse-grained
- May cause role explosions
- Separation of duty (SOD)
- Attribute Based Access Control (ABAC)
- The next-generation authorization model
- Attribute-based access control
- Grant access by policies, also known as policy-based access control: an access-control paradigm in which users are granted access by combining attributes into policies. Compared with RBAC, it also takes into account attributes beyond roles and groups, and it is based on policies rather than statically defined permissions;
- Boolean logic: policies can be defined over complex sets of boolean rules;
- Context, such as time, location and IP address;
- ABAC can be seen as an external, dynamic authorization mechanism that enables fine-grained authorization;
- OPA: Open Policy Agent
- An open-source, general-purpose policy engine for unifying policy enforcement across the whole stack;
- Policies are written in Rego, a high-level declarative language (also called the policy language);
- Commonly used to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways and so on;
RBAC
- RBAC is an operation-authorization mechanism that defines which "Subject" may perform which "Verb" on which "Object" (or class of objects);
- Envoy's RBAC filter provides service-level and method-level access control for services; the HTTP filter is configured under the name envoy.filters.http.rbac
- The filter can be configured with allow-list (Allow) or deny-list (Deny) policy sets based on connection properties (IP, port or SSL subject) and on the headers of the incoming HTTP request;
- It supports an enforcement mode and a shadow mode; shadow mode only evaluates the policies and has no effect on the request
- Envoy's RBAC configuration consists of two main parameters
- action: the action to take when a policy matches; a request is permitted if and only if one of the following holds
- action is ALLOW and at least one policy matches
- action is DENY and no policy matches
- policies: a map from policy name to policy; the rule set matches when at least one policy matches the request
RBAC configuration format
Network filter configuration format
---
listeners:
  ...
  filter_chains:
  - filter_chain_match: {...}
    use_proxy_proto: {...}
    transport_socket: {...}
    transport_socket_connect_timeout: {...}
    name: ...
    filters:   # The list of individual network filters that make up the filter chain for connections established with the listener. Order matters, because filters are processed in order as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.rbac   # Name of the filter configuration; determined by the filter specified in typed_config.
      typed_config:   # Filter-specific configuration; depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
        rules: {...}
        matcher: {...}
        shadow_rules: {...}
        shadow_matcher: {...}
        shadow_rules_stat_prefix: ...
        stat_prefix: ...
        enforcement_type: ...
HTTP filter configuration format
---
listeners:
  ...
  filter_chains:
  - ...
    name: ...
    filters:   # The list of individual network filters that make up the filter chain for connections established with the listener. Order matters, because filters are processed in order as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.http_connection_manager   # Name of the filter configuration; determined by the filter specified in typed_config.
      typed_config:   # Filter-specific configuration; depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        ...
        http_filters:
        - name: envoy.filters.http.rbac
          config_discovery: {...}
          is_optional: ...
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
            rules:
              action: ...   # Action taken when a policy matches; supports ALLOW, DENY, LOG, true;
              policies:   # Authorization policies: a map from policy name to policy
                <policy-name>:   # placeholder for the policy name
                  permissions:   # List of permissions granted to the role; list items are combined with "or";
                  - and_rules: {...}   # A set of permissions combined with "and";
                    or_rules: {...}   # A set of permissions combined with "or";
                    any: ...   # Boolean; whether to match all operations;
                    header: {...}   # Checks the specified header of the incoming HTTP request; HTTP requests only;
                    url_path: {...}
                    destination_ip: {...}   # Permission on a CIDR block of destination IPs;
                    destination_port: ...   # Permission on the destination port;
                    destination_port_range: {...}
                    metadata: {...}   # Permission on the specified metadata;
                    not_rule: {...}   # A permission defined with "not";
                    requested_server_name: {...}   # Permission on the destination server name requested by the client;
                    matcher: {...}
                  principals:
                  - and_ids: {...}   # A set of principals combined with "and";
                    or_ids: {...}   # A set of principals combined with "or";
                    any: ...
                    authenticated: {...}   # An authenticated principal;
                    source_ip: {...}
                    direct_remote_ip: {...}
                    remote_ip: {...}
                    header: {...}   # The specified header of the incoming HTTP request;
                    url_path: {...}
                    metadata: {...}   # Metadata describing additional information about the Subject;
                    not_id: {...}   # A "not" principal, i.e. any principal other than the one specified;
                  condition: {...}
            matcher: {...}
            shadow_rules: {...}
            shadow_matcher: {...}
            shadow_rules_stat_prefix: ...
RBAC configuration example
- Service account cluster.local/ns/default/sa/admin has full access to the service, and so does "cluster.local/ns/default/sa/superuser".
- Any user can read (GET) the service at paths with prefix /products, so long as the destination port is either 80 or 443.
action: ALLOW
policies:
  "service-admin":
    permissions:
    - any: true
    principals:
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/admin"
    - authenticated:
        principal_name:
          exact: "cluster.local/ns/default/sa/superuser"
  "product-viewer":
    permissions:
    - and_rules:
        rules:
        - header:
            name: ":method"
            string_match:
              exact: "GET"
        - url_path:
            path: { prefix: "/products" }
        - or_rules:
            rules:
            - destination_port: 80
            - destination_port: 443
    principals:
    - any: true
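To make the two-parameter decision rule (ALLOW with a match permits, DENY with no match permits) and the sample policies above concrete, here is an added Python evaluator. It is example code written for this page, not Envoy's implementation: the `Request` dataclass, `decide` and `evaluate` are this example's own names, the sample rules are transcribed from the YAML above into a dict, and only the Permission/Principal matchers the sample uses (plus and_ids/or_ids, not_rule/not_id) are implemented. A second rule set passed as `shadow_rules` is evaluated and reported but never enforced, mirroring shadow mode.

```python
"""Evaluator for the subset of Envoy RBAC semantics described on this page (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The page's example rules, transcribed into a dict (constructed input, same content as the YAML).
RULES = {
    "action": "ALLOW",
    "policies": {
        "service-admin": {
            "permissions": [{"any": True}],
            "principals": [
                {"authenticated": {"principal_name": {"exact": "cluster.local/ns/default/sa/admin"}}},
                {"authenticated": {"principal_name": {"exact": "cluster.local/ns/default/sa/superuser"}}},
            ],
        },
        "product-viewer": {
            "permissions": [{"and_rules": {"rules": [
                {"header": {"name": ":method", "string_match": {"exact": "GET"}}},
                {"url_path": {"path": {"prefix": "/products"}}},
                {"or_rules": {"rules": [{"destination_port": 80}, {"destination_port": 443}]}},
            ]}}],
            "principals": [{"any": True}],
        },
    },
}


@dataclass
class Request:
    """Connection and request attributes the evaluator inspects (hypothetical type for this example)."""
    method: str
    path: str
    destination_port: int
    principal: Optional[str] = None          # mTLS peer identity; None when the peer is unauthenticated
    headers: Dict[str, str] = field(default_factory=dict)


def _match_string(matcher: dict, value: str) -> bool:
    """StringMatcher subset: exact or prefix."""
    if "exact" in matcher:
        return value == matcher["exact"]
    if "prefix" in matcher:
        return value.startswith(matcher["prefix"])
    raise ValueError(f"unsupported string matcher: {matcher}")


def permission_matches(perm: dict, req: Request) -> bool:
    """A Permission sets exactly one field; and/or/not compose recursively."""
    kind, spec = next(iter(perm.items()))
    if kind == "any":
        return bool(spec)
    if kind == "and_rules":
        return all(permission_matches(r, req) for r in spec["rules"])
    if kind == "or_rules":
        return any(permission_matches(r, req) for r in spec["rules"])
    if kind == "not_rule":
        return not permission_matches(spec, req)
    if kind == "header":
        # The :method pseudo-header is matched against the request method.
        value = req.method if spec["name"] == ":method" else req.headers.get(spec["name"])
        return value is not None and _match_string(spec["string_match"], value)
    if kind == "url_path":
        return _match_string(spec["path"], req.path)
    if kind == "destination_port":
        return req.destination_port == spec
    raise ValueError(f"unsupported permission: {kind}")


def principal_matches(princ: dict, req: Request) -> bool:
    """A Principal sets exactly one field; and_ids/or_ids/not_id compose recursively."""
    kind, spec = next(iter(princ.items()))
    if kind == "any":
        return bool(spec)
    if kind == "and_ids":
        return all(principal_matches(p, req) for p in spec["ids"])
    if kind == "or_ids":
        return any(principal_matches(p, req) for p in spec["ids"])
    if kind == "not_id":
        return not principal_matches(spec, req)
    if kind == "authenticated":
        name = spec.get("principal_name")
        if name is None:                      # no principal_name: any authenticated peer matches
            return req.principal is not None
        return req.principal is not None and _match_string(name, req.principal)
    raise ValueError(f"unsupported principal: {kind}")


def matching_policies(rules: dict, req: Request) -> List[str]:
    """A policy matches when at least one permission AND at least one principal match."""
    return [
        name for name, pol in rules["policies"].items()
        if any(permission_matches(p, req) for p in pol["permissions"])
        and any(principal_matches(p, req) for p in pol["principals"])
    ]


def decide(rules: dict, req: Request) -> bool:
    """Permit iff (action ALLOW and some policy matches) or (action DENY and none matches)."""
    matched = bool(matching_policies(rules, req))
    return matched if rules["action"] == "ALLOW" else not matched


def evaluate(req: Request, rules: dict = RULES, shadow_rules: Optional[dict] = None) -> dict:
    """Enforce `rules`; evaluate `shadow_rules` only to report what they would have decided."""
    result = {"allowed": decide(rules, req), "matched": matching_policies(rules, req)}
    if shadow_rules is not None:
        result["shadow_allowed"] = decide(shadow_rules, req)   # reported for validation, never enforced
    return result
```

The evaluator reproduces the two statements above the YAML: an admin or superuser identity matches "service-admin" regardless of method, path or port, while an unauthenticated GET under /products is permitted only on port 80 or 443. Flipping `action` to DENY with the same policies inverts the outcome, which is the case worth checking in shadow mode before enforcing a new rule set.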
References
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/rbac/v3/rbac.proto#extension-envoy-filters-network-rbac
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/rbac/v3/rbac.proto#envoy-v3-api-msg-extensions-filters-http-rbac-v3-rbac