External Authorization

This scenario demonstrates how Envoy's external authorization filter can be applied to an HTTPRoute.

Context

We will use the Ext Authz service sample from the Istio distribution.

Deploy the service:

kubectl apply -f ext-authz/ext-authz.yaml

The contract

The service you just deployed allows (200) any request bearing the header x-ext-authz: allow.

A request without the header, or with a header value other than allow, is denied (403).

Instructions

Make sure that the httpbin service is deployed, and that a simple route is defined from the gateway to the service.

Review the following security policy:

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: ext-authz-policy
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  extAuth:
    http:
      backendRefs:
      - group: ""
        kind: Service
        name: ext-authz
        port: 8000
    headersToExtAuth:
    - x-ext-authz

Apply the policy:

kubectl apply -f ext-authz/security-policy.yaml

Send a test request:

curl -v -H "x-ext-authz: allow" http://httpbin.esuez.org/json --resolve httpbin.esuez.org:80:$GATEWAY_IP

The above request should succeed.

A request without the header, or with a header value other than "allow", returns a 403.
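
The contract above, as an added example that is not part of this page, Envoy Gateway or the Istio sample: a minimal HTTP ext-authz service in Python implementing the allow/deny rule, plus a helper that models the gateway side of headersToExtAuth. It assumes, as with Envoy's HTTP ext_authz, that only the client headers named in headersToExtAuth are forwarded to the authorization service, so leaving x-ext-authz off that list makes every request fail authorization.

```python
# Added example (not from the page, Envoy Gateway or the Istio sample): a minimal
# HTTP ext-authz service implementing the page's contract, plus a helper that
# models the gateway side of headersToExtAuth. Assumption: as with Envoy's HTTP
# ext_authz, the gateway forwards only the listed client headers to the service.
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_HEADER = "x-ext-authz"
ALLOW_VALUE = "allow"
# Mirrors the headersToExtAuth list in the SecurityPolicy above.
HEADERS_TO_EXT_AUTH = [AUTH_HEADER]


def forwarded_headers(request_headers, headers_to_ext_auth):
    """Model the gateway: only headers named in headersToExtAuth reach the auth
    service. Names are compared case-insensitively, as HTTP header names are."""
    allowed = {name.lower() for name in headers_to_ext_auth}
    return {k.lower(): v for k, v in request_headers.items() if k.lower() in allowed}


def authorize(headers):
    """The service contract from the page: 200 only when x-ext-authz is exactly
    'allow'; a missing header or any other value is 403."""
    return 200 if headers.get(AUTH_HEADER) == ALLOW_VALUE else 403


def decide(request_headers, headers_to_ext_auth=HEADERS_TO_EXT_AUTH):
    """End-to-end verdict: client headers -> gateway forwarding -> auth service."""
    return authorize(forwarded_headers(request_headers, headers_to_ext_auth))


class ExtAuthHandler(BaseHTTPRequestHandler):
    """The check endpoint the gateway calls; any method on any path gets the same verdict."""

    def _check(self):
        status = authorize({k.lower(): v for k, v in self.headers.items()})
        self.send_response(status)
        # Constructed diagnostic header, useful when inspecting the auth service's replies.
        self.send_header("x-ext-authz-check-result", "allowed" if status == 200 else "denied")
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _check


if __name__ == "__main__":
    # Listen on 8000, the port the SecurityPolicy's backendRef points at.
    HTTPServer(("", 8000), ExtAuthHandler).serve_forever()
```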