
Istio

The Istio Authservice can be used as an Istio External Authorization service. Configuring Istio to use the authservice requires the following:

  • Mounting the OIDC Configuration file in the authservice pod.
  • Defining an Extension Provider pointing to the authservice Kubernetes service.
  • Configuring an Istio AuthorizationPolicy to intercept traffic and forward it to the defined extension provider.
  1. Mounting the OIDC configuration

    The authservice expects the configuration file to be in: /etc/authservice/config.json. You can customize this by setting the --config-path startup flag in the authservice deployment, but the examples in this documentation site will assume the default location.

    To configure the authservice, define a Kubernetes ConfigMap that provides the configuration file, as in the example below:

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: authservice-config
      namespace: authservice
    data:
      config.json: |
        {
          "listen_address": "0.0.0.0",
          "listen_port": "10003",
          "log_level": "debug",
          "allow_unmatched_requests": false,
          "chains": [
            {
              "name": "keycloak",
              "filters": [
                {
                  "oidc": {
                    ...
                    <OIDC config options>
                    ...
                  }
                }
              ]
            }
          ]
        }

    Refer to the OIDC Configuration Guide for a detailed list of the available OIDC configuration options.

  2. Custom extension provider

    Once the authservice is up and running with the desired configuration, Istio needs to be configured to intercept traffic and forward it to the authservice. This is done as explained below:

    First, an extension provider that points to where the authservice is deployed needs to be defined, as explained in the Istio External Authorization configuration guide.

    The following example shows a configuration that can be used in the values.yaml when configuring Istio with Helm:

    meshConfig:
      extensionProviders:
        # Configure the backend for the Auth Service provider that can be used in AuthorizationPolicies
        # in CUSTOM mode.
        - name: authservice-grpc
          envoyExtAuthzGrpc:
            service: "authservice.authservice.svc.cluster.local" # K8s service for the authservice
            port: "10003" # authservice default gRPC port

  3. Authz enforcement

    Once the custom authorization service has been defined, an AuthorizationPolicy needs to be created to intercept traffic and forward it to the authservice for an access decision. This can be done by creating an AuthorizationPolicy with a CUSTOM action as follows:

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: authservice
      # Namespace where the policy will be applied. If this is the Istio root namespace (istio-system) the
      # policy will apply to all workloads. Otherwise it will only apply to the services in the defined namespace.
      namespace: myapp-namespace
    spec:
      # Action CUSTOM to delegate the access decision to the configured extension provider.
      action: CUSTOM
      provider:
        # Name defined in the extensionProviders property in the MeshConfig
        # (the `istio` ConfigMap in the istio-system namespace)
        name: authservice-grpc
      # A single empty rule will force all requests to be forwarded to the external
      # authorization backend for every workload this policy selects (no selector is
      # set here, so that is every workload in the namespace).
      rules:
      - {}
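As an added example (not part of the authservice project or its documentation), the following POSIX shell script cross-checks the three pieces above before they are applied to a cluster: the provider name in the MeshConfig must match the one referenced by the AuthorizationPolicy, the extension provider's port must equal the authservice listen_port, the service FQDN must point into the namespace that holds the ConfigMap, and allow_unmatched_requests should stay false so that requests matching no chain are rejected instead of passed through. The three manifests are constructed inline from the page's examples; yaml_value and check_wiring are hypothetical helper names, and the key extraction is a line-oriented approximation, not a full YAML parser.

```shell
#!/bin/sh
# Added example: pre-deploy consistency check for the Istio <-> authservice wiring.
# Sample manifests below are constructed from the documentation examples.

CONFIGMAP='kind: ConfigMap
apiVersion: v1
metadata:
  name: authservice-config
  namespace: authservice
data:
  config.json: |
    {
      "listen_address": "0.0.0.0",
      "listen_port": "10003",
      "log_level": "debug",
      "allow_unmatched_requests": false,
      "chains": []
    }'

MESH_VALUES='meshConfig:
  extensionProviders:
    - name: authservice-grpc
      envoyExtAuthzGrpc:
        service: "authservice.authservice.svc.cluster.local" # K8s service for the authservice
        port: "10003" # authservice default gRPC port'

AUTHZ_POLICY='apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice
  namespace: myapp-namespace
spec:
  action: CUSTOM
  provider:
    name: authservice-grpc
  rules:
  - {}'

# yaml_value KEY TEXT [AFTER]: value of the first "KEY: value" (or JSON "KEY": value)
# line in TEXT, optionally searching only from the first line matching AFTER.
# Trailing comments, quotes and JSON commas are stripped. (Hypothetical helper.)
yaml_value() {
  key=$1; text=$2; after=${3:-}
  printf '%s\n' "$text" |
    { if [ -n "$after" ]; then sed -n "/$after/,\$p"; else cat; fi; } |
    sed -n "s/^[[:space:]-]*\"\{0,1\}$key\"\{0,1\}:[[:space:]]*//p" |
    head -n 1 | sed 's/[[:space:]]*#.*$//' | tr -d '",'
}

# check_wiring: returns 0 when all three manifests agree, 1 otherwise.
check_wiring() {
  mesh_provider=$(yaml_value name "$MESH_VALUES")
  policy_provider=$(yaml_value name "$AUTHZ_POLICY" "provider:")
  ext_service=$(yaml_value service "$MESH_VALUES")
  ext_port=$(yaml_value port "$MESH_VALUES")
  cm_namespace=$(yaml_value namespace "$CONFIGMAP")
  listen_port=$(yaml_value listen_port "$CONFIGMAP")
  unmatched=$(yaml_value allow_unmatched_requests "$CONFIGMAP")
  # second label of "<service>.<namespace>.svc.cluster.local"
  svc_namespace=$(printf '%s' "$ext_service" | cut -d. -f2)

  rc=0
  [ "$mesh_provider" = "$policy_provider" ] ||
    { echo "FAIL: policy references provider '$policy_provider', MeshConfig defines '$mesh_provider'" >&2; rc=1; }
  [ "$ext_port" = "$listen_port" ] ||
    { echo "FAIL: provider port $ext_port != authservice listen_port $listen_port" >&2; rc=1; }
  [ "$svc_namespace" = "$cm_namespace" ] ||
    { echo "FAIL: service namespace '$svc_namespace' != ConfigMap namespace '$cm_namespace'" >&2; rc=1; }
  [ "$unmatched" = "false" ] ||
    { echo "FAIL: allow_unmatched_requests is '$unmatched'; expected false (fail closed)" >&2; rc=1; }
  return $rc
}

if check_wiring; then
  echo "OK: Istio extension provider, AuthorizationPolicy and authservice config are consistent"
else
  echo "wiring problems found; fix the manifests before applying them" >&2
fi
```

In practice the three variables would be filled from the real files (for example with `kubectl get configmap authservice-config -n authservice -o yaml` and the Helm values file) rather than from the inline samples; the checks stay the same.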