Istio Authorization Policies in OOM

Background

Authorization policies are being introduced as part of the service mesh security being brought in with Istio. Reference to the architecture can be found here: https://lf-onap.atlassian.net/wiki/pages/viewpage.action?pageId=16472429

This page covers the current state (as of when this page was created/updated) of the authorization policies for service-to-service communications among ONAP components. Reference to the jira epic: https://jira.onap.org/browse/OOM-2822

Pre-requisites

The information here assumes your cluster is setup like the “ONAP on ServiceMesh setup guide” from here: https://lf-onap.atlassian.net/wiki/display/DW/ONAP+on+ServiceMesh+setup+guide

If you wish to use authorization policies, Istio must be installed on the cluster before trying to enable the authorization policies and make/build/deploy OOM.

Current Setup

Common Template

Location of the common template

A common template for authorization policies has been created in the oom project here:

kubernetes/common/common/templates/_serviceMesh.tpl

In the future, it may be desirable to update this template, or offer alternative versions of it.

Using the common template

The common template can be used by:

  • Creating an authorizationpolicy.yaml file in your component’s template directory

    • Inside this file, adding:

      {{ include "common.authorizationPolicy" . }}



  • Updating the corresponding values.yaml file with the following information:

    • Minimum (i.e., no authorized principals / no serviceAccounts allowed access to this service):

      serviceMesh: authorizationPolicy: authorizedPrincipals:[]



  •  

    • All options:

      serviceMesh: authorizationPolicy: authorizedPrincipals: - serviceAccount: <a service account allowed to access this service, will use default ONAP namespace> - serviceAccount: <another service account allowed to access this service>        namespace: <Optional, change namespace from default ONAP namespace>        trustedDomain: <Optional, change trustedDomain from default “cluster.local” domain>        allowedOperationMethods: <Optionally restrict HTTP operations, e.g., [ “GET” ], will default to: [ "GET", "POST", "PUT", "PATCH", "DELETE" ]>



Enabling authorization policies

Authorization policies will only be enabled when running on service mesh and when the policies themselves are enabled.

At present, the check for this is determined by the common.useAuthorizationPolicies function, which is also in the kubernetes/common/common/templates/_serviceMesh.tpl file. This function checks 2 things:

  1. Whether service mesh is enabled, determined by the common.onServiceMesh function, (also in the _serviceMesh.tpl file), which requires that the following value exists and is set to true: .Values.global.serviceMesh.enabled

  2. Whether authorization policies themselves are enabled, which requires that the following value exists and is set to true: .Values.global.authorizationPolicies.enabled

When using authorization policies, if your service requires access to another service, the service account for your service needs to be included in the list of authorized principals serviceAccounts of the service to which it requires access to.

Updated Components

Initial authorization policies and corresponding values settings have been created for the following components:

Some testing on a fully operational service mesh deployment is required to confirm functionality for the above, and whether further changes need to be made.