Set up Service Security on Envoy sidecar service mesh on GKE

This page describes how to set up security features on Envoy sidecar service mesh on GKE.

Prerequisites

As a starting point, this guide assumes that you have already:

Set up authorization policies on sidecars on GKE

This section shows you how to set up different kinds of authorization policies on Cloud Service Mesh sidecars on GKE.

Before you can create an authorization policy, you must install the GCPAuthzPolicy CustomResourceDefinition (CRD):

curl https://github.com/GoogleCloudPlatform/gke-networking-recipes/blob/main/gateway-api/config/mesh/crd/experimental/gcpauthzpolicy.yaml \
| kubectl apply -f -

Authorization policies enforce access control on traffic entering Envoy sidecars. A policy is applied to a Kubernetes Deployment, and the Deployment must be in the same namespace as the authorization policy.

Authorization policy to deny all the requests

When you have a workload that is supposed to make only outbound calls, like a cron job, you can configure an authorization policy to deny any incoming HTTP requests to the workload. The following example denies incoming HTTP requests to the workload whereami.

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-all-authz-policy.yaml:

    cat >deny-all-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
      targetRefs:
      - kind: Deployment
        name: whereami
      httpRules:
      - to:
          operations:
          - paths:
            - type: Prefix
              value: "/"
      action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-all-authz-policy.yaml
    

Authorization policy to allow requests

You can also configure an allow policy that admits only requests matching specific criteria and rejects all others. The following example configures an authorization policy on the whereami Deployment to allow only mTLS requests from Pods with the identity spiffe://cluster.local/ns1/pod1.

Delete the previously created deny policy before adding this one so that you can observe its effect, then perform the following steps to create and apply the allow authorization policy:

  1. Create a custom policy by creating a file called allow-authz-policy.yaml:

    cat >allow-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
      targetRefs:
      - kind: Deployment
        name: whereami
      httpRules:
      - from:
          sources:
          - principals:
            - type: Exact
              value: "spiffe://cluster.local/ns1/pod1"
      action: ALLOW
    EOF
    
  2. Apply the policy:

    kubectl apply -f allow-authz-policy.yaml
    

Authorization policy to deny requests based on rules

The following example denies incoming HTTP POST requests to the workload whereami when the request path starts with /admin.

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-path-authz-policy.yaml:

    cat >deny-path-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
      targetRefs:
      - kind: Deployment
        name: whereami
      httpRules:
      - to:
          operations:
          - paths:
            - type: Prefix
              value: "/admin"
            methods: ["POST"]
      action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-path-authz-policy.yaml
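To reason about what the three policies above do before applying them, the following added example (not part of this page or the product) models their httpRules locally. It assumes the matcher and action semantics that the YAML implies: Prefix and Exact matchers, a DENY policy rejecting only matched requests, and an ALLOW policy rejecting everything that does not match; the policies and requests are constructed inline.

```python
# Added example: a local model of GCPAuthzPolicy httpRules evaluation.
# Matcher and action semantics are assumptions mirroring the page's YAML;
# real enforcement happens in the Envoy sidecar, not in this code.

def _match_string(matcher, value):
    """Apply one {type, value} matcher. A missing value (e.g. no mTLS
    identity on a plaintext request) never matches."""
    if value is None:
        return False
    if matcher["type"] == "Prefix":
        return value.startswith(matcher["value"])
    if matcher["type"] == "Exact":
        return value == matcher["value"]
    raise ValueError("unsupported matcher type: %s" % matcher["type"])

def _source_matches(src, req):
    return any(_match_string(m, req["principal"]) for m in src.get("principals", []))

def _operation_matches(op, req):
    path_ok = not op.get("paths") or any(_match_string(m, req["path"]) for m in op["paths"])
    method_ok = not op.get("methods") or req["method"] in op["methods"]
    return path_ok and method_ok

def _rule_matches(rule, req):
    """A rule matches when each clause present ('from', 'to') has at least one match."""
    sources = rule.get("from", {}).get("sources", [])
    operations = rule.get("to", {}).get("operations", [])
    from_ok = not sources or any(_source_matches(s, req) for s in sources)
    to_ok = not operations or any(_operation_matches(o, req) for o in operations)
    return from_ok and to_ok

def decide(policy, req):
    """Return 'ALLOW' or 'DENY' for req under policy (assumed semantics)."""
    matched = any(_rule_matches(r, req) for r in policy["spec"]["httpRules"])
    action = policy["spec"]["action"]
    if action == "DENY":
        return "DENY" if matched else "ALLOW"
    if action == "ALLOW":
        return "ALLOW" if matched else "DENY"
    raise ValueError("unsupported action: %s" % action)

def req(method, path, principal="spiffe://cluster.local/ns2/other"):
    """Constructed request; principal=None models a plaintext (non-mTLS) caller."""
    return {"method": method, "path": path, "principal": principal}

# The three policies from this page, constructed as dicts (only spec matters here).
DENY_ALL = {"spec": {"action": "DENY", "httpRules": [
    {"to": {"operations": [{"paths": [{"type": "Prefix", "value": "/"}]}]}}]}}
ALLOW_POD1 = {"spec": {"action": "ALLOW", "httpRules": [
    {"from": {"sources": [{"principals": [{"type": "Exact", "value": "spiffe://cluster.local/ns1/pod1"}]}]}}]}}
DENY_ADMIN_POST = {"spec": {"action": "DENY", "httpRules": [
    {"to": {"operations": [{"paths": [{"type": "Prefix", "value": "/admin"}], "methods": ["POST"]}]}}]}}
```

Running decide() over a few constructed requests shows the intended behaviour: the deny-all policy rejects every path, the allow policy admits only the named SPIFFE identity and rejects plaintext callers, and the path policy blocks POST under /admin while leaving GET /admin and POST elsewhere untouched.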