Set up Service Security on Envoy sidecar service mesh on GKE
This page describes how to set up security features on Envoy sidecar service mesh on GKE.
Prerequisites
As a starting point, this guide assumes that you have already:
- Created a GKE cluster and registered it to a fleet.
- Setup Envoy sidecar service mesh with Gateway APIs.
Setup authorization policies on sidecars on GKE
This section shows you how to set up different kinds of authorization policies on Cloud Service Mesh sidecars on GKE.
Before you can create an authorization policy, you must install the GCPAuthzPolicy CustomResourceDefinition (CRD):
curl https://github.com/GoogleCloudPlatform/gke-networking-recipes/blob/main/gateway-api/config/mesh/crd/experimental/gcpauthzpolicy.yaml \
| kubectl apply -f -
Authorization Policies can enforce access control on traffic entering Envoy sidecars. Policies can be applied on Kubernetes deployments. Deployment should be in the same namespace as Authorization Policy.
Authorization policy to deny all the requests
When you have a workload that is supposed to make only outbound calls, like a
cron job, you can configure an authorization policy to deny any incoming HTTP
requests to the workload. The following example denies incoming HTTP requests to
the workload whereami
.
Perform the following steps to create and apply the deny authorization policy:
Create a deny policy by creating a file called
deny-all-authz-policy.yaml
:cat >deny-all-authz-policy.yaml <<EOF apiVersion: networking.gke.io/v1 kind: GCPAuthzPolicy metadata: name: myworkload-authz namespace: sidecar-example spec: targetRefs: - kind: Deployment name: whereami httpRules: - to: operations: - paths: - type: Prefix value: "/" action: DENY EOF
Apply the policy:
kubectl apply -f deny-all-authz-policy.yaml
Authorization policy to allow requests
You can also configure an allow policy that allows only requests that match a
specific criteria while rejecting the rest. The following example configures an
authorization policy on the whereami
where o nly GET
requests that have http header x-user-role:admin
present in the request will be allowed.
Perform the following steps to create and apply the allow authorization policy, delete the previously created deny policy before adding this policy to see the results:
Create a custom policy by creating a file called
allow-authz-policy.yaml
:cat >allow-authz-policy.yaml <<EOF apiVersion: networking.gke.io/v1 kind: GCPAuthzPolicy metadata: name: myworkload-authz namespace: sidecar-example spec: targetRefs: - kind: Deployment name: whereami httpRules: - to: operations: - methods: ["GET"] when: "request.headers['x-user-role'] == 'admin' action: ALLOW EOF
Apply the policy:
kubectl apply -f allow-authz-policy.yaml
Authorization policy to deny requests based on rules
The following example denies incoming HTTP GET
requests to
the workload whereami
when it is on the path /admin
.
Perform the following steps to create and apply the deny authorization policy:
Create a deny policy by creating a file called
deny-path-authz-policy.yaml
:cat >deny-path-authz-policy.yaml <<EOF apiVersion: networking.gke.io/v1 kind: GCPAuthzPolicy metadata: name: myworkload-authz namespace: sidecar-example spec: targetRefs: - kind: Deployment name: whereami httpRules: - to: operations: - paths: - type: Prefix value: "/admin" methods: ["GET"] action: DENY EOF
Apply the policy:
kubectl apply -f deny-path-authz-policy.yaml