Configuration

Updated on 01 Sep 2024
5 Minutes to read

Print
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

The Envoy Sidecar configuration can be set per service/app to fit its specific enforcement requirements. The sidecar
configuration is done by custom resource definitions that are part of the installation process. To apply the
configuration, run the following command:
kubectl apply -f authz-v1-plainidinjector.yaml
The configuration will be applied immediately and no redeployment of the application is required.
### Custom Resource Definitions

PlainidInjector

The PlainidInjector CRD provides a mechanism to inject the PlainID Authorizer into a pod.

Sample authz-v1-plainidinjector.yaml

apiVersion: authz.plainid.io/v1
kind: PlainidInjector
metadata:
  name: plainidinjector-sample
spec:
  volume:
    name: podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
  container:
    name: plainid-authz
    image: docker.io/plainid/authz-envoy-sidecar:1.6.0
    resources:
      requests:
        cpu: "0.05"
        memory: "50M"
      limits:
        cpu: "0.2"
    imagePullPolicy: Always
    ports:
      - containerPort: 50051
      - containerPort: 9090
    volumeMounts:
      - name: podinfo
        mountPath: /config
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: POD_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
  config:
    params:
      mgr: plainid-controller-manager-discover.plainid-system:16000
      SKIP_TLS_VERIFY: "true"

The following table lists the keys that should be updated in the authz-v1-plainidinjector.
All remaining text should be the default value.

Name	Description	Example
config.params.mgr	Operator service name and port	plainid-controller-manager-discover.plainid-system:16000
config.params.SKIP_TLS_VERIFY	Skip TLS certificate verification (for dev environments)	false

PlainidSidecar

The PlainidSidecar CRD provides a mechanism to customize the Sidecar configuration generated by the operator. Use the
PlainidSidecar CRD to modify values for certain fields and define the specific behavior of the Sidecar.
*This feature must be used with care, as incorrect configurations could potentially destabilize the Sidecar and the service. *
Apply configuration by workload selectors and namespaces. The following example applies to all workloads with the label
app:echo in a namespace test.

Sample sidecar-echo.yaml

Following is an example of a microservice sidecar configuration file.

apiVersion: authz.plainid.io/v1
kind: PlainidSidecar
metadata:
  name: echo
spec:
  workloadSelector:
    labels:
      app: echo
  sidecarConfig:
    matchers: # API Matchers section (Optional)
      - match: /echo/bypass# Request path pattern
        method: # Request methods
          - POST
          - GET
        bypass: true       # Bypass request (ignore all validations and authorization) 
      - match: /echo/:abc
        runtime: # Specific runtime configuratoin for matching requests 
          entityTypeid: jwt
          cacheTime: 11s
        mode: # Specific mode configuratoin for matching requests
          entitlement: true
          format: 5
          flat: false
          denyOnEmpty: true
      - match: /echo
        runtime:
          entityTypeid: jwt
          cacheTime: 11s
          clientId: client_id_goes_here
          clientSecret: client_secret_goes_here
          environments:
            amount: "$.body.amount"
            account: "$.body.account"
            url: $.path.[0]
        mode:
          resolution: true
          format: 5
          flat: false
          denyOnEmpty: true
    runtime:
      clientId: client_id_goes_here           # Mandatory: From Policy Manager Management UI
      clientSecret: client_secret_goes_here   # From Policy Manager Management UI, if no Secret store used 
      entityTypeid: jwt
      plainidUrl: https://demo.plainid.cloud  # Mandatory: PDP URL, Should be set
      resourceTypes: # Asset mappings example (only for PDP API v1-4)
        - name: Accounts
          assetPath: $.path[4]
        - name: Loans
      environments:
        amount: "$.body.amount"
        account: "$.path[2]"
        url: $.path.[0]
      options:
        includeDetails: true
        includeAccessPolicy: true
        includeAssetAttributes: true
        includeIdentity: true
        includeDenyReason: true
    jwt: # Mandatory: External request JWT configuration
      header: authorization
      allowed:
        - name: demo.plainid.cloud            # Mandatory: JWT Issuer example
        - name: demo                          # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
          mapped: https://demo.plainid.cloud/auth/realms/demo
      userClaim: "$.user.preferred_username[0]"
      validateJwt: true
      algs: # List of supported Signing Algorythms (RS256 by default if not set)
        - ES256
        - RS256
    mode: # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
      decision: true     # PERMIT/DENY Mode
      entitlement: false # Header Injection mode
      resolution: false  # Header injection mode Query format
      denyOnEmpty: false # DENY transaction when no policy fits the access request.
      format: 2
    logger:
      logLevel: debug
      detailedLog: false
      format: text
    tlsSkip: true
    grpc:
      servicePort: "7001"

Name	Description	Example
workloadSelector	This criteria is used to select the specific set of pods on which this configuration should be applied. If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace.	`app: echo`
jwt.allowed	List of allowed jwt issuers Ability to define mappings between iss claim and the actual issuer.ID mapping is not required omit mapped value	- name: demo mapped: <`https://demo.plainid.cloud/auth/realms/demo`> - name: demo.plainid.cloud
jwt.userClaim	string: JsonPath of the user unique identifier	`$.user.preferred_username[0]`
jwt.header	string: Header name of the jwt	`authorization`
jwt.validateJwt	Bool: Indicates if jwt should be validated (use for development purposes only)	`true`
jwt.algs	List: Algorithms (RS256 by default if not set)	- `ES256` - `RS256`
mode.decision *	`PERMIT`/`DENY` Mode * only one mode should be set to true	`true`
mode.entitlement *	Boolean: Header Injection mode * only one mode should be set to true	`true`
mode.resolution *	Boolean: Header injection mode Query format * only one mode should be set to true	`true`
mode.denyOnEmpty	Boolean: DENY transaction when no policy fits the access request.	`false`
mode.format	0 – full access token 1 – short access token – action with list of assets. Ex. {"Accounts":{"assets":{"get":["0008","0001","0004","0002"],"view":["0008","0001","0004","0002"]}}} 2 – short access token – asset with list of actions Ex. {"0001":["view","get"],"0002":["view","get"],"0004":["view","get"],"0008":["view","get"]}	`0`
runtime.clientId	Application ClientId	From Policy Manager Management UI.
runtime.clientSecret	Application Secret	From Policy Manager Management UI.
runtime.entityTypeid	Entity Type	From Policy Manager Management UI.
runtime.plainidUrl	Runtime (pdp) base URL	`http://pdp:8000`
runtime.resourceTypes	Refer to ResourceTypes	`****`
runtime.environments	environment variable and the values from the request	`amount: $.body.amount`
runtime.passIncomingJwt	Boolean: To define whether to pass the IDP JWT as-is to the PDP	`false`
runtime.options	PDP Runtime response fine tune options
runtime.options.includeDetails	Boolean: Determines whether to include the details of the Access Decision in the response.	`false`
runtime.options.includeAccessPolicy	Boolean: Show/hide the name of the Policy in the response that has granted the specified access.	`false`
runtime.options.includeAssetAttributes	Boolean: Show/hide the asset attribute of the assets in the response.	`false`
runtime.options.includeIdentity	Boolean: Show/hide the identity attribute of the identity in the response.	`false`
runtime.options.includeDenyReason	Boolean: Show/hide the reason for the denial of access in the response.	`false`

ResourceTypes

Name	Description	Example
actionPath	The Request part that is considered as an Action. Default HTTP Method See Request Parts Locations	$.body.action
assetPath	Request part considered as Asset ID. See Request Parts Locations	$.path[4]
name	Template name to use	Accounts
virtualMap	The mapping between Template Attributes and Request parts	virtualMap: userid: $.path[1] userid - is an attribute in plainid template $.path[1] – is JsonPath of the request part

Request Parts Locations

Request Part	JsonPath root object	Notes
Body	$.body
URI	$.path	Array of URI parts Full URI - $.path[0] First Part - $.path[1]
Headers	$.header	All headers will be converted to lowercase
Query Parameters	$.param
User Attributes	$.user

Was this article helpful?

What's Next

Sidecar Configuration

Table of contents