Istio Configuration

01 Sep 2024
9 Minutes to read

Print
Dark
Light
PDF

Istio Configuration

Updated on 01 Sep 2024
9 Minutes to read

Print
Dark
Light
PDF

Article summary

Did you find this summary helpful?

Thank you for your feedback

Sidecar Configuration

The sidecar configuration can be set per service/app to fit its specific enforcement requirements. The sidecar configuration is done by custom resource definitions that are part of the installation process. To apply the configuration, run the following command:

kubectl apply -f authz-v1-plainid-injector.yaml

The configuration will be applied immediately and no redeployment of the application is required.

Custom Resource Definitions

Sample authz-v1-plainidinjector.yaml

apiVersion: authz.plainid.io/v1
kind: PlainidInjector
metadata:
  name: plainidinjector-sample
spec:
  volume:
    name: podinfo
    downwardAPI:
      items:
        - path: "labels"
          fieldRef:
            fieldPath: metadata.labels
        - path: "annotations"
          fieldRef:
            fieldPath: metadata.annotations
 
  container:
    name: plainid-authz
    image: gcr.io/plainid-presales/authz-envoy-sidecar:1.0.1
    resources:
      requests:
        cpu: "0.05"
        memory: "50M"
      limits:
        cpu: "0.2"
    imagePullPolicy: Always
    ports:
      - containerPort: 50051
      - containerPort: 9090
    volumeMounts:
      - name: podinfo
        mountPath: /config
    env:
      - name: POD_NAME
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.name
      - name: POD_NAMESPACE
        valueFrom:
          fieldRef:
            apiVersion: v1
            fieldPath: metadata.namespace
  config:
    params:
      mgr: plainid-controller-manager-discover.plainid-system:16000
      SKIP_TLS_VERIFY: "true"

authz-v1-plainidinjector.yaml

The following table lists the keys that should be updated in the plainidinjectorconfig.yaml.
All remaining text should be the default value.

Name	Description	Example
config.params.mgr	Operator service name and port	plainid-controller-manager-discover.plainid-system:16000
config.params.SKIP_TLS_VERIFY	Skip TLS certificate verification (for dev environments)	false

PlainidSidecar

The PlainidSidecar CRD provides a mechanism to customize the Sidecar configuration generated by the operator. Use the PlainidSidecar CRD to modify values for certain fields and define the specific behavior of the Sidecar.
*Note: This feature must be used with care, as incorrect configurations could potentially destabilize the Sidecar and the service. *
Apply configuration by workload selectors and namespaces. The following example applies to all workloads with the label app:echo in a namespace test.

Sample sidecar-echo.yaml

Following is an example of a microservice sidecar configuration file.

apiVersion: authz.plainid.io/v1
kind: PlainidSidecar
metadata:
  name: echo
spec:
  workloadSelector:
    labels:
      app: echo
  sidecarConfig:
    matchers:               # API Matchers section (Optional)
      - match: /echo/bypass# Request path pattern
        method:            # Request methods
          - POST
          - GET
        bypass: true       # Bypass request (ignore all validations and authorization) 
      - match: /echo/:abc
        runtime:           # Specific runtime configuratoin for matching requests 
          entityTypeid: jwt
          cacheTime: 11s
        mode:              # Specific mode configuratoin for matching requests
          entitlement: true
          format: 5
          flat: false
          denyOnEmpty: true
      - match: /echo
        runtime:
          metadata: "{\"combinedMultiValues\": true}"
          entityTypeid: jwt
          cacheTime: 11s
          clientId: client_id_goes_here
          clientSecret: client_secret_goes_here 
          environments:
            amount: "$.body.amount"
            account: "$.body.account"
            url: $.path.[0]
        mode:
          resolution: true
          format: 5
          flat: false
          denyOnEmpty: true
    runtime:
      clientId: client_id_goes_here           # Mandatory: From the Platform UI
      clientSecret: client_secret_goes_here   # From the Platform UI, if no Secret store used 
      entityTypeid: jwt
      plainidUrl: https://demo.plainid.cloud  # Mandatory: PDP URL, Should be set
      resourceTypes:                          # Asset mappings example (only for PDP API v1-4)
        - name: Accounts
          assetPath: $.path[4]
        - name: Loans
      environments:
        amount: "$.body.amount"
        account: "$.path[2]"
        url: $.path.[0]
    jwt:                                      # Mandatory: External request JWT configuration
      header: authorization
      allowed:
        - name: demo.plainid.cloud            # Mandatory: JWT Issuer example
        - name: demo                          # Mandatory: JWT Issuer mapping example in case of JWT issuer do not match an issuer provided by Auth service
          mapped: https://demo.plainid.cloud/auth/realms/demo
      userClaim: "$.user.preferred_username[0]"
      validateJwt: true
      algs:              # List of supported Signing Algorythms (RS256 by default if not set)
        - ES256
        - RS256
    mode:                # Mandatory: Operation mode, ONLY ONE OF SHOULD BE TRUE: decision/entitlement/resolution/denyOnEmpty
      decision: true     # PERMIT/DENY Mode
      entitlement: false # Header Injection mode
      resolution: false  # Header injection mode Query format
      denyOnEmpty: false # DENY transaction when no policy fits the access request.
      format: 2
    logger:
      logLevel: debug
      detailedLog: false
      format: text
    tlsSkip: true
    grpc:
      servicePort: "7001"

sidecar-echo.yaml

Name	Description	Example
workloadSelector	This criteria is used to select the specific set of pods on which this configuration should be applied. If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace.	app: echo
jwt.allowed	List of allowed jwt issuers Ability to define mappings between iss claim and the actual issuer.ID mapping is not required omit mapped value	- name: demo mapped: <`https://demo.plainid.cloud/auth/realms/demo`> - name: demo.plainid.cloud
jwt.userClaim	string: JsonPath of the user unique identifier	$.user.preferred_username[0]
jwt.header	string: Header name of the jwt	authorization
jwt.validateJwt	Bool: Indicates if jwt should be validated (use for development purposes only)	true
jwt.algs	List: Algorithms (RS256 by default if not set)	- ES256 - RS256
mode.decision *	Bool: PERMIT/DENY Mode * only one mode should be set to true	true
mode.entitlement *	Bool: Header Injection mode * only one mode should be set to true	true
mode.resolution *	Bool: Header injection mode Query format * only one mode should be set to true	true
mode.denyOnEmpty	Bool: DENY transaction when no Policy fits the access request.	false
mode.format	0 – full access token 1 – short access token – action with list of assets. Ex. {"Accounts":{"assets":{"get":["0008","0001","0004","0002"],"view":["0008","0001","0004","0002"]}}} 2 – short access token – asset with list of actions Ex. {"0001":["view","get"],"0002":["view","get"],"0004":["view","get"],"0008":["view","get"]}	0
runtime.clientId	Application ClientId	From the Platform UI.
runtime.clientSecret	Application Secret	From the Platform UI.
runtime.entityTypeid	Entity Type	From Platform Management UI.
runtime.plainidUrl	Runtime (pdp) base URL	<`http://pdp:8000`>
runtime.resourceTypes	Refer to ResourceTypes	****
Runtime.environments	environment variable and the values from the request	amount: $.body.amount
runtime.metadata	This parameter maps the JSON data into the Runtime metadata section and can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values.	`{\"combinedMultiValues\": true}`

ResourceTypes

Name	Description	Example
actionPath	The Request part that is considered as an Action. Default HTTP Method See Request Parts Locations	$.body.action
assetPath	Request part considered as Asset ID. See Request Parts Locations	$.path[4]
name	Template name to use	Accounts
virtualMap	The mapping between Template Attributes and Request parts	virtualMap: userid: $.path[1] userid - is an attribute in plainid template $.path[1] – is JsonPath of the request part

Request Parts Locations

Request Part	JsonPath root object	Notes
Body	$.body
URI	$.path	Array of URI parts Full URI - $.path[0] First Part - $.path[1]
Headers	$.header	All headers will be converted to lowercase
Query Parameters	$.param
User Attributes	$.user

Operation Modes

The Platform sidecar supports three operation modes:

Decision – a basic Permit/Deny mode that enables or blocks the transaction.
Entitlements – an advanced mode that can enrich the request header with a list of entitlements or any authorization supporting data.
Resolution – an advanced mode that can enrich the request header with a “policy resolution” decision - JSON or SQL filtering for data.

For more information on these options, refer to the Authorization APIs in the Developer Portal.

Request Sample


Request URL	POST `http://localhost:18000/echo/0000001/assets?test=true`
Request Header	Tenant: t1 X-Forwarded-For: 10.2.3.1
Request Body	`{"amount":50, "type": "transaction", "asset" : 1234}`

Mapping Sample

JSON Path	Value based on request sample
$.body.amount	50
$.param.test	true
$.path[2]	0000001
$.header.x-forwarded-for	10.2.3.1

Additional Configuration Information

Option Explanation

JWT Issuers and mapping In jwt.allowed, you can either define an issuer URI or you can define an issuer alias with a mapped value.
Define an issuer URI:
jwt:
header: authorization
allowed:
- name: demo.plainid.cloud

Example of an issuer alias with a mapped value:
jwt:
header: authorization
allowed:
- name: demo
mapped: https://demo.plainid.cloud/auth/realms/demo

You can also use a combination (as shown in the configuration above)

Option	Explanation
JWT Issuers and mapping	In jwt.allowed, you can either define an issuer URI or you can define an issuer alias with a mapped value. Define an issuer URI: `jwt:` `header: authorization` `allowed:` `- name: demo.plainid.cloud` Example of an issuer alias with a mapped value: `jwt:` `header: authorization` `allowed:` `- name: demo` `mapped: https://demo.plainid.cloud/auth/realms/demo` You can also use a combination (as shown in the configuration above)

:::

Override Default Configuration

The helm install command accepts parameters to override default configuration values inline or that are defined in a file.

Example – To override the configuration found in the file:

cat override-values.yml

runtime:
  debugLevel: info
  replicas: 5

helm install sidecar-test1 ./ --values override-values.yml

Add a namespace label to instruct PlainID to automatically inject the sidecar when you deploy your application later:

kubectl label namespace default pid-injection=enabled

Instruct the Istio proxy to send the traffic to the PlainID sidecar for authorization.

The following example (found in filter.yaml) inserts an http ext_authz filter in the default namespace:

apiVersion: v1
items:
  - apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      generation: 1
      name: demo-filter
      namespace: default
    spec:
      configPatches:
        - applyTo: HTTP_FILTER
          
            match:
            context: SIDECAR_INBOUND
            listener:
              filterChain:
                filter:
                  name: envoy.http_connection_manager
                  subFilter:
                    name: envoy.router
              portNumber: 7000
          patch:
            operation: INSERT_BEFORE
            value:
              name: envoy.ext_authz
              typed_config:
                '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                failure_mode_allow: false
                grpc_service:
                  google_grpc:
                    stat_prefix: ext_authz
                    target_uri: 127.0.0.1:50051
                  timeout: 2s
                transport_api_version: V3
                with_request_body:
                  allow_partial_message: true
                  max_request_bytes: 1024
                  pack_as_bytes: true
#    workloadSelector:
#      annotations:
#        plainid.io/inject: "yes"
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Sample values.yaml

Note: For versions 4.x, you should remove the following from the values.yaml configuration file:

pdpAPIVersion: v5 #Optional: PDP Runtime API v5 integration

# Please Generate  Public key , Private key and  Certificate chain
# based on the documentation provided by PlainID and place in certs folder
# File names should match the example files  in the chart
 
image:
  pullPolicy: Always
imagePullSecrets:
  - name: cr-creds
nameOverride: ""
fullnameOverride: ""
serviceAccount: plainid
podSecurityContext: {}
operator:
  image: gcr.io/plainid-presales/authz-operator
  namespace: plainid-system
  resources:
    limits:
      cpu: 100m
      memory: 100Mi
    requests:
      cpu: 100m
      memory: 20Mi
  replicas: 1
  debug: true
redis:
  local: true
  image: redis
  port: 6379
  pass: ""
  tls: false
  masterhost: test-plainid-redis-ro.plainid    # Administration point address
securityContext:
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  runAsUser: 1000610001
webhook:
  enabled: true
  selfCert: true
auth:                                         # Optional: Secret store configuration
  file: "/keys/key"
  iss: "ruleengine"
  exp: 10s
pdpAPIVersion: v5                            #Optional: PDP Runtime API v5 integration
authorizer:
  id: test-authorizer                         # Mandatory: Should be updated
  version: 1.2.3
moreVolumes:                                  # Optional: Extra volumes configuration
  - name: key-config
    configMap:
      name: key-config
nodeSelector: {}
tolerations: []
affinity: {}

authz-v1-plainidinjector.yaml

The following table lists the keys that should be updated in the plainidinjectorconfig.yaml.

All remaining text should be the default value.

Name	Description	Example
config.params.mgr	config.params.mgr	plainid-controller-manager- discover.plainid-system:16000
config.params.SKIP_TLS_VERIFY	Skip TLS certificate verification (for dev environments)	false

Operator

Key	Explanation	Optional Value/Example
namespace	The namespace where the operator will be created	plainid-system
replicas	Number of replicas	1
debug	The debug state	true/false
image	The image repository of the operator	gcr.io/plainid-presales/authz-operator

Redis

Key	Explanation	Optional Value/Example
image	Redis image repository	redis
masterhost	Hostname of the master Redis instance	Master.redis.example.com
pass	Master password	*****

Auth

Key	Explanation	Optional Value/Example
file	full path to a file with a secret key (same key as in Runtime configuration)	secret:/keys/key
iss	issuer or JWT claim (same issuer as in Runtime configuration)	ruleengine
exp	JWT expiration (10s by default if not set)	10s

GRPC Support

The PlainID sidecar supports GRPC (Google Remote Procedure Call) parsing. This capability can be achieved in different ways:

Auto learning
Providing a Protocol Buffer (protobuf) descriptor file

Auto Learning

To support auto learning, the Application Developer should be enabled GRPC reflection on the server side (backend). In the sidecar configuration YAML, the service port should be defined. Example

grpc:
     servicePort: "7001"

Providing a protobuf Descriptor File

Providing a protobuf descriptor file can be accomplished in one of the following ways:

Method	Example
Create a protobuf descriptor file from proto definition.	protoc --descriptor_set_out=demo.pb demo.proto
Create a new container image from plainid-authz-sidecar.	Create a new Dockerfile FROM gcr.io/plainid-presales/authz-envoy-sidecar:1.0.1;, ADD demo.pb /proto/demo.pb Build a new image: docker build -t authz-envoy-sidecar:1.0.1-pb, Push the new image to the relevant registry

Multiple Descriptors

It is possible to include multiple descriptors. You can use the same image for all the services. To use the same image for multiple descriptors:

Change the PlainidInjector yaml to provide a new image tag.
In the plainidsidecar.yaml file, provide the path to the relevant descriptor file.

grpc: protoFile: "/proto/demo.pb"

Was this article helpful?

What's Next

Java Data Access SDK

Table of contents

Sidecar Configuration
Custom Resource Definitions
PlainidSidecar
Additional Configuration Information
Override Default Configuration
Sample values.yaml
GRPC Support
Auto Learning
Providing a protobuf Descriptor File
Multiple Descriptors