Updated on 2025-07-30 GMT+08:00

Service Authorization

Service authorization controls access to services in a service mesh and determines whether a request is allowed to reach a service. A service authorization policy (an Istio AuthorizationPolicy) has three parts: selector picks the target workload by label, rules lists the conditions a request must meet (from describes the source, to describes the operation, and when describes request attributes such as headers or JWT claims), and action is ALLOW (the default) or DENY. JWT validation itself is not configured here: it is defined by jwtRules in a RequestAuthentication policy, and a service authorization policy only consumes the resulting request.auth.* attributes in its when conditions.

Creating a Service Authorization Policy

Create a service authorization policy using YAML.

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Service Authorization.
  4. Click Create from YAML in the upper right corner.
  5. Configure parameters as follows. The policy has no action field, so it defaults to ALLOW: requests that match the rule are allowed, and once at least one ALLOW policy selects a workload, every request to that workload that matches no ALLOW rule is denied. Check that the selector matches a running workload before applying the policy, because a selector that matches nothing silently protects nothing.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy                  # Set the service security type to service authorization.
    metadata:
      name: forecast                           # Name the service authorization policy.
      namespace: weather                       # Set the namespace to weather.
    spec:
      selector:
        matchLabels:                           # Apply the policy to workloads labeled app=forecast and version=v2.
          app: forecast
          version: v2
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/weather/sa/frontend"]   # mTLS identity of the caller (service account frontend).
        to:
        - operation:
            methods: ["PUT","POST"]            # Only these HTTP methods are allowed.
        when:
        - key: request.headers[group]          # The request must also carry the header group: admin.
          values: ["admin"]

Updating a Service Authorization Policy

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Service Authorization.
  4. Locate the authorization policy to be updated and click Edit YAML in the Operation column.
  5. Update the configured conditions, for example, change the version label in the selector so that the policy applies to a different version of the workload. In the following example the selector is changed from version v2 to version v3; the rule itself is unchanged.

    spec:
      selector:
        matchLabels:
          app: forecast
          version: v3                          # Changed from v2; the policy now selects forecast v3 instead.
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/weather/sa/frontend"]
        to:
        - operation:
            methods: ["PUT","POST"]
        when:
        - key: request.headers[group]
          values: ["admin"]

Deleting a Service Authorization Policy

Deleted service authorization policies cannot be recovered, so export the YAML first if you may need to restore it. Deleting a policy does not restart or otherwise disrupt the selected workloads, but it does change what they accept: requests that the deleted policy blocked are allowed again, and if it was the only ALLOW policy selecting a workload, that workload accepts all requests afterwards.

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Service Authorization.
  4. Locate the authorization policy to be deleted and click Delete in the Operation column.
  5. In the dialog box displayed, click Yes.

Case

Allow TCP access to port 8090 of the forecast workload only from a source IP range. For TCP traffic only layer-4 attributes can be matched (ipBlocks, remoteIpBlocks, principals, namespaces and ports); HTTP-only fields such as methods, paths and request.headers conditions are ignored on TCP, so an ALLOW rule that uses them never matches a TCP connection. Note that ipBlocks matches the peer address of the connection as the sidecar sees it, which behind a load balancer or gateway is the proxy's address; use remoteIpBlocks with the original client address (X-Forwarded-For or proxy protocol) in that case, and prefer principals (mTLS identities) over addresses for callers inside the mesh, since addresses can be shared, reused or spoofed.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: tcp-auth-policy
  namespace: weather
spec:
  selector:
    matchLabels:
      app: forecast                 # Applies to every version of the forecast workload.
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["10.**.**.**/**"]   # Replace with the permitted source CIDR.
    to:
    - operation:
        ports: ["8090"]             # Only connections to this port are allowed.
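It is easy to misjudge what a set of policies permits, especially the deny-by-default effect of an ALLOW policy and the way HTTP-only fields behave on TCP traffic. The following Python script is an added example, not part of this page and not Istio's code: it models Istio's documented evaluation order (DENY policies first, then ALLOW, with everything permitted when no ALLOW policy selects the workload) for the two policies on this page, expressed as dicts, and lets you evaluate constructed requests against them before applying the YAML. The CIDR 10.0.0.0/8 is an assumed placeholder for the masked range in the TCP case, and only the fields used on this page are modelled, with exact value matching and no wildcards.

```python
"""Simplified model of Istio AuthorizationPolicy evaluation for one workload.

Added example, not Istio's implementation. Evaluation order as documented by Istio:
  1. a matching DENY rule denies; 2. no ALLOW policy selecting the workload allows;
  3. a matching ALLOW rule allows, otherwise the request is denied.
Only fields used on this page are modelled; values match exactly (no wildcards).
"""
import ipaddress

# Attributes that exist only for HTTP. On TCP traffic Istio ignores them: an ALLOW
# rule that uses one never matches, a DENY rule is evaluated without the field.
HTTP_ONLY_OPERATION = ("methods", "paths", "hosts")

def _uses_http_only(rule):
    ops = [t.get("operation", {}) for t in rule.get("to", [])]
    if any(k in op for op in ops for k in HTTP_ONLY_OPERATION):
        return True
    return any(c["key"].startswith("request.") for c in rule.get("when", []))

def _source_matches(src, req):
    if "principals" in src and req.get("principal") not in src["principals"]:
        return False
    if "ipBlocks" in src:
        if "source_ip" not in req:
            return False
        ip = ipaddress.ip_address(req["source_ip"])
        if not any(ip in ipaddress.ip_network(b, strict=False) for b in src["ipBlocks"]):
            return False
    return True

def _operation_matches(op, req, drop_http):
    if "ports" in op and str(req.get("port")) not in op["ports"]:
        return False
    if "methods" in op and not drop_http and req.get("method") not in op["methods"]:
        return False
    return True

def _condition_matches(cond, req, drop_http):
    key = cond["key"]
    if drop_http and key.startswith("request."):
        return True
    if not (key.startswith("request.headers[") and key.endswith("]")):
        raise ValueError(f"condition key not modelled: {key}")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}  # header names are case-insensitive
    return headers.get(key[len("request.headers["):-1].lower()) in cond.get("values", [])

def rule_matches(rule, req, action):
    """from, to and when must all hold; the entries inside each list are ORed."""
    drop_http = False
    if req.get("protocol") == "tcp" and _uses_http_only(rule):
        if action == "ALLOW":
            return False
        drop_http = True
    if "from" in rule and not any(_source_matches(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(_operation_matches(t["operation"], req, drop_http) for t in rule["to"]):
        return False
    return all(_condition_matches(c, req, drop_http) for c in rule.get("when", []))

def evaluate(policies, workload_labels, req):
    """Return "ALLOW" or "DENY" for a request arriving at a workload with these labels."""
    def selected(p):
        sel = p["spec"].get("selector", {}).get("matchLabels", {})
        return all(workload_labels.get(k) == v for k, v in sel.items())
    applicable = [p for p in policies if selected(p)]
    deny = [p for p in applicable if p["spec"].get("action") == "DENY"]
    allow = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if any(rule_matches(r, req, "DENY") for p in deny for r in p["spec"].get("rules", [])):
        return "DENY"
    if not allow:
        return "ALLOW"  # no ALLOW policy selects the workload: everything is permitted
    if any(rule_matches(r, req, "ALLOW") for p in allow for r in p["spec"].get("rules", [])):
        return "ALLOW"
    return "DENY"  # ALLOW policies exist but none of their rules matched

# The two policies from this page as dicts (same content as the YAML above).
FORECAST_POLICY = {"metadata": {"name": "forecast", "namespace": "weather"}, "spec": {
    "selector": {"matchLabels": {"app": "forecast", "version": "v2"}},
    "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/weather/sa/frontend"]}}],
               "to": [{"operation": {"methods": ["PUT", "POST"]}}],
               "when": [{"key": "request.headers[group]", "values": ["admin"]}]}]}}
# The page masks the CIDR; 10.0.0.0/8 is an assumed placeholder for this example.
TCP_POLICY = {"metadata": {"name": "tcp-auth-policy", "namespace": "weather"}, "spec": {
    "selector": {"matchLabels": {"app": "forecast"}}, "action": "ALLOW",
    "rules": [{"from": [{"source": {"ipBlocks": ["10.0.0.0/8"]}}],
               "to": [{"operation": {"ports": ["8090"]}}]}]}}

if __name__ == "__main__":
    v2 = {"app": "forecast", "version": "v2"}  # constructed workload labels
    post = {"protocol": "http", "principal": "cluster.local/ns/weather/sa/frontend",
            "method": "POST", "port": 8080, "headers": {"group": "admin"}}  # constructed request
    print(evaluate([FORECAST_POLICY], v2, post))                       # ALLOW
    print(evaluate([FORECAST_POLICY], v2, {**post, "method": "GET"}))  # DENY
```

Two results worth trying with this model: once tcp-auth-policy is applied, an HTTP request to port 8080 of forecast v1 is denied even though no rule mentions it, because an ALLOW policy now selects the workload; and a TCP connection to port 8090 of forecast v2 is still allowed, because the forecast policy's rule (methods and a header condition) is HTTP-only and therefore never matches TCP, leaving tcp-auth-policy to decide.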