Service Authorization
Service authorization controls access to services in a service mesh and determines whether a request can be sent to a service. In service authorization, Selector is used to select the target workload, and jwtRules describes authentication rules to define how to match authentication information on a JWT.
Creating a Service Authorization Policy
Create a service authorization policy using YAML.
- Log in to the UCS console. In the navigation pane, choose Service Meshes.
- Click the name of the target service mesh to go to its details page.
- In the navigation pane, choose Service Security > Service Authorization.
- Click Create from YAML in the upper right corner.
- Configure parameters as follows. Only the requests that meet the conditions are allowed.
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy    # Set the service security type to service authorization.
    metadata:
      name: forecast             # Name the service authorization policy.
      namespace: weather         # Set the namespace to weather.
    spec:
      selector:
        matchLabels:
          app: forecast
          version: v2
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/weather/sa/frontend"]
        to:
        - operation:
            methods: ["PUT","POST"]
        when:
        - key: request.headers[group]
          values: ["admin"]
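The from, to and when blocks of a rule are combined with AND, so a request to the forecast workload is allowed only when it satisfies all three. The following Python model is an added example (not part of the original page and not Istio's code) that applies this matching to constructed requests; it assumes exact string matches only, and the names `rule_matches`, `allowed`, `FORECAST_RULES` and `ADMIN_POST` are chosen here for illustration.

```python
# Simplified model of ALLOW rule matching (added example, not Istio code).
# Assumption: exact string matches only; wildcards, not* fields and other
# source/operation fields (ipBlocks, ports, ...) are not modelled.

# The rule from the "forecast" policy on this page.
FORECAST_RULES = [{
    "from": [{"source": {"principals": ["cluster.local/ns/weather/sa/frontend"]}}],
    "to": [{"operation": {"methods": ["PUT", "POST"]}}],
    "when": [{"key": "request.headers[group]", "values": ["admin"]}],
}]

# Constructed sample request that satisfies every condition of the rule.
ADMIN_POST = {
    "principal": "cluster.local/ns/weather/sa/frontend",
    "method": "POST",
    "headers": {"group": "admin"},
}


def _attribute(request, key):
    """Resolve a `when` key such as request.headers[group] against a request."""
    prefix = "request.headers["
    if key.startswith(prefix) and key.endswith("]"):
        return request.get("headers", {}).get(key[len(prefix):-1])
    return None  # other condition keys are not modelled here


def rule_matches(rule, request):
    """from, to and when are ANDed; entries inside from and to are ORed."""
    sources = rule.get("from")
    if sources and not any(
        request.get("principal") in s["source"].get("principals", [])
        for s in sources
    ):
        return False
    operations = rule.get("to")
    if operations and not any(
        request.get("method") in o["operation"].get("methods", [])
        for o in operations
    ):
        return False
    # Every `when` condition must hold; a missing header never matches.
    return all(
        _attribute(request, c["key"]) in c["values"] for c in rule.get("when", [])
    )


def allowed(rules, request):
    """ALLOW action: the request passes only if at least one rule matches."""
    return any(rule_matches(r, request) for r in rules)
```

Changing any single attribute of `ADMIN_POST` (the method to GET, the service account, or the group header) makes `allowed` return False, which is the behavior to expect when testing the policy against the forecast workload.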
Updating a Service Authorization Policy
- Log in to the UCS console. In the navigation pane, choose Service Meshes.
- Click the name of the target service mesh to go to its details page.
- In the navigation pane, choose Service Security > Service Authorization.
- Locate the authorization policy to be updated and click Edit YAML in the Operation column.
- Update the configured conditions, for example, the version number.
    spec:
      selector:
        matchLabels:
          app: forecast
          version: v2
      rules:
      - from:
        - source:
            principals: ["cluster.local/ns/weather/sa/frontend"]
        to:
        - operation:
            methods: ["PUT","POST"]
        when:
        - key: request.headers[group]
          values: ["admin"]
Deleting a Service Authorization Policy

Deleted service authorization policies cannot be recovered. Deleting a service authorization policy will not affect the running of associated services.
- Log in to the UCS console. In the navigation pane, choose Service Meshes.
- Click the name of the target service mesh to go to its details page.
- In the navigation pane, choose Service Security > Service Authorization.
- Locate the authorization policy to be deleted and click Delete in the Operation column.
- In the dialog box displayed, click Yes.
Case
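Authorize access over TCP. The following policy allows connections to port 8090 of the forecast workload from the specified source IP block.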
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: tcp-auth-policy
      namespace: weather
    spec:
      selector:
        matchLabels:
          app: forecast
      action: ALLOW
      rules:
      - from:
        - source:
            ipBlocks: ["10.**.**.**/**"]
        to:
        - operation:
            ports: ["8090"]