Method-aware authorization with Istio policy
WHAT IT TESTS: precise use of Istio AuthorizationPolicy with identity and HTTP attributes (identity- and method-scoped authorization).
ANSWER OUTLINE: write an ALLOW policy selecting the user-service workload that permits the source principal of the frontend service account to use method POST on the /api/v1/users path, and a second ALLOW permitting any authenticated principal to use GET. Once an ALLOW policy exists for the workload, any request that matches none of its rules is denied by default.
RED FLAG: keying rules on pod IP rather than the mTLS-verified principal, which is spoofable and breaks on rescheduling.
- #istio
- #authorization
- #security
- #rbac
- #mtls