You are viewing documentation for Anthos Service Mesh 1.4. View the latest documentation.

Updating your authorization policies

Beginning with Anthos Service Mesh version 1.4.5, Anthos Service Mesh certificate authority (Mesh CA) manages the issuance and rotation of mTLS certificates and keys for GKE Pods. Open source Istio and earlier versions of Anthos Service Mesh use Citadel as the certificate authority.

If you are upgrading from Istio or an earlier version of Anthos Service Mesh, and you have existing authorization policies that use a custom trust domain, you must update your authorization policies to use cluster.local to refer to your local trust domain. If your existing authorization policies already use cluster.local, you don't need to do anything.

To update your authorization policies:

  1. Grep your authorization policies to find all the occurrences of your custom trust domain. In the following example, old-td is the name of a custom trust domain.

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: service-httpbin.default.svc.cluster.local
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - old-td/ns/sleep-allow/sa/sleep
        to:
        - operation:
            methods:
            - GET
      selector:
        matchLabels:
          app: httpbin
    
  2. Change the custom trust domain to cluster.local, and apply the updated policy.

    kubectl apply -f - <<EOF
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: service-httpbin.default.svc.cluster.local
      namespace: default
    spec:
      rules:
      - from:
        - source:
            principals:
            - cluster.local/ns/sleep-allow/sa/sleep
        to:
        - operation:
            methods:
            - GET
      selector:
        matchLabels:
          app: httpbin
    ---
    EOF
    

What's next