Set up Service Security on Envoy sidecar service mesh on GKE

This page describes how to set up security features on Envoy sidecar service mesh on GKE.

Prerequisites

As a starting point, this guide assumes that you have already:

Setup authorization policies on sidecars on GKE

This section shows you how to set up different kinds of authorization policies on Cloud Service Mesh sidecars on GKE.

Before you can create an authorization policy, you must install the GCPAuthzPolicy CustomResourceDefinition (CRD):

curl https://github.com/GoogleCloudPlatform/gke-networking-recipes/blob/main/gateway-api/config/mesh/crd/experimental/gcpauthzpolicy.yaml \
| kubectl apply -f -

Authorization Policies can enforce access control on traffic entering Envoy sidecars. Policies can be applied on Kubernetes deployments. Deployment should be in the same namespace as Authorization Policy.

Authorization policy to deny all the requests

When you have a workload that is supposed to make only outbound calls, like a cron job, you can configure an authorization policy to deny any incoming HTTP requests to the workload. The following example denies incoming HTTP requests to the workload whereami.

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-all-authz-policy.yaml:

    cat >deny-all-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
    targetRefs:
    - kind: Deployment
      name: wherami
    httpRules:
    - to:
        operations:
        - paths:
          - type: Prefix
            value: "/"
    action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-all-authz-policy.yaml
    

Authorization policy to allow requests

You can also configure an allow policy that allows only requests that match a specific criteria while rejecting the rest. The following example configures an authorization policy on the whereamiwhere o nly GET requests that have http header x-user-role:admin present in the request will be allowed.

Perform the following steps to create and apply the allow authorization policy, delete the previously created deny policy before adding this policy to see the results:

  1. Create a custom policy by creating a file called allow-authz-policy.yaml:

    cat >allow-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
    targetRefs:
    - kind: Deployment
      name: whereami
    httpRules:
    - to:
        operations:
        - methods: ["GET"]
      when: "request.headers['x-user-role'] == 'admin'
    action: ALLOW
    EOF
    
  2. Apply the policy:

    kubectl apply -f allow-authz-policy.yaml
    

Authorization policy to deny requests based on rules

The following example denies incoming HTTP GET requests to the workload whereami when it is on the path /admin .

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-path-authz-policy.yaml:

    cat >deny-path-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: sidecar-example
    spec:
    targetRefs:
    - kind: Deployment
      name: whereami
    httpRules:
    - to:
        operations:
        - paths:
          - type: Prefix
            value: "/admin"
          methods: ["GET"]
    action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-path-authz-policy.yaml