Set up Service Security on Proxyless gRPC service mesh on GKE

This page describes how to set up security features on a proxyless gRPC service mesh on GKE.

Prerequisites

As a starting point, this guide assumes that you have already:

Set up authorization policies on a proxyless gRPC service

This section shows you how to set up different kinds of authorization policies on Cloud Service Mesh proxyless gRPC services on GKE.

Before you can create an authorization policy, you must install the GCPAuthzPolicy CustomResourceDefinition (CRD):

# Fetch the raw manifest: the github.com/.../blob/... page URL returns HTML, which kubectl cannot apply.
curl https://raw.githubusercontent.com/GoogleCloudPlatform/gke-networking-recipes/main/gateway-api/config/mesh/crd/experimental/gcpauthzpolicy.yaml \
| kubectl apply -f -

Authorization policies enforce access control on traffic entering proxyless gRPC services. A policy is applied to a Kubernetes Deployment, and the Deployment must be in the same namespace as the authorization policy.

Authorization policy to deny all the requests

When you have a workload that is supposed to make only outbound calls, like a cron job, you can configure an authorization policy to deny any incoming HTTP requests to the workload. The following example denies incoming HTTP requests to the gRPC service psm-grpc-server.

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-all-authz-policy.yaml:

    cat >deny-all-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: default
    spec:
      targetRefs:
      - kind: Deployment
        name: psm-grpc-server
      httpRules:
      - to:
          operations:
          - paths:
            - type: Prefix
              value: "/"
      action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-all-authz-policy.yaml
    

Authorization policy to allow requests

You can also configure an allow policy that admits only requests matching specific criteria and rejects the rest. The following example configures an authorization policy on psm-grpc-server that allows only POST requests carrying the HTTP header x-user-role:admin.

Perform the following steps to create and apply the allow authorization policy. Delete the previously created deny policy before applying this one so that you can see its effect:

  1. Create a custom policy by creating a file called allow-authz-policy.yaml:

    cat >allow-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: default
    spec:
      targetRefs:
      - kind: Deployment
        name: psm-grpc-server
      httpRules:
      - to:
          operations:
          - methods: ["POST"]
        when: "request.headers['x-user-role'] == 'admin'"
      action: ALLOW
    EOF
    
  2. Apply the policy:

    kubectl apply -f allow-authz-policy.yaml
    

Authorization policy to deny requests based on rules

The following example denies incoming HTTP POST requests to the workload psm-grpc-server when the request path is under /admin.

Perform the following steps to create and apply the deny authorization policy:

  1. Create a deny policy by creating a file called deny-path-authz-policy.yaml:

    cat >deny-path-authz-policy.yaml <<EOF
    apiVersion: networking.gke.io/v1
    kind: GCPAuthzPolicy
    metadata:
      name: myworkload-authz
      namespace: default
    spec:
      targetRefs:
      - kind: Deployment
        name: psm-grpc-server
      httpRules:
      - to:
          operations:
          # both constraints must hold: a POST request whose path starts with /admin
          - paths:
            - type: Prefix
              value: "/admin"
            methods: ["POST"]
      action: DENY
    EOF
    
  2. Apply the policy:

    kubectl apply -f deny-path-authz-policy.yaml
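To sanity-check a rule set before applying it to a cluster, the following added Python simulator (not code from this page or from the GCPAuthzPolicy project) evaluates sample requests against the allow policy and the deny-by-path policy above. It assumes the matching semantics that a DENY policy rejects any request matching one of its rules and admits the rest, while an ALLOW policy admits only matching requests; the two policies are embedded as constructed dicts, and only the `when` form used on this page is understood.

```python
import re

# Constructed dict forms of two policies from this page (assumed to mirror
# the YAML; only the fields this simulator understands are present).
ALLOW_ADMIN_POST = {
    "action": "ALLOW",
    "httpRules": [{
        "to": {"operations": [{"methods": ["POST"]}]},
        "when": "request.headers['x-user-role'] == 'admin'",
    }],
}
DENY_ADMIN_PATH = {
    "action": "DENY",
    "httpRules": [{"to": {"operations": [
        {"paths": [{"type": "Prefix", "value": "/admin"}], "methods": ["POST"]}]}}],
}

# Only the `when` shape used on this page is understood (a CEL header equality).
_WHEN = re.compile(r"request\.headers\['([^']+)'\]\s*==\s*'([^']*)'")

def _operation_matches(op, method, path):
    """An operation matches when every listed constraint (paths, methods) holds."""
    paths, methods = op.get("paths", []), op.get("methods", [])
    if any(p["type"] != "Prefix" for p in paths):
        raise ValueError("only Prefix path matches are simulated")
    path_ok = not paths or any(path.startswith(p["value"]) for p in paths)
    return path_ok and (not methods or method in methods)

def _rule_matches(rule, method, path, headers):
    ops = rule.get("to", {}).get("operations", [])
    if ops and not any(_operation_matches(o, method, path) for o in ops):
        return False
    when = rule.get("when")
    if not when:
        return True
    m = _WHEN.fullmatch(when.strip())
    if not m:
        raise ValueError(f"unsupported when expression: {when}")
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP/2 header names are lowercase
    return lowered.get(m.group(1).lower()) == m.group(2)

def evaluate(policy, method, path, headers=None):
    """Assumed semantics: DENY rejects any matching request and admits the rest;
    ALLOW admits only matching requests. Returns "ALLOW" or "DENY"."""
    matched = any(_rule_matches(r, method, path, headers or {}) for r in policy["httpRules"])
    if policy["action"] == "DENY":
        return "DENY" if matched else "ALLOW"
    return "ALLOW" if matched else "DENY"
```

Run requests that mirror real gRPC traffic (always POST, paths of the form /package.Service/Method) through `evaluate` to confirm a policy behaves as intended before `kubectl apply`.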