Set up Service Security on Proxyless gRPC service mesh on GKE
This page describes how to set up security features on a proxyless gRPC service mesh on GKE.
Prerequisites
As a starting point, this guide assumes that you have already:
Set up authorization policies on a proxyless gRPC service
This section shows you how to set up different kinds of authorization policies on Cloud Service Mesh proxyless gRPC services on GKE.
Before you can create an authorization policy, you must install the GCPAuthzPolicy CustomResourceDefinition (CRD):
curl https://raw.githubusercontent.com/GoogleCloudPlatform/gke-networking-recipes/main/gateway-api/config/mesh/crd/experimental/gcpauthzpolicy.yaml \
| kubectl apply -f -
Authorization policies enforce access control on traffic entering proxyless gRPC services. A policy is applied to a Kubernetes Deployment, and that Deployment must be in the same namespace as the authorization policy.
Authorization policy to deny all the requests
When you have a workload that is supposed to make only outbound calls, such as a cron job, you can configure an authorization policy to deny all incoming HTTP requests to the workload. The following example denies incoming HTTP requests to the gRPC service psm-grpc-server.
Perform the following steps to create and apply the deny authorization policy:
Create a deny policy by creating a file called deny-all-authz-policy.yaml:
cat >deny-all-authz-policy.yaml <<EOF
apiVersion: networking.gke.io/v1
kind: GCPAuthzPolicy
metadata:
  name: myworkload-authz
  namespace: default
spec:
  targetRefs:
  - kind: Deployment
    name: psm-grpc-server
  httpRules:
  - to:
      operations:
      - paths:
        - type: Prefix
          value: "/"
  action: DENY
EOF
Apply the policy:
kubectl apply -f deny-all-authz-policy.yaml
Authorization policy to allow requests
You can also configure an allow policy that permits only requests matching specific criteria and rejects the rest. The following example configures an authorization policy on psm-grpc-server that allows only POST requests carrying the HTTP header x-user-role: admin.
Perform the following steps to create and apply the allow authorization policy. Delete the previously created deny policy before adding this policy so that you can observe its effect:
Create a custom policy by creating a file called allow-authz-policy.yaml:
cat >allow-authz-policy.yaml <<EOF
apiVersion: networking.gke.io/v1
kind: GCPAuthzPolicy
metadata:
  name: myworkload-authz
  namespace: default
spec:
  targetRefs:
  - kind: Deployment
    name: psm-grpc-server
  httpRules:
  - to:
      operations:
      - methods: ["POST"]
    when: "request.headers['x-user-role'] == 'admin'"
  action: ALLOW
EOF
Apply the policy:
kubectl apply -f allow-authz-policy.yaml
Authorization policy to deny requests based on rules
The following example denies incoming HTTP POST requests to the workload psm-grpc-server when the request path is /admin.
Perform the following steps to create and apply the deny authorization policy:
Create a deny policy by creating a file called deny-path-authz-policy.yaml:
cat >deny-path-authz-policy.yaml <<EOF
apiVersion: networking.gke.io/v1
kind: GCPAuthzPolicy
metadata:
  name: myworkload-authz
  namespace: default
spec:
  targetRefs:
  - kind: Deployment
    name: psm-grpc-server
  httpRules:
  - to:
      operations:
      - paths:
        - type: Prefix
          value: "/admin"
        methods: ["POST"]
  action: DENY
EOF
Apply the policy:
kubectl apply -f deny-path-authz-policy.yaml
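The three policies above (deny all, allow only admin POSTs, deny POSTs under /admin) differ only in how their httpRules combine path, method and header conditions, which is easy to get wrong when you write your own. The following Python model is an added example and is not Google's or Cloud Service Mesh's code: it replays the three policies from this page against constructed requests so you can check what each one would admit before applying it to a cluster. It assumes the usual rule semantics (the action fires when any httpRule matches; a rule matches when any of its to.operations matches and its when condition holds; within one operation every listed field must match), and it stands in for the CEL when expression with a plain Python predicate. The third policy is modelled as the text describes it, denying POST on /admin.

```python
"""Offline model of GCPAuthzPolicy httpRules evaluation (added example, not the
product's implementation). Assumed semantics: the spec-level action applies when
ANY httpRule matches; a rule matches when ANY of its to.operations matches AND
its `when` predicate (if any) holds; within an operation, every listed field
(paths, methods) must match. Path matching covers only the Prefix type used on
the page."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP/2 and gRPC metadata keys are case-insensitive; normalise lookup.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower())


def path_matches(spec, path):
    if spec["type"] == "Prefix":
        return path.startswith(spec["value"])
    raise ValueError(f"unsupported path match type: {spec['type']}")


def operation_matches(op, req):
    paths = op.get("paths")
    methods = op.get("methods")
    if paths is not None and not any(path_matches(p, req.path) for p in paths):
        return False
    if methods is not None and req.method not in methods:
        return False
    return True


def rule_matches(rule, req):
    ops = rule.get("to", {}).get("operations", [])
    if ops and not any(operation_matches(op, req) for op in ops):
        return False
    when = rule.get("when")
    return when is None or bool(when(req))


def decide(policy, req):
    """Return the decision ('ALLOW' or 'DENY') for req under a policy spec."""
    matched = any(rule_matches(r, req) for r in policy["httpRules"])
    if policy["action"] == "DENY":
        return "DENY" if matched else "ALLOW"
    if policy["action"] == "ALLOW":
        return "ALLOW" if matched else "DENY"
    raise ValueError(f"unknown action: {policy['action']}")


# The spec sections of the three policies from this page, transcribed as dicts.
DENY_ALL = {"action": "DENY", "httpRules": [
    {"to": {"operations": [{"paths": [{"type": "Prefix", "value": "/"}]}]}}]}

ALLOW_ADMIN_POST = {"action": "ALLOW", "httpRules": [
    {"to": {"operations": [{"methods": ["POST"]}]},
     # Python stand-in for when: "request.headers['x-user-role'] == 'admin'"
     "when": lambda r: r.header("x-user-role") == "admin"}]}

DENY_ADMIN_PATH = {"action": "DENY", "httpRules": [
    {"to": {"operations": [{"paths": [{"type": "Prefix", "value": "/admin"}],
                            "methods": ["POST"]}]}}]}


def demo():
    """Constructed requests replayed through each policy; returns decisions."""
    admin_post = Request("POST", "/echo", {"X-User-Role": "admin"})
    guest_post = Request("POST", "/echo", {"x-user-role": "guest"})
    admin_get = Request("GET", "/echo", {"x-user-role": "admin"})
    return {
        "deny_all": [decide(DENY_ALL, r) for r in (admin_post, guest_post)],
        "allow_admin_post": [decide(ALLOW_ADMIN_POST, r)
                             for r in (admin_post, guest_post, admin_get)],
        "deny_admin_path": [decide(DENY_ADMIN_PATH, Request(m, p)) for m, p in
                            (("POST", "/admin/reset"), ("GET", "/admin/reset"),
                             ("POST", "/echo"), ("POST", "/administrator"))],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(name, decisions)
```

The last request in the demo is the caveat worth keeping in mind: a Prefix match on "/admin" also catches "/administrator" and any other path that merely starts with that string, so a deny rule is broader than it looks, and an allow rule with the same prefix would likewise admit more than the one service path.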