Commit 8e3aa10

[release-1.25] Clarify use of default-deny when waypoints are added (#16444)
* Clarify use of default-deny when waypoints are added

Signed-off-by: Ian Rudie <[email protected]>

* Apply suggestions from code review

Co-authored-by: Daniel Hawton <[email protected]>

---------

Signed-off-by: Ian Rudie <[email protected]>
Co-authored-by: Ian Rudie <[email protected]>
Co-authored-by: Craig Box <[email protected]>
Co-authored-by: Daniel Hawton <[email protected]>
1 parent 221cf57 commit 8e3aa10

1 file changed

+14
-0
lines changed
content/en/docs/ops/best-practices/security/index.md

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,20 @@ For example, in the [authorization for HTTP traffic task](/docs/tasks/security/a
4444
the authorization policy named `allow-nothing` makes sure all traffic is denied by default.
4545
From there, other authorization policies allow traffic based on specific conditions.
4646

47+
#### Default-deny pattern with waypoints
48+
49+
Istio's new ambient data plane mode introduced a new split dataplane architecture.
50+
In this architecture, the waypoint proxy is configured using Kubernetes Gateway API which uses more explicit binding to gateways using `parentRef` and `targetRef`.
51+
Because waypoints adhere more closely to the principles of Kubernetes Gateway API, the default-deny pattern is enabled in a slightly different way when policy is applied waypoints.
52+
Beginning with Istio 1.25, you may bind `AuthorizationPolicy` resources to the `istio-waypoint` `GatewayClass`.
53+
By binding `AuthorizationPolicy` to the `GatewayClass`, you can configure all gateways which implement that `GatewayClass` with a default policy.
54+
It is important to note that `GatewayClass` is a cluster-scoped resource, and binding namespace-scoped policies to it requires special care.
55+
Istio requires that policies which are bound to a `GatewayClass` reside in the root namespace, typically `istio-system`.
56+
57+
{{< tip >}}
58+
When using the default-deny pattern with waypoints, the policy bound to the `istio-waypoint` `GatewayClass` should be used in addition to the "classic" default-deny policy. The "classic" default-deny policy will be enforced by ztunnel against the workloads in your mesh and still provides meaningful value.
59+
{{< /tip >}}
60+
4761
#### Use `ALLOW-with-positive-matching` and `DENY-with-negative-match` patterns
4862

4963
Use the `ALLOW-with-positive-matching` or `DENY-with-negative-matching` patterns whenever possible. These authorization policy
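Review bot: New line 51 is missing a word, "when policy is applied waypoints" should read "when policy is applied to waypoints"; line 50 should read "the Kubernetes Gateway API, which uses", and line 49 uses "dataplane" where the same sentence and the rest of the page say "data plane". On substance, lines 52 to 55 tell the reader they may bind `AuthorizationPolicy` to the `istio-waypoint` `GatewayClass` and that the policy must live in the root namespace, but unlike the `allow-nothing` policy referenced at line 44 the section shows no manifest; a short example with a `targetRef` of kind `GatewayClass` and name `istio-waypoint` placed in `istio-system`, plus one sentence on what Istio does with such a policy created in any other namespace, would make the requirement at line 55 actionable. The tip at line 58 says the "classic" policy "still provides meaningful value" without saying which traffic it covers; stating that ztunnel enforces it at the workload, so it applies even where a waypoint is not in the path, would give the reader the reason to keep both.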
