doc-exports/docs/asm/umn/asm_01_0088.html
Dong, Qiu Jian ec0b45029f ASM UMN initial version -20240425
Reviewed-by: Kovács, Zoltán <zkovacs@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2024-09-18 09:02:28 +00:00

<a name="asm_01_0088"></a><a name="asm_01_0088"></a>
<h1 class="topictitle1">Configuring a Security Policy</h1>
<div id="body0000001234454836"><p id="asm_01_0088__p1347415315207">ASM security functions include <strong id="asm_01_0088__b317844618376">Access Authorization</strong>, <strong id="asm_01_0088__b1515245373712">Peer Authentication</strong>, and <strong id="asm_01_0088__b91349303817">JWT Authentication</strong>. Together they control which workloads may call a service, whether traffic between workloads must be mutually authenticated and encrypted, and whether end-user requests carry a valid token.</p>
<div class="section" id="asm_01_0088__section94901507173"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0088__ol45250152481"><li id="asm_01_0088__li1312216018017"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0088__li1442714155498"><span>In the navigation pane, choose <strong id="asm_01_0088__b27638561235">Service Management</strong>. In the upper right corner of the list, select the namespace that your services belong to.</span></li><li id="asm_01_0088__li8181195172812"><span>Locate the target service and click <span class="uicontrol" id="asm_01_0088__uicontrol108394511052052"><b>Security</b></span> in the <span class="uicontrol" id="asm_01_0088__uicontrol175322372052052"><b>Operation</b></span> column. In the window that slides out from the right, configure access authorization and peer authentication.</span><p><p id="asm_01_0088__p344313256297"><strong id="asm_01_0088__b9563298293">Access Authorization</strong></p>
<p id="asm_01_0088__p195756344103">Access authorization controls access to services in the mesh: for each request, it decides whether the calling service is permitted to reach the current service. Requests from callers that are not authorized are rejected by the sidecar before they reach the application container.</p>
<p id="asm_01_0088__p553824310916">On the <strong id="asm_01_0088__b1529133462815">Access Authorization</strong> tab, click <strong id="asm_01_0088__b1029603419287">Configure now</strong>. In the displayed dialog box, click <span><img id="asm_01_0088__image35657146119" src="en-us_image_0000001374968509.png"></span> to select one or more services in a specified namespace. Only the selected services are allowed to access the current service.</p>
<p id="asm_01_0088__p175497263299"><strong id="asm_01_0088__b7886163582718">Peer Authentication</strong></p>
<p id="asm_01_0088__p1629911482104">Istio tunnels communication between service pods through the client-side and server-side Policy Enforcement Points (PEPs), which are the sidecar proxies. Peer authentication defines whether traffic must reach the current service pod through this tunnel (mutual TLS) or may also arrive outside it (plain text). By default, pods that have sidecars injected communicate with each other through the tunnel, and that traffic is automatically encrypted with mutual TLS using workload certificates issued by the mesh, so each peer can verify the identity of the other.</p>
<p id="asm_01_0088__p4695835131211">On the <strong id="asm_01_0088__b48210718288">Peer Authentication</strong> tab, click <strong id="asm_01_0088__b7600316152816">Configure now</strong>. In the displayed dialog box, select an authentication policy.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="asm_01_0088__table192939523213" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Authentication policies</caption><thead align="left"><tr id="asm_01_0088__row182932521527"><th align="left" class="cellrowborder" valign="top" width="28.51%" id="mcps1.3.2.2.3.2.7.2.3.1.1"><p id="asm_01_0088__p182931152420">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="71.49%" id="mcps1.3.2.2.3.2.7.2.3.1.2"><p id="asm_01_0088__p142931521029">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="asm_01_0088__row15293195212216"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p111705451310">UNSET</p>
</td>
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p18116185471315">No mode is set for the service itself. The service inherits the peer authentication policy of the enclosing scope (namespace first, then the mesh). If no scope defines a policy, the mesh default applies, which is PERMISSIVE.</p>
</td>
</tr>
<tr id="asm_01_0088__row529365215211"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p2011645419131">PERMISSIVE</p>
</td>
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p13116165411130">Traffic can be transmitted without passing through the tunnel. Workloads accept both mutual TLS and plain text traffic. By default, the mesh is configured with a peer authentication policy in PERMISSIVE mode. This mode is intended for migration, while some callers do not yet have sidecars: plain text callers are not authenticated, so they carry no workload identity and cannot be distinguished by source-based access authorization. Switch to STRICT once all callers are in the mesh.</p>
</td>
</tr>
<tr id="asm_01_0088__row12293452325"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p1611618545137">STRICT</p>
</td>
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p179495491320">Traffic is accepted only through the tunnel: every connection must be encrypted with TLS and present a client certificate, so plain text requests are rejected. Before enabling STRICT, confirm that every caller of the service (including health checks and clients outside the mesh) already uses mutual TLS, otherwise those callers start failing.</p>
</td>
</tr>
</tbody>
</table>
</div>
<p id="asm_01_0088__p20273184615449"><strong id="asm_01_0088__b1939152722315">JWT Authentication</strong></p>
<p id="asm_01_0088__p123235364412">You can configure JWT authentication on ASM. With JWT authentication, ASM checks whether the access token in the request header is trusted (the signature is verified against the configured JWKS, and the issuer and audiences must match the configured values) and authorizes only requests that carry a valid token. A request whose token fails these checks is rejected. Note that in Istio a request with no token at all is not rejected by the JWT rule alone; it is rejected only when an authorization policy requires a validated request principal, so add such a policy if the token is mandatory.</p>
<div class="note" id="asm_01_0088__note1364912291619"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0088__p5649724166">JWT authentication can be configured only for HTTP services.</p>
</div></div>
<p id="asm_01_0088__p2044454894512">On the <strong id="asm_01_0088__b7218122314343">JWT Authentication</strong> tab, click <strong id="asm_01_0088__b16218142314340">Configure now</strong>. In the displayed dialog box, set the following parameters:</p>
<ul id="asm_01_0088__ul11959165474711"><li id="asm_01_0088__li17959354124710"><strong id="asm_01_0088__b105221210184912">Issuer</strong>: issuer of the JWT. The iss claim of the token must match this value exactly.</li><li id="asm_01_0088__li97930110487"><strong id="asm_01_0088__b052017221493">Audiences</strong>: audiences that are allowed to use the JWT to access the service, that is, the values accepted for the aud claim of the token. Separate multiple audiences with commas (,). If left empty, the audience claim is not checked and a token issued for any audience is accepted.</li><li id="asm_01_0088__li19105201054819"><strong id="asm_01_0088__b994312588490">JWKS</strong>: the JSON Web Key Set (JWKS) containing the public keys used to verify the token signature.</li></ul>
<p id="asm_01_0088__p14761136183314">For details about the principles and application examples of JWT authentication, see <a href="asm_01_0096.html">JWT Authentication Principles</a> and <a href="asm_01_0097.html">Authenticating JWT Requests on the Ingress Gateway Using ASM</a>.</p>
</p></li></ol>
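<p>The following manifest is an added example and is not part of the ASM documentation or the ASM product. It shows the standard Istio resources that correspond to the three tabs in the procedure above (peer authentication, access authorization, and JWT authentication) for one service, so that what the console configured can be audited with kubectl. It assumes that ASM applies the standard Istio security CRDs (security.istio.io/v1beta1) and that the root namespace is istio-system; the namespace demo, the workload label app=reviews, the caller service account productpage, the issuer https://issuer.example.com, and the audience reviews.demo are hypothetical names.</p>

```yaml
# Added example, not ASM's own configuration. Assumes ASM applies the
# standard Istio security CRDs. All names below are hypothetical.
---
# Peer Authentication, mesh scope. The resource named "default" in the
# root namespace applies to every workload whose own mode is UNSET.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system        # root namespace (assumed)
spec:
  mtls:
    mode: STRICT                 # mesh-wide: only mutual TLS is accepted
---
# Peer Authentication, workload scope. Keeps STRICT for the workload but
# tolerates plain text on one port (e.g. a health check from a client
# that has no sidecar). Omitting spec.mtls entirely is UNSET and would
# inherit the namespace or mesh policy instead.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: reviews
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: PERMISSIVE           # plain text tolerated on 9090 only
---
# JWT Authentication: the Issuer, Audiences and JWKS fields of the console
# tab. Invalid tokens are rejected here; requests with no token pass and
# must be stopped by the authorization policy below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: reviews-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  jwtRules:
  - issuer: "https://issuer.example.com"      # must equal the iss claim
    audiences: ["reviews.demo"]               # aud must contain one of these; omit to skip the check
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# Access Authorization combined with the JWT requirement in ONE rule.
# Fields inside one "source" are ANDed: the caller must be the productpage
# workload (identity from its mTLS client certificate) AND present a valid
# JWT from the issuer above. Putting the two conditions in two separate
# ALLOW policies would OR them, so either condition alone would be enough.
# Once any ALLOW policy selects a workload, requests matching no rule are
# denied, which is why plain text callers without a principal are refused.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow
  namespace: demo
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/demo/sa/productpage"]   # workload identity (SPIFFE)
        requestPrincipals: ["https://issuer.example.com/*"]    # end-user identity (iss/sub)
```

<p>After applying, the effective resources can be listed with <strong>kubectl get peerauthentication,requestauthentication,authorizationpolicy -n demo</strong> (and <strong>-n istio-system</strong> for the mesh-wide policy). When checking a service, remember the inheritance order from Table 1: a workload with no PeerAuthentication of its own takes the namespace policy, and failing that the mesh policy, so an absent resource does not mean mutual TLS is off.</p>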
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0087.html">Security</a></div>
</div>
</div>