Use a waypoint proxy for L7 authorization policy
Without a waypoint installed, you can only use Layer 4 security policies. By adding a waypoint, you gain access to the full set of attributes in Istio's AuthorizationPolicy, as well as request authentication.
Policy enforcement using waypoints
A basic Layer 7 authorization policy looks like this:
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
    to:
    - operation:
        methods: ["GET"]
```
Considerations for authorization policies
In ambient mesh, authorization policies can either be targeted (for ztunnel enforcement) or attached (for waypoint enforcement). For an authorization policy to be attached to a waypoint it must have a `targetRef` which refers to the waypoint, or a Service which uses that waypoint.

The ztunnel cannot enforce L7 policies. If a policy with rules matching L7 attributes is targeted with a workload selector (rather than attached with a `targetRef`), such that it is enforced by a ztunnel, it will fail safe by becoming a DENY policy.
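The targeted-versus-attached distinction above is easy to get wrong in review, so here is an added example (my own code, not part of the Istio documentation or the Istio project) of a small pre-deployment lint. It classifies each AuthorizationPolicy by where it will be enforced (a `targetRefs`/`targetRef` means waypoint, a workload selector means ztunnel) and flags policies whose rules use Layer 7 attributes but would reach ztunnel, since those fail safe to DENY as the text describes. The set of attributes treated as L7 (`methods`, `paths`, `hosts`, `requestPrincipals` and `request.*` conditions) is my assumption from the AuthorizationPolicy field names; the sample policies are constructed Python dicts (the first mirrors the page's example) so the script runs offline without a YAML library.

```python
"""Lint AuthorizationPolicies for the ztunnel L7 fail-safe-to-DENY case.

Added example, not Istio project code. The L7 attribute lists below are an
assumption based on which AuthorizationPolicy fields need a parsed HTTP
request; check them against the reference for your Istio version.
"""

# Fields in `to.operation` / `from.source`, and `when` key prefixes, that
# require HTTP parsing and therefore cannot be evaluated by ztunnel (assumed).
L7_OPERATION_FIELDS = {"methods", "notMethods", "paths", "notPaths", "hosts", "notHosts"}
L7_SOURCE_FIELDS = {"requestPrincipals", "notRequestPrincipals"}
L7_WHEN_PREFIXES = ("request.",)


def l7_attributes(spec: dict) -> list[str]:
    """Return every L7 attribute referenced in spec.rules (empty means pure L4)."""
    found = []
    for rule in spec.get("rules", []):
        for clause in rule.get("to", []):
            op = clause.get("operation", {})
            found += [f"to.operation.{k}" for k in op if k in L7_OPERATION_FIELDS]
        for clause in rule.get("from", []):
            src = clause.get("source", {})
            found += [f"from.source.{k}" for k in src if k in L7_SOURCE_FIELDS]
        for cond in rule.get("when", []):
            key = cond.get("key", "")
            if key.startswith(L7_WHEN_PREFIXES):
                found.append(f"when.{key}")
    return found


def enforcement_point(spec: dict) -> str:
    """'waypoint' when attached via targetRefs/targetRef, otherwise 'ztunnel'."""
    if spec.get("targetRefs") or spec.get("targetRef"):
        return "waypoint"
    return "ztunnel"


def lint_policy(policy: dict) -> dict:
    """Summarise one policy; fails_safe_to_deny is the case the page warns about."""
    spec = policy.get("spec", {})
    l7 = l7_attributes(spec)
    where = enforcement_point(spec)
    return {
        "name": policy["metadata"]["name"],
        "enforced_by": where,
        "l7_attributes": l7,
        # L7 rules reaching ztunnel are not evaluated; the policy becomes DENY.
        "fails_safe_to_deny": where == "ztunnel" and bool(l7),
    }


# Constructed sample policies. The first mirrors the page's productpage-viewer.
RULES_L7 = [{
    "from": [{"source": {"principals": ["cluster.local/ns/default/sa/curl"]}}],
    "to": [{"operation": {"methods": ["GET"]}}],
}]
RULES_L4 = [{
    "from": [{"source": {"principals": ["cluster.local/ns/default/sa/curl"]}}],
}]

ATTACHED_L7 = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "productpage-viewer", "namespace": "default"},
    "spec": {"targetRefs": [{"kind": "Service", "group": "", "name": "productpage"}],
             "action": "ALLOW", "rules": RULES_L7},
}
# Same rules, but selector-targeted: enforced by ztunnel, so it turns into DENY.
SELECTOR_L7 = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "productpage-viewer-selector", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "productpage"}},
             "action": "ALLOW", "rules": RULES_L7},
}
# Selector-targeted but L4-only: ztunnel can enforce this as written.
SELECTOR_L4 = {
    "apiVersion": "security.istio.io/v1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "productpage-l4", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "productpage"}},
             "action": "ALLOW", "rules": RULES_L4},
}


def lint_all(policies: list[dict]) -> list[dict]:
    return [lint_policy(p) for p in policies]


if __name__ == "__main__":
    for r in lint_all([ATTACHED_L7, SELECTOR_L7, SELECTOR_L4]):
        flag = "WARN" if r["fails_safe_to_deny"] else "ok  "
        print(flag, r["name"], r["enforced_by"], r["l7_attributes"])
```

Run it over a directory of rendered manifests before applying them; a WARN line means the policy will silently deny all traffic to the selected workloads rather than allow the intended GETs, and the fix is to attach it to the Service (or the waypoint) with `targetRefs` as in the page's example.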
See the L4 policy guide for more information, including when to attach policies to waypoints for TCP-only use cases.