Use a waypoint proxy for L7 authorization policy

Without a waypoint installed, you can only use Layer 4 security policies, because ztunnel sees only the TCP connection and the peer identity. By adding a waypoint, you gain access to the full set of attributes in Istio's AuthorizationPolicy (HTTP methods, paths, headers, request principals), as well as request authentication (JWT validation).

Policy enforcement using waypoints

A basic Layer 7 authorization policy looks like this:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
    to:
    - operation:
        methods: ["GET"]
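The following is an added example, not from the original page, showing the request authentication that a waypoint makes possible. It extends the policy above so that callers must present a valid JWT in addition to having the curl service account identity. The issuer and JWKS URI are placeholders, not a real identity provider; the Service and namespace are the ones used above.

```yaml
# RequestAuthentication: validate JWTs on requests to productpage.
# Assumption: the issuer and jwksUri below are placeholders.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: productpage-jwt
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# AuthorizationPolicy: RequestAuthentication on its own only rejects
# requests carrying an *invalid* token; requests with *no* token still
# pass. Requiring a requestPrincipal closes that gap.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
        # Matches any subject issued by the placeholder issuer.
        requestPrincipals:
        - "https://issuer.example.com/*"
    to:
    - operation:
        methods: ["GET"]
```

Both resources are attached to the same Service, so the waypoint for that Service validates the token and then evaluates the principal and method rules. Without the requestPrincipals entry, a request with no Authorization header would still be allowed.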

Considerations for authorization policies

In ambient mesh, authorization policies can either be targeted (for ztunnel enforcement) or attached (for waypoint enforcement). For an authorization policy to be attached to a waypoint it must have a targetRef which refers to the waypoint, or a Service which uses that waypoint.

The ztunnel cannot enforce L7 policies. If a policy with rules matching L7 attributes (such as methods, paths, or headers) is targeted with a workload selector (rather than attached with a targetRef), such that it is enforced by a ztunnel, it will fail safe by becoming a DENY policy. The practical symptom is that traffic you intended to allow is rejected, not that the L7 rule is silently ignored.
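The following is an added example, not from the original page, placing the failure mode just described next to its two correct forms. The first policy uses a workload selector with an L7 rule, so it is enforced by ztunnel and fails safe to DENY. The second attaches the same rule to the Service, and the third attaches it to the waypoint Gateway itself. The waypoint name "waypoint" and the label app: productpage are assumptions; the Service and service account come from the page.

```yaml
# WRONG for L7: a selector targets the workload, so ztunnel enforces it.
# ztunnel cannot evaluate `methods`, so this ALLOW policy is treated as
# DENY and the GET requests from curl it meant to permit are blocked.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer-broken
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage   # assumed label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
    to:
    - operation:
        methods: ["GET"]
---
# CORRECT: attach to the Service that uses the waypoint.
# The waypoint, not ztunnel, enforces the method rule.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
    to:
    - operation:
        methods: ["GET"]
---
# ALSO CORRECT: attach to the waypoint Gateway directly, which applies
# the rule to every Service served by that waypoint.
# Assumption: the waypoint Gateway is named "waypoint" in namespace default.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: waypoint-get-only
  namespace: default
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl
    to:
    - operation:
        methods: ["GET"]
```

When choosing between the two correct forms, prefer the Service-scoped targetRef unless the rule genuinely applies to everything behind the waypoint; a Gateway-scoped ALLOW policy with a single source principal will, by the normal ALLOW semantics, deny every other caller to every Service on that waypoint.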

See the L4 policy guide for more information, including when to attach policies to waypoints for TCP-only use cases.