I am trying to setup the OPA adapter in Istio with the simplest rule to deny everything by default:
---
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
name: authz-instance
namespace: istio-demo
spec:
subject:
user: source.uid | ""
action:
namespace: destination.namespace | "default"
service: destination.service | ""
method: request.method | ""
path: request.path | ""
---
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
name: opa-handler
namespace: istio-demo
spec:
policy:
- |+
package mixerauthz
default allow = false
checkMethod: "data.mixerauthz.allow"
failClose: true
---
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: authz-rule
namespace: istio-demo
spec:
match: "true"
actions:
- handler: opa-handler.opa.istio-demo
instances:
- authz-instance.authorization.istio-demo
When I apply it, Istio's policy complains about not finding the handler:
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798783Z info Built new config.Snapshot: id='9'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: 2019-08-12T15:58:21.798819Z error 2 errors occurred:
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * action='authz-rule.rule.istio-demo[0]': Handler not found: handler='opa-handler.opa.istio-demo'
istio-system/istio-policy-7f86484668-fc8lv[mixer]: * rule=authz-rule.rule.istio-demo: No valid actions found in rule
I've tried to apply it in the istio-system namespace, but same issue.
Anyone can help out here?
Thanks in advance.
Alternatively you can try out the OPA/Istio/Envoy integration that enforces the same type of policies at the proxy layer