
Questions about istio external authorization


Problem statement:

My goal is to have istio with an external authorization service (ideally HTTP; if that is not possible, then GRPC would do as well). There is a requirement to be able to control what exact status code will be returned to the client by the authorization service. The latter requirement is the most problematic part.

My research

  • I have read istio documentation on external authorizer

  • I have made a prototype with an HTTP Auth service, but whatever non-200 status code I return from the Auth Service, the client always receives 403 Forbidden

  • In the mesh config specification I see only the possibility to set statusOnError, but it is used only in case the auth service is unreachable, and it cannot be changed dynamically.

  • Also, in the envoy documentation for the GRPC service I see the possibility to set a custom status:

    HTTP attributes for a denied response.
    {
      "status": "{...}",
      "headers": [],
      "body": "..."
    }

Questions:

  1. Is having a custom status possible only with a GRPC auth service?
  2. Is istio using envoy API-V3 or API-V2?
  3. Any suggestion on how to cook istio with an external authorizer and custom status codes?

Solution

  • I made the GRPC Auth service prototype and found the answer. It is counter-intuitive, but the GRPC external auth service is really more flexible than the HTTP one, and it really allows setting an arbitrary status code