
Ext Authz Service Implementation

The Ext Authz Service is a sample implementation of an external authorization server designed to integrate with the [[Envoy]] ext_authz filter within an Istio service mesh^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. It acts as a policy enforcement point, intercepting requests to determine if they should be allowed or denied based on custom logic^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

API and Protocol Support

The service implements the standard Envoy External Authorization API: the mesh proxy (sidecar or gateway) forwards the attributes of each incoming request to it as a check request and acts on the verdict^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. It serves checks over two protocols:

  • HTTP: Listens on port 8000^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].
  • gRPC: Supports versions 2 and 3 of the API on port 9000^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Authorization Logic

The server determines whether to permit a request by evaluating specific attributes within the request context^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. A request is allowed if it meets either of the following conditions:

  1. Header Match: The request contains the header x-ext-authz: allow^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].
  2. Service Account Match: The source workload's service account is a^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

If neither condition holds, the request is denied: the HTTP server responds 403, and the gRPC server returns a CheckResponse with a non-OK status, which Envoy turns into a 403 Forbidden for the caller^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Note: The service account value a is a default intended for testing purposes. It can be customized using the -allow_service_account flag when starting the server^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. The two rules are not equivalent from a security standpoint: any client that can set request headers can send x-ext-authz: allow, so the header rule is a test hook and must not be relied on outside a test mesh, whereas the service-account rule is derived from the source workload's mTLS identity (its SPIFFE principal) when mutual TLS is enabled and is the pattern a real policy would build on.
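The decision described above, written out as an added example (this is not the sample server's own code). It assumes the source identity arrives as an Istio SPIFFE principal of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, which is what Istio issues to workloads under mutual TLS, and it compares only the service-account segment, as the sample's default rule does; the inputs in main are constructed, not captured from a mesh.

```go
package main

import (
	"fmt"
	"strings"
)

// The sample server's test hook: a request carrying "x-ext-authz: allow" is
// permitted. The value is client-controlled, so this rule is only safe in a
// test mesh.
const (
	allowHeader = "x-ext-authz"
	allowValue  = "allow"
)

// Decision is the outcome of one ext_authz check.
type Decision struct {
	Allowed bool
	Reason  string
}

// ServiceAccountFromPrincipal extracts the Kubernetes service account from an
// Istio SPIFFE identity, spiffe://<trust-domain>/ns/<namespace>/sa/<sa>.
// Trust domain and namespace are ignored to match the sample's
// service-account-only rule; a production policy should compare the full
// identity. Returns ("", false) if the principal is not in that form.
func ServiceAccountFromPrincipal(principal string) (string, bool) {
	const prefix = "spiffe://"
	if !strings.HasPrefix(principal, prefix) {
		return "", false
	}
	parts := strings.Split(strings.TrimPrefix(principal, prefix), "/")
	// parts: [trust-domain, "ns", namespace, "sa", service-account]
	if len(parts) != 5 || parts[1] != "ns" || parts[3] != "sa" || parts[4] == "" {
		return "", false
	}
	return parts[4], true
}

// headerValue looks a header up case-insensitively: header names are
// case-insensitive and Envoy lowercases them in the CheckRequest.
func headerValue(headers map[string]string, name string) (string, bool) {
	for k, v := range headers {
		if strings.EqualFold(k, name) {
			return v, true
		}
	}
	return "", false
}

// Decide applies the sample's two allow rules to one check request: allow if
// the x-ext-authz header is exactly "allow", or if the source workload's
// service account equals allowedSA; otherwise deny.
func Decide(headers map[string]string, sourcePrincipal, allowedSA string) Decision {
	if v, ok := headerValue(headers, allowHeader); ok && v == allowValue {
		return Decision{Allowed: true, Reason: "header " + allowHeader + ": " + allowValue}
	}
	if sa, ok := ServiceAccountFromPrincipal(sourcePrincipal); ok && sa == allowedSA {
		return Decision{Allowed: true, Reason: "source service account " + sa}
	}
	return Decision{Allowed: false, Reason: "no allow rule matched"}
}

func main() {
	// Constructed sample inputs, not captured from a real mesh.
	cases := []struct {
		name      string
		headers   map[string]string
		principal string
	}{
		{"header allow", map[string]string{"X-Ext-Authz": "allow"}, "spiffe://cluster.local/ns/default/sa/b"},
		{"service account a", map[string]string{}, "spiffe://cluster.local/ns/default/sa/a"},
		{"header deny value", map[string]string{"x-ext-authz": "deny"}, "spiffe://cluster.local/ns/default/sa/b"},
		{"no identity", map[string]string{}, ""},
	}
	for _, c := range cases {
		d := Decide(c.headers, c.principal, "a")
		fmt.Printf("%-18s allowed=%-5v (%s)\n", c.name, d.Allowed, d.Reason)
	}
}
```

Running it shows the first two cases allowed and the last two denied. The principal parser is the part worth keeping: a policy that only string-matches a service-account suffix would also accept an identity from another namespace or trust domain, which is why the comment recommends comparing the whole identity in anything beyond a test.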

Deployment

The service is deployed within the Kubernetes cluster as a dedicated pod^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. This isolation ensures that the authorization logic runs independently of the workloads it protects^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

The standard deployment is a separate Pod (defined in ext-authz.yaml). The sample also ships local-ext-authz.yaml, which runs the server as an additional container in the same Pod as the application it protects, so the check never leaves the Pod; the dedicated deployment remains the primary architectural pattern^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Advanced Features and Response Headers

To facilitate testing and integration verification, the Ext Authz server manipulates the headers of the user request in specific ways^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].

Request Tracing

The server adds the header x-ext-authz-check-received to the request^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. Its value is a dump of the check request the server received from the Envoy filter (on the gRPC path, the CheckRequest object)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. This lets operators verify exactly what the filter transmits to the authorization server. It is a debugging aid: the dump copies the whole request, including any credentials it carried, into a header, so it has no place in a production deployment.

Header Override Logic

The server demonstrates the ability to dynamically add or override headers. It injects the header x-ext-authz-additional-header-override into the request^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]. The value assigned to this header depends on the protocol used for the authorization check:

  • HTTP Server: It mirrors the value found in the x-ext-authz-additional-header-override header of the incoming check request^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].
  • gRPC Server: It sets the value to a constant string: grpc-additional-header-override-value^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md].
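The HTTP-server behaviour in this section, as an added example in Go that is not the sample's own code. It handles an Envoy HTTP ext_authz check with net/http: a 200 response allows the request, a 403 denies it, the check request is dumped into x-ext-authz-check-received, and x-ext-authz-additional-header-override is mirrored from the check request. Only the header allow rule is applied here (the service-account rule needs the mesh identity, which the HTTP check does not carry in a standard header), and the requests in Check and main are constructed with httptest rather than sent by Envoy.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"strings"
)

const (
	allowHeader         = "x-ext-authz"
	allowValue          = "allow"
	checkReceivedHeader = "x-ext-authz-check-received"
	overrideHeader      = "x-ext-authz-additional-header-override"
)

// ExtAuthzHTTPHandler answers one Envoy HTTP ext_authz check. Envoy treats a
// 200 as allow and forwards the response headers it is configured to accept
// onto the upstream request; any other status denies the request.
func ExtAuthzHTTPHandler(w http.ResponseWriter, r *http.Request) {
	// Dump the full check request so the caller can see what Envoy sent.
	// This is a debugging aid: it copies every header, credentials included.
	dump, err := httputil.DumpRequest(r, true)
	if err != nil {
		http.Error(w, "cannot dump check request", http.StatusInternalServerError)
		return
	}
	// A header value may not contain line breaks, so flatten the dump.
	flat := strings.TrimSpace(strings.ReplaceAll(strings.ReplaceAll(string(dump), "\r\n", " "), "\n", " "))
	w.Header().Set(checkReceivedHeader, flat)

	// HTTP-server behaviour: mirror the override header from the check request.
	if v := r.Header.Get(overrideHeader); v != "" {
		w.Header().Set(overrideHeader, v)
	}

	if r.Header.Get(allowHeader) == allowValue {
		w.WriteHeader(http.StatusOK)
		fmt.Fprintln(w, "allowed by ext_authz")
		return
	}
	w.WriteHeader(http.StatusForbidden)
	fmt.Fprintln(w, "denied by ext_authz")
}

// Check runs one constructed check request (a GET /headers with the given
// headers) through the handler and returns the status and the two response
// headers, i.e. what Envoy would receive.
func Check(headers map[string]string) (status int, checkReceived, override string) {
	req := httptest.NewRequest(http.MethodGet, "/headers", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	ExtAuthzHTTPHandler(rec, req)
	return rec.Code, rec.Header().Get(checkReceivedHeader), rec.Header().Get(overrideHeader)
}

func main() {
	status, received, override := Check(map[string]string{
		allowHeader:    allowValue,
		overrideHeader: "from-client",
	})
	fmt.Println("status:", status, "override:", override)
	fmt.Println("check received:", received)

	status, _, _ = Check(map[string]string{allowHeader: "deny"})
	fmt.Println("status:", status)
}
```

Two practical points follow from the code. First, the headers set on the 200 response only reach the application if the Istio extension provider lists them in headersToUpstreamOnAllow (and the original x-ext-authz header only reaches the server if includeRequestHeadersInCheck names it), so a silent "missing header" is usually a provider configuration issue rather than a server bug. Second, because the override value is mirrored straight from the check request, a client can choose what the upstream sees in that header; that is fine for a sample and exactly what to avoid in a real authorization server, which should only inject values it derived itself.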

Sources

^[400-devops-07-monitoring-and-observability-k8s-istio-samples-extauthz-readme.md]