Lesson 10 · Security, telemetry & operations
AuthorizationPolicy & edge auth
Deciding who may call what — the Istio way, and the way this repo actually does it.
Your win: explain AuthorizationPolicy and RequestAuthentication (the cert material), and contrast them with how this repo actually enforces access — in the app and at the edge, not in the mesh for backend services.
Authorization — the layer above identity
mTLS (Lesson 9) proves who is calling. AuthorizationPolicy decides whether that identity is allowed to do what it's asking — an ALLOW/DENY rule matching on the source (principal/namespace), the operation (paths, methods), and conditions.1 Two related resources:
| Resource | Answers |
|---|---|
| PeerAuthentication (L9) | must the peer use mTLS? (workload identity) |
| RequestAuthentication | is the end-user's JWT valid? (origin identity) |
| AuthorizationPolicy | given identity, is this call allowed? |
POST /v1/foo." Each answers a different question. In an interview, being able to
place a given rule in the right layer is the tell that you understand the model.
How this repo enforces access — not via Istio (for backend)
AuthorizationPolicy and no RequestAuthentication (grep = 0).
Access control happens in the application: the service validates the caller's token
and maps it to gRPC metadata (the interceptor pattern from the gRPC course). The mesh routes
the request; the app authorizes it.
- At the edge, via VirtualService
fault.abort: bob returns 403 to block Internal RPC paths from the public gateway (backend/bob/values.yaml:42-46, Lesson 4). A routing rule used as a coarse access control. - Istio authz IS used — but only for platform/monitoring: the one place
this repo reaches for
AuthorizationPolicy+ JWTRequestAuthenticationis guarding the monitoring/Grafana ingress (platforms/monitoring/<env>-gateway.yaml) and Atlantis (platforms/atlantis/authz.yaml) — infra dashboards, not business traffic.
Istio docs — AuthorizationPolicy (+ authn policy task)
ALLOW/DENY rules, source/operation matching, and how it composes with mTLS and JWT authn.
→ istio.io — AuthorizationPolicy
→ istio.io — Authentication Policy (task)
Check yourself (from memory)
Q1. AuthorizationPolicy decides…
Q2. A valid end-user JWT is checked by…
Q3. Backend access control in this repo is done…
fault.abort 403
to block Internal RPCs (bob/values.yaml:42-46); and Istio AuthorizationPolicy +
JWT ONLY for platform/monitoring (Grafana ingress, Atlantis). Trade-off: in-app = fine-grained
but repeated; mesh = centralised but coarse. This repo leans on the app for backend.