How can I access Istio Authorization details in my target Service(For e.g. Flask code)

Time:02-12

For example, I have enabled mTLS in my Istio service in STRICT mode, and I have an authorization policy that has a source.principals rule check.

Now I want to access these rule details, like source.principals and source.namespace, after the request is authenticated and authorized, so that I can do more business logic in my Flask (Python) service.

My python code looks like this:

from flask import Flask, request, jsonify
app = Flask(__name__)

@app.route("/mutate-hook", methods=['POST'])
def mutate():
    source = request.headers.get('source')
    # I am expecting source to be the source from this: https://istio-releases.github.io/v0.1/docs/reference/config/mixer/attribute-vocabulary.html
    print(source)
    # silent=True returns None instead of raising when the body is not JSON
    request_json = request.get_json(silent=True) or {}
    # I am expecting source to be the source from this: https://istio-releases.github.io/v0.1/docs/reference/config/mixer/attribute-vocabulary.html
    request_source = request_json.get('source') or {}
    print(request_source.get("principal"), request_source.get('namespace'))
    # a Flask view must return a response
    return jsonify({"header_source": source, "body_source": request_source})

CodePudding user response:

I solved this using a different approach.

So each pod in k8s has access to its service account token, and we can use the TokenReview API to validate this token; that TokenReview API returns the service account with its namespace. So when a service talks to another service, we pass this service account token from Service A to Service B, and then Service B validates this token using the TokenReview API and gets the principal (which is the service account name) and the namespace.

CodePudding user response:

You can use the X-Forwarded-Client-Cert header added by Envoy; it contains the service account name of the sender, like cluster.local/ns/default/sa/senderServiceAccountName, from which you can find both the namespace and the deployment (if you used a separate service account for each of your deployments) of the sender.
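A parser for that header, as an added example (not code from the answer above or from Istio): it extracts the caller's namespace and service account from the SPIFFE URI of the last XFCC element, which is the peer the local sidecar itself verified, and checks it against an allow-list. It assumes Envoy's element format `By=...;Hash=...;Subject="...";URI=spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`; the sample header, the `Peer` type and `is_allowed` are mine, and in the Flask view you would call `peer_identity(request.headers.get('X-Forwarded-Client-Cert'))`.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# One key=value pair of an XFCC element. Envoy double-quotes values that
# contain ';', ',' or '=' and escapes inner quotes as \" (assumed format).
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^;,]*)')
# Istio workload identity: spiffe://<trust-domain>/ns/<namespace>/sa/<sa>
_SPIFFE_RE = re.compile(r'^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$')


class Peer(NamedTuple):
    trust_domain: str
    namespace: str
    service_account: str


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """Split X-Forwarded-Client-Cert into one dict per certificate element.

    Pairs inside an element are separated by ';', elements by ','."""
    elements: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for m in _PAIR_RE.finditer(header):
        key, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')  # strip quotes, unescape
        current[key] = value
        if header[m.end():m.end() + 1] == ',':  # ',' closes this element
            elements.append(current)
            current = {}
    if current:
        elements.append(current)
    return elements


def peer_identity(header: Optional[str]) -> Optional[Peer]:
    """Identity of the immediate caller, or None if the header is absent or
    carries no SPIFFE URI. Each proxy appends its own element, so the last one
    is the peer whose certificate the local sidecar validated under STRICT mTLS."""
    if not header:
        return None
    elements = parse_xfcc(header)
    if not elements:
        return None
    m = _SPIFFE_RE.match(elements[-1].get("URI", ""))
    return Peer(m.group("td"), m.group("ns"), m.group("sa")) if m else None


def is_allowed(peer: Optional[Peer], allowed: Set[Tuple[str, str]]) -> bool:
    """Application-level check: (namespace, service account) must be allow-listed."""
    return peer is not None and (peer.namespace, peer.service_account) in allowed


# Constructed sample header, shaped like what an Istio sidecar forwards.
XFCC_SAMPLE = ('By=spiffe://cluster.local/ns/default/sa/flask-app;Hash=0123abcd;'
               'Subject="";URI=spiffe://cluster.local/ns/payments/sa/checkout')
```

This only means something when the application port is reachable exclusively through the sidecar; a request that bypasses Envoy can carry any header value.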
