Old Service Policy

Objective

This document provides instructions on how to configure an application-level policy using service policy rules and service policy sets. To know more about how Volterra secures your applications using service policies, See Volterra Service Policy for more information.

Using the instructions provided in this document, you can create service policies with policy rules to secure your applications.


Prerequisites


Configuration

The following image shows configuration workflow for policy rule, policy, and policy set:

image17
Figure: Creating an Application Service Policy

Configuration Sequence

Configuring service policy requires you to perform the following sequence of actions:

Phase Description
Create Service Policy Rule Create a policy rule to use in the policy.
Create Service Policy Create a policy with the policy rule.
Create Service Policy Set Create a policy set with the policy created and apply it to a virtual host.

Create Service Policy Rule

Step 1: Select or create the desired namespace. Select Security from configuration menu and Network Security from options pane.

Note: You can create a ‘Service Policy’ in the following namespaces:

  • System
  • Shared
  • Configured namespace (NS).

image4
Figure: Navigating to a Namespace

image15
Figure: Creating a Service Policy Rule

Step 2: Create a service policy rule. Select Policy Rules from Service Policies and click Add service policy rule.

Enter the policy rule configuration parameters as per the following guidelines:

  • Name: Name of the service policy rule
  • Action: Supported actions are ‘allow’ and ‘deny’
  • Client: Client field has the following subfields.

    • Client Name: Name of the client accessing the server
    • Label selector: Label selector expression for the client. In case of client coming from public internet, implicit labels like Geo-IP Country or Geo-IP Region can be used. The Geo-IP data is sourced from the MaxMind free database.
  • Label Matcher: List of label keys for which label values should be the same for server and client.
  • Path: In case of HTTP or HTTPs proxy, this is URL path.
  • Headers: Match HTTP/HTTPs proxy HTTP header in the request
  • Method: HTTP method of the request. For example, GET, POST, PUT or DELETE etc.
  • Query Params: Match HTTP/HTTPs proxy query parameters in the request
  • Client role: Role is currently used in Volterra RBAC policies and API Gateway
  • Client name matcher: Regular expression matching the client's name

This example shows a sample rule to block traffic from France using the Geo-IP label geoip.ves.io/country.

geo ip deny
Figure: Service Policy Rule Configuration


Create Service Policy

Step 1: Select Policies under Service Policies and click Add service policy.

Enter the policy configuration parameters as per the following guidelines:

  • Name: Name of the Service Policy
  • Rule Combining Algorithm: The algorithm is of the following types:

    • First Rule Match: Evaluates each rule in the order of configuration
    • Deny Rule Overrides: Evaluates all "allow" rules only.
    • Allow Rule Overrides: Evaluates all "deny" rules before evaluating any "allow" rules.
  • Server name: A Fully Qualified Domain Name of the server
  • Selector Expression: Label selector using keys
  • Rules: Select service policy rule created above

image14
Figure: Creating a Service Policy


Create Service Policy Set

Step 1: Select Policy set under Service Policies and click Add service policy set.

Enter the policy set configuration parameters as per the following guidelines:

  • Name: Name of the service policy set
  • Policies: Select service policy created above

image9
Figure: Creating a Service Policy Set

Example: Block Backend Requests for Bookinfo Application

image20
Figure: Blocking Access based on HTTP Query Parameters

This step assumes user has already deployed a sample bookinfo application and a virtual host is created to access the application.

Step 1: Ensure that the name resolution is functioning correctly from your machine. In this example, the domain is "bookinfovk8s.customer1.demo1.volterra.us" and successfully resolves to the IP address of a Volterra RE ‘13.92.86.106/32’.

image7
Figure: Configuring a static entry in /etc/hosts for name resolution

Step 2: Test the bookinfo application from CLI. This example sends requests using curl.

curl bookinfovk8s.customer1.demo1.volterra.us -v

image16
Figure: Successful Response without any user

curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=normal -v

image5
Figure: Successful Response with user=normal

curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=test -v

image28
Figure: Successful Response with user=test

Step 3: Configure a service policy set. Create the following service policy rules:

  • First rule ‘allow-normal’ allows all traffic from normal user
  • Second rule ‘deny-test’ denies all Test user traffic based on an HTTP value.

First service policy rule ‘allow-normal’

image10
Figure: Creating a Service Policy Rule - allow normal

Second service policy rule ‘deny-test’

image3
Figure: Creating a Service Policy Rule - deny-test

Second service policy rule ‘deny-test’ HTTP query configuration

image8
Figure: Creating a Service Policy Rule - deny-test - HTTP Query

Step 4: Configure service policy and ensure policy rules are in correct order and explicit ‘allow all‘ is at the end.

Service policy

image13
Figure: Associating Service Policy Rules to Service Policy

Step 5: Configure service policy set and select the policy defined in the previous step.

Service policy set

image18
Figure: Associating Service Policy to Service Policy Set

Result: Service policy denying traffic to HTTP request with exact value of ‘test’ in the query header is applied.

Step 6: Access the user link from a browser or using curl CLI command.

curl bookinfovk8s.customer1.demo1.volterra.us -v

image6
Figure: Successful Response without any user

curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=normal -v

image1
Figure: Successful Response with user=normal

Accessing the test user link results in denial with ‘403 Forbidden’ response.

curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=test -v

image19
Figure: Forbidden Response with user=test

Step 7: Check service policy statistics using the tenant portal and namespace. The statistics include the number of hits per service policy rule.

image11
Figure: Monitoring Service Policy Stats


Concepts


API References