Service Policy

Objective

This document provides instructions on how to configure an application-level policy using service policy rules and service policy sets. To learn more about how Volterra secures your applications using service policies, see Volterra Service Policy.

Using the instructions provided in this document, you can create service policies with policy rules to secure your applications.


Prerequisites


Configuration

The following image shows the configuration workflow for policy rule, policy, and policy set:

Figure: Creating an Application Service Policy

Configure Service Policy

Log into VoltConsole and perform the following steps to create and apply service policies to your application:

Step 1: Select or create the desired namespace.

Click General on the namespace selector and select Personal Management -> My Namespaces. Click Add namespace, enter a name for your namespace, and click Save.

Figure: Create a Namespace

You can change to an existing namespace or a created namespace by clicking App on the namespace selector and selecting a namespace from the list of the namespaces.

Figure: Navigating to a Namespace

Note: You can create a service policy in the following namespaces:

  • System
  • Shared
  • Configured namespace (NS).

Step 2: Start creating service policy set.

Select Security -> Service Policy from the configuration menu and Service Policy Sets from the options. Click Add Service policy set. Enter a name and click Select policy object.

Figure: Service Policy Set Creation

Step 3: Start service policy creation.

Click Add new service policy in the service policy selection screen.

Figure: Service Policy Creation

Step 4: Set the service policy configuration.

Set a name and configure the fields as per the following guidelines:

  • Select one of the following options for the Server Selection field:

    • Any Server - Applies the policy to any server.
    • Server Name - Name of the server to which the request is made. Enter the name of the server in the Server Name field.
    • Group of Servers by Name - List of server names for which requests are made. You can specify them using Exact Values or Regex Values. Click Add item and enter exact values or regular expressions for server names.
    • Group of Servers by Label Selector - Specifies the labels associated with the servers to which the requests are made. Click on the Selector Expression field, select a key from the displayed options or type a key and click Assign Custom Key. Select a displayed operator and select a displayed value or enter a custom value and click Assign Custom Value.

      Note: Custom labels are currently not supported for this field.

  • Click Add service policy rule in the Rules section. The service policy rule creation form gets loaded.

Step 5: Create service policy rules and apply them to the service policy.

Create service policy rules as per the following guidelines:

  • Enter a name for the policy and select an option in the Action field.
  • Select one of the following options for the Client Selection field:

    • Any Client - Applies the policy to any client.
    • Client Name - Name of the client making the request. Enter the name of the client in the Client Name field.
    • Group of Clients by Name - List of client names making the request. You can specify them using Exact Values or Regex Values. Click Add item and enter exact values or regular expressions for client names.
    • Group of Clients by Label Selector - Specifies the labels associated with the clients to which the requests are made. Click on the Selector Expression field, select a key from the displayed options or type a key and click Assign Custom Key. Select a displayed operator and select a displayed value or enter a custom value and click Assign Custom Value.

      Note:

      • Custom labels are currently not supported for this field.
      • For clients coming from the public internet, implicit labels such as Geo-IP Country, Geo-IP City, or Geo-IP Region can be used. The Geo-IP data is sourced from the MaxMind free database. A Geo-IP label can be used with the key geoip.ves.io/country, geoip.ves.io/city, or geoip.ves.io/region, with the value selected from the choices.

  • Optionally, configure the Servers section by clicking Add item for the Exact Values or Regex Values fields. Enter an exact value or regular expression for the domain.

Figure: Rule Action and Client Settings

  • Optionally, configure Request Match field as per the following guidelines:

    • Select an option for the HTTP Method field.
    • Enter a path for the HTTP Path field. You can specify them using Prefix Values or Exact Values or Regex Values. Click Add item and enter appropriate path value accordingly.

Figure: Request Match Settings

  • Optionally, click Add query param in the HTTP Query Parameters field and configure as per the following guidelines:

    • Enter query parameter name in the Query Parameter Name field.
    • Select an option for the Match Options field. In case of the Match Values option (which is populated by default), you can specify values using Exact Values or Regex Values. Click Add item and enter exact values or regular expressions.
    • Click Add query param to apply the query parameter.

Figure: Query Parameter Settings

  • Optionally, click Add header in the HTTP Headers field and configure as per the following guidelines:

    • Enter the header name in the Header Name field.
    • Select an option for the Match Options field. In case of the Match Values option (which is populated by default), you can specify values using Exact Values or Regex Values. Click Add item and enter exact values or regular expressions.
    • Click Add header to apply the header settings.

Figure: Header Matcher Settings

  • Click Save and Exit to create and add the policy rule to policy configuration.

Figure: Policy Rule Created

Similarly, you can use Add service policy rule to create and add more rules as per your requirement.

Note: Ensure you create and add a rule with a name and the Allow action. Leave the rest of the fields at their defaults.
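
The following is an added example, not Volterra code or its API: a small offline model for checking an intended rule list against sample requests before entering it in VoltConsole. It assumes rules are tried in order with the first match deciding, that unset fields match anything, that regex values must match the whole path, and that a request matching no rule is denied; the rule names, the country value XX, and the sample paths are constructed.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                        # "ALLOW" or "DENY"
    client_labels: dict = field(default_factory=dict)  # label key -> set of accepted values
    methods: set = field(default_factory=set)          # empty set = any HTTP method
    path_prefixes: list = field(default_factory=list)  # Prefix Values
    path_regexes: list = field(default_factory=list)   # Regex Values

    def matches(self, req):
        # Every configured field must match; an unset field matches anything (assumption).
        for key, accepted in self.client_labels.items():
            if req["labels"].get(key) not in accepted:
                return False
        if self.methods and req["method"] not in self.methods:
            return False
        if self.path_prefixes or self.path_regexes:
            by_prefix = any(req["path"].startswith(p) for p in self.path_prefixes)
            by_regex = any(re.fullmatch(r, req["path"]) for r in self.path_regexes)
            if not (by_prefix or by_regex):
                return False
        return True

def evaluate(rules, req, default="DENY"):
    """Return (action, rule name) of the first matching rule, else the assumed default."""
    for rule in rules:
        if rule.matches(req):
            return rule.action, rule.name
    return default, None

def request(country, method, path):
    # Constructed sample request; the country value is a placeholder, not a real choice.
    return {"labels": {"geoip.ves.io/country": country}, "method": method, "path": path}

# Constructed rule list: two restrictive rules, then the name-plus-Allow rule from the note.
POLICY = [
    Rule("deny-geo", "DENY", client_labels={"geoip.ves.io/country": {"XX"}}),
    Rule("deny-api-delete", "DENY", methods={"DELETE"}, path_regexes=[r"/api/v[0-9]+/.*"]),
    Rule("allow-all", "ALLOW"),
]

if __name__ == "__main__":
    for req in (request("XX", "GET", "/"), request("YY", "DELETE", "/api/v2/users"),
                request("YY", "GET", "/api/v2/users")):
        print(req["method"], req["path"], "->", evaluate(POLICY, req))
    print("no allow rule ->", evaluate(POLICY[:-1], request("YY", "GET", "/api/v2/users")))
```

Under these assumptions, removing the final Allow rule turns every request that the restrictive rules do not match into a deny, which is the case the note above guards against.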

Step 6: Complete service policy creation.

  • Click Continue to create the policy.

Figure: Service Policy Created

Note: You can click Add new service policy in the policy selection form and add more policies to the service policy set.

  • Click Select policy object to add the policy to the policy set configuration.

Step 7: Complete service policy set creation.

  • Click Save and Exit to create the service policy set.

Figure: Service Policy Set Created


Concepts


API References