Enabling application layer policy

About enabling application layer policy

Application layer policy for Calico allows you to write policies that enforce against application layer attributes, such as HTTP methods or paths, as well as against cryptographically secure identities: the workload identity that Istio's mutual TLS establishes for each pod, rather than an IP address or a label that a compromised workload could spoof.

Support for application layer policy is not enabled by default in Calico installs, since it requires extra CPU and memory resources to operate.
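The following policy is an added example to show what such a policy looks like; it is not taken from the Calico documentation or the tutorial manifests. The service names (`inventory`, `storefront`, `batch-loader`), the `app` label and the paths are assumptions chosen for illustration.

```yaml
# Added example (not from the Calico docs). Assumed: an "inventory" HTTP service
# whose pods carry the label app=inventory, a read-only "storefront" client and a
# write-only "batch-loader" client, each running under a service account of that name.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: inventory-api
spec:
  # Which pods this policy protects.
  selector: app == 'inventory'
  types:
    - Ingress
  ingress:
    # Read-only access for the storefront. The source is identified by the
    # Kubernetes service account that Istio's mutual TLS certifies, so a pod
    # that merely copies the storefront's labels or IP does not match.
    - action: Allow
      source:
        serviceAccounts:
          names: ["storefront"]
      http:
        methods: ["GET", "HEAD"]
        paths:
          - exact: "/healthz"
          - prefix: "/api/v1/items"
    # Only the batch loader may write, and only to the import endpoint.
    - action: Allow
      source:
        serviceAccounts:
          names: ["batch-loader"]
      http:
        methods: ["POST", "PUT"]
        paths:
          - prefix: "/api/v1/import"
    # No further rules: any other identity, method or path is denied, because a
    # selected endpoint drops ingress traffic that no Allow rule matches.
```

The `http` and `serviceAccounts` clauses take effect only on pods that run the Envoy and Dikastes sidecars described in the rest of this page; pods outside the mesh are subject only to standard Calico network policy.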

Enabling application layer policy

Prerequisite: Calico installed.

Locate the manifest below that matches your installation method and apply it. After applying the manifest, your calico/node containers will restart.

  • Calico for policy and networking with the etcd datastore:

    kubectl apply -f \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/etcd/calico-networking/calico-node.yaml
    

    Note: You can also view the manifest in your browser.

  • Calico for policy and networking with the Kubernetes API datastore:

    kubectl apply -f \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/calico-networking/calico-node.yaml
    

    Note: You can also view the manifest in your browser.

  • Calico for policy and flannel for networking with the Kubernetes API datastore:

    kubectl apply -f \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/flannel/calico-node.yaml
    

    Note: You can also view the manifest in your browser.

  • Calico for policy only:

    kubectl apply -f \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/policy-only/calico-node.yaml
    

    Note: You can also view the manifest in your browser.

Installing Istio

Application layer policy requires Istio.

Install Istio according to the Istio project documentation, making sure to enable mutual TLS authentication. For example:

curl -L https://git.io/getLatestIstio | sh -
cd $(ls -d istio-*)
kubectl apply -f install/kubernetes/istio-demo-auth.yaml

Note: If an “unable to recognize” error occurs after applying install/kubernetes/istio-demo-auth.yaml, it is most likely a race between creating an Istio CustomResourceDefinition and creating a resource of that type in the same apply. Re-run the kubectl apply; the second run succeeds once the CRD is registered.

Updating the Istio sidecar injector

The sidecar injector automatically modifies pods as they are created to work with Istio. This step modifies the injector configuration to add Dikastes, a Calico component, as a sidecar container alongside Envoy.

  1. Follow the Automatic sidecar injection instructions to install the sidecar injector and enable it in your chosen namespace(s).

  2. Apply the following ConfigMap to enable injection of Dikastes alongside Envoy.

    kubectl apply -f \
    https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/istio-inject-configmap.yaml
    

    Note: You can also view the manifest in your browser.

If you would like to install a different version of Istio or inspect the changes we have made to the standard sidecar injector ConfigMap, see Customizing the manifests.

Adding Calico authorization services to the mesh

Apply the following manifest to configure Istio to query Calico for application layer policy authorization decisions.

kubectl apply -f \
https://docs.projectcalico.org/v3.4/getting-started/kubernetes/installation/manifests/app-layer-policy/istio-app-layer-policy.yaml

Note: You can also view the manifest in your browser.

Adding namespace labels

Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars. Pods that do not have these sidecars will only enforce standard Calico network policy.

You can control this on a per-namespace basis. To have the Istio injector add the sidecars to every pod created in a namespace, and so enable application layer policy for that namespace, add the label istio-injection=enabled.

kubectl label namespace <your namespace name> istio-injection=enabled

The injector only acts when a pod is created, so if the namespace already has pods in it, you will have to recreate them for this to take effect.

Note: Envoy must be able to communicate with the istio-pilot.istio-system service, from which it fetches its configuration. If you apply any egress policies to your pods, those policies must explicitly allow this traffic. For example, you could apply a network policy.
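The following pair of policies is an added example, not a manifest from the Calico project, of how a default-deny egress policy breaks the sidecar and how to pair it with an allow rule that keeps Envoy reachable to Pilot. It assumes the application pods live in a namespace named `shop`, that Pilot pods carry the `istio: pilot` label the istio-pilot Service selects on, and that cluster DNS pods carry the `k8s-app: kube-dns` label; check these labels in your cluster before applying.

```yaml
# Added example (not from the Calico docs). Assumed: application namespace "shop",
# Pilot pods labelled istio=pilot, cluster DNS pods labelled k8s-app=kube-dns.
# Calico sets the projectcalico.org/namespace label on every workload endpoint,
# which is what the destination selectors below use.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: shop-allow-istio-control-plane
spec:
  # Lower order is evaluated first, so this Allow wins over the Deny below.
  order: 100
  selector: projectcalico.org/namespace == 'shop'
  types:
    - Egress
  egress:
    # Envoy fetches its listeners, clusters and routes from
    # istio-pilot.istio-system; without this rule the sidecar never configures.
    - action: Allow
      protocol: TCP
      destination:
        selector: projectcalico.org/namespace == 'istio-system' && istio == 'pilot'
    # The sidecar resolves istio-pilot.istio-system through cluster DNS, so a
    # pilot-only allow rule is not enough on its own.
    - action: Allow
      protocol: UDP
      destination:
        selector: projectcalico.org/namespace == 'kube-system' && k8s-app == 'kube-dns'
        ports: [53]
    - action: Allow
      protocol: TCP
      destination:
        selector: projectcalico.org/namespace == 'kube-system' && k8s-app == 'kube-dns'
        ports: [53]
---
# The weak setting on its own: a default-deny egress policy for the namespace.
# Applied without the policy above, every new pod's Envoy sidecar is cut off
# from Pilot and application traffic through the sidecar fails.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: shop-default-deny-egress
spec:
  order: 1000
  selector: projectcalico.org/namespace == 'shop'
  types:
    - Egress
  egress:
    - action: Deny
```

Any other Istio control-plane component your mesh configuration makes the sidecar talk to needs the same treatment; if pods in the namespace start but their traffic fails, the Envoy sidecar's logs are the first place to look for refused connections to istio-system.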