Enabling application layer policy (optional)
About enabling application layer policy
Application layer policy for Calico allows you to write policies that enforce against application layer attributes like HTTP methods or paths as well as against cryptographically secure identities.
Support for application layer policy is not enabled by default in Calico installs, since it requires extra CPU and memory resources to operate.
Enabling application layer policy
Prerequisites:
Application layer policy requires the Policy Sync API to be enabled on Felix. To do this cluster-wide, modify the default FelixConfiguration to set the field policySyncPathPrefix to /var/run/nodeagent. The following example uses sed to modify your existing default config before re-applying it.
calicoctl get felixconfiguration default --export -o yaml | \
  sed -e '/  policySyncPathPrefix:/d' \
      -e '$ a\  policySyncPathPrefix: /var/run/nodeagent' > felix-config.yaml
calicoctl apply -f felix-config.yaml
Installing Istio
Application layer policy requires Istio.
Install Istio according to the Istio project documentation, making sure to enable mutual TLS authentication. For example:
curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.1.7 sh -
cd $(ls -d istio-*)
kubectl apply -f install/kubernetes/helm/istio-init/files/
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Note: If an “unable to recognize” error occurs after applying install/kubernetes/istio-demo-auth.yaml, it is likely a race condition between creating an Istio CRD and then a resource of that type. Re-run the kubectl apply.
Updating the Istio sidecar injector
The sidecar injector automatically modifies pods as they are created to work with Istio. This step modifies the injector configuration to add Dikastes, a Calico component, as sidecar containers.
- Follow the Automatic sidecar injection instructions to install the sidecar injector and enable it in your chosen namespace(s).
- Apply the following ConfigMap to enable injection of Dikastes alongside Envoy.
kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/alp/istio-inject-configmap-1.1.7.yaml
Note: You can also view the manifest in your browser.
If you have installed a different version of Istio, substitute 1.1.7 in the above URL for your Istio version. We have pre-defined ConfigMaps for Istio versions 1.0.6, 1.0.7, and 1.1.0 through 1.1.7. To customize the standard sidecar injector ConfigMap or understand the changes we have made, see Customizing the manifests.
Adding Calico authorization services to the mesh
Apply the following manifest to configure Istio to query Calico for application layer policy authorization decisions.
kubectl apply -f https://docs.projectcalico.org/v3.8/manifests/alp/istio-app-layer-policy.yaml
Note: You can also view the manifest in your browser.
Adding namespace labels
Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars. Pods that do not have these sidecars will only enforce standard Calico network policy.
You can control this on a per-namespace basis. To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled.
kubectl label namespace <your namespace name> istio-injection=enabled
If the namespace already has pods in it, you will have to recreate them for this to take effect.
Note: Envoy must be able to communicate with the istio-pilot.istio-system service. If you apply any egress policies to your pods, you must enable access. For example, you could apply a network policy.
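One way to grant that access, as an added example that is not taken from the Calico documentation: a Calico NetworkPolicy that allows egress from every pod in the labelled namespace to the Pilot pods in istio-system, plus DNS so the Pilot service name can be resolved. It assumes the namespace is called my-app, that Istio's Pilot pods carry the label istio=pilot, and that cluster DNS pods carry the label k8s-app=kube-dns in kube-system.

```yaml
# Added example (not from the Calico docs): allow egress from all pods in the
# application namespace to Istio Pilot, so the Envoy sidecars can fetch their
# configuration even when other egress policies deny the rest of the traffic.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-egress-to-istio-pilot
  namespace: my-app   # assumption: the namespace labelled istio-injection=enabled
spec:
  # Applies to every pod in the namespace, sidecar containers included.
  selector: all()
  types:
  - Egress
  egress:
  # Assumption: Pilot pods carry the label istio=pilot, which Istio's own
  # manifests set on the istio-pilot Deployment in the istio-system namespace.
  - action: Allow
    destination:
      namespaceSelector: projectcalico.org/name == 'istio-system'
      selector: istio == 'pilot'
  # Envoy resolves istio-pilot.istio-system by name, so DNS must also be
  # reachable. Assumption: DNS pods are labelled k8s-app=kube-dns in kube-system.
  - action: Allow
    protocol: UDP
    destination:
      namespaceSelector: projectcalico.org/name == 'kube-system'
      selector: k8s-app == 'kube-dns'
      ports:
      - 53
```

Because Calico evaluates all policies that select a pod, this Allow policy can sit alongside an existing restrictive egress policy without modifying it; any egress a pod needs beyond Pilot and DNS still has to be allowed explicitly.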