Skip to main content

Policy Authoring

Policy authoring with Emissary-ingress amounts to describing which HTTP APIs should be allowed or denied. Those policies are enforced by Emissary-ingress, and a rejected API request is never seen by the service.

Pre-installed Policies

When you add the Emissary-ingress system, ingress policy is automatically installed. In the Styra DAS, click ingress folders from your Emissary-ingress system to see the policies.

  • Ingress: Policy that either allows or denies incoming traffic.

Write Ingress Policy

Use Open Policy Agent's policy language called Rego to author policies.

For an introduction to Rego, Styra recommends you to read the following resources:

When writing Rego policies, you need to know the format of the JSON that is provided to each of your policies as input. The following shows a sample input provided by Emissary-ingress for ingress policy. This sample includes HTTP method, requested path, source address and headers with destination address.

{
"attributes": {
"destination": {...},
"metadata_context": {},
"request": {
"http": {
"headers": {
":authority": "emissary-ingress.emissary.svc.cluster.local",
":method": "GET",
":path": "/finance/salary/charlie",
"accept": "*/*",
"authorization": "Basic Ym9iOnBhc3N3b3Jk",
"user-agent": "curl/7.74.0-DEV",
"x-envoy-internal": "true",
"x-forwarded-for": "172.17.0.1",
"x-forwarded-proto": "https",
"x-request-id": "905393fa-03ca-4bd5-939c-1bc4b26eccaa"
},
"host": "emissary-ingress.emissary.svc.cluster.local",
"id": "`2924924403999187583`",
"method": "GET",
"path": "/finance/salary/charlie",
"protocol": "HTTP/1.1"
}

When writing policies, the allow or deny rules are written to describe the conditions under which a request is allowed or denied. By default, requests are all allowed, so you must write policy to deny them.

For example, if you want to allow all GET requests and deny all POST requests to the root path, then write the following allow and deny rule.

# allow GET requests to the root path
allow {
input.attributes.request.http.method == "GET"
input.attributes.request.http.path == "/"
}

# deny POST requests to the root path
deny {
input.attributes.request.http.method == "POST"
input.attributes.request.http.path == "/"
}

The decision mapping for Emissary-ingress systems rely on the presence of well-known field to correctly parse the results. The decision mapper expects allowed field in the result.

{
"result": {
"allowed": false # boolean value to determine if decision was Allowed or Denied
# an absence of this value will mark the decision as Unknown
}
}