Skip to main content

Policy Authoring

Policy authoring with Envoy amounts to describing which HTTP APIs should be allowed into and out of a service running next to Envoy. Those policies are enforced by Envoy, and a rejected API request is never seen by the service. Additionally, you can write a policy that your service calls into explicitly to provide additional information that Envoy does not have; it is your service's responsibility to enforce that decision appropriately.

Pre-installed Policies

When you add the Envoy system, several policies are automatically installed. In the Styra DAS, click app, egress or ingress folders from your Envoy system to see the policies.

  • app: Custom policy that you can use if your application needs additional policy decisions from OPA.

  • egress: Policy that either allows or denies outgoing traffic.

  • ingress: Policy that either allows or denies incoming traffic.

Write Ingress and Egress Policies

When authoring policies, use Open Policy Agent's policy language, Rego, to author policies.

For an introduction to Rego, Styra recommends you to read the following materials:

When writing Rego policies, you need to know the format of the JSON that is provided to each of your policies as input. The following shows a sample input provided by Envoy for Ingress and Egress policies. This sample includes source, destination, the request itself, and additional metadata. Usually, the concern is around the request itself.

{
"attributes": {
"destination": {
"address": {
"socketAddress": {
"address": "3.89.166.41",
"portValue": 80
}
}
},
"metadataContext": {
"filterMetadata": {
"envoy.filters.http.header_to_metadata": {
"policy_type": "egress"
}
}
},
"request": {
"http": {
"headers": {
":authority": "httpbin.org",
":method": "GET",
":path": "/anything",
"accept": "*/*",
"user-agent": "curl/7.74.0-DEV",
"x-forwarded-proto": "http",
"x-request-id": "7b18247b-e2fd-4002-a8e2-ff2a9b7ceca0"
},
"host": "httpbin.org",
"id": "5026273330918463281",
"method": "GET",
"path": "/anything",
"protocol": "HTTP/1.1"
},
"time": "2021-09-13T16:55:30.872223Z"
},
"source": {
"address": {
"socketAddress": {
"address": "10.244.0.7",
"portValue": 37790
}
}
}
},
"parsed_body": null,
"parsed_path": [
"anything"
],
"parsed_query": {

},
"truncated_body": false,
"version": {
"encoding": "protojson",
"ext_authz": "v3"
}
}

When writing policies, the allow or deny rules are written to describe the conditions under which a request is allowed or denied. By default, requests are all allowed, so you must write policy to deny them.

For example, if you want to allow all GET requests and deny all POST requests to the root path, then write the following allow and deny rule.

# allow GET requests to the root path
allow {
input.attributes.request.http.method == "GET"
input.attributes.request.http.path == "/"
}

# deny POST requests to the root path
deny {
input.attributes.request.http.method == "POST"
input.attributes.request.http.path == "/"
}

Write App rules for OPA-aware Applications

In addition to the Ingress and Egress policies, the Envoy systems also support application policies. The structure of these policies are customizable according to the application's requirements. By default, the module policy.app contains allow and deny - rules similar to Ingress and Egress policies, but you can remove those and write any Rego that you want.

An application can directly query the OPA embedded in data plane sidecar, usually listening at localhost:8181, for application-specific authorization decisions. The default data document for application policies is data.application.main. This exercises the allow or deny rule created in policy.app module.

envoy-opa-das-App

Figure 1: Envoy Architecture for OPA-aware Applications

To query the App-specific main rule:

curl -XPOST localhost:8181/v1/data/application/main \
-d '{
"input": {
"method": "GET",
"path": [
"finance",
"salary",
"bob"
],
"user": "bob"
}
}'
{
"decision_id":"d9abc874-d27b-4ee4-9542-c044871484c9",
"result": {
"allowed": true,
"code": 200,
"status_code": 200,
"outcome": {
"allowed": true,
"code": 200,
"status_code": 200,
"policy_type": "app",
"system_type": "envoy"
}
}
}

The decision mappings for Envoy systems rely on the presence of well-known fields to correctly parse the results. The decision mapper expects an outcome structure in the result with two required fields:

  1. allowed

  2. policy_type

{
"outcome": {
"allowed": false, # boolean value to determine if decision was Allowed or Denied
# an absence of this value will mark the decision as Unknown
"policy_type": "app" # classifies the decision as an app decision
# useful for filtering decisions by type in the Decisions UI
}
}