Old Service Policy
On This Page:
Objective
This document provides instructions on how to configure an application-level policy using service policy rules and service policy sets. To know more about how Volterra secures your applications using service policies, See Volterra Service Policy for more information.
Using the instructions provided in this document, you can create service policies with policy rules to secure your applications.
Prerequisites
- Note: If you do not have an account, see Create a Volterra Account.
- A virtual host
- Note: If you do not have a virtual host, create one.
- Optionally, one or more cloud or edge locations with Volterra site
- Note: Install the Volterra Node or Cluster Image in your Cloud or Edge location.
Configuration
The following image shows configuration workflow for policy rule, policy, and policy set:
Configuration Sequence
Configuring service policy requires you to perform the following sequence of actions:
| Phase | Description |
|---|---|
| Create Service Policy Rule | Create a policy rule to use in the policy. |
| Create Service Policy | Create a policy with the policy rule. |
| Create Service Policy Set | Create a policy set with the policy created and apply it to a virtual host. |
Create Service Policy Rule
Step 1: Select or create the desired namespace. Select Security from configuration menu and Network Security from options pane.
Note: You can create a ‘Service Policy’ in the following namespaces:
- System
- Shared
- Configured namespace (NS).
Step 2: Create a service policy rule. Select Policy Rules from Service Policies and click Add service policy rule.
Enter the policy rule configuration parameters as per the following guidelines:
- Name: Name of the service policy rule
- Action: Supported actions are ‘allow’ and ‘deny’
- Client: Client field has the following subfields.
- Client Name: Name of the client accessing the server
- Label selector: Label selector expression for the client. In case of client coming from public internet, implicit labels like Geo-IP Country or Geo-IP Region can be used. The Geo-IP data is sourced from the MaxMind free database.
- Label Matcher: List of label keys for which label values should be the same for server and client.
- Path: In case of HTTP or HTTPs proxy, this is URL path.
- Headers: Match HTTP/HTTPs proxy HTTP header in the request
- Method: HTTP method of the request. For example, GET, POST, PUT or DELETE etc.
- Query Params: Match HTTP/HTTPs proxy query parameters in the request
- Client role: Role is currently used in Volterra RBAC policies and API Gateway
- Client name matcher: Regular expression matching the client's name
This example shows a sample rule to block traffic from France using the Geo-IP label geoip.ves.io/country.
Create Service Policy
Step 1: Select Policies under Service Policies and click Add service policy.
Enter the policy configuration parameters as per the following guidelines:
- Name: Name of the Service Policy
- Rule Combining Algorithm: The algorithm is of the following types:
- First Rule Match: Evaluates each rule in the order of configuration
- Deny Rule Overrides: Evaluates all "allow" rules only.
- Allow Rule Overrides: Evaluates all "deny" rules before evaluating any "allow" rules.
- Server name: A Fully Qualified Domain Name of the server
- Selector Expression: Label selector using keys
- Rules: Select service policy rule created above
Create Service Policy Set
Step 1: Select Policy set under Service Policies and click Add service policy set.
Enter the policy set configuration parameters as per the following guidelines:
- Name: Name of the service policy set
- Policies: Select service policy created above
Example: Block Backend Requests for Bookinfo Application
This step assumes user has already deployed a sample bookinfo application and a virtual host is created to access the application.
Step 1: Ensure that the name resolution is functioning correctly from your machine. In this example, the domain is "bookinfovk8s.customer1.demo1.volterra.us" and successfully resolves to the IP address of a Volterra RE ‘13.92.86.106/32’.
Step 2: Test the bookinfo application from CLI. This example sends requests using curl.
curl bookinfovk8s.customer1.demo1.volterra.us -v
curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=normal -v
curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=test -v
Step 3: Configure a service policy set. Create the following service policy rules:
- First rule ‘allow-normal’ allows all traffic from normal user
- Second rule ‘deny-test’ denies all Test user traffic based on an HTTP value.
First service policy rule ‘allow-normal’
Second service policy rule ‘deny-test’
Second service policy rule ‘deny-test’ HTTP query configuration
Step 4: Configure service policy and ensure policy rules are in correct order and explicit ‘allow all‘ is at the end.
Service policy
Step 5: Configure service policy set and select the policy defined in the previous step.
Service policy set
Result: Service policy denying traffic to HTTP request with exact value of ‘test’ in the query header is applied.
Step 6: Access the user link from a browser or using curl CLI command.
curl bookinfovk8s.customer1.demo1.volterra.us -v
curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=normal -v
Accessing the test user link results in denial with ‘403 Forbidden’ response.
curl bookinfovk8s.customer1.demo1.volterra.us/productpage?u=test -v
Step 7: Check service policy statistics using the tenant portal and namespace. The statistics include the number of hits per service policy rule.
