Enabling application layer policy
About enabling application layer policy
Application layer policy lets you write Calico policies that match on application layer attributes, such as HTTP methods or paths, and on cryptographically secure workload identities (the mutual TLS identities Istio assigns to service accounts), rather than only on IP addresses and ports.
Application layer policy is not enabled by default in Calico installs, because it requires extra CPU and memory: an Envoy and a Dikastes sidecar run alongside every pod in a namespace where it is enabled.
Enabling application layer policy
Prerequisite: Calico installed.
Locate the manifest below that matches your installation method and apply it. After applying the manifest, your calico/node containers will restart.
- Calico for policy and networking with the etcd datastore:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/etcd/calico-networking/calico-node.yaml
- Calico for policy and networking with the Kubernetes API datastore:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/calico-networking/calico-node.yaml
- Calico for policy and flannel for networking with the Kubernetes API datastore:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/flannel/calico-node.yaml
- Calico for policy only:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/kubernetes-datastore/policy-only/calico-node.yaml
Installing Istio
Application layer policy requires you to use Istio in your cluster to function correctly. We support Istio version 1.0.0 or newer.
Install Istio according to the Istio project documentation, making sure to enable mutual TLS authentication: the workload identities that application layer policy matches on come from the mutual TLS client certificates. For example, to download the latest release and install the demo profile with mutual TLS enabled:
# Downloads and runs the Istio release script; review the script before running it on a production machine.
curl -L https://git.io/getLatestIstio | sh -
# The directory name matches the version that was downloaded.
cd istio-1.0.0
# istio-demo-auth.yaml is the demo profile with mutual TLS enabled between sidecars.
kubectl apply -f install/kubernetes/istio-demo-auth.yaml
Updating the Istio sidecar injector
The sidecar injector automatically modifies pods as they are created to work with Istio. This step modifies the injector configuration to add Dikastes, a Calico component, as sidecar containers.
- Follow the Automatic sidecar injection instructions to install the sidecar injector and enable it in your chosen namespace(s).
- Apply the following ConfigMap to enable injection of Dikastes alongside Envoy:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/istio-inject-configmap.yaml
If you would like to install a different version of Istio or inspect the changes we have made to the standard sidecar injector ConfigMap, see Customizing the manifests.
Adding Calico authorization services to the mesh
Apply the following manifest to configure Istio to query Calico for application layer policy authorization decisions:
kubectl apply -f https://just-master--zealous-perlman-827aaa.netlify.com/v3.2/getting-started/kubernetes/installation/manifests/app-layer-policy/istio-app-layer-policy.yaml
Adding namespace labels
Application layer policy is only enforced on pods that are started with the Envoy and Dikastes sidecars; Dikastes runs inside the pod and makes the authorization decisions that Envoy enforces. Pods without these sidecars still enforce standard Calico network policy, but none of the application layer rules.
You can control this on a per-namespace basis. To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled:
kubectl label namespace <your namespace name> istio-injection=enabled
If the namespace already has pods in it, you must recreate them for this to take effect, because the sidecars are injected only when a pod is created.
Note: Envoy must be able to communicate with the istio-pilot.istio-system service to receive its configuration. If you apply any egress policies to your pods, you must allow this traffic, for example with a network policy that permits egress to Pilot.
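The two kinds of policy this page talks about, as an added example rather than one of the project's manifests: a GlobalNetworkPolicy that keeps Envoy's path to Pilot (and to cluster DNS, which Envoy needs to resolve the Pilot service name) open for pods in a namespace that already has egress policy, and a namespaced NetworkPolicy that uses the HTTP method and mutual TLS service-account identity that application layer policy adds. The namespace app, the workload label app=customer and the service account summary are made up for the illustration; the label istio=pilot on Pilot pods and the discovery port 15011 match the Istio 1.0 istio-demo-auth install shown above, and kube-dns is assumed to carry k8s-app=kube-dns. Calico policy resources are applied with calicoctl, not kubectl.

```yaml
# Added example; not one of the manifests from the Calico docs. All names are
# assumptions for the illustration: adjust them to your cluster.
#
# Apply with calicoctl (Calico policy resources are not applied with kubectl):
#   calicoctl apply -f app-layer-policy-example.yaml
#
# 1. Keep Envoy's control-plane path open for pods in the "app" namespace, which
#    is assumed to already have egress policy. Calico denies egress that matches
#    no rule as soon as any egress policy selects a pod, so do not widen the
#    selector to all() unless you intend cluster-wide egress default-deny.
#    Assumptions: Pilot pods carry the label istio=pilot and Envoy dials the
#    mTLS discovery port 15011 (both true for Istio 1.0 istio-demo-auth.yaml);
#    kube-dns pods carry k8s-app=kube-dns. Check with:
#      kubectl -n istio-system get pods,svc -l istio=pilot
#      kubectl -n kube-system get pods -l k8s-app=kube-dns
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-istio-pilot-app
spec:
  # projectcalico.org/namespace is the label Calico attaches to every pod's
  # workload endpoint, so a global policy can be scoped to one namespace.
  selector: projectcalico.org/namespace == 'app'
  order: 10          # evaluated before the namespace's own egress policies
  types:
    - Egress
  egress:
    # Envoy -> Pilot (xDS over mutual TLS)
    - action: Allow
      protocol: TCP
      destination:
        selector: istio == 'pilot' && projectcalico.org/namespace == 'istio-system'
        ports: [15011]
    # Envoy resolves istio-pilot.istio-system through cluster DNS
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == 'kube-dns' && projectcalico.org/namespace == 'kube-system'
        ports: [53]
---
# 2. An application layer rule for the assumed "customer" workload: accept only
#    GET requests, and only from workloads running as the "summary" service
#    account, whose identity Istio proves with the mutual TLS client certificate.
#    Dikastes enforces the http and serviceAccounts checks in the customer pod's
#    sidecar; as noted above, pods without the sidecar only get standard
#    network policy.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: customer-allow-get-from-summary
  namespace: app
spec:
  selector: app == 'customer'
  types:
    - Ingress
  ingress:
    - action: Allow
      http:
        methods: ["GET"]
      source:
        serviceAccounts:
          names: ["summary"]
```

The first policy deliberately selects one namespace rather than all(): because Calico drops egress traffic that no rule matches once any egress policy applies to a pod, a cluster-wide allow-to-Pilot policy would silently turn on egress default-deny for every pod that had no egress policy before. The second policy shows why mutual TLS is required: the serviceAccounts match is only as trustworthy as the client certificate Envoy presents, and with plaintext traffic the source identity could not be verified.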