Istio

Istio uses Envoy as an Ingress. This means it has a relatively comprehensive integration option. Istio is supported with Authelia v4.37.0 and higher via the Envoy proxy external authorization filter.

Get started#

It’s strongly recommended that users setting up Authelia for the first time take a look at our Get started guide. This takes you through various steps which are essential to bootstrapping Authelia.

Variables#

Some of the values within this page can automatically be replaced with documentation variables.

Set Documentation Variables

Example#

This example assumes that you have deployed an Authelia pod and you have configured it to be served on the URL https://auth.example.com and there is a Kubernetes Service with the name authelia in the default namespace with TCP port 80 configured to route to the Authelia pod’s HTTP port and that your cluster is configured with the default DNS domain name of cluster.local.

Operator#

This is an example IstioOperator manifest adjusted to authenticate with Authelia. This example only shows the necessary portions of the resource that you add as well as context. You will need to adapt it to your needs.

apiVersion: 'install.istio.io/v1alpha1'
kind: 'IstioOperator'
spec:
  meshConfig:
    extensionProviders:
      - name: 'authelia'
        envoyExtAuthzHttp:
          service: 'authelia.default.svc.cluster.local'
          port: 80
          pathPrefix: '/api/authz/ext-authz/'
          includeRequestHeadersInCheck:
            - 'accept'
            - 'cookie'
            - 'authorization'
            - 'proxy-authorization'
          headersToUpstreamOnAllow:
            - 'remote-*'
            - 'authelia-*'
          includeAdditionalHeadersInCheck:
            X-Forwarded-Proto: '%REQ(:SCHEME)%'
          headersToDownstreamOnDeny:
            - 'set-cookie'
          headersToDownstreamOnAllow:
            - 'set-cookie'

Authorization Policy#

The following Authorization Policy applies the above filter extension provider to the nextcloud.example.com domain:

apiVersion: 'security.istio.io/v1beta1'
kind: 'AuthorizationPolicy'
metadata:
  name: 'nextcloud'
  namespace: 'apps'
spec:
  action: 'CUSTOM'
  provider:
    name:  'authelia'
  rules:
    - to:
        - operation:
            hosts:
              - 'nextcloud.example.com'

See Also#

• Istio External Authentication Documentation
• Istio Authorization Policy Documentation
• Istio IstioOperator Options Documentation
• Istio MeshConfig Extension Provider EnvoyExtAuthz HTTP Provider Documentation