Skip to content

Service Mesh (Istio)

Work in Progress

This page is a placeholder. See Architecture for current documentation.

Overview

Istio can enforce authorization policies based on SPIFFE identity.

Authorization Policy Example

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-code-review-agent
  namespace: backend
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            principals:
              - "spiffe://cluster.local/ns/ai-agents/sa/code-review"
      to:
        - operation:
            methods: ["GET", "POST"]
            paths: ["/api/reviews/*", "/api/comments/*"]
    - from:
        - source:
            principals:
              - "spiffe://cluster.local/ns/ai-agents/sa/code-review"
      to:
        - operation:
            methods: ["GET"]
            paths: ["/api/repos/*/files/*"]

Reference