Secure an API with Tyk Operator
A security policy encapsulates several options that can be applied to a key. It acts as a template that can override individual sections of an API key (or identity) in Tyk.
Currently, the Operator only supports this feature with Tyk Dashboard. Support for Security Policies on Tyk Open Source will be added in a future Tyk Operator release. As a workaround, you can mount the policy object as a volume into the gateway container.
Tutorial: Create a Policy with Tyk Operator
Step 1: Create a SecurityPolicy resource in YAML format
Create a file called `ratelimit.yaml`, then add the following:
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: httpbin
spec:
  name: Rate Limit, Quota and Throttling policy
  state: active
  active: true
  access_rights_array:
    - name: httpbin
      namespace: default
      versions:
        - Default
  quota_max: 10
  quota_renewal_rate: 60
  rate: 5
  per: 5
  throttle_interval: 2
  throttle_retry_limit: 2
```
You can link this Security Policy to any APIs you have defined in `access_rights_array`. In this example, the security policy is applied to the `httpbin` API in
Step 2: Deploy the SecurityPolicy resource
You can do so either by applying sample manifests defined in our repository, for example:
```bash
kubectl apply -f docs/policies/ratelimit.yaml
```
Or, if you don't have the manifest to hand, you can run the following command:
```bash
cat <<EOF | kubectl apply -f -
apiVersion: tyk.tyk.io/v1alpha1
kind: ApiDefinition
metadata:
  name: httpbin
spec:
  name: httpbin protected
  protocol: http
  active: true
  proxy:
    target_url: http://httpbin.org
    listen_path: /httpbin
    strip_listen_path: true
  use_standard_auth: true
  auth_configs:
    authToken:
      auth_header_name: Authorization
---
apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: httpbin
spec:
  name: Rate Limit, Quota and Throttling policy
  state: active
  active: true
  access_rights_array:
    - name: httpbin
      namespace: default
      versions:
        - Default
  quota_max: 10
  quota_renewal_rate: 60
  rate: 5
  per: 5
  throttle_interval: 2
  throttle_retry_limit: 2
EOF
```
To check that the policy has been created, you can run the following command:
```bash
$ kubectl get securitypolicy
NAME      AGE
httpbin   10s
```
You have successfully created the `httpbin` security policy for your
You can use the SecurityPolicy CRD to set access lists for APIs and versions, global usage quotas, rate limits and throttling, and to add tags and metadata:
```yaml
apiVersion: tyk.tyk.io/v1alpha1
kind: SecurityPolicy                 # SecurityPolicy CRD
metadata:
  name: httpbin                      # Unique k8s name
spec:
  name: Httpbin Security Policy      # Generic Name
  state: active                      # View securitypolicy_types for more info
  active: true                       # View securitypolicy_types for more info
  access_rights_array:               # Adding APIs to the Policy. More info just below
    - name: httpbin                  # Metadata name of API
      namespace: default
      versions:
        - Default                    # Mandatory, Default is created automatically
  quota_max: 10
  quota_renewal_rate: 60
  rate: 5
  per: 5
  throttle_interval: 2
  throttle_retry_limit: 2
  tags:
    - Hello
    - World
  meta_data:
    key: value
    hello: world
```
Required fields in the policy:
name: The name of the security policy.
active: Marks policy as active.
state: It can have value
Access lists for API and versions:
access_rights_array: The list of APIs the security policy grants access to.
Usage Quota fields:
quota_max: The maximum number of allowed requests over a quota period.
quota_renewal_rate: Time, in seconds, after which quota will be renewed.
Rate limiting fields:
rate: The number of requests to allow per period.
per: The length of the rate-limit period, in seconds.
throttle_interval: Interval (in seconds) between each request retry.
throttle_retry_limit: The maximum number of times a throttled request is retried.
tags: List of tags.
meta_data: Metadata key and values.
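As an added example (not part of the Tyk Operator or its docs), a pre-apply lint for a SecurityPolicy manifest that checks the required fields above, flags a policy whose `access_rights_array` grants nothing, and catches a quota that the rate limit can never let a key consume. It operates on the dict that `yaml.safe_load()` returns; the embedded manifest is the page's `ratelimit.yaml`, and the accepted `state` values are an assumption.

```python
# Pre-apply lint for a Tyk SecurityPolicy manifest (constructed example, not Tyk's own code).
# It operates on the dict that yaml.safe_load() returns for the manifest file.

# The page's ratelimit.yaml, as loaded into a dict.
RATELIMIT_POLICY = {
    "apiVersion": "tyk.tyk.io/v1alpha1",
    "kind": "SecurityPolicy",
    "metadata": {"name": "httpbin"},
    "spec": {
        "name": "Rate Limit, Quota and Throttling policy",
        "state": "active", "active": True,
        "access_rights_array": [
            {"name": "httpbin", "namespace": "default", "versions": ["Default"]}],
        "quota_max": 10, "quota_renewal_rate": 60,
        "rate": 5, "per": 5,
        "throttle_interval": 2, "throttle_retry_limit": 2,
    },
}

REQUIRED = ("name", "active", "state")
STATES = ("active", "draft", "deny")  # assumption: the policy states Tyk accepts


def lint_policy(manifest):
    """Return reviewer findings; an empty list means the policy looks sound."""
    findings = []
    if manifest.get("kind") != "SecurityPolicy":
        findings.append("kind must be SecurityPolicy")
    spec = manifest.get("spec") or {}
    findings += [f"missing required field spec.{f}" for f in REQUIRED if f not in spec]
    if spec.get("state") not in STATES:
        findings.append(f"state {spec.get('state')!r} is not one of {STATES}")
    # A policy with no access rights is a template that grants keys nothing.
    rights = spec.get("access_rights_array") or []
    if not rights:
        findings.append("access_rights_array is empty: policy grants no API access")
    for api in rights:
        if not api.get("versions"):
            findings.append(f"API {api.get('name')!r} lists no versions")
    rate, per = spec.get("rate"), spec.get("per")
    qmax, qrate = spec.get("quota_max"), spec.get("quota_renewal_rate")
    if per is not None and per <= 0:
        findings.append("per must be > 0 seconds")
    # A positive quota larger than what the rate limit admits per renewal window
    # can never be consumed, so one of the two numbers is probably wrong.
    if rate and per and per > 0 and qmax and qmax > 0 and qrate and qrate > 0:
        if qmax > rate / per * qrate:
            findings.append("quota_max exceeds what the rate limit admits per renewal window")
    return findings
```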
You can go to the Policies page on GitHub to see all the latest Security Policies fields and features we support.