This task covers the primary activities you might need to perform when enabling, configuring, and using Istio authentication policies. Find out more about the underlying concepts in the authentication overview.
Understand Istio authentication policy and the related mutual TLS authentication concepts. Install Istio on a Kubernetes cluster with the default configuration profile, as described in the installation steps. Our examples use two namespaces, foo and bar, each with two services, httpbin and sleep, both running with an Envoy sidecar proxy. We also use second instances of httpbin and sleep running without the sidecar in the legacy namespace.
You can verify the setup by sending an HTTP request with curl from any sleep pod in the foo, bar or legacy namespace to either httpbin instance.
All requests should succeed with HTTP code 200; check, for example, a request from a sleep pod in one namespace to the httpbin service in another. Last but not least, verify that there are no destination rules that apply to the example services. You can do this by checking the host: value of existing destination rules and making sure none of them match the httpbin or sleep hosts.
By default, Istio tracks the server workloads migrated to Istio proxies and configures client proxies to send mutual TLS traffic to those workloads automatically, and to send plain text traffic to workloads without sidecars. Thus, all traffic between workloads with proxies uses mutual TLS without you doing anything. While Istio automatically upgrades all traffic between proxies to mutual TLS, a workload with a proxy can still receive plain text traffic, for example from a client without a sidecar; this is permissive mode, and it is the default.
To lock this down, apply a mesh-wide peer authentication policy with mode STRICT. A mesh-wide policy must not have a selector and must be applied in the root namespace (istio-system by default).
This peer authentication policy configures workloads to accept only requests encrypted with mutual TLS. Requests from the sleep pod in the legacy namespace, which has no sidecar, now fail. This is expected: mutual TLS is strictly required, and a workload without a sidecar cannot comply.
To change mutual TLS for all workloads within a particular namespace, use a namespace-wide policy. The specification of the policy is the same as for a mesh-wide policy, but you specify the namespace it applies to under metadata. For example, a peer authentication policy with mode STRICT created in namespace foo enables strict mutual TLS for the foo namespace only.
As this policy applies only to workloads in namespace foo, you should see only the requests from the client without a sidecar (sleep.legacy) to httpbin.foo fail; requests to httpbin.bar still succeed. To set a peer authentication policy for a specific workload, you must configure the selector section and specify the labels that match the desired workload. However, Istio cannot aggregate workload-level policies for outbound mutual TLS traffic to a service.
Configure a destination rule to manage that behavior. For example, a peer authentication policy whose selector matches the httpbin workload, together with a destination rule for the httpbin host with TLS mode ISTIO_MUTUAL, enables strict mutual TLS for that httpbin workload alone. Again, run the probing command. As expected, the request from sleep.legacy to that httpbin workload fails. Mutual TLS can also be set per port: a peer authentication policy can require mutual TLS on all ports except, say, port 80, using the portLevelMtls section. A workload-specific peer authentication policy takes precedence over a namespace-wide policy.
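The workload-level policy with a port exemption, and the destination rule that pins the client side to match, as an added example (not code from the Istio task page). It assumes the httpbin workload runs in namespace bar with the label app: httpbin, that its Kubernetes service is httpbin.bar.svc.cluster.local, and that the service port and the container port are both 80; the page does not name the namespace or the ports.

```yaml
# Added example, not from the Istio docs. Assumptions: httpbin runs in
# namespace bar with label app: httpbin, is reachable as
# httpbin.bar.svc.cluster.local, and its service port equals its
# container port (80).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: httpbin
  namespace: bar
spec:
  selector:
    matchLabels:
      app: httpbin          # workload-level: overrides any namespace-wide policy in bar
  mtls:
    mode: STRICT            # mutual TLS required on every port ...
  portLevelMtls:
    80:                     # ... except this WORKLOAD (container) port
      mode: DISABLE         # which keeps accepting plaintext
---
# The server-side policy alone does not tell sidecar clients what to send:
# Istio cannot derive outbound TLS settings from a workload-level policy.
# The DestinationRule below pins the client side and mirrors the exemption.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: httpbin
  namespace: bar
spec:
  host: httpbin.bar.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL    # sidecar-originated mTLS with Istio-issued certificates
    portLevelSettings:
    - port:
        number: 80          # SERVICE port, not container port; assumed equal here
      tls:
        mode: DISABLE       # plaintext to port 80, matching portLevelMtls above
```

Apply both with kubectl apply -f and probe again: requests from sleep.legacy to port 80 succeed, requests to any other port of httpbin are rejected, and sidecar clients use mTLS except on port 80. The two port numbers refer to different things (portLevelMtls keys are the workload's container ports; a DestinationRule port is the Kubernetes service port), so when a service maps, say, 8000 to container port 80, the two resources must name different numbers for the same exemption; getting this wrong is a common source of handshake failures on exactly one port.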
You can test this precedence by adding a workload-level policy that disables mutual TLS for the same httpbin workload. Re-running the request from sleep.legacy now succeeds, because the workload-level policy overrides the namespace-wide one. End-user authentication works differently. To experiment with it, you need a valid JWT. Also, for convenience, expose httpbin through the Istio ingress gateway. Apply the request authentication policy to the namespace of the workload it selects, ingressgateway in this case. The namespace you need to specify is then istio-system.
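The request authentication policy for the ingress gateway described above, as an added example that is not part of the Istio task page. The issuer and JWKS URL are hypothetical placeholders. The second resource goes one step beyond the page: a RequestAuthentication on its own only rejects invalid tokens and still lets requests with no token through, so an AuthorizationPolicy with the DENY action is added to reject requests that carry no validated request principal.

```yaml
# Added example, not from the Istio docs. The issuer and jwksUri are
# hypothetical; replace them with your identity provider's values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: ingress-jwt
  namespace: istio-system          # namespace of the selected gateway workload
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://issuer.example.com"                      # hypothetical
    jwksUri: "https://issuer.example.com/.well-known/jwks.json" # hypothetical
    # Token is read from the Authorization: Bearer header by default.
    # A token whose signature, issuer or expiry fails validation is rejected;
    # a request with NO token passes this policy unchanged.
---
# Close the "no token" gap: deny any request at the gateway for which the
# RequestAuthentication above did not establish a request principal
# (<issuer>/<subject>). DENY policies are evaluated before ALLOW policies.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]   # matches requests without a validated JWT
```

With only the first resource applied, a curl without a token returns 200, a curl with a malformed or wrongly signed token returns 401, and a curl with a valid token returns 200. After the second resource is applied, the no-token request is denied as well (403), which is usually what is wanted at the edge. Scope the DENY rule with a to.operation.paths list if some paths (health checks, public endpoints) must stay anonymous.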
If you provide a token in the Authorization header, its implicit default location, Istio validates the token using the public key set and rejects the request if the bearer token is invalid. However, requests without any token are accepted. To observe this behavior, retry the request without a token, with a bad token, and with a valid token.

Many techniques evolved to help ease this requirement and enable businesses to focus on business value.
Unless you are a security expert, it is challenging to implement these techniques correctly.
Even seasoned security professionals can find it difficult to implement and audit such systems. A service mesh helps to alleviate these concerns with the goal of drastically lessening the burden of securing and auditing such systems, enabling users to focus on their core products. However, very few deployments of Istio are in green-field environments where services are slowly adopted, created and can be monitored independently before new services are rolled out.
In these cases, users will most likely adopt mTLS gradually, service by service, and carefully monitor traffic behavior before proceeding to the next service. A common problem many users experience when enabling mTLS for service communication in their service mesh is inadvertently breaking traffic. Until tooling exists that prevents this, there are techniques and tools, discussed below, to aid you in debugging traffic management issues.
At Aspen Mesh we are trying to enable our users to feel confident in their ability to manage their infrastructure. We will now walk through debugging policy issues when using Aspen Mesh. The service graph suggests that there is a problem with the traffic generator communicating with productpage. We first inspect the policy settings and the logs of our services.
For this example it was a fairly simple fix. Here are a couple of checks to aid you in diagnosing whether an issue is related to mTLS. In most cases this will be all of the debugging you have to do. However, we can also dig deeper to understand the issue, and it never hurts to know more about the underlying infrastructure of your system. Remember that in a distributed system changes may take a while to propagate, and that Pilot and Mixer are responsible for passing configuration and enforcing policy, respectively.
This helps us understand that it is likely to be an mTLS issue. This is a very strong indication that the TLS handshake failed.
If you look closely at that returned object you can also inspect and verify the rules being applied. Istio is an incredibly sophisticated and powerful tool.
Similar to other such tools, it requires expertise to get the most out of it, but the rewards are greater than the challenge. Aspen Mesh is committed to enabling Istio and our customers to succeed. As our platform matures, we will continue to help users by surfacing use cases and examples like in the above service graph, along with further in-depth ways to diagnose and troubleshoot issues.
Keep an eye on our blog for future announcements. By Jacob Delgado.

Authorization policy supports both ALLOW and DENY policies. When allow and deny policies are used for a workload at the same time, the deny policies are evaluated first.
The evaluation is determined by the following rules: if any DENY policy matches the request, the request is denied; otherwise, if there are no ALLOW policies for the workload, the request is allowed; otherwise, if any ALLOW policy matches the request, it is allowed; otherwise it is denied. AUDIT policies do not affect whether requests are allowed or denied to the workload. A request is internally marked for auditing if there is an AUDIT policy on the workload that matches the request.
A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Telemetry v2 Stackdriver plugin.
For example, the following authorization policy denies all requests to workloads in namespace foo. Workload selector decides where to apply the authorization policy. If not set, the authorization policy will be applied to all workloads in the same namespace as the authorization policy.
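The deny-all policy for namespace foo referred to above, followed by ALLOW, DENY and AUDIT policies that exercise the evaluation order, as an added example (not the reference page's own manifests). It assumes the foo namespace from the tasks on this page, an httpbin workload labelled app: httpbin, and a sleep client running under the foo/sleep service account; the path list is illustrative.

```yaml
# Added example, not from the Istio reference. Assumes namespace foo,
# an httpbin workload labelled app: httpbin, and a client running as
# service account sleep in namespace foo.
#
# 1. Deny everything in foo: no selector (all workloads in foo) and no
#    rules (nothing matches), with the default ALLOW action.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec: {}
---
# 2. Re-open one path: only the mTLS-verified peer identity of sleep.foo may
#    GET two httpbin endpoints. `principals` is matched against
#    source.principal, which only exists when the connection used mTLS.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-sleep-get
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers", "/ip"]   # illustrative paths
---
# 3. DENY is evaluated before ALLOW, so this wins even for sleep.foo:
#    no one may POST to httpbin.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-post
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["POST"]
---
# 4. AUDIT never changes the verdict; it only marks matching requests.
#    Nothing is recorded unless an audit plugin (currently the Telemetry v2
#    Stackdriver plugin) is enabled.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: audit-headers
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: AUDIT
  rules:
  - to:
    - operation:
        paths: ["/headers"]
```

Walking the rules: GET /headers from sleep.foo over mTLS matches no DENY policy, and matches allow-sleep-get, so it is allowed (and marked for audit). POST /headers matches deny-post and is refused before any ALLOW policy is consulted. GET /headers from sleep.legacy arrives in plaintext, has no source.principal, matches no ALLOW policy, and is refused because ALLOW policies exist for httpbin; any other workload in foo, having only deny-all, refuses everything.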
A list of rules to match the request. A match occurs when at least one rule matches the request. If not set, the match never occurs, which is equivalent to a default deny for the target workloads. A rule matches requests from a list of sources that perform a list of operations subject to a list of conditions.
A match occurs when at least one source, operation and condition matches the request. An empty rule is always matched. The principals field is a list of source peer identities (i.e. service accounts), matched against the source.principal attribute; this field requires mTLS to be enabled.

This task shows how to ensure your workloads only communicate using mutual TLS as they are migrated to Istio.
Istio automatically configures workload sidecars to use mutual TLS when calling other workloads. Understand Istio authentication policy and the related mutual TLS authentication concepts. Read the authentication policy task to learn how to configure authentication policy. Have a Kubernetes cluster with Istio installed without global mutual TLS enabled; for example, use the default configuration profile as described in the installation steps.
Create two namespaces, foo and bar, and deploy httpbin and sleep with sidecars in both of them. Create another namespace, legacy, and deploy sleep without a sidecar. Verify the setup by sending HTTP requests using curl from the sleep pods in namespaces foo, bar and legacy to httpbin. All requests should succeed with return code 200. After migrating all clients to Istio and injecting the Envoy sidecar, you can lock down workloads in the foo namespace to accept only mutual TLS traffic.
Now, you should see the request from sleep.legacy to httpbin.foo fail, while requests from the sidecar-injected sleep pods still succeed. If you installed Istio with a privileged proxy, you can confirm this with tcpdump in the sidecar: you will see plain text when requests are sent from sleep.legacy and encrypted text when they come from a sidecar-injected client. We recommend you use Istio authorization to configure different paths with different authorization policies. Once the same STRICT policy is applied mesh-wide in the root namespace, both the foo and bar namespaces enforce mutual-TLS-only traffic, so you should see the requests from sleep.legacy fail against httpbin.foo and httpbin.bar alike.
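The two PeerAuthentication manifests this migration task describes, namespace-wide STRICT for foo and then mesh-wide STRICT, as an added example; they are not reproduced from the Istio pages, and the same two manifests are the ones the authentication policy task earlier on this page refers to. They assume the default root namespace istio-system and the foo/bar/legacy layout used throughout.

```yaml
# Added example, not from the Istio docs. Assumes the root namespace is
# istio-system (the default) and the foo/bar/legacy layout from the task.
#
# Step 1: lock down one namespace. No selector => namespace-wide.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT     # sidecars in foo reject plaintext; sleep.legacy -> httpbin.foo fails
---
# Step 2 (after every client has a sidecar): the same spec in the root
# namespace applies to the whole mesh. Namespace- and workload-level
# policies still override it where they exist.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

Apply step 1, re-run the curl probes from all three sleep pods, and only then apply step 2. If a namespace still has sidecar-less clients when you reach step 2, give it its own PeerAuthentication with mode PERMISSIVE (same shape as step 1) until those clients are migrated; PERMISSIVE is what Istio already does by default, so the override is a conscious, auditable exception rather than a silent gap. List what is in force with kubectl get peerauthentication --all-namespaces.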
This message occurs when a destination rule resource and a policy resource are in conflict with regard to mutual TLS. The two resources are in conflict if they each specify incompatible mutual TLS modes; this conflict means traffic matching the destination rule to the specified host will be rejected.
This message is deprecated and is only produced on service meshes that still use the alpha authentication policy API. A mesh-wide policy of that kind has the effect that every service requires mutual TLS. However, without a corresponding destination rule instructing clients to use mutual TLS, traffic is sent to those services in plain text.
This conflict means that traffic destined for services in the mesh will ultimately fail. Consider an example service named my-service in namespace my-namespace.
To determine which policy object is applied to my-service, the following resources are matched in order: a workload-specific Policy in my-namespace that targets my-service, then the namespace-wide Policy named default in my-namespace, then the MeshPolicy named default. To determine which destination rules are applied to traffic sent to my-service, we must first know which namespace the traffic originates from. Destination rules are matched in the following order: a rule for the host in the client's namespace, then one in my-namespace, then one in the root namespace. The first resource that matches the specified criteria is used.
Level: Error.

Imagine you have an Istio installation where mTLS is enabled for the whole cluster. In terms of configuration, you should have two pieces: a MeshPolicy requiring mTLS for every workload, and a mesh-wide DestinationRule whose trafficPolicy tells every client to originate ISTIO_MUTUAL connections.
Workloads are all the entities on the service mesh that are able to start communications with other services or with ServiceEntries (endpoints outside the service mesh). To check the integrity of both rules, Kiali has the Istio Config section.
There you can list all the Istio objects that live in your cluster. Thanks to the filtering, you can easily find both pieces of config described above. To disable mTLS for one namespace, two different things need to be done: we have to change the behavior of both clients and services again.
It is important to apply the Policy first, so that all services in the namespace accept both plain and mTLS connections before any client switches to plain text. If you apply the DestinationRule first, all workloads would start connections in plain text while no service would yet be able to respond to them. Regarding clients, we need to define a new DestinationRule overriding the trafficPolicy declared in the mesh-wide one.
Istio's overriding mechanism has nothing to do with the names of the config objects; the more specific rule (namespace over mesh) wins. Once both configs are published in the service mesh, the Kiali graph changes. An open lock on an edge of your service mesh shows that either part or all of the traffic on that edge is unencrypted (not using mTLS). Right after applying the previous configs, most of the traffic still uses mTLS. Nevertheless, locks on the edges warn that there is unencrypted traffic going through. The exact share of mTLS traffic is displayed in the right-hand panel.
After some time with mTLS disabled for the namespace, the graph should be fully green with all traffic unencrypted. However, your mesh-wide mTLS is still enabled. When you disable mTLS for a namespace or a service, you do not want that traffic to use mTLS, so this goes against the MeshPolicy definition. As we can see, our service mesh now has a DestinationRule that conflicts with the MeshPolicy. The important point here is that the DestinationRule has a problem, and, also important, Kiali warns you about it.
Kiali also suggests that you add a permissive policy. To fix it, you have two options: either set the MeshPolicy to permissive mode, which is not good practice, or add a Policy in permissive mode to the bookinfo namespace, as we saw in the first part of this article.

Istio adventures: disabling mTLS for one namespace. By Xavier Canal, software engineer at Red Hat. Thanks to Alissa Bonas.
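The manifests behind this walkthrough and behind the MTLSPolicyConflict message described earlier on this page, as an added example (not the article's or the Istio analyzer's own resources). It uses the alpha authentication API (MeshPolicy/Policy) the article and the message are about; on current Istio the same shapes are expressed with PeerAuthentication. It assumes the namespace is bookinfo and that the mesh-wide DestinationRule lives in istio-system with host "*.local".

```yaml
# Added example, not from the article or the Istio docs. Alpha-era API
# (authentication.istio.io/v1alpha1), matching the text; assumes the
# bookinfo namespace and a mesh-wide DestinationRule in istio-system.
#
# Starting point: mTLS for the whole cluster = server side + client side.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls: {}                    # STRICT: every sidecar accepts only mTLS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"               # every in-mesh host
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL        # every sidecar client originates mTLS
---
# Step 1 (apply FIRST): let bookinfo servers accept plaintext as well.
# The namespace-wide Policy named "default" overrides the MeshPolicy.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: bookinfo
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
---
# Step 2 (apply SECOND): make clients talk plaintext to bookinfo hosts.
# Applied alone, without step 1, this is exactly the MTLSPolicyConflict
# case: servers (MeshPolicy, STRICT) and clients (DISABLE) disagree, and
# the analyzer reports the conflict because the traffic would be rejected.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: disable-mtls
  namespace: bookinfo
spec:
  host: "*.bookinfo.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
```

Order matters because the two halves are enforced by different proxies: the Policy changes what the bookinfo server sidecars accept, the DestinationRule changes what every client sidecar sends. Reverse the order and, for the propagation window, clients send plaintext to servers that still require mTLS. Reverting is the mirror image: delete disable-mtls first, wait for the Kiali graph to show closed locks, then delete the permissive Policy.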
Breaking down a monolithic application into atomic services offers various benefits, including better agility, better scalability and better ability to reuse services.
However, microservices also have particular security needs. Istio Security provides a comprehensive security solution to address them. This page gives an overview of how you can use Istio security features to secure your services, wherever you run them. In particular, Istio security mitigates both insider and external threats against your data, endpoints, communication, and platform. The Istio security features provide strong identity, powerful policy, transparent TLS encryption, and authentication, authorization and audit (AAA) tools to protect your services and data.
Istio security is built around these goals. Visit the mutual TLS migration docs to start using Istio security features with your deployed services, and the Security Tasks for detailed instructions on each feature. Sidecar and perimeter proxies work as Policy Enforcement Points (PEPs) to secure communication between clients and servers. The PEPs are implemented using Envoy. The following diagram shows the architecture.
Identity is a fundamental concept of any security infrastructure. At the beginning of a workload-to-workload communication, the two parties must exchange credentials with their identity information for mutual authentication purposes.
On the server side, the server can determine what information the client can access based on the authorization policies, audit who accessed what and when, charge clients based on the workloads they used, and reject clients who failed to pay their bill from accessing the workloads.
This model allows for great flexibility and granularity for service identities to represent a human user, an individual workload, or a group of workloads.
On platforms without a service identity, Istio can use other identities that can group workload instances, such as service names. Istio securely provisions strong identities to every workload with X.509 certificates.
Istio agents, running alongside each Envoy proxy, work together with istiod to automate key and certificate rotation at scale. The following diagram shows the identity provisioning flow; Istio provisions identities to the proxy through the secret discovery service (SDS). Peer authentication is used for service-to-service authentication, to verify the client making the connection. Istio offers mutual TLS as a full-stack solution for transport authentication, which can be enabled without requiring service code changes.
This solution provides each service with a strong identity and secures service-to-service communication. Request authentication is used for end-user authentication, to verify the credential attached to the request. Istiod, the consolidated control plane binary, encapsulates the functions of Pilot, Citadel, Mixer, and Galley.
Istio tunnels service-to-service communication through the client- and server-side PEPs, which are implemented as Envoy proxies, so that a request from one workload to another is authenticated with mutual TLS in transit. Istio mutual TLS has a permissive mode, which allows a service to accept both plaintext traffic and mutual TLS traffic at the same time. This feature greatly improves the mutual TLS onboarding experience. Many non-Istio clients communicating with a non-Istio server present a problem for an operator who wants to migrate that server to Istio with mutual TLS enabled.
Commonly, the operator cannot install an Istio sidecar for all clients at the same time, or does not even have the permissions to do so on some clients. Even after installing the Istio sidecar on the server, the operator cannot enable mutual TLS without breaking existing communications. With permissive mode enabled, the server accepts both plaintext and mutual TLS traffic. The mode provides greater flexibility for the onboarding process. Once the configuration of the clients is complete, the operator can configure the server to mutual-TLS-only (STRICT) mode.
Server identities are encoded in certificates, but service names are retrieved through the discovery service or DNS.