Service security capabilities

Access Control

You will start by denying all traffic. An AuthorizationPolicy with an empty spec has no selector, so it applies to every workload in its namespace, and because it has no rules nothing can match: once at least one ALLOW policy selects a workload, Istio denies any request that no rule matches.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec: {}

And then begin poking holes in your service mesh "firewall". Note that this policy has no `from` clause: it allows GET requests to httpbin from any source, including callers without an mTLS identity.

---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "allow-get"
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - to:
    - operation:
        methods: ["GET"]

Create an AuthorizationPolicy for each BookInfo service. The `principals` entries are the SPIFFE identities of the calling workloads' service accounts; they are only available when the caller connects over mTLS, so a plaintext caller never matches a `from.source.principals` rule.

---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "view-productpage"
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  rules:
  - to:
    - operation:
        methods: ["GET", "POST"] # try login with just GET (fails)
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "view-details"
  namespace: default
spec:
  selector:
    matchLabels:
      app: details
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET", "POST"]
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "view-reviews"
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET", "POST"]
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "view-ratings"
  namespace: default
spec:
  selector:
    matchLabels:
      app: ratings
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
    to:
    - operation:
        methods: ["GET", "POST"]

Allow per-user access. This replaces the `view-reviews` policy above (same name, same namespace) with one that also matches on the `end-user` header that productpage sets after login. A request header is not an identity: any client that can reach reviews can set it, which is why the rule keeps the productpage service-account principal as well, so the header is only trusted when it arrives from productpage.

---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "view-reviews"
  namespace: default
spec:
  selector:
    matchLabels:
      app: reviews
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
    when:
    - key: request.headers[end-user]
      values: ["naruto"]
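The following is an added example, not code from Istio or from this workshop: a small Python model of how Istio evaluates the ALLOW policies above, so you can see why `deny-all` blocks everything, why `allow-get` reopens only GET on httpbin, and why the per-user `view-reviews` rule cannot be satisfied by spoofing the `end-user` header from another workload. It implements Istio's documented rule for ALLOW policies (a workload with no ALLOW policy accepts everything; once one selects it, a request is accepted only if some rule of some selecting policy matches; fields within a rule are ANDed, list entries are ORed, an absent field matches anything). The policies and requests are constructed as Python dicts mirroring the page's YAML; namespaces, DENY and CUSTOM actions are outside the model.

```python
# Added example, not Istio's own code: a model of ALLOW AuthorizationPolicy
# evaluation for the policies on this page. Policies and requests below are
# constructed to mirror the page's YAML.
from dataclasses import dataclass, field

PRODUCTPAGE_SA = "cluster.local/ns/default/sa/bookinfo-productpage"


@dataclass
class Request:
    workload_labels: dict                   # labels on the destination pod
    method: str
    principal: str = ""                     # caller's SPIFFE identity; "" when there is no mTLS peer
    headers: dict = field(default_factory=dict)


# spec of each policy from the page, as dicts
DENY_ALL = {"name": "deny-all", "spec": {}}     # no selector, no rules: denies the namespace
ALLOW_GET = {"name": "allow-get", "spec": {
    "selector": {"matchLabels": {"app": "httpbin"}},
    "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}}
VIEW_REVIEWS_PER_USER = {"name": "view-reviews", "spec": {
    "selector": {"matchLabels": {"app": "reviews"}},
    "rules": [{
        "from": [{"source": {"principals": [PRODUCTPAGE_SA]}}],
        "to": [{"operation": {"methods": ["GET"]}}],
        "when": [{"key": "request.headers[end-user]", "values": ["naruto"]}]}]}}


def _selects(policy, req):
    sel = policy["spec"].get("selector")
    if sel is None:
        return True                         # no selector: every workload in the namespace
    return all(req.workload_labels.get(k) == v for k, v in sel["matchLabels"].items())


def _source_ok(src, req):
    # A plaintext caller has no principal, so a principals list never matches it.
    return "principals" not in src or req.principal in src["principals"]


def _operation_ok(op, req):
    return "methods" not in op or req.method in op["methods"]


def _condition_ok(cond, req):
    key = cond["key"]
    if key.startswith("request.headers[") and key.endswith("]"):
        actual = req.headers.get(key[len("request.headers["):-1])
        return actual in cond["values"]     # absent header never matches
    raise ValueError(f"condition key not covered by this model: {key}")


def _rule_matches(rule, req):
    if "from" in rule and not any(_source_ok(f["source"], req) for f in rule["from"]):
        return False
    if "to" in rule and not any(_operation_ok(t["operation"], req) for t in rule["to"]):
        return False
    return all(_condition_ok(c, req) for c in rule.get("when", []))


def authorize(policies, req):
    """True if the request is allowed given the ALLOW policies in the namespace."""
    selecting = [p for p in policies if _selects(p, req)]
    if not selecting:
        return True                         # nothing covers this workload: Istio allows
    return any(_rule_matches(r, req)
               for p in selecting for r in p["spec"].get("rules", []))


if __name__ == "__main__":
    get = Request({"app": "httpbin"}, "GET")
    print("no policy:", authorize([], get))                                # True
    print("deny-all:", authorize([DENY_ALL], get))                         # False
    print("deny-all + allow-get:", authorize([DENY_ALL, ALLOW_GET], get))  # True
    via_productpage = Request({"app": "reviews"}, "GET", PRODUCTPAGE_SA, {"end-user": "naruto"})
    spoofed = Request({"app": "reviews"}, "GET", "cluster.local/ns/default/sa/default",
                      {"end-user": "naruto"})
    print("naruto via productpage:", authorize([DENY_ALL, VIEW_REVIEWS_PER_USER], via_productpage))  # True
    print("header spoofed from another SA:", authorize([DENY_ALL, VIEW_REVIEWS_PER_USER], spoofed))  # False
```

The last two calls are the point of the per-user rule: the `end-user` header alone is worthless as an access check, and only the combination with the productpage principal (which requires mTLS) makes it meaningful.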

Reset BookInfo Subsets (reset destination rules)

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: productpage
spec:
  host: productpage
  subsets:
  - name: v1
    labels:
      version: v1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: reviews
spec:
  host: reviews
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v3
    labels:
      version: v3
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ratings
spec:
  host: ratings
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
  - name: v2-mysql
    labels:
      version: v2-mysql
  - name: v2-mysql-vm
    labels:
      version: v2-mysql-vm
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: details
spec:
  host: details
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---

Identity Verification

Note: this lab uses the sample application HTTPbin.

Using Meshery, deploy the HTTPbin sample application.

Add Claims

The request principal is built from the validated token as `<iss>/<sub>`, so this rule admits only requests carrying a token whose issuer and subject are both `testing@secure.istio.io` and whose `groups` claim contains `group1`. The policy must be in the namespace where httpbin runs and must select the same workload as the RequestAuthentication that validates the token.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: default   # same namespace and selector as the RequestAuthentication below
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:
          ["testing@secure.istio.io/testing@secure.istio.io"]
    when:
    - key: request.auth.claims[groups]
      values: ["group1"]

Define the RequestAuthentication that validates the tokens. Apply it before the policy above: without it, `request.auth.claims` and the request principal are never populated, so `require-jwt` rejects every request. Note the asymmetry: a RequestAuthentication on its own rejects requests that carry an invalid token, but it still passes requests with no token at all; only the `requestPrincipals` rule in `require-jwt` turns a missing token into a 403.

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt"
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json"
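The following is an added example, not Istio's code or part of this workshop: a Python model of what the RequestAuthentication and the `require-jwt` policy together decide for a request to httpbin, covering the cases a practitioner should test (no token, valid token in the right group, valid token in the wrong group, wrong subject, wrong issuer, expired or forged token). It assumes HS256 tokens signed with a constructed shared secret instead of the RS256 keys at the page's `jwksUri`, so that it runs on the standard library alone; the token minting, the secret and the status codes are this model's, with 401 standing for the RequestAuthentication rejection and 403 for the AuthorizationPolicy denial.

```python
# Added example, not Istio's own code: models RequestAuthentication followed by
# the require-jwt ALLOW policy. Assumption: HS256 with a constructed secret
# stands in for the page's RS256 JWKS.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "testing@secure.istio.io"
SECRET = b"constructed-demo-secret"             # assumption: stands in for the JWKS
REQUIRED_PRINCIPALS = ["testing@secure.istio.io/testing@secure.istio.io"]
REQUIRED_GROUPS = ["group1"]                    # request.auth.claims[groups]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact HS256 JWT (for constructing test tokens only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET, now=None):
    """Return the claims if signature, issuer and expiry are valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                         # pin the algorithm; never honour 'none'
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    if claims.get("iss") != ISSUER:             # issuer not in jwtRules: rejected
        return None
    if "exp" in claims and claims["exp"] < (now if now is not None else time.time()):
        return None
    return claims


def request_authentication(headers: dict):
    """RequestAuthentication stage: returns (status, request_principal, claims).

    status 401 means the request is rejected; 0 means it continues, with the
    principal 'iss/sub' if a valid token was presented and '' if none was.
    """
    auth = headers.get("Authorization", "")
    if not auth:
        return 0, "", {}                        # no token is NOT rejected at this stage
    if not auth.startswith("Bearer "):
        return 401, "", {}
    claims = verify_jwt(auth[len("Bearer "):])
    if claims is None or "sub" not in claims:
        return 401, "", {}
    return 0, f"{claims['iss']}/{claims['sub']}", claims


def require_jwt(principal: str, claims: dict) -> int:
    """The require-jwt ALLOW policy: 200 if its single rule matches, else 403."""
    if principal not in REQUIRED_PRINCIPALS:
        return 403
    groups = claims.get("groups", [])
    groups = [groups] if isinstance(groups, str) else groups
    return 200 if any(g in REQUIRED_GROUPS for g in groups) else 403


def handle(headers: dict) -> int:
    """Status httpbin's sidecar returns once both resources are applied."""
    status, principal, claims = request_authentication(headers)
    return status or require_jwt(principal, claims)


if __name__ == "__main__":
    good = mint_jwt({"iss": ISSUER, "sub": ISSUER, "groups": ["group1"]})
    forged = mint_jwt({"iss": ISSUER, "sub": ISSUER, "groups": ["group1"]}, b"wrong-key")
    print("no token:", handle({}))                                   # 403
    print("valid token:", handle({"Authorization": f"Bearer {good}"}))     # 200
    print("forged token:", handle({"Authorization": f"Bearer {forged}"}))  # 401
```

The first and third results are the ones people get wrong: a missing token is not an authentication failure in Istio, it is an authorization failure that only exists because `require-jwt` demands a request principal, whereas a forged or expired token is rejected before any policy runs.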

Mutual TLS

Using Meshery, you can change mTLS enforcement for a namespace.

To configure mTLS at a more selective level, change and apply this configuration. A PeerAuthentication named `default` in `istio-system` with no selector is the mesh-wide policy; the same resource in an application namespace sets the default for that namespace, and adding a `selector` scopes it to matching workloads. `portLevelMtls` is only honoured on a workload-level policy, that is, one with a selector. Keep in mind that in PERMISSIVE mode the sidecar still accepts plaintext, so the principal-based AuthorizationPolicy rules above only take effect for callers that actually use mTLS; STRICT rejects plaintext callers outright.

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: "istio-system"   # mesh-wide default; use an application namespace for a namespace-wide policy
spec:
  # selector:                 # uncomment to scope the policy to matching workloads
  #   matchLabels:
  #     app: httpbin
  mtls:
    mode: STRICT              # STRICT, PERMISSIVE, DISABLE or UNSET (ISTIO_MUTUAL is a DestinationRule TLS mode, not a PeerAuthentication mode)
  # portLevelMtls:            # only honoured together with a selector
  #   80:
  #     mode: DISABLE
