Service Meshes Available

istio

Service security capabilities

Access Control

You will start by denying all traffic.

1apiVersion: security.istio.io/v1beta1
2kind: AuthorizationPolicy
3metadata:
4 name: deny-all
5 namespace: default
6spec: {}

And then begin poking holes in your service mesh "firewall".

1---
2apiVersion: "security.istio.io/v1beta1"
3kind: "AuthorizationPolicy"
4metadata:
5 name: "allow-get"
6 namespace: default
7spec:
8 selector:
9 matchLabels:
10 app: httpbin
11 rules:
12 - to:
13 - operation:
14 methods: ["GET"]

Create AuthorizationPolicy for each BookInfo service.

1---
2apiVersion: "security.istio.io/v1beta1"
3kind: "AuthorizationPolicy"
4metadata:
5 name: "view-productpage"
6 namespace: default
7spec:
8 selector:
9 matchLabels:
10 app: productpage
11 rules:
12 - to:
13 - operation:
14 methods: ["GET", "POST"] # try login with just GET (fails)
15---
16apiVersion: "security.istio.io/v1beta1"
17kind: "AuthorizationPolicy"
18metadata:
19 name: "view-details"
20 namespace: default
21spec:
22 selector:
23 matchLabels:
24 app: details
25 rules:
26 - from:
27 - source:
28 principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
29 to:
30 - operation:
31 methods: ["GET", "POST"]
32---
33apiVersion: "security.istio.io/v1beta1"
34kind: "AuthorizationPolicy"
35metadata:
36 name: "view-reviews"
37 namespace: default
38spec:
39 selector:
40 matchLabels:
41 app: reviews
42 rules:
43 - from:
44 - source:
45 principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
46 to:
47 - operation:
48 methods: ["GET", "POST"]
49---
50apiVersion: "security.istio.io/v1beta1"
51kind: "AuthorizationPolicy"
52metadata:
53 name: "view-ratings"
54 namespace: default
55spec:
56 selector:
57 matchLabels:
58 app: ratings
59 rules:
60 - from:
61 - source:
62 principals: ["cluster.local/ns/default/sa/bookinfo-reviews"]
63 to:
64 - operation:
65 methods: ["GET", "POST"]

Allow per user access

1---
2apiVersion: "security.istio.io/v1beta1"
3kind: "AuthorizationPolicy"
4metadata:
5 name: "view-reviews"
6 namespace: default
7spec:
8 selector:
9 matchLabels:
10 app: reviews
11 rules:
12 - from:
13 - source:
14 principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
15 to:
16 - operation:
17 methods: ["GET"]
18 when:
19 - key: request.headers[end-user]
20 values: ["naruto"]

Reset BookInfo Subsets (reset destination rules)

1apiVersion: networking.istio.io/v1alpha3
2kind: DestinationRule
3metadata:
4 name: productpage
5spec:
6 host: productpage
7 subsets:
8 - name: v1
9 labels:
10 version: v1
11---
12apiVersion: networking.istio.io/v1alpha3
13kind: DestinationRule
14metadata:
15 name: reviews
16spec:
17 host: reviews
18 subsets:
19 - name: v1
20 labels:
21 version: v1
22 - name: v2
23 labels:
24 version: v2
25 - name: v3
26 labels:
27 version: v3
28---
29apiVersion: networking.istio.io/v1alpha3
30kind: DestinationRule
31metadata:
32 name: ratings
33spec:
34 host: ratings
35 subsets:
36 - name: v1
37 labels:
38 version: v1
39 - name: v2
40 labels:
41 version: v2
42 - name: v2-mysql
43 labels:
44 version: v2-mysql
45 - name: v2-mysql-vm
46 labels:
47 version: v2-mysql-vm
48---
49apiVersion: networking.istio.io/v1alpha3
50kind: DestinationRule
51metadata:
52 name: details
53spec:
54 host: details
55 subsets:
56 - name: v1
57 labels:
58 version: v1
59 - name: v2
60 labels:
61 version: v2
62---

Identity Verfification

Note: this lab uses the sample application HTTPbin.

Using Meshery, deploy the HTTPbin sample application.

Add Claims

1apiVersion: security.istio.io/v1beta1
2kind: AuthorizationPolicy
3metadata:
4 name: require-jwt
5 namespace: foo
6spec:
7 selector:
8 matchLabels:
9 app: httpbin
10 action: ALLOW
11 rules:
12 - from:
13 - source:
14 requestPrincipals:
15 ["testing@secure.istio.io/testing@secure.istio.io"]
16 when:
17 - key: request.auth.claims[groups]
18 values: ["group1"]

Def

1apiVersion: "security.istio.io/v1beta1"
2kind: "RequestAuthentication"
3metadata:
4 name: "jwt"
5 namespace: default
6spec:
7 selector:
8 matchLabels:
9 app: httpbin
10 jwtRules:
11 - issuer: "testing@secure.istio.io"
12 jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json"

Mutual TLS

Using Meshery, you can change mTLS enforcement for a namespace.

To configure mTLS on more selective level, you can change and apply this configuration:

1apiVersion: "security.istio.io/v1beta1"
2kind: "PeerAuthentication"
3metadata:
4 name: "default"
5 namespace: "istio-system"
6spec:
7 # selector:
8 # matchLabels:
9 # app: httpbin
10 mtls:
11 mode: STRICT #ISTIO_MUTUAL,DISABLE
12 # portLevelMtls:
13 # 80:
14 # mode: DISABLE

NEXT CHAPTER

Getting Started

Layer5, the cloud native management company

An empowerer of engineers, Layer5 helps you extract more value from your infrastructure. Creator and maintainer of service mesh standards. Maker of Meshery, the cloud native management plane.