Security with Mutual TLS (mTLS)

By default the TLS protocol only identifies the server to the client using an X.509 certificate, while the authentication of the client to the server is left to the application. Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time. Mutual TLS (mTLS) authentication is optional in TLS but more common in B2B applications.

TBD: use a Loopback Guestbook API and create a Java Spring Boot web Guestbook UI in a guestbook namespace. The Bookinfo application relies on the global installation values global.mtls.enabled and global.controlPlaneSecurityEnabled, which may conflict with service-level authentication policies and DestinationRules.

Overview

To check whether mTLS is enabled for the Bookinfo application and the Istio installation, first list the pods (READY 2/2 shows that each pod runs its application container plus the injected sidecar proxy).

$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-6ccd7768b4-44cw2       2/2     Running   0          24h
productpage-v1-6d554df9b8-x4pct   2/2     Running   0          24h
ratings-v1-699946589b-qxsk5       2/2     Running   0          24h
reviews-v1-56b595ccdd-pcwmn       2/2     Running   0          24h
reviews-v2-54478ff77-lrrzr        2/2     Running   0          24h
reviews-v3-8d9fc6986-fck7z        2/2     Running   0          24h

Authentication policies apply to requests that a service receives, so for each service that should require mTLS you need to apply an authentication policy whose peers: section contains - mtls: {}.

To see which authentication policies and destination rules Pilot uses to configure a proxy instance, and to check whether the TLS settings are compatible between instances, use the istioctl authn tls-check command. In its output, SERVER is the mode the service accepts (set by its authentication policy) and CLIENT is the mode callers use (set by the DestinationRule); STATUS is OK when the two agree.

$ istioctl authn tls-check details-v1-6ccd7768b4-44cw2 | grep default.svc.cluster.local
HOST:PORT                                   STATUS  SERVER  CLIENT  AUTHN POLICY  DESTINATION RULE
details.default.svc.cluster.local:9080      OK      HTTP    HTTP    -             details/default
kubernetes.default.svc.cluster.local:443    OK      HTTP    HTTP    -             -
productpage.default.svc.cluster.local:9080  OK      HTTP    HTTP    -             productpage/default
ratings.default.svc.cluster.local:9080      OK      HTTP    HTTP    -             ratings/default
reviews.default.svc.cluster.local:9080      OK      HTTP    HTTP    -             reviews/default

The peers: section of an authentication Policy defines the authentication methods, and their parameters, that the targeted service supports for transport (peer) authentication.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  targets:
  - name: details
  peers:
  - mtls: {}

To list all authentication policies in the default namespace:

$ kubectl get policies.authentication.istio.io -n default

To specify the client-side mTLS settings, set the TLS settings (trafficPolicy.tls) in the DestinationRule.

View the DestinationRule list:

$ kubectl get destinationrules
NAME          HOST          AGE
details       details       24h
productpage   productpage   24h
ratings       ratings       24h
reviews       reviews       24h

To get the details of a DestinationRule:

$ kubectl describe destinationrules details
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
Labels: addonmanager.kubernetes.io/mode=Reconcile
metadata:
  name: "details"
  namespace: "default"
Spec:
  Host: details
  Subsets:
    Labels:
      Version: v1
    Name: v1
    Labels:
      Version: v2
    Name: v2

To set the trafficPolicy for mTLS, edit the DestinationRule spec; with the host "*.default.svc.cluster.local" the rule applies to every service in the default namespace:

spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
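
As an added check (example code written for this page, not part of Istio or of the original notes): parse the table printed by istioctl authn tls-check and, for each row where the server-side Policy and the client-side DestinationRule disagree, name the object that still needs the change described above. The sample output is constructed and extends the page's table with a service whose Policy already requires mTLS while its DestinationRule still sends plain HTTP.

```python
"""Added example, not from the page: parse `istioctl authn tls-check` output and
say which object (Policy or DestinationRule) each inconsistent row still needs."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the page's layout, plus one service whose Policy already
# requires mTLS while its DestinationRule still sends plain HTTP.
SAMPLE_OUTPUT = """\
HOST:PORT                                 STATUS    SERVER  CLIENT  AUTHN POLICY     DESTINATION RULE
details.default.svc.cluster.local:9080    OK        HTTP    HTTP    -                details/default
kubernetes.default.svc.cluster.local:443  OK        HTTP    HTTP    -                -
ratings.default.svc.cluster.local:9080    CONFLICT  mTLS    HTTP    default/default  ratings/default
reviews.default.svc.cluster.local:9080    OK        mTLS    mTLS    default/default  reviews/default
"""

@dataclass
class TlsCheckRow:
    host_port: str
    status: str
    server: str  # mode the service accepts: set by its authentication Policy
    client: str  # mode callers use: set by the DestinationRule trafficPolicy.tls
    authn_policy: str
    destination_rule: str

def parse_tls_check(text: str) -> List[TlsCheckRow]:
    """Skip the header and split every data row into its six columns."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 6:  # ignores blank lines and anything malformed
            rows.append(TlsCheckRow(*fields))
    return rows

def diagnose(rows: List[TlsCheckRow]) -> Dict[str, str]:
    """Map each inconsistent host:port to the object that needs changing."""
    findings = {}
    for r in rows:
        if r.status == "OK" and r.server == r.client:
            continue  # server and client agree: nothing to do
        if r.server == "mTLS" and r.client == "HTTP":
            # Policy has peers mtls, but the client side was never updated.
            findings[r.host_port] = "DestinationRule %s needs trafficPolicy.tls.mode: ISTIO_MUTUAL" % r.destination_rule
        elif r.server == "HTTP" and r.client == "mTLS":
            # DestinationRule already sends mTLS to a service that only accepts plaintext.
            findings[r.host_port] = "no Policy with peers mtls covers this service (authn policy: %s)" % r.authn_policy
        else:
            findings[r.host_port] = "status %s: inspect the proxy config manually" % r.status
    return findings
```

Pipe real tls-check output into parse_tls_check to run the same diagnosis against a live cluster.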