Security with Mutual TLS (mTLS)


Last updated 5 years ago


By default, the TLS protocol only authenticates the server to the client using an X.509 certificate; authenticating the client to the server is left to the application. Mutual authentication, or two-way authentication, means that both parties authenticate each other during the same handshake. Mutual TLS (mTLS) authentication is optional in TLS but common in B2B applications.

TBD: use a Loopback Guestbook API and create a Java Spring Boot Web Guestbook UI in a guestbook namespace. The Bookinfo application uses the global installation configuration values global.mtls.enabled and global.controlPlaneSecurityEnabled, which may conflict with the service-level authentication policy and DestinationRules.

Overview

To check whether the Bookinfo application and the Istio installation are enabled for mTLS, first list the pods. Each pod shows 2/2 in the READY column, i.e. the application container plus the injected Envoy sidecar proxy that terminates TLS.

$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-6ccd7768b4-44cw2       2/2     Running   0          24h
productpage-v1-6d554df9b8-x4pct   2/2     Running   0          24h
ratings-v1-699946589b-qxsk5       2/2     Running   0          24h
reviews-v1-56b595ccdd-pcwmn       2/2     Running   0          24h
reviews-v2-54478ff77-lrrzr        2/2     Running   0          24h
reviews-v3-8d9fc6986-fck7z        2/2     Running   0          24h

Authentication policies apply to requests that a service receives, so for each service that should require mTLS you need to apply an authentication policy with a peers: - mtls: {} section.

To check which authentication policies and destination rules Pilot uses to configure a proxy instance, and whether the TLS settings are compatible between the instances, use the istioctl authn tls-check command.

$ istioctl authn tls-check details-v1-6ccd7768b4-44cw2 | grep default.svc.cluster.local
HOST:PORT     STATUS     SERVER     CLIENT     AUTHN     POLICY     DESTINATION RULE
details.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  details/default
kubernetes.default.svc.cluster.local:443     OK  HTTP  HTTP  -  -
productpage.default.svc.cluster.local:9080   OK  HTTP  HTTP  -  productpage/default
ratings.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  ratings/default
reviews.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  reviews/default
The AUTHN POLICY column shows - for every host, so no authentication policy is applied yet. An authentication policy that requires mTLS for the details service looks as follows:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  targets:
  - name: details
  peers:
  - mtls: {}

To get all policies for the default namespace,

$ kubectl get policies.authentication.istio.io -n default

To specify client-side authentication rules for mutual TLS, you need to set the TLSSettings in the DestinationRule. List the existing DestinationRules,

$ kubectl get destinationrules 
NAME          HOST          AGE
details       details       24h
productpage   productpage   24h
ratings       ratings       24h
reviews       reviews       24h

To get the details for a DestinationRule,

$ kubectl describe destinationrules details
Name:         details
Namespace:    default
Labels:       addonmanager.kubernetes.io/mode=Reconcile
API Version:  networking.istio.io/v1alpha3
Kind:         DestinationRule
Spec:
  Host:  details
  Subsets:
    Labels:
      Version:  v1
    Name:       v1
    Labels:
      Version:  v2
    Name:       v2

To set the trafficPolicy for mTLS, edit the DestinationRule spec. The wildcard host below applies the client-side setting to every service in the default namespace:

spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

The peers: section of an authentication Policy defines the authentication methods and associated parameters supported for transport authentication in that policy.
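The server-side Policy and the client-side DestinationRule have to agree, which is exactly what istioctl authn tls-check reports. The following added example (not Istio's code, and not part of the original page) models that compatibility check in Python so you can see why a Policy with peers: - mtls: {} but no ISTIO_MUTUAL DestinationRule produces a CONFLICT, why the reverse combination (mTLS client, plaintext server) also conflicts, and why a PERMISSIVE policy avoids both. The policy names details-mtls and the namespace-wide permissive policy are constructed for the example; the host, namespace and port values follow the tls-check output above.

```python
# Added example, not Istio's own code: a model of the compatibility check that
# `istioctl authn tls-check` performs between the server-side authentication
# Policy and the client-side DestinationRule for one host:port.
# All Policy/DestinationRule objects below are constructed for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

CLUSTER_SUFFIX = "svc.cluster.local"


@dataclass
class Policy:
    """authentication.istio.io/v1alpha1 Policy: applies to requests a service receives."""
    name: str
    namespace: str
    targets: List[str] = field(default_factory=list)  # [] means namespace-wide
    peers: List[dict] = field(default_factory=list)   # e.g. [{"mtls": {}}]

    def mtls_mode(self) -> str:
        """STRICT (the default for `mtls: {}`), PERMISSIVE, or HTTP if no mtls peer."""
        for peer in self.peers:
            if "mtls" in peer:
                return (peer["mtls"] or {}).get("mode", "STRICT")
        return "HTTP"


@dataclass
class DestinationRule:
    """networking.istio.io/v1alpha3 DestinationRule: client-side TLS settings."""
    name: str
    namespace: str
    host: str                        # short name or FQDN, may contain '*'
    tls_mode: Optional[str] = None   # trafficPolicy.tls.mode; None = plaintext


def fqdn(host: str, namespace: str) -> str:
    """Expand a short service name to its in-cluster FQDN."""
    return host if "." in host else f"{host}.{namespace}.{CLUSTER_SUFFIX}"


def server_mode(policies, service, namespace):
    """A policy that targets the service wins over a namespace-wide one; none = HTTP."""
    namespace_wide = None
    for p in policies:
        if p.namespace != namespace:
            continue
        if service in p.targets:
            return p.mtls_mode(), p
        if not p.targets and namespace_wide is None:
            namespace_wide = p
    return (namespace_wide.mtls_mode(), namespace_wide) if namespace_wide else ("HTTP", None)


def client_mode(rules, service, namespace):
    """An exact host match wins over a wildcard such as *.default.svc.cluster.local."""
    target = fqdn(service, namespace)
    exact = [r for r in rules if fqdn(r.host, r.namespace) == target]
    wild = [r for r in rules if fnmatchcase(target, fqdn(r.host, r.namespace))]
    for r in exact + wild:
        return ("mTLS" if r.tls_mode == "ISTIO_MUTUAL" else "HTTP"), r
    return "HTTP", None


def tls_check(policies, rules, service, namespace="default", port=9080):
    """Return one tls-check style row for service:port."""
    server, pol = server_mode(policies, service, namespace)
    client, rule = client_mode(rules, service, namespace)
    if server == "STRICT" and client != "mTLS":
        status = "CONFLICT"   # server demands mTLS, client still sends plaintext
    elif server == "HTTP" and client == "mTLS":
        status = "CONFLICT"   # client sends mTLS, server only speaks plaintext
    else:
        status = "OK"         # PERMISSIVE accepts either kind of client
    return {
        "host": f"{fqdn(service, namespace)}:{port}",
        "status": status, "server": server, "client": client,
        "policy": f"{pol.name}/{pol.namespace}" if pol else "-",
        "rule": f"{rule.name}/{rule.namespace}" if rule else "-",
    }


def report(policies, rules, services):
    """Print a table in the shape of `istioctl authn tls-check` and return the rows."""
    rows = [tls_check(policies, rules, s) for s in services]
    print(f"{'HOST:PORT':<45} {'STATUS':<9} {'SERVER':<11} {'CLIENT':<7} "
          f"{'AUTHN POLICY':<21} DESTINATION RULE")
    for r in rows:
        print(f"{r['host']:<45} {r['status']:<9} {r['server']:<11} {r['client']:<7} "
              f"{r['policy']:<21} {r['rule']}")
    return rows


# Constructed objects mirroring the manifests shown on this page.
DETAILS_POLICY = Policy("details-mtls", "default", targets=["details"], peers=[{"mtls": {}}])
MESH_RULE = DestinationRule("default", "default", "*.default.svc.cluster.local", "ISTIO_MUTUAL")
NS_PERMISSIVE = Policy("default", "default", peers=[{"mtls": {"mode": "PERMISSIVE"}}])

if __name__ == "__main__":
    services = ["details", "productpage"]
    report([DETAILS_POLICY], [], services)            # details: CONFLICT (STRICT server, HTTP client)
    report([DETAILS_POLICY], [MESH_RULE], services)   # productpage: CONFLICT (HTTP server, mTLS client)
    report([NS_PERMISSIVE], [MESH_RULE], services)    # every row OK
```

The second run shows the situation the TBD note above warns about: a mesh-wide ISTIO_MUTUAL DestinationRule makes every client send mTLS, so any service without a matching authentication policy conflicts; the third run shows why PERMISSIVE mode is the usual migration step before switching to STRICT.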

Reference documentation:

istioctl authn
istioctl authn tls-check
Authentication Policy
DestinationRule