Security with Mutual TLS (mTLS)

By default the TLS protocol only identifies the server to the client using an X.509 certificate, while the authentication of the client to the server is left to the application. Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time. Mutual TLS (mTLS) authentication is optional in TLS but more common in B2B applications.

TBD: use a Loopback Guestbook API and create a Java Spring Boot Web Guestbook UI in a guestbook namespace. The Bookinfo application uses global installation configuration values for global.mtls.enabled and global.controlPlaneSecurityEnabled that may conflict with the service level authentication policy and destinationrules.

Overview

To check whether the Bookinfo application and the Istio installation have mTLS enabled, first list the pods:

$ kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
details-v1-6ccd7768b4-44cw2       2/2     Running   0          24h
productpage-v1-6d554df9b8-x4pct   2/2     Running   0          24h
ratings-v1-699946589b-qxsk5       2/2     Running   0          24h
reviews-v1-56b595ccdd-pcwmn       2/2     Running   0          24h
reviews-v2-54478ff77-lrrzr        2/2     Running   0          24h
reviews-v3-8d9fc6986-fck7z        2/2     Running   0          24h

Authentication policies apply to requests that a service receives. So for each service that you want to require mTLS, you need to apply an authentication policy with a peers: - mtls: {} section.

To check which authentication policies and destination rules Pilot uses to configure a proxy instance, and whether the TLS settings are compatible between the instances, use the istioctl authn tls-check command. In the output, the SERVER and CLIENT columns show the protocol each side is configured for, so HTTP on both sides means the service is not yet using mTLS.

$ istioctl authn tls-check details-v1-6ccd7768b4-44cw2 | grep default.svc.cluster.local
HOST:PORT     STATUS     SERVER     CLIENT     AUTHN     POLICY     DESTINATION RULE
details.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  details/default
kubernetes.default.svc.cluster.local:443     OK  HTTP  HTTP  -  -
productpage.default.svc.cluster.local:9080   OK  HTTP  HTTP  -  productpage/default
ratings.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  ratings/default
reviews.default.svc.cluster.local:9080       OK  HTTP  HTTP  -  reviews/default
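As an added check that is not part of the original page, the following POSIX shell script parses istioctl authn tls-check output and reports every host that is not protected by mTLS on both sides, distinguishing plaintext, permissive and conflicting settings. The sample output is constructed, and the mtls_gaps function and its host-filter argument are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `istioctl authn tls-check` output (not captured from a real cluster).
# It mixes the states the check must distinguish: plaintext on both sides, mTLS on both
# sides, a PERMISSIVE server (HTTP/mTLS) and a CONFLICT where only one side expects mTLS.
SAMPLE_TLS_CHECK='HOST:PORT     STATUS     SERVER     CLIENT     AUTHN     POLICY     DESTINATION RULE
details.default.svc.cluster.local:9080       OK        HTTP       HTTP   -                 details/default
productpage.default.svc.cluster.local:9080   OK        mTLS       mTLS   default/default   productpage/default
ratings.default.svc.cluster.local:9080       OK        HTTP/mTLS  mTLS   default/default   ratings/default
reviews.default.svc.cluster.local:9080       CONFLICT  mTLS       HTTP   default/default   reviews/default
kubernetes.default.svc.cluster.local:443     OK        HTTP       HTTP   -                 -'

# Print one line per host that is NOT protected by mTLS end to end: "<host:port> <reason>"
#   CONFLICT   server and client disagree, so requests will fail
#   PERMISSIVE server accepts both, so plaintext callers are still allowed in
#   PLAINTEXT  both sides agree on HTTP, so traffic is unauthenticated and unencrypted
# $1: tls-check output, $2: optional awk regex to restrict the hosts checked (default: all).
# Non-mesh entries such as the kubernetes API service show HTTP here because they carry
# their own TLS; use the filter to limit the check to your own services.
mtls_gaps() {
  printf '%s\n' "$1" | awk -v filter="${2:-}" '
    NR == 1 { next }                        # skip the header row
    filter != "" && $1 !~ filter { next }   # optional host filter
    $2 == "CONFLICT" { print $1, "CONFLICT"; next }
    $3 == "HTTP/mTLS" { print $1, "PERMISSIVE"; next }
    $3 != "mTLS" || $4 != "mTLS" { print $1, "PLAINTEXT" }
  '
}

# Number of gaps found; a non-zero count is what a CI gate would fail on.
mtls_gap_count() {
  mtls_gaps "$1" "${2:-}" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample. Against a live cluster, pass
# "$(istioctl authn tls-check <pod-name>)" as the first argument instead.
mtls_gaps "$SAMPLE_TLS_CHECK"
```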

The peers: section of an Authentication Policy defines the authentication methods and associated parameters supported for transport authentication in a policy.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  namespace: "default"
spec:
  targets:
  - name: details
  peers:
  - mtls: {}

To get all policies for the default namespace,

$ kubectl get policies.authentication.istio.io -n default

To set client-side authentication rules for mutual TLS, specify the TLSSettings in the DestinationRule.

View the DestinationRule list,

$ kubectl get destinationrules 
NAME          HOST          AGE
details       details       24h
productpage   productpage   24h
ratings       ratings       24h
reviews       reviews       24h

To get the details for a DestinationRule,

$ kubectl describe destinationrules details
Name:         details
Namespace:    default
Labels:       addonmanager.kubernetes.io/mode=Reconcile
API Version:  networking.istio.io/v1alpha3
Kind:         DestinationRule
Spec:
  Host:  details
  Subsets:
    Labels:
      Version:  v1
    Name:       v1
    Labels:
      Version:  v2
    Name:       v2

To set the trafficPolicy for mTLS edit the DestinationRule spec,

spec:
  host: "*.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
