istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[Release-1.5] Delete auto-mTLS task (#6591) 

* Delete auto-mTLS task

* Fix links

* Fix links

* Fix links on 1.5

* Fix links
This commit is contained in:
Diem Vu 2020-03-05 18:01:06 -08:00 committed by GitHub
parent c8a36e611f
commit 055f5e480c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 7 additions and 387 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
content/en/about/feature-stages/index.md
View File

@ -76,7 +76,7 @@ Below is our list of existing features and their current phases. This informatio
| [Pluggable Key/Cert Support for Istio CA](/docs/tasks/security/plugin-ca-cert/) | Stable
| [Authorization](/docs/concepts/security/#authorization) | Beta
| [End User (JWT) Authentication](/docs/concepts/security/#authentication) | Beta
| [Automatic mutual TLS](/docs/tasks/security/authentication/auto-mtls/) | Beta
| [Automatic mutual TLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls) | Beta
| [VM: Service Credential Distribution](/docs/concepts/security/#pki) | Beta
| [Mutual TLS Migration](/docs/tasks/security/authentication/mtls-migration) | Beta
| [Deny Checker](/docs/reference/config/policy-and-telemetry/adapters/denier/) | Deprecated

2
content/en/blog/2020/tradewinds-2020/index.md
View File

@ -153,7 +153,7 @@ status of our APIs, see our
Network traffic is also becoming more secure by default. After many users
enabled it in preview,
[automated rollout of mutual TLS](/docs/tasks/security/authentication/auto-mtls/)
[automated rollout of mutual TLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls)
is becoming the recommended practice in Istio 1.5.
In addition we will make Istio require fewer privileges and simplify its

3
content/en/docs/reference/config/analysis/ist0113/index.md
View File

@ -8,8 +8,7 @@ in conflict with regards to mutual TLS. The two resources are in conflict if the
specify incompatible mutual TLS modes to be used; this conflict means traffic matching
the destination rule to the specified host will be rejected.
This message is only produced on service meshes that are not using [automatic mutual
TLS](/docs/tasks/security/authentication/auto-mtls/).
This message is deprecated and only produced on service meshes that are using alpha authentication policy.
## An example

379
content/en/docs/tasks/security/authentication/auto-mtls/index.md
View File

@ -1,379 +0,0 @@
---
title: Automatic mutual TLS
description: A simplified workflow to adopt mutual TLS with minimal configuration overhead.
weight: 10
keywords: [security,mtls,ux]
---
This tasks shows a simplified workflow for mutual TLS adoption.
With Istio auto mutual TLS feature, you can adopt mutual TLS by only configuring authentication policy without worrying about destination rule.
Istio tracks the server workloads migrated to Istio sidecar, and configures client sidecar to send mutual TLS traffic to those workloads automatically, and send plain text traffic to workloads
without sidecars. This allows you to adopt Istio mutual TLS incrementally with minimal manual configuration.
## Before you begin
* Understand Istio [authentication policy](/docs/concepts/security/#authentication-policies) and related
[mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication) concepts.
* Install Istio with the `global.mtls.enabled` option set to false and `global.mtls.auto` set to true.
For example, using the `demo` configuration profile:
{{< text bash >}}
$ istioctl manifest apply --set profile=demo \
--set values.global.mtls.auto=true \
--set values.global.mtls.enabled=false
{{< /text >}}
## Instructions
### Setup
Our examples deploy `httpbin` service into three namespaces, `full`, `partial`, and `legacy`.
Each represents different phase of Istio migration.
`full` namespace contains all server workloads finishing the Istio migration. All deployments have
sidecar injected.
{{< text bash >}}
$ kubectl create ns full
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n full
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n full
{{< /text >}}
`partial` namespace contains server workloads partially migrated to Istio. Only migrated one has
sidecar injected, able to serve mutual TLS traffic.
{{< text bash >}}
$ kubectl create ns partial
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n partial
$ cat <<EOF | kubectl apply -n partial -f -
apiVersion: apps/v1
kind: Deployment
metadata:
name: httpbin-nosidecar
spec:
replicas: 1
selector:
matchLabels:
app: httpbin
template:
metadata:
labels:
app: httpbin
version: nosidecar
spec:
containers:
- image: docker.io/kennethreitz/httpbin
imagePullPolicy: IfNotPresent
name: httpbin
ports:
- containerPort: 80
EOF
{{< /text >}}
`legacy` namespace contains the workloads and none of them have Envoy sidecar.
{{< text bash >}}
$ kubectl create ns legacy
$ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n legacy
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n legacy
{{< /text >}}
Last we deploy two `sleep` workloads, one has sidecar and one does not.
{{< text bash >}}
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n full
$ kubectl apply -f @samples/sleep/sleep.yaml@ -n legacy
{{< /text >}}
You can confirm the deployments in all namespaces.
{{< text bash >}}
$ kubectl get pods -n full
$ kubectl get pods -n partial
$ kubectl get pods -n legacy
NAME READY STATUS RESTARTS AGE
httpbin-dcd949489-5cndk 2/2 Running 0 39s
sleep-58d6644d44-gb55j 2/2 Running 0 38s
NAME READY STATUS RESTARTS AGE
httpbin-6f6fc94fb6-8d62h 1/1 Running 0 10s
httpbin-dcd949489-5fsbs 2/2 Running 0 12s
NAME READY STATUS RESTARTS AGE
httpbin-54f5bb4957-lzxlg 1/1 Running 0 6s
sleep-74564b477b-vb6h4 1/1 Running 0 4s
{{< /text >}}
You should also verify that there is a default mesh authentication policy in the system, which you can do as follows:
{{< text bash >}}
$ kubectl get policies.authentication.istio.io --all-namespaces
$ kubectl get meshpolicies -o yaml | grep ' mode'
NAMESPACE NAME AGE
istio-system grafana-ports-mtls-disabled 2h
mode: PERMISSIVE
{{< /text >}}
Last but not least, verify that there are no destination rules that apply on the example services. You can do this by checking the `host:` value of
existing destination rules and make sure they do not match. For example:
{{< text bash >}}
$ kubectl get destinationrules.networking.istio.io --all-namespaces -o yaml | grep "host:"
host: istio-policy.istio-system.svc.cluster.local
host: istio-telemetry.istio-system.svc.cluster.local
{{< /text >}}
You can verify setup by sending an HTTP request with `curl` from any `sleep` pod in the namespace `full`, `partial` or `legacy` to either `httpbin.full`, `httpbin.partial` or `httpbin.legacy`. All requests should succeed with HTTP code 200.
For example, here is a command to check `sleep.full` to `httpbin.full` reachability:
{{< text bash >}}
$ kubectl exec $(kubectl get pod -l app=sleep -n full -o jsonpath={.items..metadata.name}) -c sleep -n full -- curl http://httpbin.full:8000/headers -s -w "response %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'
URI=spiffe://cluster.local/ns/full/sa/sleep
response 200
{{< /text >}}
The SPIFFE URI shows the client identity from X509 certificate, which
indicates the traffic is sent in mutual TLS. If the traffic is in plain text, no client certificate
will be displayed.
### Start from PERMISSIVE mode
In the setup, we start with `PERMISSIVE` for all services in the mesh.
1. All `httpbin.full` workloads and the workload with sidecar for `httpbin.partial` are able to serve
both mutual TLS traffic and plain text traffic.
1. The workload without sidecar for `httpbin.partial` and workloads of `httpbin.legacy` can only serve
plain text traffic.
Automatic mutual TLS configures the client, `sleep.full`, to send mutual TLS to the first type of
workloads and plain text to the second type.
You can verify the reachability as:
{{< text bash >}}
$ for from in "full" "legacy"; do for to in "full" "partial" "legacy"; do echo "sleep.${from} to httpbin.${to}";kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/headers -s -w "response code: %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'; echo -n "\n"; done; done
sleep.full to httpbin.full
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
sleep.full to httpbin.partial
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
sleep.full to httpbin.legacy
response code: 200
sleep.legacy to httpbin.full
response code: 200
sleep.legacy to httpbin.partial
response code: 200
sleep.legacy to httpbin.legacy
response code: 200
{{< /text >}}
### Working with Sidecar Migration
The request to `httpbin.partial` can reach to server workloads with or without sidecar. Istio
automatically configures the `sleep.full` client to initiates mutual TLS connection to workload
with sidecar.
{{< text bash >}}
$ for i in `seq 1 10`; do kubectl exec $(kubectl get pod -l app=sleep -n full -o jsonpath={.items..metadata.name}) -c sleep -nfull -- curl http://httpbin.partial:8000/headers -s -w "response code: %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'; echo -n "\n"; done
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
response code: 200
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
response code: 200
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
response code: 200
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
response code: 200
response code: 200
{{< /text >}}
Without automatic mutual TLS feature, you have to track the sidecar migration finishes, and then
explicitly configure the destination rule to make client send mutual TLS traffic to `httpbin.full`.
### Lock down mutual TLS to STRICT
Imagine now you need to lock down the `httpbin.full` service to only accept mutual TLS traffic. You
can configure authentication policy to `STRICT`.
{{< text bash >}}
$ cat <<EOF | kubectl apply -n full -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "httpbin"
spec:
targets:
- name: httpbin
peers:
- mtls: {}
EOF
{{< /text >}}
All `httpbin.full` workloads and the workload with sidecar for `httpbin.partial` can only serve
mutual TLS traffic.
Now the requests from the `sleep.legacy` starts to fail, since it can't send mutual TLS traffic.
But the client `sleep.full` is automatically configured with auto mutual TLS, to send mutual TLS
request, returning 200.
{{< text bash >}}
$ for from in "full" "legacy"; do for to in "full" "partial" "legacy"; do echo "sleep.${from} to httpbin.${to}";kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/headers -s -w "response code: %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'; echo -n "\n"; done; done
sleep.full to httpbin.full
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
sleep.full to httpbin.partial
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
sleep.full to httpbin.legacy
response code: 200
sleep.legacy to httpbin.full
response code: 000
command terminated with exit code 56
sleep.legacy to httpbin.partial
response code: 200
sleep.legacy to httpbin.legacy
response code: 200
{{< /text >}}
### Disable mutual TLS to plain text
If for some reason, you want service to be in plain text mode explicitly, we can configure authentication policy as plain text.
{{< text bash >}}
$ cat <<EOF | kubectl apply -n full -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "httpbin"
spec:
targets:
- name: httpbin
EOF
{{< /text >}}
In this case, since the service is in plain text mode. Istio automatically configures client sidecars
to send plain text traffic to avoid breakage.
{{< text bash >}}
$ for from in "full" "legacy"; do for to in "full" "partial" "legacy"; do echo "sleep.${from} to httpbin.${to}";kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/headers -s -w "response code: %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'; echo -n "\n"; done; done
sleep.full to httpbin.full
response code: 200
sleep.full to httpbin.partial
response code: 200
sleep.full to httpbin.legacy
response code: 200
sleep.legacy to httpbin.full
response code: 200
sleep.legacy to httpbin.partial
response code: 200
sleep.legacy to httpbin.legacy
response code: 200
{{< /text >}}
All traffic are now in plain text.
### Destination rule overrides
For backward compatibility, you can still use destination rule to override the TLS configuration as
before. When destination rule has an explicit TLS configuration, that overrides the client sidecars'
TLS configuration.
For example, you can explicitly configure destination rule for `httpbin.full` to enable or
disable mutual TLS explicitly.
{{< text bash >}}
$ cat <<EOF | kubectl apply -n full -f -
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "httpbin-full-mtls"
spec:
host: httpbin.full.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
EOF
{{< /text >}}
Since in previous steps, we already disable the authentication policy for `httpbin.full` to disable
mutual TLS, we should see the traffic from `sleep.full` starting to fail.
{{< text bash >}}
$ for from in "full" "legacy"; do for to in "full" "partial" "legacy"; do echo "sleep.${from} to httpbin.${to}";kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl http://httpbin.${to}:8000/headers -s -w "response code: %{http_code}\n" | egrep -o 'URI\=spiffe.*sa/[a-z]*|response.*$'; echo -n "\n"; done; done
sleep.full to httpbin.full
response code: 503
sleep.full to httpbin.partial
URI=spiffe://cluster.local/ns/full/sa/sleep
response code: 200
sleep.full to httpbin.legacy
response code: 200
sleep.legacy to httpbin.full
response code: 200
sleep.legacy to httpbin.partial
response code: 200
sleep.legacy to httpbin.legacy
response code: 200
{{< /text >}}
### Cleanup
{{< text bash >}}
$ kubectl delete ns full partial legacy
{{< /text >}}
## Summary
Automatic mutual TLS configures the client sidecar to send TLS traffic by default between sidecars.
You only need to configure authentication policy.
As aforementioned, automatic mutual TLS is a mesh wide Helm installation option. You have to
re-deploy Istio to enable or disable the feature. When disabling the feature, if you already rely
on it to automatically encrypt the traffic, then traffic can **fall back to plain text**, which
can affect your **security posture or break the traffic**, if the service is already configured as
`STRICT` to only accept mutual TLS traffic.
Currently, automatic mutual TLS is an Alpha stage feature, please be aware of the risk, and the
additional CPU cost for TLS encryption.
We're considering to make this feature the default enabled. Please consider to send your feedback
or encountered issues when trying auto mutual TLS via [Git Hub](https://github.com/istio/istio/issues/18548).

2
content/en/news/releases/1.4.x/announcing-1.4/_index.md
View File

@ -38,7 +38,7 @@ focuses on simplification and flexibility. This will also replace the old
## Automatic mutual TLS
We added [automatic mutual TLS support](/docs/tasks/security/authentication/auto-mtls/). It allows
We added [automatic mutual TLS support](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls). It allows
you to adopt mutual TLS without needing to configure destination rules. Istio automatically programs
client sidecar proxies to send mutual TLS to server endpoints that are able to accept mutual TLS.

2
content/en/news/releases/1.4.x/announcing-1.4/change-notes/index.md
View File

@ -16,7 +16,7 @@ weight: 10
## Security
- **Added** the [`v1beta1` authorization policy model](/blog/2019/v1beta1-authorization-policy/) for enforcing access control. This will eventually replace the [`v1alpha1` RBAC policy](/docs/reference/config/security/istio.rbac.v1alpha1/).
- **Added** experimental support for [automatic mutual TLS](/docs/tasks/security/authentication/auto-mtls/) to enable mutual TLS without destination rule configuration.
- **Added** experimental support for automatic mutual TLS to enable mutual TLS without destination rule configuration.
- **Added** experimental support for [authorization policy trust domain migration](/docs/tasks/security/authorization/authz-td-migration/).
- **Added** experimental [DNS certificate management](/blog/2019/dns-cert/) to securely provision and manage DNS certificates signed by the Kubernetes CA.
- **Improved** Citadel to periodically check and rotate the expired root certificate when running in self-sign CA mode.

2
content/en/news/releases/1.5.x/announcing-1.5/_index.md
View File

@ -82,7 +82,7 @@ Istio 1.4.
As always, we are working to make Istio more secure with every release. With
1.5, all security policies including
[Auto mTLS](/docs/tasks/security/authentication/auto-mtls/),
[Auto mTLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls),
[`AuthenticationPolicy`](/docs/reference/config/security/istio.authentication.v1alpha1/)
(`PeerAuthentication` and `RequestAuthentication`) and authorization are now in
Beta. SDS is now stable. Authorization now supports Deny semantics to enforce

2
content/en/news/releases/1.5.x/announcing-1.5/change-notes/index.md
View File

@ -24,7 +24,7 @@ weight: 10
- **Graduated** SDS to stable and enabled by default. It provides identity provisioning for Istio Envoy proxies.
- **Added** Beta authentication API. The new API separates peer (i.e mutual TLS) and origin (JWT) authentication into [`PeerAuthentication`](https://github.com/istio/api/blob/master/security/v1beta1/peer_authentication.proto) and [`RequestAuthentication`](https://github.com/istio/api/blob/master/security/v1beta1/request_authentication.proto) respectively. Both new APIs are workload-oriented, as opposed to service-oriented in alpha `AuthenticationPolicy`.
- **Added** [deny semantics](https://github.com/istio/api/blob/master/security/v1beta1/authorization.proto#L28) to Authorization Policy
- **Graduated** [auto mutual TLS](/docs/tasks/security/authentication/auto-mtls/) from alpha to beta. This feature is now enabled by default.
- **Graduated** [auto mutual TLS](/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls) from alpha to beta. This feature is now enabled by default.
- **Improved** [SDS security](https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret) by merging Node Agent with Pilot Agent as Istio Agent and removing cross-pod UDS, which no longer requires users to deploy Kubernetes pod security policies for UDS connections.
- **Improved** Istio by including certificate provisioning functionality within istiod.
- **Added** Support Kubernetes [`first-party-jwt`](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens) as a fallback token for CSR authentication in clusters where [`third-party-jwt`](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) is not supported.