zh-translation: /blog/2019/egress-traffic-control-in-istio-part-2/index.md (#6262)

* zh-trans: /blog/2019/egress-traffic-control-in-istio-part-2/index.md

* finish zh-translation for /blog/2019/egress-traffic-control-in-istio-part-2/index.md

* fix lint error

* fix review issues
helight 2019-12-31 15:42:21 +08:00 committed by Istio Automation
parent 04e9c91c42
commit 372f7ba1f7
1 changed files with 48 additions and 97 deletions


@ -1,129 +1,80 @@
--- ---
title: Secure Control of Egress Traffic in Istio, part 2 title: Istio 中的安全管控出口流量,第二部分
subtitle: Use Istio Egress Traffic Control to prevent attacks involving egress traffic subtitle: 使用 Istio 的出口流量管控来阻止相关出口流量攻击
description: Use Istio Egress Traffic Control to prevent attacks involving egress traffic. description: 使用 Istio 的出口流量管控来阻止相关出口流量攻击。
publishdate: 2019-07-10 publishdate: 2019-07-10
attribution: Vadim Eisenberg (IBM) attribution: Vadim Eisenberg (IBM)
keywords: [traffic-management,egress,security,gateway,tls] keywords: [traffic-management,egress,security,gateway,tls]
target_release: 1.2 target_release: 1.2
--- ---
Welcome to part 2 in our new series about secure control of egress traffic in Istio. 欢迎来看 Istio 对出口流量进行安全管控系列文章的第 2 部分。
In [the first part in the series](/zh/blog/2019/egress-traffic-control-in-istio-part-1/), I presented the attacks involving 在[这个系列文章的第一部分](/zh/blog/2019/egress-traffic-control-in-istio-part-1/),我提出了出口流量相关攻击和针对出口流量进行安全管控我们收集的要求点。
egress traffic and the requirements we collected for a secure control system for egress traffic. 在这一期中,我会讲述对出口流量进行安全管控的 Istio 方式,并且展示 Istio 如何帮你阻止攻击。
In this installment, I describe the Istio way to securely control the egress traffic, and show how Istio can help you
prevent the attacks.
## Secure control of egress traffic in Istio ## Istio 中的出口流量安全管控 {#secure-control-of-egress-traffic-in-Istio}
To implement secure control of egress traffic in Istio, you must 为了在 Istio 中实施出口流量的安全管控,你必须[通过出口网关将 TLS 流量发送到外部服务](/zh/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic)。
[direct TLS traffic to external services through an egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic). 或者可以[通过出口网关发送 HTTP 流量](/zh/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-http-traffic),并且[让出口网关来发起执行 TLS](/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-TLS-origination-with-an-egress-gateway)。
Alternatively, you
can [direct HTTP traffic through an egress gateway](/zh/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-http-traffic)
and [let the egress gateway perform TLS origination](/zh/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-TLS-origination-with-an-egress-gateway).
Both alternatives have their pros and cons, you should choose between them according to your circumstances. 两种选择各有利弊,你应该根据你的具体场景进行选择。选择的关键取决于你的应用程序是否能发送不加密的 HTTP 请求和你团队的安全策略是否允许发送不加密的 HTTP 请求。
The choice mainly depends on whether your application can send unencrypted HTTP requests and whether your 例如,如果你的应用程序使用了某些客户端库,用这些库来对流量进行加密,但是它无法取消加密,你就不能使用发送不加密 HTTP 流量的选项。万一你团队的安全策略无法让你**在 pod 内**发送不加密的 HTTP 请求也是一样的pod 外的流量由 Istio 来加密)。
organization's security policies allow sending unencrypted HTTP requests.
For example, if your application uses some client library that encrypts the traffic without a possibility to cancel the
encryption, you cannot use the option of sending unencrypted HTTP traffic.
The same in the case your organization's security policies do not allow sending unencrypted HTTP requests
**inside the pod** (outside the pod the traffic is encrypted by Istio).
If the application sends HTTP requests and the egress gateway performs TLS origination, you can monitor HTTP 如果应用程序发送 HTTP 请求,并且由出口网关发起执行 TLS你就可以监控 HTTP 信息,像 HTTP 方法、HTTP 头和 URL 路径。也可以根据上面说的 HTTP 信息来[定义策略](/zh/blog/2018/egress-monitoring-access-control)。如果是由应用程序发起执行 TLS你就可以对源 pod 的 TLS 流量的 [SNI 和服务账号进行监控](/zh/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/),并且基于 SNI 和服务账号定义策略。
information like HTTP methods, headers, and URL paths. You can also
[define policies](/zh/blog/2018/egress-monitoring-access-control) based on said HTTP information. If the application
performs TLS origination, you can
[monitor SNI and the service account](/zh/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/) of the
source pod's TLS traffic, and define policies based on SNI and service accounts.
You must ensure that traffic from your cluster to the outside cannot bypass the egress gateway. Istio cannot enforce it 你必须确保你集群到外部的流量不能绕过出口网关。Istio 不能给你确保这一点,所以你必需使用一些[附加的安全机制](/zh/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations),比如 [Kubernetes 网络策略](https://kubernetes.io/docs/concepts/services-networking/network-policies/)或者 L3 防火墙。 看一个 [Kubernetes 网络策略配置](/zh/docs/tasks/traffic-management/egress/egress-gateway/#apply-Kubernetes-network-policies)的例子。
for you, so you must apply some 根据[纵深防御](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) 的概念,为同一个目标使用的安全机制越多越安全。
[additional security mechanisms](/zh/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations),
for example,
the [Kubernetes network policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) or an L3
firewall. See an example of the
[Kubernetes network policies configuration](/zh/docs/tasks/traffic-management/egress/egress-gateway/#apply-Kubernetes-network-policies).
According to the [Defense in depth](https://en.wikipedia.org/wiki/Defense_in_depth_(computing)) concept, the more
security mechanisms you apply for the same goal, the better.
You must also ensure that Istio control plane and the egress gateway cannot be compromised. While you may have hundreds 你也必需也要确保 Istio 控制平面和出口网关不能被破坏。你的集群里面可能有成百上千的应用程序 pod而只有十几个 Istio 控制平面 pod 和网关。
or thousands of application pods in your cluster, there are only a dozen of Istio control plane pods and the gateways. 你可以也应该聚焦在保护控制平面 pod 和网关,因为这比较容易(需要保护的 pod 数量很少),并且这对集群的安全性是最关键的。
You can and should focus on protecting the control plane pods and the gateways, since it is easy (there is a small 如果攻击者破坏了控制平面和出口网关,他们可以违反任何策略。
number of pods to protect) and it is most crucial for the security of your cluster.
If attackers compromise the control plane or the egress gateway, they could violate any policy.
You might have multiple tools to protect the control plane pods, depending on your environment. 根据环境的不同,你可能有多种工具来保护控制平面 pod。合理的安全策略如下
The reasonable security measures are:
- Run the control plane pods on nodes separate from the application nodes. - 把运行控制平面 pod 的节点和应用程序节点隔离开。
- Run the control plane pods in their own separate namespace. - 把控制平面的 pod 运行在它们自己独立的命名空间中。
- Apply the Kubernetes RBAC and network policies to protect the control plane pods. - 启用 Kubernetes 的 RBAC 和网络策略来保护控制平面的 pod。
- Monitor the control plane pods more closely than you do the application pods. - 监控控制平面 pod 要比监控应用程序 pod 更紧密。
Once you direct egress traffic through an egress gateway and apply the additional security mechanisms, 一旦你通过出口网关引导了出口流量,并且应用了附加的安全机制,就可以进行安全的监控和施加对流量的安全策略。
you can securely monitor and enforce security policies for the traffic.
The following diagram shows Istio's security architecture, augmented with an L3 firewall which is part of the 下图展示了 Istio 的安全架构,用 L3 防火墙进行了加强, L3 防火墙就是[附加安全机制](/zh/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations)的一部分,它应该在 Istio 的外面。
[additional security mechanisms](/zh/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations)
that should be provided outside of Istio.
{{< image width="80%" link="./SecurityArchitectureWithL3Firewalls.svg" caption="Istio Security Architecture with Egress Gateway and L3 Firewall" >}} {{< image width="80%" link="./SecurityArchitectureWithL3Firewalls.svg" caption="带有出口网关和 L3 防火钱的 Istio 安全架构" >}}
You can configure the L3 firewall trivially to only allow incoming traffic through the Istio ingress gateway and 可以简单的配置 L3 防火墙,使它只允许通过 Istio 入口网关来的流量,并且只允许通过 Istio 出口网关出去的流量。网关的 Istio 代理执行策略,并且和在网格中其它所有代理一样上报检测信息。
only allow outgoing traffic through the Istio egress gateway. The Istio proxies of the gateways enforce
policies and report telemetry just as all other proxies in the mesh do.
Now let's examine possible attacks and let me show you how the secure control of egress traffic in Istio prevents them. 现在我们来测试一下可能的攻击,并且我会给你们展示 Istio 中的出口流量安全管控是怎么阻止攻击的。
## Preventing possible attacks ## 阻止可能的攻击 {#preventing-possible-attacks}
Consider the following security policies for egress traffic: 参考以下出口流量的安全策略:
- Application **A** is allowed to access `*.ibm.com`, which includes all the external services with URLs matching - 允许应用程序 **A** 访问 `*.ibm.com`,这包含了所有外部服务中匹配 `*.ibm.com` 的 URL。
`*.ibm.com`. - 允许应用程序 **B** 访问 `mongo1.composedb.com`
- Application **B** is allowed to access `mongo1.composedb.com`. - 监控所有的出口流量。
- All egress traffic is monitored.
Suppose the attackers have the following goals: 假设攻击者有以下目标:
- Access `*.ibm.com` from your cluster. - 从你的集群中访问 `*.ibm.com`
- Access `*.ibm.com` from your cluster, unmonitored. The attackers want their traffic to be unmonitored to prevent a - 从你的集群中访问 `*.ibm.com`,并且不被监控到。攻击者不想他的流量被监控到,如果被监控到你将会发觉这个禁止的访问。
possibility that you will detect the forbidden access. - 从你的集群中访问 `mongo1.composedb.com`
- Access `mongo1.composedb.com` from your cluster.
Now suppose that the attackers manage to break into one of the pods of application **A**, and try to use the compromised 现在假设攻击者设法在攻破应用程序 **A** 的其中一个 pod并且试图使用这个被攻破的 pod 来执行被禁止的访问。攻击者可能试试运气直接访问外部服务。你会对这个直接的尝试做出如下反应:
pod to perform the forbidden access. The attackers may try their luck and access the external services in a
straightforward way. You will react to the straightforward attempts as follows:
- Initially, there is no way to prevent a compromised application **A** to access `*.ibm.com`, because the compromised - 最开始,是没有办法阻止被攻破的 应用程序 **A** 去访问 `*.ibm.com`,因为被攻破的 pod 很难和原来的 pod 区分开。
pod is indistinguishable from the original pod. - 幸运的是,你可以监控所有对外部服务的访问,检测可疑流量,并且阻止攻击者获得对 `*.ibm.com` 的无监控访问。例如,你可以用异常检测工具检测出口流量的日志。
- Fortunately, you can monitor all access to external services, detect suspicious traffic, and thwart attackers from - 阻止攻击者从集群中访问 `mongo1.composedb.com`Istio 会正确的检测流量的源,如这个例子中应用程序 **A**,根据上面提到的安全策略验证它是不是被允许访问 `mongo1.composedb.com`
gaining unmonitored access to `*.ibm.com`. For example, you could apply anomaly detection tools on the
egress traffic logs.
- To stop attackers from accessing `mongo1.composedb.com` from your cluster, Istio will correctly detect the source of
the traffic, application **A** in this case, and verify that it is not allowed to access `mongo1.composedb.com`
according to the security policies mentioned above.
Having failed to achieve their goals in a straightforward way, the malicious actors may resort to advanced attacks: 直接攻击失败的话,恶意攻击者可能会使用高级攻击方式:
- **Bypass the container's sidecar proxy** to be able to access any external service directly, without the sidecar's - **绕过容器的 sidecar 代理** 就可能直接访问任何外部服务,而且没有了 sidecar 的策略执行和上报。这种攻击可以通过 Kubernetes 网络策略或者 L3 防火墙来阻止,因为它们可以让出网格的流量只通过出口网关。
policy enforcement and reporting. This attack is prevented by a Kubernetes Network Policy or by an L3 firewall that - **破坏出口网关** 就可以强制它发送假信息给监控系统或禁止执行安全策略。这种攻击可以通过在出口网关 pod 上应用特殊的安全策略。
allow egress traffic to exit the mesh only from the egress gateway. - **冒充应用程序 B**,因为允许应用程序 **B** 访问 `mongo1.composedb.com`。幸运的是,这种攻击可以用 Istio 的[强身份认证支持](/zh/docs/concepts/security/#istio-identity)来阻止。
- **Compromise the egress gateway** to be able to force it to send fake information to the monitoring system or to
disable enforcement of the security policies. This attack is prevented by applying the special security measures to
the egress gateway pods.
- **Impersonate as application B** since application **B** is allowed to access `mongo1.composedb.com`. This attack,
fortunately, is prevented by Istio's [strong identity support](/zh/docs/concepts/security/#istio-identity).
As far as we can see, all the forbidden access is prevented, or at least is monitored and can be prevented later. 据我们所见,所有禁止的访问都可以阻止,或者至少可以监控到,在以后可以被阻止。
If you see other attacks that involve egress traffic or security holes in the current design, we would be happy 如果看到当前设计中涉及出口流量或安全漏洞的其它攻击,我们将很高兴[听到它](https://discus.istio.io)。
[to hear about it](https://discuss.istio.io).
## Summary ## 总结 {#summary}
Hopefully, I managed to convince you that Istio is an effective tool to prevent attacks involving egress 希望我能说服你Istio 在阻止相关出口流量攻击上是一个非常高效的工具。在[这个系列文章的下一部分](/zh/blog/2019/egress-traffic-control-in-istio-part-3/),我对 Istio 出口流量安全管控方案和其它的方案进行了对比,比如 [Kubernetes 网络策略](https://kubernetes.io/docs/concepts/services-networking/network-policies/)和已有的出口代理/防火墙。
traffic. In [the next part of this series](/zh/blog/2019/egress-traffic-control-in-istio-part-3/), I compare secure control of egress traffic in Istio with alternative
solutions such as
[Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) and legacy
egress proxies/firewalls.
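Review bot: The translated discussion link near the end of the "Preventing possible attacks" section reads `https://discus.istio.io` (single `s`), while the English source line has `https://discuss.istio.io`; as translated it ships a dead link, so restore the original URL. Two smaller fixes in the same hunk: the image caption `带有出口网关和 L3 防火钱的 Istio 安全架构` has `防火钱` where `防火墙` (firewall) is meant, matching the `L3 防火墙` used elsewhere in the translation; and the bullet `**破坏出口网关** ... 这种攻击可以通过在出口网关 pod 上应用特殊的安全策略。` drops the verb that closes the sentence (the source says the attack "is prevented by applying the special security measures"), so it should end with `...应用特殊的安全措施来阻止。`. Also `你也必需也要确保` doubles `也` and should read `你也必须确保`.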