istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Copy edit for the TLS Origination for Egress Traffic topic. (#1756)

This commit is contained in:
Stephen Gilson 2018-07-11 10:04:48 -04:00 committed by Martin Taillefer
parent b55dae17d6
commit 70f3a4144c
1 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
content/docs/tasks/traffic-management/egress-tls-origination/index.md
View File

@ -6,7 +6,7 @@ weight: 42
> This task uses the new [v1alpha3 traffic management API](/blog/2018/v1alpha3-routing/). The old API has been deprecated and will be removed in the next Istio release. If you need to use the old version, follow the docs [here](https://archive.istio.io/v0.7/docs/tasks/traffic-management/).
The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external (outside the Kubernetes cluster) HTTP and HTTPS services can be accessed from applications inside the mesh. A quick reminder: by default, Istio-enabled applications are unable to access URLs outside the cluster. To enable such access, a [ServiceEntry](/docs/reference/config/istio.networking.v1alpha3/#ServiceEntry) for the external service must be defined, or, alternatively, [direct access to external services](/docs/tasks/traffic-management/egress/#calling-external-services-directly) must be configured.
The [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task demonstrates how external, meaning outside of the Kubernetes cluster, HTTP and HTTPS services can be accessed from applications inside the mesh. As described in that topic, by default Istio-enabled applications are unable to access URLs outside the cluster. To enable external access, a [ServiceEntry](/docs/reference/config/istio.networking.v1alpha3/#ServiceEntry) for the external service must be defined, or alternatively, [direct access to external services](/docs/tasks/traffic-management/egress/#calling-external-services-directly) must be configured.
This task describes how to configure Istio to perform TLS origination for egress traffic.
@ -14,7 +14,7 @@ This task describes how to configure Istio to perform TLS origination for egress
Consider a legacy application that performs HTTP calls to external sites. Suppose the organization that operates the application receives a new requirement which states that all the external traffic must be encrypted. With Istio, such a requirement can be achieved just by configuration, without changing the code of the application.
In this task we show how to configure Istio to open HTTPS connections to external services in cases the original traffic was HTTP. The application will send unencrypted HTTP requests as previously and Istio will encrypt the requests for the application.
In this task, you configure Istio to open HTTPS connections to external services in cases the original traffic was HTTP. The application will send unencrypted HTTP requests as previously and Istio will encrypt the requests for the application.
## Before you begin
@ -24,22 +24,22 @@ In this task we show how to configure Istio to open HTTPS connections to externa
* Start the [sleep]({{< github_tree >}}/samples/sleep) sample
which will be used as a test source for external calls.
If you have enabled [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection), do
If you have enabled [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection), deploy the `sleep` application:
{{< text bash >}}
$ kubectl apply -f @samples/sleep/sleep.yaml@
{{< /text >}}
otherwise, you have to manually inject the sidecar before deploying the `sleep` application:
Otherwise, you have to manually inject the sidecar before deploying the `sleep` application:
{{< text bash >}}
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
{{< /text >}}
Note that any pod that you can `exec` and `curl` from would do.
Note that any pod that you can `exec` and `curl` from will do for the procedures below.
* Create a shell variable to hold the name of the source pod for sending requests to external services.
If we used the [sleep]({{< github_tree >}}/samples/sleep) sample, we run:
If you used the [sleep]({{< github_tree >}}/samples/sleep) sample, run:
{{< text bash >}}
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
@ -47,8 +47,8 @@ If we used the [sleep]({{< github_tree >}}/samples/sleep) sample, we run:
## Configuring HTTP and HTTPS external services
First, we configure access to _cnn.com_ in the same way as in the [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task.
Note that we use a wildcard `*` in our `hosts` definition: `*.cnn.com`. Using the wildcard we allow access to _www.cnn.com_ as well as to _edition.cnn.com_.
First, configure access to _cnn.com_ in the same way as in the [Control Egress Traffic](/docs/tasks/traffic-management/egress/) task.
Note that you use a wildcard `*` in your `hosts` definition: `*.cnn.com`. Using the wildcard allows access to _www.cnn.com_ as well as to _edition.cnn.com_.
1. Create a `ServiceEntry` to allow access to an external HTTP and HTTPS services:
@ -87,14 +87,14 @@ Note that we use a wildcard `*` in our `hosts` definition: `*.cnn.com`. Using th
...
{{< /text >}}
The output should be similar to the above (unimportant details replaced by ellipsis):
The output should be similar to the above (some details replaced by ellipsis).
Note the `-L` flag of `curl`. It instructs `curl` to follow redirects. In this case,
the server responded with a redirect response ([301 Moved Permanently](https://tools.ietf.org/html/rfc2616#section-10.3.2)) to an HTTP request to http://edition.cnn.com/politics. The redirect response instructs the client to send an additional request, this time by HTTPS to https://edition.cnn.com/politics. For the second request, the server responds with the requested content and _200 OK_ status code.
Note the `-L` flag of _curl_ which instructs _curl_ to follow redirects. In this case,
the server returned a redirect response ([301 Moved Permanently](https://tools.ietf.org/html/rfc2616#section-10.3.2)) to an HTTP request to `http://edition.cnn.com/politics`. The redirect response instructs the client to send an additional request, this time by HTTPS, to `https://edition.cnn.com/politics`. For the second request, the server returns the requested content and _200 OK_ status code.
While for the user of `curl` this redirection happens transparently, there are two issues here. The first issue is the redundant first request, which doubles the latency of fetching the content of http://edition.cnn.com/politics. The second issue is that the path of the URL, _politics_ in this case, is sent in clear text. If there is an attacker who sniffs the communication between our application and _cnn.com_, the attacker would know which specific topics and articles of _cnn.com_ our application fetched. Due to the privacy reasons we may want to prevent such disclosure from the attacker.
While for the _curl_ command this redirection happens transparently, there are two issues here. The first issue is the redundant first request, which doubles the latency of fetching the content of http://edition.cnn.com/politics. The second issue is that the path of the URL, _politics_ in this case, is sent in clear text. If there is an attacker who sniffs the communication between your application and _cnn.com_, the attacker would know which specific topics and articles of _cnn.com_ your application fetched. For privacy reasons, you might want to prevent such disclosure from the attacker.
In the next section we configure Istio to perform TLS origination to resolve the two issues above. Let's clean our configuration before proceeding to the next section:
In the next section, you configure Istio to perform TLS origination to resolve these two issues. Clean your configuration before proceeding to the next section:
{{< text bash >}}
$ istioctl delete serviceentry cnn
@ -104,12 +104,12 @@ $ istioctl delete serviceentry cnn
1. Define a `ServiceEntry` to allow traffic to _edition.cnn.com_, a `VirtualService` to perform request port rewriting, and a `DestinationRule` for TLS origination.
Unlike the ServiceEntry in the previous section, here we use HTTP for the protocol on port 433, since clients
will send HTTP requests and Istio will perform TLS origination for them. Also, the resolution must be set
to DNS to correctly configure Envoy in this case.
Unlike the `ServiceEntry` in the previous section, here you use HTTP for the protocol on port 433 because clients
will send HTTP requests and Istio will perform TLS origination for them. Also, in this example the resolution must be set
to DNS to correctly configure Envoy.
Finally, note that the VirtualService uses a specific host _edition.cnn.com_ (no wildcard) because the Envoy
proxy needs to know exactly which host to access using HTTPS.
Finally, note that the `VirtualService` uses a specific host _edition.cnn.com_ (no wildcard) because the Envoy
proxy needs to know exactly which host to access using HTTPS:
{{< text bash >}}
$ cat <<EOF | istioctl create -f -
@ -162,7 +162,7 @@ proxy needs to know exactly which host to access using HTTPS.
EOF
{{< /text >}}
1. Send an HTTP request to http://edition.cnn.com/politics, as in the previous section.
1. Send an HTTP request to http://edition.cnn.com/politics, as in the previous section:
{{< text bash >}}
$ kubectl exec -it $SOURCE_POD -c sleep -- curl -sL -o /dev/null -D - http://edition.cnn.com/politics
@ -173,19 +173,19 @@ proxy needs to know exactly which host to access using HTTPS.
...
{{< /text >}}
This time we receive _200 OK_ as the first and the only response. Istio performed TLS origination for `curl` so the original HTTP request was forwarded to _cnn.com_ as HTTPS. The server of _cnn.com_ returned the content directly, without the need for redirection. We spared the double round trip between the client and the server, and the request left the mesh encrypted, without disclosing the fact that our application fetched the _politics_ section of _cnn.com_.
This time you receive _200 OK_ as the first and the only response. Istio performed TLS origination for _curl_ so the original HTTP request was forwarded to _cnn.com_ as HTTPS. The _cnn.com_ server returned the content directly, without the need for redirection. You eliminated the double round trip between the client and the server, and the request left the mesh encrypted, without disclosing the fact that your application fetched the _politics_ section of _cnn.com_.
Note that we used the same command as in the previous section. For applications that access external services programmatically, the code will not be changed. We get the benefits of TLS origination by configuring Istio, without changing a line of code, transparently for the application.
Note that you used the same command as in the previous section. For applications that access external services programmatically, the code will not be changed. Therefore, you get the benefits of TLS origination by configuring Istio, without changing a line of code.
## Additional security considerations
Note that the traffic between the application pod and the sidecar proxy on the local host is still unencrypted. It means that if the attackers would be able to penetrate the node of our application, they would still be able to see the unencrypted communication on the local network of the node. In some environments a strict security requirement may exist that would state that all the traffic must be encrypted, even on the local network of the nodes. With such a strict requirement the applications should use HTTPS (TLS) only, the TLS origination described in this task will not be sufficient.
Note that the traffic between the application pod and the sidecar proxy on the local host is still unencrypted. It means that if an attacker was able to penetrate the node of your application, they would still be able to see the unencrypted communication on the local network of the node. In some environments a strict security requirement might exist that would state that all the traffic must be encrypted, even on the local network of the nodes. With such a strict requirement the applications should use HTTPS (TLS) only, the TLS origination described in this task will not be sufficient.
Also note that even for HTTPS originated by the application, the attackers could know that the requests to _cnn.com_ are being sent, by inspecting [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication). The _SNI_ field is sent unencrypted during the TLS handshake. Using HTTPS prevents the attackers from knowing specific topics and articles, it does not prevent the attackers from learning that _cnn.com_ is accessed.
Also note that even for HTTPS originated by the application, the attacker could know that the requests to _cnn.com_ are being sent, by inspecting [Server Name Indication (SNI)](https://en.wikipedia.org/wiki/Server_Name_Indication). The _SNI_ field is sent unencrypted during the TLS handshake. Using HTTPS prevents the attackers from knowing specific topics and articles, it does not prevent the attackers from learning that _cnn.com_ is accessed.
## Cleanup
1. Remove the Istio configuration items we created:
1. Remove the Istio configuration items you created:
{{< text bash >}}
$ istioctl delete serviceentry cnn