Update Istio auth task with Hackathon feedback (#177)

* Add Istio auth configuration instructions.
* Remove Istio per-cluster CA deployment.
This commit is contained in:
Oliver Liu 2017-05-16 15:48:31 -07:00 committed by Andra Cismaru
parent c084cf2bab
commit bcd75ce6e9
2 changed files with 48 additions and 146 deletions

View File

@ -86,7 +86,7 @@ default namespace. They can be modified for deployment in a different namespace.
1. Install Istio's core components . 1. Install Istio's core components .
There are two mutually exclusive options at this stage: There are two mutually exclusive options at this stage:
* Install Istio without enabling [Istio Auth](https://istio.io/docs/concepts/network-and-auth/auth.html) feature: * Install Istio without enabling [Istio Auth]({{home}}/docs/concepts/network-and-auth/auth.html) feature:
```bash ```bash
kubectl apply -f install/kubernetes/istio.yaml kubectl apply -f install/kubernetes/istio.yaml
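Review bot: the non-auth option on this line still gets no explanation while the auth option in the next hunk gains a parenthetical about mTLS; for symmetry, add a short clause such as "(service-to-service traffic is not mutually authenticated)" so a reader who picks `istio.yaml` knows what that choice gives up. The switch from the absolute istio.io URL to `{{home}}` is consistent with the BookInfo link further down in this file.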
@ -94,7 +94,9 @@ default namespace. They can be modified for deployment in a different namespace.
This command will install Istio-Manager, Mixer, Ingress-Controller, Egress-Controller core components. This command will install Istio-Manager, Mixer, Ingress-Controller, Egress-Controller core components.
* Install Istio and enable [Istio Auth](https://istio.io/docs/concepts/network-and-auth/auth.html) feature: * Install Istio and enable [Istio Auth]({{home}}/docs/concepts/network-and-auth/auth.html) feature
(This deploys a CA in the namespace and enables
[mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) between the services):
```bash ```bash
kubectl apply -f install/kubernetes/istio-auth.yaml kubectl apply -f install/kubernetes/istio-auth.yaml
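Review bot: the new parenthetical says the CA is deployed "in the namespace" without saying which one; since the rewritten verification task tells readers to find the CA pod with `kubectl get pods` and to pass `-n yournamespace`, state that the CA is created in whatever namespace `istio-auth.yaml` is applied to and, as the removed task text put it, is scoped to that namespace. One more sentence saying this option sets `authPolicy: MUTUAL_TLS` in the `istio` ConfigMap would also help, because that is exactly what the verification step later greps for and nothing here connects the two.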
@ -275,3 +277,5 @@ kubectl create -f <(istioctl kube-inject -f <your-app-spec>.yaml)
## What's next ## What's next
* See the sample [BookInfo]({{home}}/docs/samples/bookinfo.html) application. * See the sample [BookInfo]({{home}}/docs/samples/bookinfo.html) application.
* See how to [test Istio Auth]({{home}}/docs/tasks/istio-auth.html).
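Review bot: the new "test Istio Auth" bullet only applies to readers who chose `istio-auth.yaml`, and the linked task's "Before you begin" requires an auth-enabled install; qualify the bullet ("If you enabled Istio Auth, see how to ...") so readers of the plain install are not sent to a task whose prerequisite they do not meet.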

View File

@ -1,6 +1,6 @@
--- ---
title: Enabling Istio Auth title: Test Istio Auth
overview: This task shows you how to setup Istio-Auth to provide mutual TLS authentication between services. overview: This task shows you how to verify and test Istio-Auth.
order: 100 order: 100
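Review bot: the title "Test Istio Auth" and the overview "verify and test Istio-Auth" spell the feature name differently, and the body headings below use "Verifying Istio Auth setup" and "Testing Istio Auth"; settle on "Istio Auth" in both fields and consider "Testing Istio Auth" for the title to match the heading style. Keeping the file at istio-auth.html is right, since the installation task now links to that path.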
@ -9,169 +9,67 @@ type: markdown
--- ---
{% include home.html %} {% include home.html %}
This task shows how to set up Istio Auth in a Kubernetes cluster. You'll learn Through this task, you will learn how to:
how to:
* Enable Istio Auth
* Disable Istio Auth
* Verify Istio Auth setup * Verify Istio Auth setup
* Manually test Istio Auth
## Before you begin ## Before you begin
This task assumes you have: This task assumes you have:
* Read the [Istio Auth concepts]({{home}}/docs/concepts/network-and-auth/index.html). * Installed Istio with Auth by following
[the Istio installation task]({{home}}/docs/tasks/installing-istio.html).
* [Installed Istio](./installing-istio.html#installation-steps). Note to choose "enable Istio Auth feature" at step 5 in "Installation steps".
In real world systems, only a single Istio CA should be present in a Kubernetes cluster,
which is always deployed in a dedicated namespace. The Istio CA issues certificates/keys to
all pods in the Kubernetes cluster. This offers strong security and automatic trust between namespaces in the same cluster.
However, this task also instructs how to deploy a namespace-scoped Istio CA,
for easy setup and clean up during the experiments.
## Enabling Istio Auth
### Option 1: using per-namespace CA
Per namespace CA is convenient for doing experiments.
Because each Istio CA is scoped within a namespace, Istio CAs in different namespaces will not interfere with each other
and they are easy to clean up through a single command.
We have the YAML files *istio-auth-X.yaml* for deploying all Istio components including Istio CA into the namespace.
Follow [the Istio installation guide](./installing-istio.html),
and **choose "If you would like to enable Istio Auth" in step 3**.
### Option 2: (recommended) using per-cluster CA
Only a single Istio CA is deployed for the Kubernetes cluster, in a dedicated namespace.
Doing this offers the following benefits:
* In the near future, the dedicated namespace will use
[Kubernetes RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) (beta in Kubernetes V1.6) to provide security
boundary. This will offer strong security for Istio CA.
* Services in the same Kubernetes cluster but different namespaces are able to talk to each other through Istio Auth
without extra trust setup.
#### Deplying CA
The following command creates namespace *istio-system* and deploys CA into the namespace:
```bash
kubectl apply -f ./kubernetes/istio-auth/istio-cluster-ca.yaml
```
#### Enabling Istio Auth in Istio config
The following command uncomments the line *authPolicy: MUTUAL_TLS* in the file *kubernetes/istio-X.yaml*,
and backs up the original file as *istio-X.yaml.bak*
(*X* corresponds to the Kubernetes server version, choose "15" or "16").
```bash
sed "s/# authPolicy: MUTUAL_TLS/authPolicy: MUTUAL_TLS/" ./kubernetes/istio-X.yaml > ./kubernetes/istio-auth-X.yaml
```
#### Deploying other services
Follow [the general Istio installation guide](./installing-istio.html),
and **choose "If you would like to enable Istio Auth" in step 3**.
## Disabling Istio Auth
Disabling Istio Auth requires all Istio services and applications to be reconfigured and restarted without auth config.
### For per-namespace CA Istio Auth
Run the following command to uninstall Istio, and redeploy Istio without auth:
```bash
kubectl delete -f ./kubernetes/istio-auth-X.yaml
kubectl apply -f ./kubernetes/istio-X.yaml
```
Also, redeploy your application by running:
```bash
kubectl replace -f <(istioctl kube-inject -f <your-app-spec>.yaml)
```
### For per-cluster CA Istio Auth
#### Removing per-cluster Istio CA
The following command removes Istio CA and its namespace *istio-system*.
```bash
kubectl delete -f ./kubernetes/istio-auth/istio-cluster-ca.yaml
```
#### Redeploying Istio and applications
Run the following command to uninstall Istio, and redeploy Istio without auth:
```bash
kubectl delete -f ./kubernetes/istio-auth-X.yaml
kubectl apply -f ./kubernetes/istio-X.yaml
```
Also, redeploy your application by running:
```bash
kubectl replace -f <(istioctl kube-inject -f <your-app-spec>.yaml)
```
#### Recovering the original config files
The following command will recover the original *istio-auth-X.yaml* file.
```bash
git checkout ./kubernetes/istio-auth-X.yaml
```
## Verifying Istio Auth setup ## Verifying Istio Auth setup
The following instructions assume the applications are deployed in the "default" namespace. The following commands assume the services are deployed in the default namespace.
They can be modified for deployments in a separate namespace. Use the parameter *-n yournamespace* to specify a namespace other than the default one.
Verify AuthPolicy setting in ConfigMap: ### Verifying Istio CA
Verify the cluster-level CA is running:
```bash ```bash
kubectl get configmap istio -o yaml | grep authPolicy kubectl get pods
```
```bash
# Istio Auth is enabled if the line "authPolicy: MUTUAL_TLS" is uncommented.
``` ```
Check the certificate and key files are mounted onto the application pod *app-pod*:
```bash ```bash
kubectl exec <app-pod> -c proxy -- ls /etc/certs NAME READY STATUS RESTARTS AGE
``` istio-ca-11513534-q3dz1 1/1 Running 0 45s
```bash ...
# Expected files: cert-chain.pem, key.pem and root-cert.pem.
``` ```
When Istio Auth is enabled for a pod, *ssl_context* stanzas should be in the pod's proxy config. ### Verifying service configuration
The following commands verifies the proxy config on *app-pod* has *ssl_context* configured:
```bash 1. Verify AuthPolicy setting in ConfigMap.
kubectl exec <app-pod> -c proxy -- ls /etc/envoy
```
```bash
# Get the config file named "envoy-revX.json".
```
```bash
kubectl exec <app-pod> -c proxy -- cat /etc/envoy/envoy-revX.json | grep ssl_context
```
```bash
# Expect ssl_context in the output.
```
## Playing with auth ```bash
kubectl get configmap istio -o yaml | grep authPolicy
```
Istio Auth is enabled if the line "authPolicy: MUTUAL\_TLS" is uncommented.
1. Check Istio Auth is enabled on Envoy proxies.
When Istio Auth is enabled for a pod, the *ssl_context* stanzas should be in the pod's proxy config.
The following commands verifies the proxy config on *app-pod* has *ssl_context* configured:
```bash
kubectl exec <app-pod> -c proxy -- ls /etc/envoy
```
The output should contain the config file "envoy-rev<X>.json". Use the file name in the following command:
```bash
kubectl exec <app-pod> -c proxy -- cat /etc/envoy/envoy-rev<X>.json | grep ssl_context
```
If you see *ssl_context* lines in the output, the proxy has enabled Istio Auth.
## Testing Istio Auth
When running Istio auth-enabled services, you can use curl in one service's When running Istio auth-enabled services, you can use curl in one service's
envoy to send request to other services. envoy to send request to other services.
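Review bot: the new "Verifying Istio CA" step says "Verify the cluster-level CA is running", but this commit removes the per-cluster CA deployment and the installation hunk describes the CA as deployed in the namespace; reword to "Verify the Istio CA pod is running in the namespace where istio-auth.yaml was applied" so the two files agree. Second, the whole "Disabling Istio Auth" section is dropped with no replacement and the commit message only mentions removing the per-cluster CA; either keep a short pointer (delete `istio-auth.yaml`, apply `istio.yaml`, redeploy the application with `kubectl replace -f <(istioctl kube-inject -f <your-app-spec>.yaml)`) or say in the commit message that disabling is intentionally undocumented now. Third, "choose 'enable Istio Auth feature' at step 5 in 'Installation steps'" is a brittle reference to a renumberable list; link to the option by its heading text instead. Fourth, "If you see *ssl_context* lines in the output, the proxy has enabled Istio Auth" overstates what the check proves: the grep shows the listener is configured for TLS, not that plaintext requests are rejected, so add a sentence pointing to the curl-based "Testing Istio Auth" section as the step that confirms enforcement. Minor grammar: "The following commands verifies" should be "The following commands verify".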