rbac: add rbac tcp task. (#2588)

2018-10-02 19:51:53 -07:00 · 2018-10-02 19:51:53 -07:00 · d85999dd98
parent 27fa255e3a
commit d85999dd98
4 changed files with 228 additions and 5 deletions
--- a/content/blog/2018/istio-authorization/index.md
+++ b/content/blog/2018/istio-authorization/index.md
@ -77,7 +77,7 @@ through IP. You can still use Istio authorization to control which IP addresses

 ## Examples

-The [authorization task](/docs/tasks/security/role-based-access-control/) shows you how to
+The [authorization task](/docs/tasks/security/authz-http/) shows you how to
 use Istio's authorization feature to control namespace level and service level access using the
 [Bookinfo application](/docs/examples/bookinfo/). In this section, you'll see more examples on how to achieve
 micro-segmentation with Istio authorization.
--- a/content/docs/tasks/security/role-based-access-control/index.md
+++ b/content/docs/tasks/security/role-based-access-control/index.md
@ -1,12 +1,14 @@
 ---
-title: Authorization
-description: Shows how to set up role-based access control for services in the mesh.
+title: Authorization for HTTP services
+description: Shows how to set up role-based access control for HTTP services.
 weight: 40
 keywords: [security,access-control,rbac,authorization]
+aliases:
+    - /docs/tasks/security/role-based-access-control.html
 ---

 This task covers the activities you might need to perform to set up Istio authorization, also known
-as Istio Role Based Access Control (RBAC), for services in an Istio mesh. You can read more in
+as Istio Role Based Access Control (RBAC), for HTTP services in an Istio mesh. You can read more in
 [authorization](/docs/concepts/security/#authorization) and get started with
 a basic tutorial in Istio Security Basics.

--- a/content/docs/tasks/security/authz-tcp/index.md
+++ b/content/docs/tasks/security/authz-tcp/index.md
@ -0,0 +1,221 @@
+---
+title: Authorization for TCP services
+description: Shows how to set up role-based access control for TCP services.
+weight: 40
+keywords: [security,access-control,rbac,tcp,authorization]
+---
+
+This task covers the activities you might need to perform to set up Istio authorization, also known
+as Istio Role Based Access Control (RBAC), for TCP services in an Istio mesh. You can learn more about
+the Istio authorization in the [authorization concept page](/docs/concepts/security/#authorization).
+
+## Before you begin
+
+The activities in this task assume that you:
+
+* Read the [authorization concept](/docs/concepts/security/#authorization).
+
+* Follow the instructions in the [quick start](/docs/setup/kubernetes/quick-start/) to install Istio on
+  Kubernetes **with authentication enabled**.
+
+* Enable mutual TLS (mTLS) authentication when running the [installation steps](/docs/setup/kubernetes/quick-start/#installation-steps).
+
+The commands used in this task assume the Bookinfo example application is deployed in the default
+namespace. To specify a namespace other than the default namespace, use the `-n` option in the command.
+
+## Installing and configuring a TCP service
+
+By default, the [Bookinfo](/docs/examples/bookinfo/) example application only includes HTTP services.
+To show how Istio handles the authorization of TCP services, we must update the application to use a
+TCP service. Follow this procedure to deploy the Bookinfo example app and update its `ratings` service
+to the `v2` version, which talks to a MongoDB backend using TCP.
+
+### Prerequisites
+
+Deploy the [Bookinfo](/docs/examples/bookinfo/) sample application.
+
+After deploying the Bookinfo application, go to the Bookinfo product page at `http://$GATEWAY_URL/productpage`. On
+the product page, you can see:
+
+* The **Book Details** section on the lower left of the page includes book type, number of
+  pages, publisher, etc.
+* The **Book Reviews** section on the lower right of the page.
+
+When you refresh the page, the app shows different versions of reviews in the product page.
+The app presents the reviews in a round robin style: red stars, black stars, or no stars.
+
+### Installing a service using a service account
+
+1. Install `v2` of the `ratings` service with service account `bookinfo-ratings-v2`:
+
+    Istio cryptographically authenticates service accounts in the mesh. To give different services
+    different access privileges, we must create a `v2` version of the `ratings` service using the
+    `bookinfo-ratings-v2` service account. Other services use the `default` service account.
+
+    * To create the service account and configure the new version of the service for a cluster
+      **with** automatic sidecar injection enabled:
+
+        {{< text bash >}}
+        $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@
+        {{< /text >}}
+
+    * To create the service account and configure the new version of the service for a cluster
+      **without** automatic sidecar injection enabled:
+
+        {{< text bash >}}
+        $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@)
+        {{< /text >}}
+
+### Configure the application to use the new version of the service
+
+The Bookinfo application can use multiple versions of each service. Istio requires you to define
+a service subset for each version. You must also define the load balancing policy for each subset.
+To define the subsets and their load balancing policies, you must create appropriate destination rules.
+
+1. Create the appropriate destination rules:
+
+    {{< text bash >}}
+    $ kubectl apply -f @samples/bookinfo/networking/destination-rule-all-mtls.yaml@
+    {{< /text >}}
+
+    Since the subset referenced in the virtual service rules relies on the destination rules,
+    wait a few seconds for the destination rules to propagate before adding the virtual service rules.
+
+1. After the destination rules propagate, update the `reviews` service to only use the `v2` of the `ratings` service:
+
+    {{< text bash >}}
+    $ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
+    {{< /text >}}
+
+1. Go to the Bookinfo product page at (`http://$GATEWAY_URL/productpage`).
+
+    On the product page, you can see an error message on the **Book Reviews** section.
+    The message reads: **"Ratings service is currently unavailable."**. The message appears because we
+    switched to use the `v2` subset of the `ratings` service without deploying the MongoDB service.
+
+1. Deploy the MongoDB service:
+
+    * To deploy MongoDB in a cluster **with** automatic sidecar injection enabled:
+
+        {{< text bash >}}
+        $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@
+        {{< /text >}}
+
+    * To deploy MongoDB in a cluster **without** automatic sidecar injection enabled:
+
+        {{< text bash >}}
+        $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@)
+        {{< /text >}}
+
+1. Go to the Bookinfo product page at `http://$GATEWAY_URL/productpage`.
+
+1. Verify that the **Book Reviews** section shows the reviews.
+
+## Enabling Istio authorization
+
+Run the following command to enable Istio authorization for the MongoDB service:
+
+{{< text bash >}}
+$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@
+{{< /text >}}
+
+Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`).  You should see:
+
+* The **Book Details** section on the lower left of the page includes book type, number of pages, publisher, etc.
+* The **Book Reviews** section on the lower right of the page includes an error message **"Ratings service is
+  currently unavailable"**.
+
+This is because Istio authorization is "deny by default", which means that you need to explicitly
+define access control policies to grant access to the MongoDB service.
+
+> There may be some delays due to caching and other propagation overhead.
+
+## Enforcing Service-level access control
+
+Now let's set up service-level access control using Istio authorization to allow `v2` of `ratings`
+to access the MongoDB service.
+
+1. Run the following command to apply the authorization policy:
+
+    {{< text bash >}}
+    $ kubectl apply -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@
+    {{< /text >}}
+
+    The step above does the following:
+
+    * Creates a service role "mongodb-viewer" which allows access to the port 27017 of the MongoDB service.
+
+        {{< text yaml >}}
+        apiVersion: "rbac.istio.io/v1alpha1"
+        kind: ServiceRole
+        metadata:
+          name: mongodb-viewer
+          namespace: default
+        spec:
+          rules:
+          - services: ["mongodb.default.svc.cluster.local"]
+            constraints:
+            - key: "destination.port"
+              values: ["27017"]
+        {{< /text >}}
+
+    * Creates a service role binding `bind-mongodb-viewer` which assigns the "mongodb-viewer" role to "bookinfo-ratings-v2".
+
+        {{< text yaml >}}
+        apiVersion: "rbac.istio.io/v1alpha1"
+        kind: ServiceRoleBinding
+        metadata:
+          name: bind-mongodb-viewer
+          namespace: default
+        spec:
+          subjects:
+          - user: "cluster.local/ns/default/sa/bookinfo-ratings-v2"
+          roleRef:
+            kind: ServiceRole
+            name: "mongodb-viewer"
+        {{< /text >}}
+
+    Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`).  You should see:
+
+    * The **Book Details** section on the lower left of the page includes book type, number of pages, publisher, etc.
+    * The **Book Reviews** section on the lower right of the page includes red stars.
+
+    > There may be some delays due to caching and other propagation overhead.
+
+1. To confirm the MongoDB service can only be accessed by service account `bookinfo-ratings-v2`:
+
+    Run the following command to re-deploy the `v2` of `ratings` with service account `default`:
+
+    {{< text bash >}}
+    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@
+    $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
+    {{< /text >}}
+
+    Point your browser at the Bookinfo `productpage` (`http://$GATEWAY_URL/productpage`).  You should see:
+
+    * The **Book Details** section on the lower left of the page includes book type, number of pages, publisher, etc.
+    * The **Book Reviews** section on the lower right of the page includes an error message **"Ratings
+      service is currently unavailable"**.
+
+    > There may be some delays due to caching and other propagation overhead.
+
+## Cleanup
+
+*   Remove Istio authorization policy configuration:
+
+    {{< text bash >}}
+    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@
+    {{< /text >}}
+
+    Alternatively, you can delete all service role and service role binding resources by running the following commands:
+
+    {{< text bash >}}
+    $ kubectl delete servicerole --all
+    $ kubectl delete servicerolebinding --all
+    {{< /text >}}
+
+*   Disable Istio authorization:
+
+    {{< text bash >}}
+    $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@
+    {{< /text >}}
--- a/content/docs/tasks/security/mtls-migration/index.md
+++ b/content/docs/tasks/security/mtls-migration/index.md
@ -157,7 +157,7 @@ $ for from in "foo" "bar" "legacy"; do kubectl exec $(kubectl get pod -l app=sle

 If you can't migrate all your services to Istio (injecting Envoy sidecar), you have to stay at `PERMISSIVE` mode.
 However, when configured with `PERMISSIVE` mode, no authentication or authorization checks will be performed for the plain text traffic by default.
-We recommend to use [RBAC](/docs/tasks/security/role-based-access-control/) to configure different paths with different authorization policies.
+We recommend you use [Istio Authorization](/docs/tasks/security/authz-http/) to configure different paths with different authorization policies.

 ## Cleanup