istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.2/docs/tasks/security/mutual-tls.html

21 lines
20 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Testing Istio mutual TLS authentication"><meta name="og:title" content="Testing Istio mutual TLS authentication"><meta name="og:image" content="/v0.2/img/logo.png"/><meta name="description" content="This task shows you how to verify and test Istio's automatic mutual TLS authentication."><meta name="og:description" content="This task shows you how to verify and test Istio's automatic mutual TLS authentication."><title>Istioldie 0.2 / Testing Istio mutual TLS authentication</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.2/feed.xml"><link rel="apple-touch-icon" href="/v0.2/favicons/apple-touch-icon.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.2/favicons/android-chrome-96x96.png" sizes="96x96" ><link rel="icon" type="image/png" href="/v0.2/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.2/favicons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/v0.2/favicons/manifest.json"><link rel="mask-icon" href="/v0.2/favicons/safari-pinned-tab.svg" color="#2DA6B0"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/v0.2/favicons/mstile-150x150.png"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><link rel="stylesheet" href="/v0.2/css/all.css"><link rel="stylesheet" href="/v0.2/css/prism.css"> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script></head><body class="language-unknown"><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.2/"><div> <img src="/v0.2/img/logo.png" alt="Istio" width="36px" height="54px"/> <span class="brand-name">Istioldie 0.2</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.2/about/" >About</a></li><li><a href="/v0.2/docs/" class='current'>Docs</a></li><li><a href="/v0.2/blog/" >Blog</a></li><li><a href="/v0.2/community/" >Community</a></li><li><a href="/v0.2/faq/" >FAQ</a></li><li class="dropdown"><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" class="form-control" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.2/docs/">Welcome</a></li><li role="presentation" ><a href="/v0.2/docs/concepts/">Concepts</a></li><li role="presentation" ><a href="/v0.2/docs/setup/">Setup</a></li><li role="presentation" class='active'><a href="/v0.2/docs/tasks/">Tasks</a></li><li role="presentation" ><a href="/v0.2/docs/guides/">Guides</a></li><li role="presentation" ><a href="/v0.2/docs/reference/">Reference</a></li></ul></div></div></div><script src="/v0.2/js/navtree.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="doc-side-nav"><li><h5 class='doc-side-nav-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "index.md", ], url: "/docs/tasks/", title: "Tasks", order: 20, overview: "Tasks show you how to do a single specific targeted activity with the Istio system."}); docs.push({path: [ "policy-enforcement", "faq.md", ], url: "/docs/tasks/policy-enforcement/faq.html", title: "FAQ", order: 100, overview: "Common issues, known limitations and work arounds, and other frequently asked questions on this topic."}); docs.push({path: [ "policy-enforcement", "index.md", ], url: "/docs/tasks/policy-enforcement/", title: "Policy Enforcement", order: 20, overview: "Describes tasks that demonstrate policy enforcement features."}); docs.push({path: [ "policy-enforcement", "rate-limiting.md", ], url: "/docs/tasks/policy-enforcement/rate-limiting.html", title: "Enabling Rate Limits", order: 10, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "security", "basic-access-control.md", ], url: "/docs/tasks/security/basic-access-control.html", title: "Setting up Basic Access Control", order: 20, overview: "This task shows how to control access to a service using the Kubernetes labels."}); docs.push({path: [ "security", "faq.md", ], url: "/docs/tasks/security/faq.html", title: "FAQ", order: 100, overview: "Common issues, known limitations and work arounds, and other frequently asked questions on this topic."}); docs.push({path: [ "security", "index.md", ], url: "/docs/tasks/security/", title: "Security", order: 40, overview: "Describes tasks that help securing the service mesh traffic."}); docs.push({path: [ "security", "mutual-tls.md", ], url: "/docs/tasks/security/mutual-tls.html", title: "Testing Istio mutual TLS authentication", order: 10, overview: "This task shows you how to verify and test Istio's automatic mutual TLS authentication."}); docs.push({path: [ "security", "plugin-ca-cert.md", ], url: "/docs/tasks/security/plugin-ca-cert.html", title: "Plugging in CA certificate and key", order: 40, overview: "This task shows how operators can plug existing certificate and key into Istio CA."}); docs.push({path: [ "security", "secure-access-control.md", ], url: "/docs/tasks/security/secure-access-control.html", title: "Setting up Secure Access Control", order: 30, overview: "This task shows how to securely control access to a service using service accounts."}); docs.push({path: [ "telemetry", "distributed-tracing.md", ], url: "/docs/tasks/telemetry/distributed-tracing.html", title: "Distributed Tracing", order: 10, overview: "How to configure the proxies to send tracing requests to Zipkin or Jaeger"}); docs.push({path: [ "telemetry", "faq.md", ], url: "/docs/tasks/telemetry/faq.html", title: "FAQ", order: 100, overview: "Common issues, known limitations and work arounds, and other frequently asked questions on this topic."}); docs.push({path: [ "telemetry", "index.md", ], url: "/docs/tasks/telemetry/", title: "Metrics, Logs, and Traces", order: 30, overview: "Describes tasks that demonstrate how to collect telemetry information from the service mesh."}); docs.push({path: [ "telemetry", "metrics-logs.md", ], url: "/docs/tasks/telemetry/metrics-logs.html", title: "Collecting Metrics and Logs", order: 20, overview: "This task shows you how to configure Istio to collect metrics and logs."}); docs.push({path: [ "telemetry", "querying-metrics.md", ], url: "/docs/tasks/telemetry/querying-metrics.html", title: "Querying Metrics from Prometheus", order: 30, overview: "This task shows you how to query for Istio Metrics using Prometheus."}); docs.push({path: [ "telemetry", "servicegraph.md", ], url: "/docs/tasks/telemetry/servicegraph.html", title: "Generating a Service Graph", order: 50, overview: "This task shows you how to generate a graph of services within an Istio mesh."}); docs.push({path: [ "telemetry", "tcp-metrics.md", ], url: "/docs/tasks/telemetry/tcp-metrics.html", title: "Collecting Metrics for TCP services", order: 25, overview: "This task shows you how to configure Istio to collect metrics for TCP services."}); docs.push({path: [ "telemetry", "using-istio-dashboard.md", ], url: "/docs/tasks/telemetry/using-istio-dashboard.html", title: "Visualizing Metrics with Grafana", order: 40, overview: "This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic."}); docs.push({path: [ "traffic-management", "egress.md", ], url: "/docs/tasks/traffic-management/egress.html", title: "Control Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: [ "traffic-management", "faq.md", ], url: "/docs/tasks/traffic-management/faq.html", title: "FAQ", order: 100, overview: "Common issues, known limitations and work arounds, and other frequently asked questions on this topic."}); docs.push({path: [ "traffic-management", "fault-injection.md", ], url: "/docs/tasks/traffic-management/fault-injection.html", title: "Fault Injection", order: 20, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "traffic-management", "index.md", ], url: "/docs/tasks/traffic-management/", title: "Traffic Management", order: 10, overview: "Describes tasks that demonstrate traffic routing features of Istio service mesh."}); docs.push({path: [ "traffic-management", "ingress.md", ], url: "/docs/tasks/traffic-management/ingress.html", title: "Istio Ingress Controller", order: 30, overview: "Describes how to configure the Istio ingress controller on Kubernetes."}); docs.push({path: [ "traffic-management", "request-routing.md", ], url: "/docs/tasks/traffic-management/request-routing.html", title: "Configuring Request Routing", order: 10, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "traffic-management", "request-timeouts.md", ], url: "/docs/tasks/traffic-management/request-timeouts.html", title: "Setting Request Timeouts", order: 28, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "traffic-management", "traffic-shifting.md", ], url: "/docs/tasks/traffic-management/traffic-shifting.html", title: "Traffic Shifting", order: 25, overview: "This task shows you how to migrate traffic from an old to new version of a service."}); genNavBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"></a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Testing Istio mutual TLS authentication</h1><p>Through this task, you will learn how to:</p><ul><li><p>Verify the Istio mutual TLS Authentication setup</p></li><li><p>Manually test the authentication</p></li></ul><h2 id="before-you-begin">Before you begin</h2><p>This task assumes you have a Kubernetes cluster:</p><ul><li>Installed Istio with mutual TLS authentication by following <a href="/v0.2/docs/setup/kubernetes/quick-start.html">the Istio installation task</a>. Note to choose “enable Istio mutual TLS Authentication feature” at step 5 in “<a href="/v0.2/docs/setup/kubernetes/quick-start.html#installation-steps">Installation steps</a>”.</li></ul><h2 id="verifying-istios-mutual-tls-authentication-setup">Verifying Istios mutual TLS authentication setup</h2><p>The following commands assume the services are deployed in the default namespace. Use the parameter <em>-n yournamespace</em> to specify a namespace other than the default one.</p><h3 id="verifying-istio-ca">Verifying Istio CA</h3><p>Verify the cluster-level CA is running:</p><pre><code class="language-bash">kubectl get deploy -l istio=istio-ca -n istio-system
</code></pre><pre><code class="language-bash">NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
istio-ca 1 1 1 1 1m
</code></pre><p>Istio CA is up if the “AVAILABLE” column is 1.</p><h3 id="verifying-service-configuration">Verifying service configuration</h3><ol><li><p>Verify AuthPolicy setting in ConfigMap.</p><pre><code class="language-bash">kubectl get configmap istio -o yaml -n istio-system | grep authPolicy | head -1
</code></pre><p>Istio mutual TLS authentication is enabled if the line <code>authPolicy: MUTUAL_TLS</code> is uncommented (doesnt have a <code>#</code>).</p></li></ol><h2 id="testing-the-authentication-setup">Testing the authentication setup</h2><p>When running Istio with mutual TLS authentication turned on, you can use curl in one services envoy to send request to other services. For example, after starting the <a href="/v0.2/docs/guides/bookinfo.html">BookInfo</a> sample application you can ssh into the envoy container of <code>productpage</code> service, and send request to other services by curl.</p><p>There are several steps:</p><ol><li>get the productpage pod name<pre><code class="language-bash">kubectl get pods -l app=productpage
</code></pre><pre><code class="language-bash">NAME READY STATUS RESTARTS AGE
productpage-v1-4184313719-5mxjc 2/2 Running 0 23h
</code></pre><p>Make sure the pod is “Running”.</p></li><li>ssh into the envoy container<pre><code class="language-bash">kubectl exec -it productpage-v1-4184313719-5mxjc -c istio-proxy /bin/bash
</code></pre></li><li>make sure the key/cert is in /etc/certs/ directory<pre><code class="language-bash">ls /etc/certs/
</code></pre><pre><code class="language-bash">cert-chain.pem key.pem root-cert.pem
</code></pre><p>Note that cert-chain.pem is envoys cert that needs to present to the other side. key.pem is envoys private key paired with cert-chain.pem. root-cert.pem is the root cert to verify the other sides cert. Currently we only have one CA, so all envoys have the same root-cert.pem.</p></li><li>send requests to another service, for example, details.<pre><code class="language-bash">curl https://details:9080/details/0 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k
</code></pre><pre><code class="language-bash">...
&lt; HTTP/1.1 200 OK
&lt; content-type: text/html; charset=utf-8
&lt; content-length: 1867
&lt; server: envoy
&lt; date: Thu, 11 May 2017 18:59:42 GMT
&lt; x-envoy-upstream-service-time: 2
...
</code></pre></li></ol><p>The service name and port are defined <a href="https://github.com/istio/istio/blob/master/samples/bookinfo/kube/bookinfo.yaml">here</a>.</p><p>Note that Istio uses <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account">Kubernetes service account</a> as service identity, which offers stronger security than service name (refer <a href="/v0.2/docs/concepts/security/mutual-tls.html#identity">here</a> for more information). Thus the certificates used in Istio do not have service name, which is the information that curl needs to verify server identity. As a result, we use curl option -k to prevent the curl client from verifying service identity in servers (i.e., productpage) certificate. Please check secure naming <a href="/v0.2/docs/concepts/security/mutual-tls.html#workflow">here</a> for more information about how the client verifies the servers identity in Istio.</p><h2 id="further-reading">Further reading</h2><ul><li>Learn more about the design principles behind Istios automatic mTLS authentication between all services in this <a href="/v0.2/blog/istio-auth-for-microservices.html">blog</a>.</li></ul></div></div></div></div></div></div><script src="/v0.2/js/sidemenu.js"></script><footer><div class="container"><div class="row"><div class="col-md-2"></div><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Docs</p><li><a href="/v0.2/docs/">Welcome</a></li><li><a href="/v0.2/docs/concepts">Concepts</a></li><li><a href="/v0.2/docs/setup">Setup</a></li><li><a href="/v0.2/docs/tasks">Tasks</a></li><li><a href="/v0.2/docs/guides">Guides</a></li><li><a href="/v0.2/docs/reference">Reference</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Resources</p><li><a href="/v0.2/faq">Frequently Asked Questions</a></li><li><a href="/v0.2/troubleshooting">Troubleshooting Guide</a></li><li><a href="/v0.2/bugs">Report a Bug</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/tasks/security/mutual-tls.md">Report a Doc Issue</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/security/mutual-tls.md">Edit This Page on GitHub</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Community</p><li><a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank"><span class="group">User</span></a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank">Dev</a> | <a href="https://github.com/istio/istio/blob/master/GROUPS.md#working-groups" target="_blank">Working Group Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank"><span class="twitter">Twitter</span></a></li><li><a href="https://github.com/istio/istio" target="_blank"><span class="github">GitHub</span></a></li></ul></div><div class="col-md-1"></div></div><div class="row"><p class="description small text-center"> Istio 0.2, Copyright &copy; 2017 Istio Authors<br> Archived on 12-Nov-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.form/4.2.1/jquery.form.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-visible/1.2.0/jquery.visible.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <script src="/v0.2/js/common.js"></script> <script src="/v0.2/js/buttons.js"></script> <script src="/v0.2/js/search.js"></script> <script src="/v0.2/js/prism.js"></script></body></html>
Reference in New Issue View Git Blame Copy Permalink