<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Testing Istio Auth"><meta name="og:title" content="Testing Istio Auth"><meta name="og:image" content="/v0.1/img/logo.png"/><meta name="description" content="This task shows you how to verify and test Istio-Auth."><meta name="og:description" content="This task shows you how to verify and test Istio-Auth."><title>Istioldie 0.1 / Testing Istio Auth</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link href='https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic' rel='stylesheet' type='text/css'><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.1/feed.xml"><link rel="apple-touch-icon" href="/v0.1/favicons/apple-touch-icon.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.1/favicons/android-chrome-96x96.png" sizes="96x96" ><link rel="icon" type="image/png" href="/v0.1/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.1/favicons/favicon-16x16.png" sizes="16x16"><link rel="manifest" href="/v0.1/favicons/manifest.json"><link rel="mask-icon" href="/v0.1/favicons/safari-pinned-tab.svg" color="#2DA6B0"><meta name="msapplication-TileColor" content="#ffffff"><meta name="msapplication-TileImage" content="/v0.1/favicons/mstile-150x150.png"><link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.1/css/bootstrap.min.css" rel="stylesheet"><link rel="stylesheet" href="/v0.1/css/all.css"><link rel="stylesheet" href="/v0.1/css/prism.css"><link rel="stylesheet" 
href="https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css"> <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script></head><body class="language-unknown"><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.1/"><div> <img src="/v0.1/img/logo.png" alt="Istio" width="36px" height="54px"/> <span class="brand-name">Istioldie 0.1</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.1/about/" >About</a></li><li><a href="/v0.1/docs/" class='current'>Docs</a></li><li><a href="/v0.1/blog/" >Blog</a></li><li><a href="/v0.1/community/" >Community</a></li><li><a href="/v0.1/faq/" >FAQ</a></li><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" 
class="form-control" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.1/docs/index.html">Welcome</a></li><li role="presentation" ><a href="/v0.1/docs/concepts/index.html">Concepts</a></li><li role="presentation" class='active'><a href="/v0.1/docs/tasks/index.html">Tasks</a></li><li role="presentation" ><a href="/v0.1/docs/samples/index.html">Samples</a></li><li role="presentation" ><a href="/v0.1/docs/reference/index.html">Reference</a></li></ul></div></div></div><script src="/v0.1/js/navtree.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="doc-side-nav"><li><h5 class='doc-side-nav-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "basic-access-control.md", ], url: "/docs/tasks/basic-access-control.html", title: "Enabling Simple Access Control", order: 90, overview: "This task shows how to use Istio to control access to a service."}); docs.push({path: [ "egress.md", ], url: "/docs/tasks/egress.html", title: "Enabling Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: [ "fault-injection.md", ], url: "/docs/tasks/fault-injection.html", title: "Fault Injection", order: 60, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "index.md", ], url: "/docs/tasks/index.html", title: "Tasks", order: 20, overview: "Tasks show you how to 
do a single specific targeted activity with the Istio system."}); docs.push({path: [ "ingress.md", ], url: "/docs/tasks/ingress.html", title: "Enabling Ingress Traffic", order: 30, overview: "Describes how to configure Istio to expose a service outside of the service mesh."}); docs.push({path: [ "installing-istio.md", ], url: "/docs/tasks/installing-istio.html", title: "Installing Istio", order: 10, overview: "This task shows you how to setup the Istio service mesh."}); docs.push({path: [ "integrating-services-into-istio.md", ], url: "/docs/tasks/integrating-services-into-istio.html", title: "Integrating Services into the Mesh", order: 20, overview: "This task shows you how to integrate your applications with the Istio service mesh."}); docs.push({path: [ "istio-auth.md", ], url: "/docs/tasks/istio-auth.html", title: "Testing Istio Auth", order: 100, overview: "This task shows you how to verify and test Istio-Auth."}); docs.push({path: [ "metrics-logs.md", ], url: "/docs/tasks/metrics-logs.html", title: "Collecting Metrics and Logs", order: 110, overview: "This task shows you how to configure Mixer to collect metrics and logs from Envoy instances."}); docs.push({path: [ "rate-limiting.md", ], url: "/docs/tasks/rate-limiting.html", title: "Enabling Rate Limits", order: 80, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "request-routing.md", ], url: "/docs/tasks/request-routing.html", title: "Configuring Request Routing", order: 50, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "request-timeouts.md", ], url: "/docs/tasks/request-timeouts.html", title: "Setting Request Timeouts", order: 70, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "zipkin-tracing.md", ], url: "/docs/tasks/zipkin-tracing.html", title: "Distributed Request Tracing", order: 120, overview: 
"How to configure the proxies to send tracing requests to Zipkin"}); genNavBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"></a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Testing Istio Auth</h1><p>Through this task, you will learn how to:</p><ul><li><p>Verify Istio Auth setup</p></li><li><p>Manually test Istio Auth</p></li></ul><h2 id="before-you-begin">Before you begin</h2><p>This task assumes you have:</p><ul><li>Installed Istio with Auth by following <a href="/v0.1/docs/tasks/installing-istio.html">the Istio installation task</a>. Note to choose “enable Istio Auth feature” at step 5 in “<a href="/v0.1/docs/tasks/installing-istio.html#installation-steps">Installation steps</a>”.</li></ul><h2 id="verifying-istio-auth-setup">Verifying Istio Auth setup</h2><p>The following commands assume the services are deployed in the default namespace. Use the parameter <em>-n yournamespace</em> to specify a namespace other than the default one.</p><h3 id="verifying-istio-ca">Verifying Istio CA</h3><p>Verify the cluster-level CA is running:</p><pre><code class="language-bash">kubectl get deploy -l istio=istio-ca
</code></pre><pre><code class="language-bash">NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
istio-ca 1 1 1 1 1m
</code></pre><p>Istio CA is up if the “AVAILABLE” column shows 1.</p><h3 id="verifying-service-configuration">Verifying service configuration</h3><ol><li><p>Verify the AuthPolicy setting in the ConfigMap.</p><pre><code class="language-bash">kubectl get configmap istio -o yaml | grep authPolicy | head -1
</code></pre><p>Istio Auth is enabled if the line <code>authPolicy: MUTUAL_TLS</code> is uncommented.</p></li><li><p>Check that Istio Auth is enabled on the Envoy proxies.</p><p>When Istio Auth is enabled for a pod, the <em>ssl_context</em> stanzas should be present in the pod’s proxy config. The following command verifies that the proxy config on <em>app-pod</em> has <em>ssl_context</em> configured:</p><pre><code class="language-bash">kubectl exec &lt;app-pod&gt; -c proxy -- ls /etc/envoy
</code></pre><p>The output should contain the config file “envoy-rev&lt;X&gt;.json”. Use that file name in the following command:</p><pre><code class="language-bash">kubectl exec &lt;app-pod&gt; -c proxy -- cat /etc/envoy/envoy-rev&lt;X&gt;.json | grep ssl_context
</code></pre><p>If you see <em>ssl_context</em> lines in the output, the proxy has Istio Auth enabled.</p></li></ol><h2 id="testing-istio-auth">Testing Istio Auth</h2><p>When running Istio auth-enabled services, you can use curl from one service’s envoy to send requests to other services. For example, after starting the <a href="/v0.1/docs/samples/bookinfo.html">BookInfo</a> sample application you can open a shell in the envoy container of the <code>productpage</code> service and send requests to other services with curl.</p><p>There are several steps:</p><ol><li>Get the productpage pod name<pre><code class="language-bash">kubectl get pods -l app=productpage
</code></pre><pre><code class="language-bash">NAME READY STATUS RESTARTS AGE
productpage-v1-4184313719-5mxjc 2/2 Running 0 23h
</code></pre><p>Make sure the pod is “Running”.</p></li><li>Open a shell in the envoy container, using the pod name from the previous step<pre><code class="language-bash">kubectl exec -it productpage-v1-4184313719-5mxjc -c proxy /bin/bash
</code></pre></li><li>Make sure the key and certificates are in the /etc/certs/ directory<pre><code class="language-bash">ls /etc/certs/
</code></pre><pre><code class="language-bash">cert-chain.pem key.pem root-cert.pem
</code></pre><p>Note that <code>cert-chain.pem</code> is the certificate that envoy presents to the other side. <code>key.pem</code> is envoy’s private key paired with <code>cert-chain.pem</code>. <code>root-cert.pem</code> is the root certificate used to verify the other side’s certificate. Currently there is only one CA, so all envoys have the same <code>root-cert.pem</code>.</p></li><li>Send requests to another service, for example, details.<pre><code class="language-bash">curl https://details:9080 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k
</code></pre><pre><code class="language-bash">...
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< content-length: 1867
< server: envoy
< date: Thu, 11 May 2017 18:59:42 GMT
< x-envoy-upstream-service-time: 2
...
</code></pre></li></ol><p>The service name and port are defined <a href="https://github.com/istio/istio/blob/master/samples/apps/bookinfo/bookinfo.yaml">here</a>.</p><p>Note that Istio uses the <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account">Kubernetes service account</a> as the service identity, which offers stronger security than the service name (refer <a href="/v0.1/docs/concepts/network-and-auth/auth.html#identity">here</a> for more information). Thus the certificates used in Istio do not contain the service name, which is the information that curl needs to verify the server’s identity. As a result, the curl option <code>-k</code> is used to prevent the curl client from verifying the service identity in the server’s (i.e., productpage) certificate; this manual test therefore only shows that the client certificate was presented and accepted, not that the server’s identity was verified. Please check secure naming <a href="/v0.1/docs/concepts/network-and-auth/auth.html#workflow">here</a> for more information about how the client verifies the server’s identity in Istio.</p></div></div></div></div></div></div><script src="/v0.1/js/sidemenu.js"></script><footer><div class="container"><div class="row"><div class="col-md-2"></div><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Docs</p><li><a href="/v0.1/docs/">Welcome</a></li><li><a href="/v0.1/docs/concepts">Concepts</a></li><li><a href="/v0.1/docs/tasks">Tasks</a></li><li><a href="/v0.1/docs/samples">Samples</a></li><li><a href="/v0.1/docs/reference">Reference</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Resources</p><li><a href="/v0.1/faq">Frequently Asked Questions</a></li><li><a href="/v0.1/troubleshooting">Troubleshooting Guide</a></li><li><a href="/v0.1/bugs">Report a Bug</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/tasks/istio-auth.md">Report a Doc Issue</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/istio-auth.md">Edit This 
Page on GitHub</a></li></ul></div><hr class="footer-sections" /><div class="col-md-3 col-sm-4 col-xs-12 center-block"><ul class="toggle"><p class="header">Community</p><li><a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank"><span class="group">User</span></a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank"><span class="twitter">Twitter</span></a></li><li><a href="https://github.com/istio/istio" target="_blank"><span class="github">GitHub</span></a></li></ul></div><div class="col-md-1"></div></div><div class="row"><p class="description small text-center"> Copyright © 2017 Istio Authors<br> Istio 0.1<br> Archived on 20-Jul-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="/v0.1/js/jquery.form.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.1/js/bootstrap.min.js"></script> <script src="/v0.1/js/slick.min.js"></script> <script src="/v0.1/js/jquery.visible.min.js"></script> <script src="/v0.1/js/common.js" type="text/javascript" charset="utf-8"></script> <script src="/v0.1/js/buttons.js"></script> <script src="/v0.1/js/search.js"></script> <script src="/v0.1/js/prism.js"></script></body></html>