mirror of https://github.com/istio/istio.io.git
244 lines
64 KiB
HTML
244 lines
64 KiB
HTML
<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Provisioning Identity through SDS"><meta name=description content="Shows how to enable SDS (secret discovery service) for Istio identity provisioning."><meta name=keywords content=microservices,services,mesh,security,auth-sds><meta property=og:title content="Provisioning Identity through SDS"><meta property=og:type content=website><meta property=og:description content="Shows how to enable SDS (secret discovery service) for Istio identity provisioning."><meta property=og:url content=/v1.1/docs/tasks/security/auth-sds/><meta property=og:image content=/v1.1/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.1 / Provisioning Identity through SDS</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
|
|
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.1/feed.xml><link rel="shortcut icon" href=/v1.1/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.1/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.1/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.1/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.1/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.1/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.1/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.1/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.1/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.1/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.1/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.1/css/all.css></head><body class="language-unknown archive-site"><script src=/v1.1/js/themes_init.min.js></script><script>const branchName="release-1.1";const docTitle="Provisioning Identity through SDS";const iconFile="\/v1.1/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.1/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.1/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.1</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#hamburger"/></svg></div><div id=header-links><span title="Learn how to deploy, use, and operate Istio.">Docs</span>
|
|
<a title="Posts about using Istio." href=/v1.1/blog/2019/announcing-1.1.9/>Blog</a>
|
|
<a title="A bunch of resources to help you deploy, configure and use Istio." href=/v1.1/help/>Help</a>
|
|
<a title="Get a bit more in-depth info about the Istio project." href=/v1.1/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
|
|
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
|
|
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/docs\/tasks\/security\/auth-sds\/');return false;">Current Release</a>
|
|
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/docs\/tasks\/security\/auth-sds\/');return false;">Next Release</a>
|
|
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/v1.1/search.html>
|
|
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
|
|
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card19 title="Learn about the different parts of the Istio system and the abstractions it uses." aria-controls=card19-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#concepts"/></svg>Concepts</button><div class=body aria-labelledby=card19 role=region id=card19-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card19><li role=none><a role=treeitem title="Introduces Istio, the problems it solves, its high-level architecture and design goals." href=/v1.1/docs/concepts/what-is-istio/>What is Istio?</a></li><li role=none><a role=treeitem title="Describes the various Istio features focused on traffic routing and control." href=/v1.1/docs/concepts/traffic-management/>Traffic Management</a></li><li role=none><a role=treeitem title="Describes Istio's authorization and authentication functionality." href=/v1.1/docs/concepts/security/>Security</a></li><li role=none><a role=treeitem title="Describes the policy enforcement and telemetry mechanisms." href=/v1.1/docs/concepts/policies-and-telemetry/>Policies and Telemetry</a></li><li role=none><a role=treeitem title="Introduces performance and scalability for Istio." href=/v1.1/docs/concepts/performance-and-scalability/>Performance and Scalability</a></li><li role=none><a role=treeitem title="Describes how a service mesh can be configured to include services from more than one cluster." href=/v1.1/docs/concepts/multicluster-deployments/>Multicluster Deployments</a></li></ul></div></div><div class=card><button class="header dynamic" id=card39 title="How to deploy and upgrade Istio in various environments such as Kubernetes and Consul." aria-controls=card39-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#setup"/></svg>Setup</button><div class=body aria-labelledby=card39 role=region id=card39-body><ul role=tree aria-expanded=true aria-labelledby=card39><li role=treeitem aria-label=Kubernetes><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane on Kubernetes and adding virtual machines into the mesh." href=/v1.1/docs/setup/kubernetes/>Kubernetes</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Prepare><button aria-hidden=true></button><a title="Getting ready for Istio." href=/v1.1/docs/setup/kubernetes/prepare/>Prepare</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Prepare your Kubernetes pods and services to run in an Istio-enabled cluster." href=/v1.1/docs/setup/kubernetes/prepare/requirements/>Pods and Services</a></li><li role=treeitem aria-label="Platform Setup"><button aria-hidden=true></button><a title="How to prepare various Kubernetes platforms before installing Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/>Platform Setup</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to setup an Alibaba Cloud Kubernetes cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup an Azure cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/azure/>Azure</a></li><li role=none><a role=treeitem title="Instructions to setup Docker For Desktop for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/docker/>Docker For Desktop</a></li><li role=none><a role=treeitem title="Instructions to setup a Google Kubernetes Engine cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to setup an IBM Cloud cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/ibm/>IBM Cloud</a></li><li role=none><a role=treeitem title="Instructions to setup Minikube for use with Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/minikube/>Minikube</a></li><li role=none><a role=treeitem title="Instructions to setup an OpenShift cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/openshift/>OpenShift</a></li><li role=none><a role=treeitem title="Instructions to setup an OKE cluster for Istio." href=/v1.1/docs/setup/kubernetes/prepare/platform-setup/oci/>Oracle Cloud Infrastructure</a></li></ul></li></ul></li><li role=none><a role=treeitem title="Download the Istio release and prepare for installation." href=/v1.1/docs/setup/kubernetes/download/>Download</a></li><li role=treeitem aria-label=Install><button aria-hidden=true></button><a title="Choose the flows that best suit your needs and platform." href=/v1.1/docs/setup/kubernetes/install/>Install</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Instructions to install and configure an Istio mesh in a Kubernetes cluster for evaluation." href=/v1.1/docs/setup/kubernetes/install/kubernetes/>Quick Start Evaluation Install</a></li><li role=none><a role=treeitem title="Instructions to install Istio using a Helm chart." href=/v1.1/docs/setup/kubernetes/install/helm/>Customizable Install with Helm</a></li><li role=treeitem aria-label="Multicluster Installation"><button aria-hidden=true></button><a title="Configure an Istio mesh spanning multiple Kubernetes clusters." href=/v1.1/docs/setup/kubernetes/install/multicluster/>Multicluster Installation</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters using Istio Gateway to reach remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/gateways/>Gateway Connectivity</a></li><li role=none><a role=treeitem title="Install an Istio mesh across multiple Kubernetes clusters with direct network access to remote pods." href=/v1.1/docs/setup/kubernetes/install/multicluster/vpn/>VPN Connectivity</a></li></ul></li><li role=treeitem aria-label="Platform-specific Instructions"><button aria-hidden=true></button><a title="Additional installation flows for the supported Kubernetes platforms." href=/v1.1/docs/setup/kubernetes/install/platform/>Platform-specific Instructions</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Instructions to install Istio using the Alibaba Cloud Kubernetes Container Service." href=/v1.1/docs/setup/kubernetes/install/platform/alicloud/>Alibaba Cloud</a></li><li role=none><a role=treeitem title="Instructions to install Istio using the Google Kubernetes Engine (GKE)." href=/v1.1/docs/setup/kubernetes/install/platform/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Instructions to install Istio using IBM Cloud Public or IBM Cloud Private." href=/v1.1/docs/setup/kubernetes/install/platform/ibm/>IBM Cloud</a></li></ul></li></ul></li><li role=treeitem aria-label=Upgrade><button aria-hidden=true></button><a title="Information on upgrading Istio." href=/v1.1/docs/setup/kubernetes/upgrade/>Upgrade</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Important changes operators must understand before upgrading to Istio 1.1." href=/v1.1/docs/setup/kubernetes/upgrade/notice/>1.1 Upgrade Notice</a></li><li role=none><a role=treeitem title="Upgrade the Istio control plane and data plane independently." href=/v1.1/docs/setup/kubernetes/upgrade/steps/>Upgrade Steps</a></li></ul></li><li role=treeitem aria-label="More Guides"><button aria-hidden=true></button><a title="More information on additional setup tasks." href=/v1.1/docs/setup/kubernetes/additional-setup/>More Guides</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the built-in Istio installation configuration profiles." href=/v1.1/docs/setup/kubernetes/additional-setup/config-profiles/>Installation Configuration Profiles</a></li><li role=none><a role=treeitem title="Install the Istio sidecar in application pods automatically using the sidecar injector webhook or manually using istioctl CLI." href=/v1.1/docs/setup/kubernetes/additional-setup/sidecar-injection/>Installing the Sidecar</a></li><li role=none><a role=treeitem title="Install and use Istio with the Istio CNI plugin, allowing operators to deploy services with lower privilege." href=/v1.1/docs/setup/kubernetes/additional-setup/cni/>Install Istio with the Istio CNI plugin</a></li><li role=none><a role=treeitem title="Integrate VMs and bare metal hosts into an Istio mesh deployed on Kubernetes." href=/v1.1/docs/setup/kubernetes/additional-setup/mesh-expansion/>Mesh Expansion</a></li></ul></li></ul></li><li role=treeitem aria-label="Nomad & Consul"><button aria-hidden=true></button><a title="Instructions for installing the Istio control plane in a Consul based environment, with or without Nomad." href=/v1.1/docs/setup/consul/>Nomad & Consul</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Quick Start instructions to setup the Istio service mesh with Docker Compose." href=/v1.1/docs/setup/consul/quick-start/>Quick Start on Docker</a></li><li role=none><a role=treeitem title="Instructions for installing the Istio control plane in a Consul-based environment, with or without Nomad." href=/v1.1/docs/setup/consul/install/>Installation</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card57 title="How to do single specific targeted activities with the Istio system." aria-controls=card57-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#tasks"/></svg>Tasks</button><div class="body default" aria-labelledby=card57 role=region id=card57-body><ul role=tree aria-expanded=true aria-labelledby=card57><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Tasks that demonstrate Istio's traffic routing features." href=/v1.1/docs/tasks/traffic-management/>Traffic Management</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="This task shows you how to configure dynamic request routing to multiple versions of a microservice." href=/v1.1/docs/tasks/traffic-management/request-routing/>Configuring Request Routing</a></li><li role=none><a role=treeitem title="This task shows you how to inject faults to test the resiliency of your application." href=/v1.1/docs/tasks/traffic-management/fault-injection/>Fault Injection</a></li><li role=none><a role=treeitem title="Shows you how to migrate traffic from an old to new version of a service." href=/v1.1/docs/tasks/traffic-management/traffic-shifting/>Traffic Shifting</a></li><li role=none><a role=treeitem title="Shows you how to migrate TCP traffic from an old to new version of a TCP service." href=/v1.1/docs/tasks/traffic-management/tcp-traffic-shifting/>TCP Traffic Shifting</a></li><li role=none><a role=treeitem title="This task shows you how to setup request timeouts in Envoy using Istio." href=/v1.1/docs/tasks/traffic-management/request-timeouts/>Setting Request Timeouts</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh." href=/v1.1/docs/tasks/traffic-management/ingress/>Control Ingress Traffic</a></li><li role=treeitem aria-label="Securing Ingress Gateway"><button aria-hidden=true></button><a title="Secure ingress gateway controllers using various approaches." href=/v1.1/docs/tasks/traffic-management/secure-ingress/>Securing Ingress Gateway</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Expose a service outside of the service mesh over TLS or mTLS." href=/v1.1/docs/tasks/traffic-management/secure-ingress/mount/>Securing Gateways with HTTPS With a File Mount-Based Approach</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to expose a service outside of the service mesh, over TLS or Mutual TLS, using secret discovery service." href=/v1.1/docs/tasks/traffic-management/secure-ingress/sds/>Securing Gateways with HTTPS Using Secret Discovery Service</a></li></ul></li><li role=none><a role=treeitem title="Describes how to configure Istio to route traffic from services in the mesh to external services." href=/v1.1/docs/tasks/traffic-management/egress/>Control Egress Traffic</a></li><li role=none><a role=treeitem title="This task shows you how to configure circuit breaking for connections, requests, and outlier detection." href=/v1.1/docs/tasks/traffic-management/circuit-breaking/>Circuit Breaking</a></li><li role=none><a role=treeitem title="This task demonstrates the traffic mirroring/shadowing capabilities of Istio." href=/v1.1/docs/tasks/traffic-management/mirroring/>Mirroring</a></li></ul></li><li role=treeitem aria-label=Security><button class=show aria-hidden=true></button><a title="Demonstrates how to secure the mesh." href=/v1.1/docs/tasks/security/>Security</a><ul role=group aria-expanded=true class=leaf-section><li role=none><a role=treeitem title="Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication." href=/v1.1/docs/tasks/security/authn-policy/>Authentication Policy</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for HTTP services." href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></li><li role=none><a role=treeitem title="Shows how to set up role-based access control for TCP services." href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></li><li role=none><a role=treeitem title="Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio." href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></li><li role=none><a role=treeitem title="Shows how to use Authorization permissive mode." href=/v1.1/docs/tasks/security/authz-permissive/>Authorization permissive mode</a></li><li role=none><a role=treeitem title="This task shows you how to integrate a Vault Certificate Authority with Istio for mutual TLS." href=/v1.1/docs/tasks/security/vault-ca/>Istio Vault CA Integration</a></li><li role=none><a role=treeitem title="Shows you how to verify and test Istio's automatic mutual TLS authentication." href=/v1.1/docs/tasks/security/mutual-tls/>Mutual TLS Deep-Dive</a></li><li role=none><a role=treeitem title="Shows how operators can configure Citadel with existing root certificate, signing certificate and key." href=/v1.1/docs/tasks/security/plugin-ca-cert/>Plugging in External CA Key and Certificate</a></li><li role=none><a role=treeitem title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.1/docs/tasks/security/health-check/>Citadel Health Checking</a></li><li role=none><span role=treeitem class=current title="Shows how to enable SDS (secret discovery service) for Istio identity provisioning.">Provisioning Identity through SDS</span></li><li role=none><a role=treeitem title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration</a></li><li role=none><a role=treeitem title="Shows how to enable mutual TLS on HTTPS services." href=/v1.1/docs/tasks/security/https-overlay/>Mutual TLS over HTTPS</a></li></ul></li><li role=treeitem aria-label=Policies><button aria-hidden=true></button><a title="Demonstrates policy enforcement features." href=/v1.1/docs/tasks/policy-enforcement/>Policies</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to enable Istio policy enforcement." href=/v1.1/docs/tasks/policy-enforcement/enabling-policy/>Enabling Policy Enforcement</a></li><li role=none><a role=treeitem title="This task shows you how to use Istio to dynamically limit the traffic to a service." href=/v1.1/docs/tasks/policy-enforcement/rate-limiting/>Enabling Rate Limits</a></li><li role=none><a role=treeitem title="Shows how to modify request headers and routing using policy adapters." href=/v1.1/docs/tasks/policy-enforcement/control-headers/>Control Headers and Routing</a></li><li role=none><a role=treeitem title="Shows how to control access to a service using simple denials or white/black listing." href=/v1.1/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a></li></ul></li><li role=treeitem aria-label=Telemetry><button aria-hidden=true></button><a title="Demonstrates how to collect telemetry information from the mesh." href=/v1.1/docs/tasks/telemetry/>Telemetry</a><ul role=group aria-expanded=false><li role=treeitem aria-label=Metrics><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh metrics." href=/v1.1/docs/tasks/telemetry/metrics/>Metrics</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize metrics." href=/v1.1/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect metrics for TCP services." href=/v1.1/docs/tasks/telemetry/metrics/tcp-metrics/>Collecting Metrics for TCP services</a></li><li role=none><a role=treeitem title="This task shows you how to query for Istio Metrics using Prometheus." href=/v1.1/docs/tasks/telemetry/metrics/querying-metrics/>Querying Metrics from Prometheus</a></li><li role=none><a role=treeitem title="This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic." href=/v1.1/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a></li></ul></li><li role=treeitem aria-label=Logs><button aria-hidden=true></button><a title="Demonstrates the configuration, collection, and processing of Istio mesh logs." href=/v1.1/docs/tasks/telemetry/logs/>Logs</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="This task shows you how to configure Istio to collect and customize logs." href=/v1.1/docs/tasks/telemetry/logs/collecting-logs/>Collecting Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Envoy proxies to print access log to their standard output." href=/v1.1/docs/tasks/telemetry/logs/access-log/>Getting Envoy's Access Logs</a></li><li role=none><a role=treeitem title="This task shows you how to configure Istio to log to a Fluentd daemon." href=/v1.1/docs/tasks/telemetry/logs/fluentd/>Logging with Fluentd</a></li></ul></li><li role=treeitem aria-label="Distributed Tracing"><button aria-hidden=true></button><a title="This task shows you how to configure Istio-enabled applications to collect trace spans." href=/v1.1/docs/tasks/telemetry/distributed-tracing/>Distributed Tracing</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Overview of distributed tracing in Istio." href=/v1.1/docs/tasks/telemetry/distributed-tracing/overview/>Overview</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Jaeger." href=/v1.1/docs/tasks/telemetry/distributed-tracing/jaeger/>Jaeger</a></li><li role=none><a role=treeitem title="Learn how to configure the proxies to send tracing requests to Zipkin." href=/v1.1/docs/tasks/telemetry/distributed-tracing/zipkin/>Zipkin</a></li><li role=none><a role=treeitem title="How to configure the proxies to send tracing requests to LightStep." href=/v1.1/docs/tasks/telemetry/distributed-tracing/lightstep/>LightStep</a></li></ul></li><li role=none><a role=treeitem title="This task shows you how to visualize your services within an Istio mesh." href=/v1.1/docs/tasks/telemetry/kiali/>Visualizing Your Mesh</a></li><li role=none><a role=treeitem title="This task shows you how to configure external access to the set of Istio telemetry addons." href=/v1.1/docs/tasks/telemetry/gateways/>Remotely Accessing Telemetry Addons</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card72 title="A variety of fully working example uses for Istio that you can experiment with." aria-controls=card72-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#examples"/></svg>Examples</button><div class=body aria-labelledby=card72 role=region id=card72-body><ul role=tree aria-expanded=true aria-labelledby=card72><li role=none><a role=treeitem title="Deploys a sample application composed of four separate microservices used to demonstrate various Istio features." href=/v1.1/docs/examples/bookinfo/>Bookinfo Application</a></li><li role=none><a role=treeitem title="Explains how to manually integrate Google Cloud Endpoints services with Istio." href=/v1.1/docs/examples/endpoints/>Install Istio for Google Cloud Endpoints Services</a></li><li role=none><a role=treeitem title="Illustrates how to use Istio to control a Kubernetes cluster and raw VMs as a single mesh." href=/v1.1/docs/examples/integrating-vms/>Integrating Virtual Machines</a></li><li role=treeitem aria-label="Edge Traffic Management"><button aria-hidden=true></button><a title="A variety of advanced examples for managing traffic at the edge (i.e., ingress and egress traffic) of an Istio service mesh." href=/v1.1/docs/examples/advanced-gateways/>Edge Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes how to configure SNI passthrough for an ingress gateway." href=/v1.1/docs/examples/advanced-gateways/ingress-sni-passthrough/>Ingress Gateway without TLS Termination</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to perform TLS origination for traffic to external services." href=/v1.1/docs/examples/advanced-gateways/egress-tls-origination/>TLS Origination for Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to direct traffic to external services through a dedicated gateway." href=/v1.1/docs/examples/advanced-gateways/egress-gateway/>Configure an Egress Gateway</a></li><li role=none><a role=treeitem title="Describes how to configure an Egress Gateway to perform TLS origination to external services." href=/v1.1/docs/examples/advanced-gateways/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a></li><li role=none><a role=treeitem title="Describes how to enable egress traffic for a set of hosts in a common domain, instead of configuring each and every host separately." href=/v1.1/docs/examples/advanced-gateways/wildcard-egress-hosts/>Configure Egress Traffic using Wildcard Hosts</a></li><li role=none><a role=treeitem title="Describes how to configure SNI monitoring and apply policies on TLS egress traffic." href=/v1.1/docs/examples/advanced-gateways/egress_sni_monitoring_and_policies/>SNI Monitoring and Policies for TLS Egress Traffic</a></li><li role=none><a role=treeitem title="Describes how to configure Istio to let applications use an external HTTPS proxy." href=/v1.1/docs/examples/advanced-gateways/http-proxy/>Connect to an External HTTPS Proxy</a></li><li role=none><a role=treeitem title="Demonstrates how to obtain Let's Encrypt TLS certificates for Kubernetes Ingress automatically using Cert-Manager." href=/v1.1/docs/examples/advanced-gateways/ingress-certmgr/>Securing Kubernetes Ingress with Cert-Manager</a></li></ul></li><li role=treeitem aria-label="Multicluster Service Mesh"><button aria-hidden=true></button><a title="A variety of fully working multicluster examples for Istio that you can experiment with." href=/v1.1/docs/examples/multicluster/>Multicluster Service Mesh</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuring remote services in a gateway-connected multicluster mesh." href=/v1.1/docs/examples/multicluster/gateways/>Gateway-Connected Clusters</a></li><li role=none><a role=treeitem title="Set up a multicluster mesh over two GKE clusters." href=/v1.1/docs/examples/multicluster/gke/>Google Kubernetes Engine</a></li><li role=none><a role=treeitem title="Example multicluster mesh over two IBM Cloud Private clusters." href=/v1.1/docs/examples/multicluster/icp/>IBM Cloud Private</a></li><li role=none><a role=treeitem title="Multicluster mesh between IBM Cloud Kubernetes Service and IBM Cloud Private." href=/v1.1/docs/examples/multicluster/iks-icp/>IBM Cloud Kubernetes Service & IBM Cloud Private</a></li><li role=none><a role=treeitem title="Leveraging Istio's Split-horizon EDS to create a multicluster mesh." href=/v1.1/docs/examples/multicluster/split-horizon-eds/>Cluster-Aware Service Routing</a></li></ul></li></ul></div></div><div class=card><button class="header dynamic" id=card106 title="Detailed authoritative reference material such as command-line options, configuration options, and API calling parameters." aria-controls=card106-body><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#reference"/></svg>Reference</button><div class=body aria-labelledby=card106 role=region id=card106-body><ul role=tree aria-expanded=true aria-labelledby=card106><li role=treeitem aria-label=Configuration><button aria-hidden=true></button><a title="Detailed information on configuration options." href=/v1.1/docs/reference/config/>Configuration</a><ul role=group aria-expanded=false><li role=treeitem aria-label="Traffic Management"><button aria-hidden=true></button><a title="Describes how to configure HTTP/TCP routing features." href=/v1.1/docs/reference/config/networking/>Traffic Management</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Configuration affecting load balancing, outlier detection, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/destination-rule/>Destination Rule</a></li><li role=none><a role=treeitem title="Configuration affecting insertion of custom Envoy filters." href=/v1.1/docs/reference/config/networking/v1alpha3/envoy-filter/>Envoy Filter</a></li><li role=none><a role=treeitem title="Configuration affecting edge load balancer." href=/v1.1/docs/reference/config/networking/v1alpha3/gateway/>Gateway</a></li><li role=none><a role=treeitem title="Configuration affecting service registry." href=/v1.1/docs/reference/config/networking/v1alpha3/service-entry/>Service Entry</a></li><li role=none><a role=treeitem title="Configuration affecting network reachability of a sidecar." href=/v1.1/docs/reference/config/networking/v1alpha3/sidecar/>Sidecar</a></li><li role=none><a role=treeitem title="Configuration affecting label/content routing, sni routing, etc." href=/v1.1/docs/reference/config/networking/v1alpha3/virtual-service/>Virtual Service</a></li></ul></li><li role=treeitem aria-label=Authorization><button aria-hidden=true></button><a title="Describes how to configure Istio's authorization features." href=/v1.1/docs/reference/config/authorization/>Authorization</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Describes the supported constraints and properties." href=/v1.1/docs/reference/config/authorization/constraints-and-properties/>Constraints and Properties</a></li><li role=none><a role=treeitem title="Configuration for Role Based Access Control." href=/v1.1/docs/reference/config/authorization/istio.rbac.v1alpha1/>RBAC</a></li></ul></li><li role=none><a role=treeitem title="Describes the options available when installing Istio using the included Helm chart." href=/v1.1/docs/reference/config/installation-options/>Installation Options</a></li><li role=none><a role=treeitem title="Details the Helm chart installation options differences between release-1.0 and release-1.1." href=/v1.1/docs/reference/config/installation-options-changes/>Installation Options Changes</a></li><li role=treeitem aria-label="Policies and Telemetry"><button aria-hidden=true></button><a title="Describes how to configure Istio's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/>Policies and Telemetry</a><ul role=group aria-expanded=false><li role=none><a role=treeitem title="Describes the base attribute vocabulary used for policy and control." href=/v1.1/docs/reference/config/policy-and-telemetry/attribute-vocabulary/>Attribute Vocabulary</a></li><li role=none><a role=treeitem title="Mixer configuration expression language reference." href=/v1.1/docs/reference/config/policy-and-telemetry/expression-language/>Expression Language</a></li><li role=treeitem aria-label=Adapters><button aria-hidden=true></button><a title="Mixer adapters allow Istio to interface to a variety of infrastructure backends for such things as metrics and logs." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/>Adapters</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Adapter to deliver metrics to Apache SkyWalking." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apache-skywalking/>Apache SkyWalking</a></li><li role=none><a role=treeitem title="Adapter for Apigee's distributed policy checks and analytics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/apigee/>Apigee</a></li><li role=none><a role=treeitem title="Adapter for circonus.com's monitoring solution." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/circonus/>Circonus</a></li><li role=none><a role=treeitem title="Adapter for cloudmonitor metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudmonitor/>CloudMonitor</a></li><li role=none><a role=treeitem title="Adapter for cloudwatch metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/cloudwatch/>CloudWatch</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a dogstatsd agent for delivery to DataDog." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/datadog/>Datadog</a></li><li role=none><a role=treeitem title="Adapter that always returns a precondition denial." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/denier/>Denier</a></li><li role=none><a role=treeitem title="Adapter that delivers logs to a Fluentd daemon." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/fluentd/>Fluentd</a></li><li role=none><a role=treeitem title="Adapter that extracts information from a Kubernetes environment." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/kubernetesenv/>Kubernetes Env</a></li><li role=none><a role=treeitem title="Adapter that performs whitelist or blacklist checks." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/list/>List</a></li><li role=none><a role=treeitem title="Adapter for a simple in-memory quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/memquota/>Memory quota</a></li><li role=none><a role=treeitem title="Adapter that implements an Open Policy Agent engine." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/opa/>OPA</a></li><li role=none><a role=treeitem title="Adapter that exposes Istio metrics for ingestion by a Prometheus harvester." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/prometheus/>Prometheus</a></li><li role=none><a role=treeitem title="Adapter for a Redis-based quota management system." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/redisquota/>Redis Quota</a></li><li role=none><a role=treeitem title="Adapter that sends metrics to SignalFx." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/signalfx/>SignalFx</a></li><li role=none><a role=treeitem title="Adapter to deliver logs and metrics to Papertrail and AppOptics backends." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/solarwinds/>SolarWinds</a></li><li role=none><a role=treeitem title="Adapter to deliver logs, metrics, and traces to Stackdriver." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stackdriver/>Stackdriver</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to a StatsD backend." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/statsd/>StatsD</a></li><li role=none><a role=treeitem title="Adapter to locally output logs and metrics." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/stdio/>Stdio</a></li><li role=none><a role=treeitem title="Adapter to deliver metrics to Wavefront by VMware." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/wavefront/>Wavefront by VMware</a></li><li role=none><a role=treeitem title="Adapter to deliver tracing data to Zipkin." href=/v1.1/docs/reference/config/policy-and-telemetry/adapters/zipkin/>Zipkin</a></li></ul></li><li role=none><a role=treeitem title="Default Metrics exported from Istio through Mixer." href=/v1.1/docs/reference/config/policy-and-telemetry/metrics/>Default Metrics</a></li><li role=treeitem aria-label=Templates><button aria-hidden=true></button><a title="Mixer templates are used to send data to individual adapters." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/>Templates</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="A template that represents a single API key." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/apikey/>API Key</a></li><li role=none><a role=treeitem title="The Analytics template is used to dispatch runtime telemetry to Apigee." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/analytics/>Analytics</a></li><li role=none><a role=treeitem title="A template used to represent an access control query." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/authorization/>Authorization</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/checknothing/>Check Nothing</a></li><li role=none><a role=treeitem title="A template designed to report observed communication edges between workloads." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/edge/>Edge</a></li><li role=none><a role=treeitem title="A template that is used to control the production of Kubernetes-specific attributes." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/kubernetes/>Kubernetes</a></li><li role=none><a role=treeitem title="A template designed to let you perform list checking operations." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/listentry/>List Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime log entry." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/logentry/>Log Entry</a></li><li role=none><a role=treeitem title="A template that represents a single runtime metric." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/metric/>Metric</a></li><li role=none><a role=treeitem title="A template that represents a quota allocation request." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/quota/>Quota</a></li><li role=none><a role=treeitem title="A template that carries no data, useful for testing." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/reportnothing/>Report Nothing</a></li><li role=none><a role=treeitem title="A template that represents an individual span within a distributed trace." href=/v1.1/docs/reference/config/policy-and-telemetry/templates/tracespan/>Trace Span</a></li></ul></li><li role=none><a role=treeitem title="Configuration state for the Mixer client library." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/>Mixer Client</a></li><li role=none><a role=treeitem title="Describes the rules used to configure Mixer's policy and telemetry features." href=/v1.1/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Rules</a></li></ul></li><li role=none><a role=treeitem title="Authentication policy for Istio services." href=/v1.1/docs/reference/config/istio.authentication.v1alpha1/>Authentication Policy</a></li><li role=none><a role=treeitem title="Configuration affecting the service mesh as a whole." href=/v1.1/docs/reference/config/istio.mesh.v1alpha1/>Service Mesh</a></li></ul></li><li role=treeitem aria-label=Commands><button aria-hidden=true></button><a title="Describes usage and options of the Istio commands and utilities." href=/v1.1/docs/reference/commands/>Commands</a><ul role=group aria-expanded=false class=leaf-section><li role=none><a role=treeitem title="Galley provides configuration management services for Istio." href=/v1.1/docs/reference/commands/galley/>galley</a></li><li role=none><a role=treeitem title="Istio Certificate Authority (CA)." href=/v1.1/docs/reference/commands/istio_ca/>istio_ca</a></li><li role=none><a role=treeitem title="Istio control interface." href=/v1.1/docs/reference/commands/istioctl/>istioctl</a></li><li role=none><a role=treeitem title="Utility to trigger direct calls to Mixer's API." href=/v1.1/docs/reference/commands/mixc/>mixc</a></li><li role=none><a role=treeitem title="Mixer is Istio's abstraction on top of infrastructure backends." href=/v1.1/docs/reference/commands/mixs/>mixs</a></li><li role=none><a role=treeitem title="Istio security per-node agent." href=/v1.1/docs/reference/commands/node_agent/>node_agent</a></li><li role=none><a role=treeitem title="Istio Pilot agent." href=/v1.1/docs/reference/commands/pilot-agent/>pilot-agent</a></li><li role=none><a role=treeitem title="Istio Pilot." href=/v1.1/docs/reference/commands/pilot-discovery/>pilot-discovery</a></li><li role=none><a role=treeitem title="Kubernetes webhook for automatic Istio sidecar injection." href=/v1.1/docs/reference/commands/sidecar-injector/>sidecar-injector</a></li></ul></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.1/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.1/docs/ title="Learn how to deploy, use, and operate Istio.">Docs</a></li><li><a href=/v1.1/docs/tasks/ title="How to do single specific targeted activities with the Istio system.">Tasks</a></li><li><a href=/v1.1/docs/tasks/security/ title="Demonstrates how to secure the mesh.">Security</a></li><li>Provisioning Identity through SDS</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Provisioning Identity through SDS</h1><p class=byline><span title="1410 words"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#clock"/></svg><span> </span>7 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Service-to-service mutual TLS using key/certificate provisioned through SDS"><a href=#service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</a><li role=none aria-label="Verifying no secret-volume mounted file is generated"><a href=#verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</a><li role=none aria-label="Increasing security with pod security policies"><a href=#increasing-security-with-pod-security-policies>Increasing security with pod security policies</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Caveats><a href=#caveats>Caveats</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>This task shows how to enable
|
|
<a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/secret#config-secret-discovery-service>SDS (secret discovery service)</a>
|
|
for Istio identity provisioning.</p><p>Prior to Istio 1.1, the keys and certificates of Istio workloads were generated
|
|
by Citadel and distributed to sidecars through secret-volume mounted files,
|
|
this approach has the following minor drawbacks:</p><ul><li><p>Performance regression during certificate rotation:
|
|
When certificate rotation happens, Envoy is hot restarted to pick up the new
|
|
key and certificate, causing performance regression.</p></li><li><p>Potential security vulnerability:
|
|
The workload private keys are distributed through Kubernetes secrets,
|
|
with known
|
|
<a href=https://kubernetes.io/docs/concepts/configuration/secret/#risks>risks</a>.</p></li></ul><p>These issues are addressed in Istio 1.1 through the SDS identity provision flow.
|
|
The workflow can be described as follows.</p><ol><li><p>The workload sidecar Envoy requests the key and certificates from the Citadel
|
|
agent: The Citadel agent is a SDS server, which runs as per-node <code>DaemonSet</code>.
|
|
In the request, Envoy passes a Kubernetes service account JWT to the agent.</p></li><li><p>The Citadel agent generates a key pair and sends the CSR request to Citadel:
|
|
Citadel verifies the JWT and issues the certificate to the Citadel agent.</p></li><li><p>The Citadel agent sends the key and certificate back to the workload sidecar.</p></li></ol><p>This approach has the following benefits:</p><ul><li><p>The private key never leaves the node: It is only in the Citadel agent
|
|
and Envoy sidecar’s memory.</p></li><li><p>The secret volume mount is no longer needed: The reliance on the Kubernetes
|
|
secrets is eliminated.</p></li><li><p>The sidecar Envoy is able to dynamically renew the key and certificate
|
|
through the SDS API: Certificate rotations no longer require Envoy to restart.</p></li></ul><h2 id=before-you-begin>Before you begin</h2><ul><li><p>Set up Istio by following the instructions using
|
|
<a href=/v1.1/docs/setup/kubernetes/install/helm/>Helm</a> with SDS setup and global mutual
|
|
TLS enabled:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/install/kubernetes/helm/istio/values-istio-sds-auth.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ cat install/kubernetes/namespace.yaml > istio-auth-sds.yaml
|
|
$ cat install/kubernetes/helm/istio-init/files/crd-* >> istio-auth-sds.yaml
|
|
$ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --values @install/kubernetes/helm/istio/values-istio-sds-auth.yaml@ >> istio-auth-sds.yaml
|
|
$ kubectl create -f istio-auth-sds.yaml
|
|
</code></pre></div></li></ul><h2 id=service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</h2><p>Follow the <a href=/v1.1/docs/tasks/security/authn-policy/>authentication policy task</a> to
|
|
setup test services.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/httpbin/httpbin.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/sleep/sleep.yaml>Zip</a><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.1/samples/httpbin/httpbin.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true>$ kubectl create ns foo
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n foo
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n foo
|
|
$ kubectl create ns bar
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/httpbin/httpbin.yaml@) -n bar
|
|
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@) -n bar
|
|
</code></pre></div><p>Verify all mutual TLS requests succeed:</p><pre><code class=language-bash data-expandlinks=true>$ for from in "foo" "bar"; do for to in "foo" "bar"; do kubectl exec $(kubectl get pod -l app=sleep -n ${from} -o jsonpath={.items..metadata.name}) -c sleep -n ${from} -- curl "http://httpbin.${to}:8000/ip" -s -o /dev/null -w "sleep.${from} to httpbin.${to}: %{http_code}\n"; done; done
|
|
sleep.foo to httpbin.foo: 200
|
|
sleep.foo to httpbin.bar: 200
|
|
sleep.bar to httpbin.foo: 200
|
|
sleep.bar to httpbin.bar: 200
|
|
</code></pre><h2 id=verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</h2><p>To verify that no secret-volume mounted file is generated, access the deployed
|
|
workload sidecar container:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name}) -c istio-proxy -n foo -- /bin/bash
|
|
</code></pre><p>As you can see there is no secret file mounted at <code>/etc/certs</code> folder.</p><h2 id=increasing-security-with-pod-security-policies>Increasing security with pod security policies</h2><p>The Istio Secret Discovery Service (SDS) uses the Citadel agent to distribute the certificate to the
|
|
Envoy sidecar via a Unix domain socket. All pods running in the same Kubernetes node share the Citadel
|
|
agent and Unix domain socket.</p><p>To prevent malicious modifications to the Unix domain socket, enable the <a href=https://kubernetes.io/docs/concepts/policy/pod-security-policy/>pod security policy</a>
|
|
to restrict the pod’s permission on the Unix domain socket. Otherwise, a malicious pod could hijack the
|
|
Unix domain socket to break the SDS service or steal the identity credentials from other pods running
|
|
on the same Kubernetes node.</p><p>To enable the pod security policy, perform the following steps:</p><ol><li><p>The Citadel agent fails to start unless it can create the required Unix domain socket. Apply the
|
|
following pod security policy to only allow the Citadel agent to modify the Unix domain socket:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: istio-nodeagent
|
|
spec:
|
|
allowedHostPaths:
|
|
- pathPrefix: "/var/run/sds"
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
---
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: istio-nodeagent
|
|
namespace: istio-system
|
|
rules:
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- istio-nodeagent
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: istio-nodeagent
|
|
namespace: istio-system
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: istio-nodeagent
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: istio-nodeagent-service-account
|
|
namespace: istio-system
|
|
EOF
|
|
</code></pre></li><li><p>To stop other pods from modifying the Unix domain socket, change the <code>allowedHostPaths</code> configuration
|
|
for the the path the Citadel agent uses for the Unix domain socket to <code>readOnly: true</code>.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-warning"/></svg></div><div class=content>The following pod security policy assumes no other pod security policy was applied before. If you
|
|
already applied another pod security policy, add the following configuration values to the existing
|
|
policies instead of applying the configuration directly.</div></aside></div><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: istio-sds-uds
|
|
spec:
|
|
# Protect the unix domain socket from unauthorized modification
|
|
allowedHostPaths:
|
|
- pathPrefix: "/var/run/sds"
|
|
readOnly: true
|
|
# Allow the istio sidecar injector to work
|
|
allowedCapabilities:
|
|
- NET_ADMIN
|
|
seLinux:
|
|
rule: RunAsAny
|
|
supplementalGroups:
|
|
rule: RunAsAny
|
|
runAsUser:
|
|
rule: RunAsAny
|
|
fsGroup:
|
|
rule: RunAsAny
|
|
volumes:
|
|
- '*'
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: istio-sds-uds
|
|
rules:
|
|
- apiGroups:
|
|
- extensions
|
|
resources:
|
|
- podsecuritypolicies
|
|
resourceNames:
|
|
- istio-sds-uds
|
|
verbs:
|
|
- use
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: istio-sds-uds
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: istio-sds-uds
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: Group
|
|
name: system:serviceaccounts
|
|
EOF
|
|
</code></pre></li><li><p>Enable pod security policies for your platform. Each supported platform enables pod security
|
|
policies differently. Please refer to the pertinent documentation for your platform. If you are
|
|
using the Google Kubernetes Engine (GKE), you must <a href=https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#enabling_podsecuritypolicy_controller>enable the pod security policy controller</a>.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.1/img/icons.svg#callout-warning"/></svg></div><div class=content>Grant all needed permissions in the pod security policy before enabling it. Once the policy is
|
|
enabled, pods won’t start if they require any permissions not granted.</div></aside></div></li><li><p>Run the following command to restart the Citadel agents:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete pod -l 'app=nodeagent' -n istio-system
|
|
pod "istio-nodeagent-dplx2" deleted
|
|
pod "istio-nodeagent-jrbmx" deleted
|
|
pod "istio-nodeagent-rz878" deleted
|
|
</code></pre></li><li><p>To verify that the Citadel agents work with the enabled pod security policy, wait a few seconds
|
|
and run the following command to confirm the agents started successfully:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod -l 'app=nodeagent' -n istio-system
|
|
NAME READY STATUS RESTARTS AGE
|
|
istio-nodeagent-p4p7g 1/1 Running 0 4s
|
|
istio-nodeagent-qdwj6 1/1 Running 0 5s
|
|
istio-nodeagent-zsk2b 1/1 Running 0 14s
|
|
</code></pre></li><li><p>Run the following command to start a normal pod.</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: normal
|
|
spec:
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: normal
|
|
spec:
|
|
containers:
|
|
- name: normal
|
|
image: pstauffer/curl
|
|
command: ["/bin/sleep", "3650d"]
|
|
imagePullPolicy: IfNotPresent
|
|
EOF
|
|
</code></pre></li><li><p>To verify that the normal pod works with the pod security policy enabled, wait a few seconds and
|
|
run the following command to confirm the normal pod started successfully.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl get pod -l 'app=normal'
|
|
NAME READY STATUS RESTARTS AGE
|
|
normal-64c6956774-ptpfh 2/2 Running 0 8s
|
|
</code></pre></li><li><p>Start a malicious pod that tries to mount the Unix domain socket using a write permission.</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: extensions/v1beta1
|
|
kind: Deployment
|
|
metadata:
|
|
name: malicious
|
|
spec:
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: malicious
|
|
spec:
|
|
containers:
|
|
- name: malicious
|
|
image: pstauffer/curl
|
|
command: ["/bin/sleep", "3650d"]
|
|
imagePullPolicy: IfNotPresent
|
|
volumeMounts:
|
|
- name: sds-uds
|
|
mountPath: /var/run/sds
|
|
volumes:
|
|
- name: sds-uds
|
|
hostPath:
|
|
path: /var/run/sds
|
|
type: ""
|
|
EOF
|
|
</code></pre></li><li><p>To verify that the Unix domain socket is protected, run the following command to confirm the
|
|
malicious pod failed to start due to the pod security policy:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl describe rs -l 'app=malicious' | grep Failed
|
|
Pods Status: 0 Running / 0 Waiting / 0 Succeeded / 0 Failed
|
|
ReplicaFailure True FailedCreate
|
|
Warning FailedCreate 4s (x13 over 24s) replicaset-controller Error creating: pods "malicious-7dcfb8d648-" is forbidden: unable to validate against any pod security policy: [spec.containers[0].volumeMounts[0].readOnly: Invalid value: false: must be read-only]
|
|
</code></pre></li></ol><h2 id=cleanup>Cleanup</h2><ol><li><p>Clean up the test services and the Istio control plane:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete ns foo
|
|
$ kubectl delete ns bar
|
|
$ kubectl delete -f istio-auth-sds.yaml
|
|
</code></pre></li><li><p>Disable the pod security policy in the cluster using the documentation of your platform. If you are using GKE,
|
|
<a href=https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies#disabling_podsecuritypolicy_controller>disable the pod security policy controller</a>.</p></li><li><p>Delete the pod security policy and the test deployments:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete psp istio-sds-uds istio-nodeagent
|
|
$ kubectl delete role istio-nodeagent -n istio-system
|
|
$ kubectl delete rolebinding istio-nodeagent -n istio-system
|
|
$ kubectl delete clusterrole istio-sds-uds
|
|
$ kubectl delete clusterrolebinding istio-sds-uds
|
|
$ kubectl delete deploy malicious
|
|
$ kubectl delete deploy normal
|
|
</code></pre></li></ol><h2 id=caveats>Caveats</h2><p>Currently, the SDS identity provision flow has the following caveats:</p><ul><li><p>You still need secret volume mount for enabling the control plane security.
|
|
Enabling SDS for the control plane security remains a work in progress.</p></li><li><p>Smoothly migrating a cluster from using secret volume mount to using
|
|
SDS is a work in progress.</p></li></ul><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></p><p class=desc>Learn how to extend the lifetime of Istio self-signed root certificate.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></p><p class=desc>Describe Istio's authorization feature and how to use it in various use cases.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authn-policy/>Authentication Policy</a></p><p class=desc>Shows you how to use Istio authentication policy to setup mutual TLS and basic end-user authentication.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-http/>Authorization for HTTP Services</a></p><p class=desc>Shows how to set up role-based access control for HTTP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/authz-tcp/>Authorization for TCP Services</a></p><p class=desc>Shows how to set up role-based access control for TCP services.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.1/docs/tasks/security/rbac-groups/>Authorization for groups and list claims</a></p><p class=desc>Tutorial on how to configure the groups-base authorization and configure the authorization of list-typed claims in Istio.</p></div></div></nav></article><nav class=pagenav><div class=left><a title="Shows how to enable Citadel health checking with Kubernetes." href=/v1.1/docs/tasks/security/health-check/><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#left-arrow"/></svg>Citadel Health Checking</a></div><div class=right><a title="Shows you how to incrementally migrate your Istio services to mutual TLS." href=/v1.1/docs/tasks/security/mtls-migration/>Mutual TLS Migration<svg class="icon"><use xlink:href="/v1.1/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Service-to-service mutual TLS using key/certificate provisioned through SDS"><a href=#service-to-service-mutual-tls-using-key-certificate-provisioned-through-sds>Service-to-service mutual TLS using key/certificate provisioned through SDS</a><li role=none aria-label="Verifying no secret-volume mounted file is generated"><a href=#verifying-no-secret-volume-mounted-file-is-generated>Verifying no secret-volume mounted file is generated</a><li role=none aria-label="Increasing security with pod security policies"><a href=#increasing-security-with-pod-security-policies>Increasing security with pod security policies</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label=Caveats><a href=#caveats>Caveats</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.1.9 now" href=https://github.com/istio/istio/releases/tag/1.1.9 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#download"/></svg>
|
|
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#discourse"/></svg></a>
|
|
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#stackoverflow"/></svg></a>
|
|
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
|
|
1.1.9<br>© 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on June 18, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#github"/></svg></a>
|
|
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#slack"/></svg></a>
|
|
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#drive"/></svg></a>
|
|
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.1/img/icons.svg#top"/></svg></button></div></body></html> |