istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v0.4/docs/tasks/security/secure-access-control.html

11 lines
20 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html><html lang="en" itemscope itemtype="https://schema.org/WebPage" style="overflow-y: scroll;"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="title" content="Setting up Secure Access Control"><meta name="og:title" content="Setting up Secure Access Control"><meta name="og:image" content="/v0.4/img/logo.png"/><meta name="theme-color" content="#466BB0"/><meta name="description" content="This task shows how to securely control access to a service using service accounts."><meta name="og:description" content="This task shows how to securely control access to a service using service accounts."><title>Istioldie 0.4 / Setting up Secure Access Control</title><script> window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-98480406-2', 'auto'); ga('send', 'pageview'); </script> <script async src='https://www.google-analytics.com/analytics.js'></script><link rel="alternate" type="application/rss+xml" title="Istio Blog RSS" href="/v0.4/feed.xml"><link rel="shortcut icon" href="/v0.4/favicons/favicon.ico" ><link rel="apple-touch-icon" href="/v0.4/favicons/apple-touch-icon-180x180.png" sizes="180x180"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-16x16.png" sizes="16x16"><link rel="icon" type="image/png" href="/v0.4/favicons/favicon-32x32.png" sizes="32x32"><link rel="icon" type="image/png" href="/v0.4/favicons/android-36x36.png" sizes="36x36"><link rel="icon" type="image/png" href="/v0.4/favicons/android-48x48.png" sizes="48x48"><link rel="icon" type="image/png" href="/v0.4/favicons/android-72x72.png" sizes="72x72"><link rel="icon" type="image/png" href="/v0.4/favicons/android-96x196.png" sizes="96x196"><link rel="icon" type="image/png" href="/v0.4/favicons/android-144x144.png" sizes="144x144"><link rel="icon" type="image/png" href="/v0.4/favicons/android-192x192.png" sizes="192x192"><link rel="manifest" href="/v0.4/manifest.json"><meta name="apple-mobile-web-app-title" content="Istio"><meta name="application-name" content="Istio"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300,300italic,400italic,500,500italic,700,700italic,900,900italic"><link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"><link rel="stylesheet" href="/v0.4/css/all.css"><link rel="stylesheet" href="/v0.4/css/prism.css"></head><body class="language-unknown"> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script><div class="nav-hero-container" style="z-index: 200000;"><nav id="header-nav" class="navbar navbar-inverse" role="navigation" style="z-index: 200000;"><div class="container"><div class="row"><div class="col-md-11 nofloat center-block "><div class="navbar-header"> <button type="button" class="hamburger navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar-collapse-1" aria-expanded="false"> <span class="sr-only">Toggle navigation</span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> <a class="navbar-brand" href="/v0.4/"><div> <img src="/v0.4/img/istio-logo.svg" alt="Istio Logo" height="54px"/> <span class="brand-name">Istioldie 0.4</span></div></a></div><div class="collapse navbar-collapse" id="navbar-collapse-1"><ul class="nav navbar-nav navbar-right"><li><a href="/v0.4/about" >About</a></li><li><a href="/v0.4/blog/posts/2017/mixer-spof-myth.html" >Blog</a></li><li><a href="/v0.4/docs/welcome" class='current'>Docs</a></li><li><a href="/v0.4/help" >Help</a></li><li><a href="/v0.4/community" >Community</a></li><li class="dropdown"> <a class="dropdown-toggle" data-toggle="dropdown" href=""> <i class='fa fa-lg fa-cog'></i> <span class="caret"></span> </a><ul class="dropdown-menu"><h6 class="dropdown-header">Other versions of this site</h6><li> <a href="https://istio.io">Current Release</a></li><li> <a href="https://preliminary.istio.io">Next Release</a></li><li> <a href="https://archive.istio.io">Older Releases</a></li></ul></li><li><form name="cse" id="searchbox_demo" class="navbar-form navbar-right" role="search"> <input type="hidden" name="cx" value="013699703217164175118:iwwf17ikgf4" /> <input type="hidden" name="ie" value="utf-8" /> <input type="hidden" name="hl" value="en" /><div class="form-group"><div class="input-group"> <input name="q" class="form-control search-box" type="text" size="30" /><div class="input-group-addon"> <span class="btn-search glyphicon glyphicon-search"></span></div></div></div></form> <script type="text/javascript" src="https://www.google.com/cse/brand?form=searchbox_demo"></script></li></ul></div></div></div></div></nav></div><div class="container"><div class="row"><div class="col-md-11 nofloat center-block" style="margin-top: 3px;"><ul class="col-sm-10 nav nav-tabs"><li role="presentation" ><a href="/v0.4/docs/welcome/">Welcome</a></li><li role="presentation" ><a href="/v0.4/docs/concepts/">Concepts</a></li><li role="presentation" ><a href="/v0.4/docs/setup/">Setup</a></li><li role="presentation" class='active'><a href="/v0.4/docs/tasks/">Tasks</a></li><li role="presentation" ><a href="/v0.4/docs/guides/">Guides</a></li><li role="presentation" ><a href="/v0.4/docs/reference/">Reference</a></li></ul></div></div></div><script src="/v0.4/js/navtree.min.js"></script><div class="container docs"><div class="row"><div class="col-md-11 nofloat center-block"><div class="row"><div id="sidebar-container" class="col-sm-3"><ul class="sidebar"><li><h5 class='sidebar-title'>Tasks</h5></li><script type="text/javascript"> var docs = []; docs.push({path: [ "index.md", ], url: "/docs/tasks/", title: "Tasks", order: 20, overview: "Tasks show you how to do a single specific targeted activity with the Istio system."}); docs.push({path: [ "policy-enforcement", "index.md", ], url: "/docs/tasks/policy-enforcement/", title: "Policy Enforcement", order: 20, overview: "Describes tasks that demonstrate policy enforcement features."}); docs.push({path: [ "policy-enforcement", "rate-limiting.md", ], url: "/docs/tasks/policy-enforcement/rate-limiting.html", title: "Enabling Rate Limits", order: 10, overview: "This task shows you how to use Istio to dynamically limit the traffic to a service."}); docs.push({path: [ "security", "basic-access-control.md", ], url: "/docs/tasks/security/basic-access-control.html", title: "Setting up Basic Access Control", order: 20, overview: "This task shows how to control access to a service using the Kubernetes labels."}); docs.push({path: [ "security", "index.md", ], url: "/docs/tasks/security/", title: "Security", order: 40, overview: "Describes tasks that help securing the service mesh traffic."}); docs.push({path: [ "security", "mutual-tls.md", ], url: "/docs/tasks/security/mutual-tls.html", title: "Testing Istio mutual TLS authentication", order: 10, overview: "This task shows you how to verify and test Istio's automatic mutual TLS authentication."}); docs.push({path: [ "security", "per-service-mtls.md", ], url: "/docs/tasks/security/per-service-mtls.html", title: "Per-service mutual TLS authentication enablement", order: 40, overview: "This task shows how to change mutual TLS authentication for a single service."}); docs.push({path: [ "security", "plugin-ca-cert.md", ], url: "/docs/tasks/security/plugin-ca-cert.html", title: "Plugging in CA certificate and key", order: 40, overview: "This task shows how operators can plug existing certificate and key into Istio CA."}); docs.push({path: [ "security", "secure-access-control.md", ], url: "/docs/tasks/security/secure-access-control.html", title: "Setting up Secure Access Control", order: 30, overview: "This task shows how to securely control access to a service using service accounts."}); docs.push({path: [ "telemetry", "distributed-tracing.md", ], url: "/docs/tasks/telemetry/distributed-tracing.html", title: "Distributed Tracing", order: 10, overview: "How to configure the proxies to send tracing requests to Zipkin or Jaeger"}); docs.push({path: [ "telemetry", "index.md", ], url: "/docs/tasks/telemetry/", title: "Metrics, Logs, and Traces", order: 30, overview: "Describes tasks that demonstrate how to collect telemetry information from the service mesh."}); docs.push({path: [ "telemetry", "metrics-logs.md", ], url: "/docs/tasks/telemetry/metrics-logs.html", title: "Collecting Metrics and Logs", order: 20, overview: "This task shows you how to configure Istio to collect metrics and logs."}); docs.push({path: [ "telemetry", "querying-metrics.md", ], url: "/docs/tasks/telemetry/querying-metrics.html", title: "Querying Metrics from Prometheus", order: 30, overview: "This task shows you how to query for Istio Metrics using Prometheus."}); docs.push({path: [ "telemetry", "servicegraph.md", ], url: "/docs/tasks/telemetry/servicegraph.html", title: "Generating a Service Graph", order: 50, overview: "This task shows you how to generate a graph of services within an Istio mesh."}); docs.push({path: [ "telemetry", "tcp-metrics.md", ], url: "/docs/tasks/telemetry/tcp-metrics.html", title: "Collecting Metrics for TCP services", order: 25, overview: "This task shows you how to configure Istio to collect metrics for TCP services."}); docs.push({path: [ "telemetry", "using-istio-dashboard.md", ], url: "/docs/tasks/telemetry/using-istio-dashboard.html", title: "Visualizing Metrics with Grafana", order: 40, overview: "This task shows you how to setup and use the Istio Dashboard to monitor mesh traffic."}); docs.push({path: [ "traffic-management", "egress.md", ], url: "/docs/tasks/traffic-management/egress.html", title: "Control Egress Traffic", order: 40, overview: "Describes how to configure Istio to route traffic from services in the mesh to external services."}); docs.push({path: [ "traffic-management", "fault-injection.md", ], url: "/docs/tasks/traffic-management/fault-injection.html", title: "Fault Injection", order: 20, overview: "This task shows how to inject delays and test the resiliency of your application."}); docs.push({path: [ "traffic-management", "index.md", ], url: "/docs/tasks/traffic-management/", title: "Traffic Management", order: 10, overview: "Describes tasks that demonstrate traffic routing features of Istio service mesh."}); docs.push({path: [ "traffic-management", "ingress.md", ], url: "/docs/tasks/traffic-management/ingress.html", title: "Istio Ingress Controller", order: 30, overview: "Describes how to configure the Istio ingress controller on Kubernetes."}); docs.push({path: [ "traffic-management", "request-routing.md", ], url: "/docs/tasks/traffic-management/request-routing.html", title: "Configuring Request Routing", order: 10, overview: "This task shows you how to configure dynamic request routing based on weights and HTTP headers."}); docs.push({path: [ "traffic-management", "request-timeouts.md", ], url: "/docs/tasks/traffic-management/request-timeouts.html", title: "Setting Request Timeouts", order: 28, overview: "This task shows you how to setup request timeouts in Envoy using Istio."}); docs.push({path: [ "traffic-management", "traffic-shifting.md", ], url: "/docs/tasks/traffic-management/traffic-shifting.html", title: "Traffic Shifting", order: 25, overview: "This task shows you how to migrate traffic from an old to new version of a service."}); genSideBarTree(docs) </script></ul></div><div id="tab-container" class="col-xs-1 tab-neg-margin pull-left"> <a id="sidebar-tab" class="glyphicon glyphicon-chevron-left" href="javascript:void 0;"> </a></div><div id="content-container" class="thin-left-border col-sm-9 markdown"><div id="toc" class="toc"></div><div id="doc-content"><h1>Setting up Secure Access Control</h1><p>This task shows how to securely control access to a service, using the service accounts provided by Istio authentication.</p><p>When Istio mutual TLS authentication is enabled, the server authenticates the client according to its certificate, and obtains the clients service account from the certificate. The service account is in the <code>source.user</code> attribute. For the format of the service account in Istio, please refer to the <a href="/v0.4/docs/concepts/security/mutual-tls.html#identity">Istio auth identity</a>.</p><h2 id="before-you-begin">Before you begin</h2><ul><li><p>Set up Istio on auth-enabled Kubernetes by following the instructions in the <a href="/v0.4/docs/setup/kubernetes/quick-start.html">quick start</a>. Note that authentication should be enabled at step 4 in the <a href="/v0.4/docs/setup/kubernetes/quick-start.html#installation-steps">installation steps</a>.</p></li><li><p>Deploy the <a href="/v0.4/docs/guides/bookinfo.html">BookInfo</a> sample application.</p></li><li><p>Run the following command to create service account <code>bookinfo-productpage</code>, and redeploy the service <code>productpage</code> with the service account.</p><pre><code class="language-bash">kubectl apply -f &lt;(istioctl kube-inject -f samples/bookinfo/kube/bookinfo-add-serviceaccount.yaml)
</code></pre><p>You can expect to see the output similar to the following:</p><pre><code class="language-bash">serviceaccount "bookinfo-productpage" created
deployment "productpage-v1" configured
</code></pre><blockquote><p>Note: if you are using a namespace other than <code>default</code>, use <code>istioctl -n namespace ...</code> to specify the namespace.</p></blockquote></li></ul><h2 id="access-control-using-denials">Access control using <em>denials</em></h2><p>In the <a href="/v0.4/docs/guides/bookinfo.html">BookInfo</a> sample application, the <code>productpage</code> service is accessing both the <code>reviews</code> service and the <code>details</code> service. We would like the <code>details</code> service to deny the requests from the <code>productpage</code> service.</p><ol><li><p>Point your browser at the BookInfo <code>productpage</code> (http://$GATEWAY_URL/productpage).</p><p>You should see the “Book Details” section in the lower left part of the page, including type, pages, publisher, etc. The <code>productpage</code> service obtains the “Book Details” information from the <code>details</code> service.</p></li><li><p>Explicitly deny the requests from <code>productpage</code> to <code>details</code>.</p><p>Run the following command to set up the deny rule along with a handler and an instance.</p><pre><code class="language-bash">istioctl create -f samples/bookinfo/kube/mixer-rule-deny-serviceaccount.yaml
</code></pre><p>You can expect to see the output similar to the following:</p><pre><code class="language-bash">Created config denier/default/denyproductpagehandler at revision 2877836
Created config checknothing/default/denyproductpagerequest at revision 2877837
Created config rule/default/denyproductpage at revision 2877838
</code></pre><p>Notice the following in the <code>denyproductpage</code> rule:</p><pre><code>match: destination.labels["app"] == "details" &amp;&amp; source.user == "cluster.local/ns/default/sa/bookinfo-productpage"
</code></pre><p>It matches requests coming from the serivce account “<em>cluster.local/ns/default/sa/bookinfo-productpage</em>” on the <code>details</code> service.</p><blockquote><p>Note: If you are using a namespace other than <code>default</code>, replace the <code>default</code> with your namespace in the value of <code>source.user</code>.</p></blockquote><p>This rule uses the <code>denier</code> adapter to deny these requests. The adapter always denies requests with a pre-configured status code and message. The status code and message are specified in the <a href="/v0.4/docs/reference/config/mixer/adapters/denier.html">denier</a> adapter configuration.</p></li><li><p>Refresh the <code>productpage</code> in your browser.</p><p>You will see the message</p><p><em>Error fetching product details! Sorry, product details are currently unavailable for this book.</em></p><p>in the lower left section of the page. This validates that the access from <code>productpage</code> to <code>details</code> is denied.</p></li></ol><h2 id="cleanup">Cleanup</h2><ul><li><p>Remove the mixer configuration:</p><pre><code class="language-bash">istioctl delete -f samples/bookinfo/kube/mixer-rule-deny-serviceaccount.yaml
</code></pre></li><li><p>If you are not planning to explore any follow-on tasks, refer to the <a href="/v0.4/docs/guides/bookinfo.html#cleanup">BookInfo cleanup</a> instructions to shutdown the application.</p></li></ul><h2 id="further-reading">Further reading</h2><ul><li><p>Learn more about <a href="/v0.4/docs/concepts/policy-and-control/mixer.html">Mixer</a> and <a href="/v0.4/docs/concepts/policy-and-control/mixer-config.html">Mixer Config</a>.</p></li><li><p>Discover the full <a href="/v0.4/docs/reference/config/mixer/attribute-vocabulary.html">Attribute Vocabulary</a>.</p></li><li><p>Read the reference guide to <a href="/v0.4/docs/reference/writing-config.html">Writing Config</a>.</p></li><li><p>Understand the differences between Kubernetes network policies and Istio access control policies from this <a href="/v0.4/blog/using-network-policy-in-concert-with-istio.html">blog</a>.</p></li></ul></div></div></div></div></div></div><script src="/v0.4/js/sidebar.min.js"></script><footer><div class="container"><div class="row"><div class="col-lg-2 col-md-2 col-sm-2"></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/docs/welcome">Docs</a></li><li><a href="/v0.4/docs/concepts">Concepts</a></li><li><a href="/v0.4/docs/setup">Setup</a></li><li><a href="/v0.4/docs/tasks">Tasks</a></li><li><a href="/v0.4/docs/guides">Guides</a></li><li><a href="/v0.4/docs/reference">Reference</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li><a class="header" href="/v0.4/help">Help</a></li><li><a href="/v0.4/faq">FAQ</a></li><li><a href="/v0.4/glossary">Glossary</a></li><li><a href="/v0.4/troubleshooting">Troubleshooting</a></li><li><a href="/v0.4/bugs">Report Bugs</a></li><li><a href="https://github.com/istio/istio.github.io/issues/new?title=Issue with _docs/tasks/security/secure-access-control.md">Doc Bugs & Gaps</a></li><li><a href="https://github.com/istio/istio.github.io/edit/master/_docs/tasks/security/secure-access-control.md">Edit This Page</a></li></ul></div><div class="col-lg-3 col-md-3 col-sm-3 col-xs-12 center-block"><ul><li> <a class="header" href="/v0.4/community">Community</a></li><li> <a href="https://groups.google.com/forum/#!forum/istio-users" target="_blank" rel="noopener">User</a> | <a href="https://groups.google.com/forum/#!forum/istio-dev" target="_blank" rel="noopener">Dev Mailing Lists</a></li><li><a href="https://twitter.com/IstioMesh" target="_blank" rel="noopener">Twitter</a></li><li><a href="https://stackoverflow.com/questions/tagged/istio" target="_blank" rel="noopener">Stack Overflow</a></li><li><a href="https://github.com/istio/community" target="_blank" rel="noopener">GitHub</a></li><li><a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md" target="_blank" rel="noopener">Working Groups</a></li></ul></div><div class="col-lg-1 col-md-1 col-sm-1"></div></div><div class="row"><p class="description small text-center"> Istio 0.4, Copyright &copy; 2017 Istio Authors<br> Archived on 20-Dec-2017</p></div></div></footer><script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.15.0/jquery.validate.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery.form/4.2.1/jquery.form.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-visible/1.2.0/jquery.visible.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/1.7.1/clipboard.min.js"></script> <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script> <script src="/v0.4/js/common.min.js"></script> <script src="/v0.4/js/search.js"></script> <script src="/v0.4/js/prism.min.js"></script></body></html>
Reference in New Issue View Git Blame Copy Permalink