<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Monitoring and Access Policies for HTTP Egress Traffic"><meta name=description content="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic."><meta name=author content="Vadim Eisenberg and Ronen Schaffer (IBM)"><meta name=keywords content="microservices,services,mesh,egress,traffic-management,access-control,monitoring"><meta property="og:title" content="Monitoring and Access Policies for HTTP Egress Traffic"><meta property="og:type" content="website"><meta property="og:description" content="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic."><meta property="og:url" content="/v1.19/blog/2018/egress-monitoring-access-control/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-social.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1200"><meta property="og:image:height" content="600"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.19 / Monitoring and Access Policies for HTTP Egress Traffic</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
|
|
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.19/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.19/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.19/feed.xml><link rel="shortcut icon" href=/v1.19/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.19/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.19/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.19/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.19/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.19/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.19/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.19/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.19/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.19/favicons/android-192x192.png sizes=192x192><link rel=icon type=image/svg+xml href=/v1.19/favicons/favicon.svg><link rel=icon type=image/png href=/v1.19/favicons/favicon.png><link rel=mask-icon href=/v1.19/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.19/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.19/css/all.css><link rel=preconnect href=https://fonts.googleapis.com><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet 
href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.19/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.19",docTitle="Monitoring and Access Policies for HTTP Egress Traffic",iconFile="/v1.19/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
|
|
<script src=/v1.19/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.19/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.19/img/icons.svg#menu-hamburger"/></svg></button>
|
|
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.19/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.19/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.19/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.19/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.19/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.19/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title='Search this site' aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.19/img/icons.svg#magnifier"/></svg></button>
|
|
<a href=/v1.19/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
|
|
<input type=hidden name=ie value=utf-8>
|
|
<input type=hidden name=hl value=en>
|
|
<input type=hidden id=search-page-url value=/search>
|
|
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label='Search this site' placeholder=Search>
|
|
<button id=search-close title='Cancel search' type=reset aria-label='Cancel search'><svg class="icon menu-close"><use xlink:href="/v1.19/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container><a href=/v1.19/news/releases/1.19.x/announcing-1.19.4/ class=banner data-title="Latest Release-2023-11-13 00:00:00 +0000 UTC" data-period-start=1699833600000 data-period-end=1700438400000 data-max-impressions=3 data-timeout><div class=content><p>Istio 1.19.4 is now available! Click here to learn more</p></div><div class=frame></div></a></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Monitoring and Access Policies for HTTP Egress Traffic</h1><p>Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.</p></div><p class=post-author>Jun 22, 2018 <span>|</span> By Vadim Eisenberg and Ronen Schaffer - IBM</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-warning"/></svg></div><div class=content>This blog post was written assuming Istio 1.1, so some of this content may now be outdated.</div></aside></div><div><p>While Istio’s main focus is management of traffic between microservices inside a service mesh, Istio can also manage
|
|
ingress (from outside into the mesh) and egress (from the mesh outwards) traffic. Istio can uniformly enforce access
|
|
policies and aggregate telemetry data for mesh-internal, ingress and egress traffic.</p><p>In this blog post, we show how to apply monitoring and access policies to HTTP egress traffic with Istio.</p><h2 id=use-case>Use case</h2><p>Consider an organization that runs applications that process content from <em>cnn.com</em>. The applications are decomposed
|
|
into microservices deployed in an Istio service mesh. The applications access pages of various topics from <em>cnn.com</em>: <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>. The organization <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>configures Istio to allow access to edition.cnn.com</a> and everything works fine. However, at some
|
|
point in time, the organization decides to banish politics. Practically, it means blocking access to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> and allowing access to
|
|
<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>
|
|
only. The organization will grant permissions to individual applications and to particular users to access <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, on a case-by-case basis.</p><p>To achieve that goal, the organization’s operations people monitor access to the external services and
|
|
analyze Istio logs to verify that no unauthorized request was sent to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>. They also configure Istio to prevent access to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> automatically.</p><p>The organization is resolved to prevent any tampering with the new policy. It decides to put mechanisms in place that
|
|
will rule out any possibility of a malicious application accessing the forbidden topic.</p><h2 id=related-tasks-and-examples>Related tasks and examples</h2><ul><li>The <a href=/v1.19/docs/tasks/traffic-management/egress/>Control Egress Traffic</a> task demonstrates how external (outside the
|
|
Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.</li><li>The <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway/>Configure an Egress Gateway</a> example describes how to configure
|
|
Istio to direct egress traffic through a dedicated gateway service called <em>egress gateway</em>.</li><li>The <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a> example
|
|
demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
|
|
traffic through the egress gateway.</li><li>The <a href=/v1.19/docs/tasks/observability/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a>
|
|
task describes how to use the Istio Dashboard to monitor mesh traffic.</li><li>The <a href=https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/>Basic Access Control</a> task shows how to control access to
|
|
in-mesh services.</li><li>The <a href=https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a> task shows how to configure
|
|
access policies using black or white list checkers.</li></ul><p>As opposed to the observability and security tasks above, this blog post describes Istio’s monitoring and access policies
|
|
applied exclusively to the egress traffic.</p><h2 id=before-you-begin>Before you begin</h2><p>Follow the steps in the <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a> example, <strong>with mutual TLS authentication enabled</strong>, without
|
|
the <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#cleanup>Cleanup</a> step.
|
|
After completing that example, you can access <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> from an in-mesh container with <code>curl</code> installed. This blog post assumes that the <code>SOURCE_POD</code> environment variable contains the source pod’s name and that the container’s name is <code>sleep</code>.</p><h2 id=configure-monitoring-and-access-policies>Configure monitoring and access policies</h2><p>Since you want to accomplish your tasks in a <em>secure way</em>, you should direct egress traffic through
|
|
<em>egress gateway</em>, as described in the <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a>
|
|
task. The <em>secure way</em> here means that you want to prevent malicious applications from bypassing Istio monitoring and
|
|
policy enforcement.</p><p>According to our scenario, the organization performed the instructions in the
|
|
<a href=#before-you-begin>Before you begin</a> section, enabled HTTP traffic to <em>edition.cnn.com</em>, and configured that traffic
|
|
to pass through the egress gateway. The egress gateway performs TLS origination to <em>edition.cnn.com</em>, so the traffic
|
|
leaves the mesh encrypted. At this point, the organization is ready to configure Istio to monitor and apply access policies for
|
|
the traffic to <em>edition.cnn.com</em>.</p><h3 id=logging>Logging</h3><p>Configure Istio to log access to <em>*.cnn.com</em>. You create a <code>logentry</code> and two
|
|
<a href=https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/stdio/>stdio</a> <code>handlers</code>, one for logging forbidden access
|
|
(<em>error</em> log level) and another one for logging all access to <em>*.cnn.com</em> (<em>info</em> log level). Then you create <code>rules</code> to
|
|
direct your <code>logentry</code> instances to your <code>handlers</code>. One rule directs access to <em>*.cnn.com/politics</em> to the handler for
|
|
logging forbidden access, another rule directs log entries to the handler that outputs each access to <em>*.cnn.com</em> as an
|
|
<em>info</em> log entry. To understand the Istio <code>logentries</code>, <code>rules</code>, and <code>handlers</code>, see
|
|
<a href=/v1.19/blog/2017/adapter-model/>Istio Adapter Model</a>. A diagram with the involved entities and dependencies between them
|
|
appears below:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.46700562636976%><a data-skipendnotes=true href=/v1.19/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg title="Instances, rules and handlers for egress monitoring"><img class=element-to-stretch src=/v1.19/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg alt="Instances, rules and handlers for egress monitoring"></a></div><figcaption>Instances, rules and handlers for egress monitoring</figcaption></figure><ol><li><p>Create the <code>logentry</code>, <code>rules</code> and <code>handlers</code>. Note that you specify <code>context.reporter.uid</code> as
|
|
<code>kubernetes://istio-egressgateway</code> in the rules to get logs from the egress gateway only.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
# Log entry for egress access
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: logentry
|
|
metadata:
|
|
name: egress-access
|
|
namespace: istio-system
|
|
spec:
|
|
severity: '"info"'
|
|
timestamp: request.time
|
|
variables:
|
|
destination: request.host | "unknown"
|
|
path: request.path | "unknown"
|
|
responseCode: response.code | 0
|
|
responseSize: response.size | 0
|
|
reporterUID: context.reporter.uid | "unknown"
|
|
sourcePrincipal: source.principal | "unknown"
|
|
monitored_resource_type: '"UNSPECIFIED"'
|
|
---
|
|
# Handler for error egress access entries
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: stdio
|
|
metadata:
|
|
name: egress-error-logger
|
|
namespace: istio-system
|
|
spec:
|
|
severity_levels:
|
|
info: 2 # output log level as error
|
|
outputAsJson: true
|
|
---
|
|
# Rule to handle access to *.cnn.com/politics
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: rule
|
|
metadata:
|
|
name: handle-politics
|
|
namespace: istio-system
|
|
spec:
|
|
match: request.host.endsWith("cnn.com") && request.path.startsWith("/politics") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
|
|
actions:
|
|
- handler: egress-error-logger.stdio
|
|
instances:
|
|
- egress-access.logentry
|
|
---
|
|
# Handler for info egress access entries
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: stdio
|
|
metadata:
|
|
name: egress-access-logger
|
|
namespace: istio-system
|
|
spec:
|
|
severity_levels:
|
|
info: 0 # output log level as info
|
|
outputAsJson: true
|
|
---
|
|
# Rule to handle access to *.cnn.com
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: rule
|
|
metadata:
|
|
name: handle-cnn-access
|
|
namespace: istio-system
|
|
spec:
|
|
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
|
|
actions:
|
|
- handler: egress-access-logger.stdio
|
|
instances:
|
|
- egress-access.logentry
|
|
EOF
|
|
</code></pre></li><li><p>Send three HTTP requests to <em>cnn.com</em>, to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>.
|
|
All three should return <em>200 OK</em>.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
200
|
|
200
|
|
200
|
|
</code></pre></li><li><p>Query the Mixer log and see that the information about the requests appears in the log:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
{"level":"info","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:43:24.886316Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:43:25.369663Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"error","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
</code></pre><p>You see four log entries related to your three requests. Three <em>info</em> entries about the access to <em>edition.cnn.com</em>
|
|
and one <em>error</em> entry about the access to <em>edition.cnn.com/politics</em>. The service mesh operators can see all the
|
|
access instances, and can also search the log for <em>error</em> log entries that represent forbidden accesses. This is the
|
|
first security measure the organization can apply before blocking the forbidden accesses automatically, namely
|
|
logging all the forbidden access instances as errors. In some settings this can be a sufficient security measure.</p><p>Note the attributes:</p><ul><li><code>destination</code>, <code>path</code>, <code>responseCode</code>, <code>responseSize</code> relate to the HTTP request and its response</li><li><code>sourcePrincipal</code>: <code>cluster.local/ns/default/sa/sleep</code> - a string that represents the <code>sleep</code> service account in
|
|
the <code>default</code> namespace</li><li><code>reporterUID</code>: <code>kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system</code> - a UID of the reporting pod, in
|
|
this case <code>istio-egressgateway-747b6764b8-44rrh</code> in the <code>istio-system</code> namespace</li></ul></li></ol><h3 id=access-control-by-routing>Access control by routing</h3><p>After enabling logging of access to <em>edition.cnn.com</em>, automatically enforce an access policy, namely allow
|
|
accessing <em>/health</em> and <em>/sport</em> URL paths only. Such a simple policy control can be implemented with Istio routing.</p><ol><li><p>Redefine your <code>VirtualService</code> for <em>edition.cnn.com</em>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: direct-cnn-through-egress-gateway
|
|
spec:
|
|
hosts:
|
|
- edition.cnn.com
|
|
gateways:
|
|
- istio-egressgateway
|
|
- mesh
|
|
http:
|
|
- match:
|
|
- gateways:
|
|
- mesh
|
|
port: 80
|
|
route:
|
|
- destination:
|
|
host: istio-egressgateway.istio-system.svc.cluster.local
|
|
subset: cnn
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
- match:
|
|
- gateways:
|
|
- istio-egressgateway
|
|
port: 443
|
|
uri:
|
|
regex: "/health|/sport"
|
|
route:
|
|
- destination:
|
|
host: edition.cnn.com
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
EOF
|
|
</code></pre><p>Note that you added a <code>match</code> by <code>uri</code> condition that checks that the URL path is
|
|
either <em>/health</em> or <em>/sport</em>. Also note that this condition is added to the <code>istio-egressgateway</code>
|
|
section of the <code>VirtualService</code>, since the egress gateway is a hardened component in terms of security (see
|
|
<a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations>egress gateway security considerations</a>). You don’t want any tampering
|
|
with your policies.</p></li><li><p>Send the previous three HTTP requests to <em>cnn.com</em>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
404
|
|
200
|
|
200
|
|
</code></pre><p>The request to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returned <em>404 Not Found</em>, while requests
|
|
to <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and
|
|
<a href=https://edition.cnn.com/health>edition.cnn.com/health</a> returned <em>200 OK</em>, as expected.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-tip"/></svg></div><div class=content>You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
|
gateway.</div></aside></div></li><li><p>Query the Mixer log and see that the information about the requests appears again in the log:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
{"level":"info","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:55:59.697565Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:56:00.264498Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"error","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
</code></pre><p>You still get info and error messages regarding accesses to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, however this time the <code>responseCode</code> is <code>404</code>, as
|
|
expected.</p></li></ol><p>While implementing access control using Istio routing worked for us in this simple case, it would not suffice for more
|
|
complex cases. For example, the organization may want to allow access to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> under certain conditions, so more complex policy logic than
|
|
just filtering by URL paths will be required. You may want to apply <a href=/v1.19/blog/2017/adapter-model/>Istio Mixer Adapters</a>,
|
|
for example
|
|
<a href=https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/#attribute-based-whitelists-or-blacklists>white lists or black lists</a>
|
|
of allowed/forbidden URL paths, respectively.
|
|
<a href=https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Policy Rules</a> allow specifying complex conditions,
|
|
specified in a <a href=https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/expression-language/>rich expression language</a>, which
|
|
includes AND and OR logical operators. The rules can be reused for both logging and policy checks. More advanced users
|
|
may want to apply <a href=/v1.19/docs/concepts/security/#authorization>Istio Role-Based Access Control</a>.</p><p>An additional aspect is integration with remote access policy systems. If the organization in our use case operates some
|
|
<a href=https://en.wikipedia.org/wiki/Identity_management>Identity and Access Management</a> system, you may want to configure
|
|
Istio to use access policy information from such a system. You implement this integration by applying
|
|
<a href=/v1.19/blog/2017/adapter-model/>Istio Mixer Adapters</a>.</p><p>Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
|
|
in the next section.</p><ol><li><p>Replace the <code>VirtualService</code> for <em>edition.cnn.com</em> with your previous version from the <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway>Configure an Egress Gateway</a> example:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: direct-cnn-through-egress-gateway
|
|
spec:
|
|
hosts:
|
|
- edition.cnn.com
|
|
gateways:
|
|
- istio-egressgateway
|
|
- mesh
|
|
http:
|
|
- match:
|
|
- gateways:
|
|
- mesh
|
|
port: 80
|
|
route:
|
|
- destination:
|
|
host: istio-egressgateway.istio-system.svc.cluster.local
|
|
subset: cnn
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
- match:
|
|
- gateways:
|
|
- istio-egressgateway
|
|
port: 443
|
|
route:
|
|
- destination:
|
|
host: edition.cnn.com
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
EOF
|
|
</code></pre></li><li><p>Send the previous three HTTP requests to <em>cnn.com</em>, this time you should get three <em>200 OK</em> responses as
|
|
previously:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
200
|
|
200
|
|
200
|
|
</code></pre></li></ol><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.19/img/icons.svg#callout-tip"/></svg></div><div class=content>You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
|
gateway.</div></aside></div><h3 id=access-control-by-mixer-policy-checks>Access control by Mixer policy checks</h3><p>In this step you use a Mixer
|
|
<a href=https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/list/><code>Listchecker</code> adapter</a>, its whitelist
|
|
variety. You define a <code>listentry</code> with the URL path of the request and a <code>listchecker</code> to check the <code>listentry</code> using a
|
|
static list of allowed URL paths, specified by the <code>overrides</code> field. For an external <a href=https://en.wikipedia.org/wiki/Identity_management>Identity and Access Management</a> system, use the <code>providerurl</code> field instead. The updated
diagram of the instances, rules and handlers appears below. Note that you reuse the same policy rule, <code>handle-cnn-access</code>
both for logging and for access policy checks.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:52.79420593027812%><a data-skipendnotes=true href=/v1.19/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg title="Instances, rules and handlers for egress monitoring and access policies"><img class=element-to-stretch src=/v1.19/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg alt="Instances, rules and handlers for egress monitoring and access policies"></a></div><figcaption>Instances, rules and handlers for egress monitoring and access policies</figcaption></figure><ol><li><p>Define <code>path-checker</code> and <code>request-path</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl create -f -
apiVersion: "config.istio.io/v1alpha2"
kind: listchecker
metadata:
name: path-checker
namespace: istio-system
spec:
overrides: ["/health", "/sport"] # overrides provide a static list
blacklist: false
---
apiVersion: "config.istio.io/v1alpha2"
kind: listentry
metadata:
name: request-path
namespace: istio-system
spec:
value: request.path
EOF
</code></pre></li><li><p>Modify the <code>handle-cnn-access</code> policy rule to send <code>request-path</code> instances to the <code>path-checker</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
# Rule handle egress access to cnn.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
- handler: path-checker.listchecker
instances:
- request-path.listentry
EOF
</code></pre></li><li><p>Perform your usual test by sending HTTP requests to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a>
and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>. As expected, the request to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returns <em>403</em> (Forbidden).</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
403
200
200
</code></pre></li></ol><h3 id=access-control-by-mixer-policy-checks-part-2>Access control by Mixer policy checks, part 2</h3><p>After the organization in our use case managed to configure logging and access control, it decided to extend its access
policy by allowing the applications with a special
<a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>Service Account</a> to access any topic of <em>cnn.com</em>, without being monitored. You’ll see how this requirement can be configured in Istio.</p><ol><li><p>Start the <a href=https://github.com/istio/istio/tree/release-1.19/samples/sleep>sleep</a> sample with the <code>politics</code> service account.</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.19/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sed 's/: sleep/: politics/g' @samples/sleep/sleep.yaml@ | kubectl create -f -
serviceaccount "politics" created
service "politics" created
deployment "politics" created
</code></pre></div></li><li><p>Define the <code>SOURCE_POD_POLITICS</code> shell variable to hold the name of the source pod with the <code>politics</code> service
account, for sending requests to external services.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ export SOURCE_POD_POLITICS=$(kubectl get pod -l app=politics -o jsonpath={.items..metadata.name})
</code></pre></li><li><p>Perform your usual test of sending three HTTP requests, this time from <code>SOURCE_POD_POLITICS</code>.
The request to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returns <em>403</em>, since you did not configure
the exemption for the <em>politics</em> service account.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
403
200
200
</code></pre></li><li><p>Query the Mixer log and see that the information about the requests from the <em>politics</em> service account appears in
the log:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
{"level":"info","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
{"level":"info","time":"2019-01-29T08:04:42.568424Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
{"level":"error","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
{"level":"info","time":"2019-01-29T08:04:42.615641Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
</code></pre><p>Note that <code>sourcePrincipal</code> is <code>cluster.local/ns/default/sa/politics</code> which represents the <code>politics</code> service
account in the <code>default</code> namespace.</p></li><li><p>Redefine the <code>handle-cnn-access</code> and <code>handle-politics</code> policy rules to make the applications running with the <em>politics</em>
service account exempt from monitoring and policy enforcement. The exemption is keyed on <code>source.principal</code>, the workload identity Istio establishes over the mutual TLS connection between the sidecar proxy and the egress gateway, so it covers exactly that service account and not the whole <code>default</code> namespace.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ cat <<EOF | kubectl apply -f -
# Rule to handle access to *.cnn.com/politics
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-politics
namespace: istio-system
spec:
match: request.host.endsWith("cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && request.path.startsWith("/politics") && source.principal != "cluster.local/ns/default/sa/politics"
actions:
- handler: egress-error-logger.stdio
instances:
- egress-access.logentry
---
# Rule handle egress access to cnn.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && source.principal != "cluster.local/ns/default/sa/politics"
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
- handler: path-checker.listchecker
instances:
- request-path.listentry
EOF
</code></pre></li><li><p>Perform your usual test from <code>SOURCE_POD</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
403
200
200
</code></pre><p>Since <code>SOURCE_POD</code> does not run with the <code>politics</code> service account, access to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> is forbidden, as previously.</p></li><li><p>Perform the previous test from <code>SOURCE_POD_POLITICS</code>:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
200
200
200
</code></pre><p>Access to all the topics of <em>edition.cnn.com</em> is allowed.</p></li><li><p>Examine the Mixer log and see that no further requests with <code>sourcePrincipal</code> equal to
<code>cluster.local/ns/default/sa/politics</code> appear in the log.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
</code></pre></li></ol><h2 id=comparison-with-https-egress-traffic-control>Comparison with HTTPS egress traffic control</h2><p>In this use case the applications use HTTP and Istio Egress Gateway performs TLS origination for them. Alternatively,
the applications could originate TLS themselves by issuing HTTPS requests to <em>edition.cnn.com</em>. In this section we
describe both approaches and their pros and cons.</p><p>In the HTTP approach, the requests are sent unencrypted on the local host, intercepted by the Istio sidecar proxy and
forwarded to the egress gateway. Since you configure Istio to use mutual TLS between the sidecar proxy and the egress
gateway, the traffic leaves the pod encrypted. The egress gateway decrypts the traffic, inspects the URL path, the
HTTP method and headers, reports telemetry and performs policy checks. If the request is not blocked by some policy
check, the egress gateway performs TLS origination to the external destination (<em>cnn.com</em> in our case), so the request
is encrypted again and sent encrypted to the external destination. The diagram below demonstrates the network flow of
this approach. The HTTP protocol inside the gateway designates the protocol as seen by the gateway after decryption.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.19/blog/2018/egress-monitoring-access-control/http-to-gateway.svg title="HTTP egress traffic through an egress gateway"><img class=element-to-stretch src=/v1.19/blog/2018/egress-monitoring-access-control/http-to-gateway.svg alt="HTTP egress traffic through an egress gateway"></a></div><figcaption>HTTP egress traffic through an egress gateway</figcaption></figure><p>The drawback of this approach is that the requests are sent unencrypted inside the pod, which may be against security
policies in some organizations. Also some SDKs have external service URLs hard-coded, including the protocol, so
sending HTTP requests could be impossible. The advantage of this approach is the ability to inspect HTTP methods,
headers and URL paths, and to apply policies based on them.</p><p>In the HTTPS approach, the requests are encrypted end-to-end, from the application to the external destination. The
diagram below demonstrates the network flow of this approach. The HTTPS protocol inside the gateway designates the
protocol as seen by the gateway.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.19/blog/2018/egress-monitoring-access-control/https-to-gateway.svg title="HTTPS egress traffic through an egress gateway"><img class=element-to-stretch src=/v1.19/blog/2018/egress-monitoring-access-control/https-to-gateway.svg alt="HTTPS egress traffic through an egress gateway"></a></div><figcaption>HTTPS egress traffic through an egress gateway</figcaption></figure><p>The end-to-end HTTPS is considered a better approach from the security point of view. However, since the traffic is
encrypted, the Istio proxies and the egress gateway can only see the source and destination IPs and the <a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> of the destination. Since you configure Istio to use mutual TLS between the sidecar proxy
and the egress gateway, the <a href=/v1.19/docs/concepts/security/#istio-identity>identity of the source</a> is also known.
The gateway is unable to inspect the URL path, the HTTP method and the headers of the requests, so no monitoring and
policies based on the HTTP information are possible.
In our use case, the organization would be able to allow access to <em>edition.cnn.com</em> and to specify which applications
are allowed to access <em>edition.cnn.com</em>.
However, it will not be possible to allow or block access to specific URL paths of <em>edition.cnn.com</em>.
Neither blocking access to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> nor monitoring such access are
possible with the HTTPS approach.</p><p>We expect that each organization will weigh the pros and cons of the two approaches and choose the one most
appropriate to its needs.</p><h2 id=summary>Summary</h2><p>In this blog post we showed how different monitoring and policy mechanisms of Istio can be applied to HTTP egress
traffic. Monitoring can be implemented by configuring a logging adapter. Access
policies can be implemented by configuring <code>VirtualServices</code> or by configuring various policy check adapters. We
demonstrated a simple policy that allowed certain URL paths only. We also showed a more complex policy that extended the
simple policy by making an exemption to the applications with a certain service account. Finally, we compared
HTTP-with-TLS-origination egress traffic with HTTPS egress traffic, in terms of the control Istio can exercise over each.</p><h2 id=cleanup>Cleanup</h2><ol><li><p>Follow the instructions in the <a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway/#cleanup>Cleanup</a> section of the
<a href=/v1.19/docs/tasks/traffic-management/egress/egress-gateway/>Configure an Egress Gateway</a> example.</p></li><li><p>Delete the logging and policy checks configuration:</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl delete logentry egress-access -n istio-system
$ kubectl delete stdio egress-error-logger -n istio-system
$ kubectl delete stdio egress-access-logger -n istio-system
$ kubectl delete rule handle-politics -n istio-system
$ kubectl delete rule handle-cnn-access -n istio-system
$ kubectl delete -n istio-system listchecker path-checker
$ kubectl delete -n istio-system listentry request-path
</code></pre></li><li><p>Delete the <em>politics</em> source pod:</p><div><a data-skipendnotes=true style=display:none href=https://raw.githubusercontent.com/istio/istio/release-1.19/samples/sleep/sleep.yaml>Zip</a><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ sed 's/: sleep/: politics/g' @samples/sleep/sleep.yaml@ | kubectl delete -f -
serviceaccount "politics" deleted
service "politics" deleted
deployment "politics" deleted
</code></pre></div></li></ol></div><nav class=pagenav><div class=left><a title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.19/blog/2018/export-logs-through-stackdriver/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.19/img/icons.svg#left-arrow"/></svg>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></div><div class=right><a title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.19/blog/2018/v1alpha3-routing/ class=next-link>Introducing the Istio v1alpha3 routing API<svg class="icon right-arrow"><use xlink:href="/v1.19/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title='GitHub is where development takes place on Istio code' href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.19/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.19/img/icons.svg#drive"/></svg></a><a class=channel title='Interactively discuss issues with the Istio community on Slack' href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.19/img/icons.svg#slack"/></svg></a><a class=channel title='Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio' href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.19/img/icons.svg#stackoverflow"/></svg></a><a class=channel title='Follow us on Twitter to get the latest news' href=https://twitter.com/IstioMesh aria-label=Twitter><svg 
class="icon twitter"><use xlink:href="/v1.19/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.19/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 
01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.19/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://www.linuxfoundation.org/legal/terms>Terms and Conditions</a> |
<a class=footer-policies-link href=https://www.linuxfoundation.org/legal/privacy-policy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.19/content/en/blog/2018/egress-monitoring-access-control/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>© 2023 the Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.19.4</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2018/egress-monitoring-access-control/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2018/egress-monitoring-access-control/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title='Back to top' tabindex=-1><svg class="icon top"><use xlink:href="/v1.19/img/icons.svg#top"/></svg></button></div></body></html> |