istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/archive/v1.2/blog/2017/0.1-using-network-policy/index.html

72 lines
34 KiB
HTML
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Using Network Policy with Istio"><meta name=description content="How Kubernetes Network Policy relates to Istio policy."><meta name=author content="Spike Curtis"><meta name=keywords content=microservices,services,mesh><meta property=og:title content="Using Network Policy with Istio"><meta property=og:type content=website><meta property=og:description content="How Kubernetes Network Policy relates to Istio policy."><meta property=og:url content=/v1.2/blog/2017/0.1-using-network-policy/><meta property=og:image content=/v1.2/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.2 / Using Network Policy with Istio</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.2/feed.xml><link rel="shortcut icon" href=/v1.2/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.2/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.2/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.2/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.2/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.2/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.2/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.2/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.2/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.2/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.2/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.2/css/all.css><script src=/v1.2/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Using Network Policy with Istio";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.2/docs/>Docs</a>
<span title="Posts about using Istio.">Blog</span>
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2017\/0.1-using-network-policy\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2017\/0.1-using-network-policy\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.2/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2019." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Istio 1.1.14 patch release." href=/v1.2/blog/2019/announcing-1.1.14/>Announcing Istio 1.1.14</a></li><li role=none><a role=treeitem title="Istio 1.2.5 patch release." href=/v1.2/blog/2019/announcing-1.2.5/>Announcing Istio 1.2.5</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.1 end of life announcement." href=/v1.2/blog/2019/announcing-1.1-eol/>Support for Istio 1.1 ends on September 19th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.1.13 patch release." href=/v1.2/blog/2019/announcing-1.1.13/>Announcing Istio 1.1.13</a></li><li role=none><a role=treeitem title="Istio 1.2.4 patch release." href=/v1.2/blog/2019/announcing-1.2.4/>Announcing Istio 1.2.4</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for multiple CVEs." href=/v1.2/blog/2019/istio-security-003-004/>Security Update - ISTIO-SECURITY-003 and ISTIO-SECURITY-004</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving." href=/v1.2/blog/2019/evolving-istios-apis/>The Evolution of Istio&#39;s APIs</a></li><li role=none><a role=treeitem title="Istio 1.1.12 patch release." href=/v1.2/blog/2019/announcing-1.1.12/>Announcing Istio 1.1.12</a></li><li role=none><a role=treeitem title="Istio 1.2.3 patch release." href=/v1.2/blog/2019/announcing-1.2.3/>Announcing Istio 1.2.3</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance." href=/v1.2/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Istio 1.1.11 patch release." href=/v1.2/blog/2019/announcing-1.1.11/>Announcing Istio 1.1.11</a></li><li role=none><a role=treeitem title="Istio 1.0.9 patch release." href=/v1.2/blog/2019/announcing-1.0.9/>Announcing Istio 1.0.9</a></li><li role=none><a role=treeitem title="Istio 1.1.10 patch release." href=/v1.2/blog/2019/announcing-1.1.10/>Announcing Istio 1.1.10</a></li><li role=none><a role=treeitem title="Istio 1.2.2 patch release." href=/v1.2/blog/2019/announcing-1.2.2/>Announcing Istio 1.2.2</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12995." href=/v1.2/blog/2019/cve-2019-12995/>Security Update - CVE-2019-12995</a></li><li role=none><a role=treeitem title="Istio 1.2.1 patch release." href=/v1.2/blog/2019/announcing-1.2.1/>Announcing Istio 1.2.1</a></li><li role=none><a role=treeitem title="Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol-final/>Support for Istio 1.0 has ended</a></li><li role=none><a role=treeitem title="Istio 1.2 release announcement." href=/v1.2/blog/2019/announcing-1.2/>Announcing Istio 1.2</a></li><li role=none><a role=treeitem title="Istio 1.1.9 patch release." href=/v1.2/blog/2019/announcing-1.1.9/>Announcing Istio 1.1.9</a></li><li role=none><a role=treeitem title="Istio 1.0.8 patch release." href=/v1.2/blog/2019/announcing-1.0.8/>Announcing Istio 1.0.8</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.2/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Istio 1.1.8 patch release." href=/v1.2/blog/2019/announcing-1.1.8/>Announcing Istio 1.1.8</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12243." href=/v1.2/blog/2019/cve-2019-12243/>Security Update - CVE-2019-12243</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol/>Support for Istio 1.0 ends on June 19th, 2019</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="Istio 1.1.7 patch release." href=/v1.2/blog/2019/announcing-1.1.7/>Announcing Istio 1.1.7</a></li><li role=none><a role=treeitem title="Istio 1.1.6 patch release." href=/v1.2/blog/2019/announcing-1.1.6/>Announcing Istio 1.1.6</a></li><li role=none><a role=treeitem title="Istio 1.1.5 patch release." href=/v1.2/blog/2019/announcing-1.1.5/>Announcing Istio 1.1.5</a></li><li role=none><a role=treeitem title="Istio 1.1.4 patch release." href=/v1.2/blog/2019/announcing-1.1.4/>Announcing Istio 1.1.4</a></li><li role=none><a role=treeitem title="Istio 1.1.3 patch release." href=/v1.2/blog/2019/announcing-1.1.3/>Announcing Istio 1.1.3</a></li><li role=none><a role=treeitem title="Istio 1.0.7 patch releases." href=/v1.2/blog/2019/announcing-1.0.7/>Announcing Istio 1.0.7 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.2 patch release." href=/v1.2/blog/2019/announcing-1.1.2/>Announcing Istio 1.1.2 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.1 patch release." href=/v1.2/blog/2019/announcing-1.1.1/>Announcing Istio 1.1.1</a></li><li role=none><a role=treeitem title="Istio 1.1 release announcement." href=/v1.2/blog/2019/announcing-1.1/>Announcing Istio 1.1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance." href=/v1.2/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Istio 1.0.6 patch release." href=/v1.2/blog/2019/announcing-1.0.6/>Announcing Istio 1.0.6</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh." href=/v1.2/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy." href=/v1.2/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment." href=/v1.2/blog/2019/data-plane-setup/>Demystifying Istio&#39;s Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway." href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch." href=/v1.2/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board." href=/v1.2/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually." href=/v1.2/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2018." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2018 Posts</button><div class=body aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Istio 1.0.5 patch release." href=/v1.2/blog/2018/announcing-1.0.5/>Announcing Istio 1.0.5</a></li><li role=none><a role=treeitem title="Istio 1.0.4 patch release." href=/v1.2/blog/2018/announcing-1.0.4/>Announcing Istio 1.0.4</a></li><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies." href=/v1.2/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio 1.0.3 patch release." href=/v1.2/blog/2018/announcing-1.0.3/>Announcing Istio 1.0.3</a></li><li role=none><a role=treeitem title="Istio 1.0.2 patch release." href=/v1.2/blog/2018/announcing-1.0.2/>Announcing Istio 1.0.2</a></li><li role=none><a role=treeitem title="Istio 1.0.1 patch release." href=/v1.2/blog/2018/announcing-1.0.1/>Announcing Istio 1.0.1</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release." href=/v1.2/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="Istio is ready for production use with its 1.0 release." href=/v1.2/blog/2018/announcing-1.0/>Announcing Istio 1.0</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio." href=/v1.2/blog/2018/hp/>Istio a Game Changer for HP&#39;s FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.2/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases." href=/v1.2/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.2/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><a role=treeitem title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic." href=/v1.2/blog/2018/egress-monitoring-access-control/>Monitoring and Access Policies for HTTP Egress Traffic</a></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.2/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS." href=/v1.2/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment." href=/v1.2/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production." href=/v1.2/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2017." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2017 Posts</button><div class="body default" aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Improving availability and reducing latency." href=/v1.2/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture." href=/v1.2/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="Istio 0.2 announcement." href=/v1.2/blog/2017/0.2-announcement/>Announcing Istio 0.2</a></li><li role=none><span role=treeitem class=current title="How Kubernetes Network Policy relates to Istio policy.">Using Network Policy with Istio</span></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments." href=/v1.2/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Auth 0.1 announcement." href=/v1.2/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li><li role=none><a role=treeitem title="Istio 0.1 announcement." href=/v1.2/blog/2017/0.1-announcement/>Introducing Istio</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.2/blog/2017/ title="Blog posts for 2017.">2017 Posts</a></li><li>Using Network Policy with Istio</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Using Network Policy with Istio</h1><p class=byline><span>By</span>
<span class=attribution>Spike Curtis</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#calendar"/></svg><span>&nbsp;</span>August 10, 2017</span><span> | </span><span title="1168 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span>&nbsp;</span>6 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label=Layer><a href=#layer>Layer</a><li role=none aria-label=Implementation><a href=#implementation>Implementation</a><li role=none aria-label="Enforcement Point"><a href=#enforcement-point>Enforcement Point</a><li role=none aria-label=Examples><a href=#examples>Examples</a><ol><li role=none aria-label="Reduce attack surface of the application ingress"><a href=#reduce-attack-surface-of-the-application-ingress>Reduce attack surface of the application ingress</a><li role=none aria-label="Enforce fine-grained isolation within the application"><a href=#enforce-fine-grained-isolation-within-the-application>Enforce fine-grained isolation within the application</a></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a></ol><hr></div></nav><p>The use of Network Policy to secure applications running on Kubernetes is a now a widely accepted industry best practice. Given that Istio also supports policy, we want to spend some time explaining how Istio policy and Kubernetes Network Policy interact and support each other to deliver your application securely.</p><p>Lets start with the basics: why might you want to use both Istio and Kubernetes Network Policy? The short answer is that they are good at different things. Consider the main differences between Istio and Network Policy (we will describe &ldquo;typical” implementations, e.g. Calico, but implementation details can vary with different network providers):</p><table><thead><tr><th></th><th>Istio Policy</th><th>Network Policy</th></tr></thead><tbody><tr><td><strong>Layer</strong></td><td>&ldquo;Service&rdquo; &mdash; L7</td><td>&ldquo;Network&rdquo; &mdash; L3-4</td></tr><tr><td><strong>Implementation</strong></td><td>User space</td><td>Kernel</td></tr><tr><td><strong>Enforcement Point</strong></td><td>Pod</td><td>Node</td></tr></tbody></table><h2 id=layer>Layer</h2><p>Istio policy operates at the &ldquo;service” layer of your network application. This is Layer 7 (Application) from the perspective of the OSI model, but the de facto model of cloud native applications is that Layer 7 actually consists of at least two layers: a service layer and a content layer. The service layer is typically HTTP, which encapsulates the actual application data (the content layer). It is at this service layer of HTTP that the Istios Envoy proxy operates. In contrast, Network Policy operates at Layers 3 (Network) and 4 (Transport) in the OSI model.</p><p>Operating at the service layer gives the Envoy proxy a rich set of attributes to base policy decisions on, for protocols it understands, which at present includes HTTP/1.1 &amp; HTTP/2 (gRPC operates over HTTP/2). So, you can apply policy based on virtual host, URL, or other HTTP headers. In the future, Istio will support a wide range of Layer 7 protocols, as well as generic TCP and UDP transport.</p><p>In contrast, operating at the network layer has the advantage of being universal, since all network applications use IP. At the network layer you can apply policy regardless of the layer 7 protocol: DNS, SQL databases, real-time streaming, and a plethora of other services that do not use HTTP can be secured. Network Policy isnt limited to a classic firewalls tuple of IP addresses, proto, and ports. Both Istio and Network Policy are aware of rich Kubernetes labels to describe pod endpoints.</p><h2 id=implementation>Implementation</h2><p>The Istios proxy is based on <a href=https://envoyproxy.github.io/envoy/>Envoy</a>, which is implemented as a user space daemon in the data plane that
interacts with the network layer using standard sockets. This gives it a large amount of flexibility in processing, and allows it to be
distributed (and upgraded!) in a container.</p><p>Network Policy data plane is typically implemented in kernel space (e.g. using iptables, eBPF filters, or even custom kernel modules). Being in kernel space
allows them to be extremely fast, but not as flexible as the Envoy proxy.</p><h2 id=enforcement-point>Enforcement Point</h2><p>Policy enforcement using the Envoy proxy is implemented inside the pod, as a sidecar container in the same network namespace. This allows a simple deployment model. Some containers are given permission to reconfigure the networking inside their pod (CAP_NET_ADMIN). If such a service instance is compromised, or misbehaves (as in a malicious tenant) the proxy can be bypassed.</p><p>While this wont let an attacker access other Istio-enabled pods, so long as they are correctly configured, it opens several attack vectors:</p><ul><li>Attacking unprotected pods</li><li>Attempting to deny service to protected pods by sending lots of traffic</li><li>Exfiltrating data collected in the pod</li><li>Attacking the cluster infrastructure (servers or Kubernetes services)</li><li>Attacking services outside the mesh, like databases, storage arrays, or legacy systems.</li></ul><p>Network Policy is typically enforced at the host node, outside the network namespace of the guest pods. This means that compromised or misbehaving pods must break into the root namespace to avoid enforcement. With the addition of egress policy due in Kubernetes 1.8, this difference makes Network Policy a key part of protecting your infrastructure from compromised workloads.</p><h2 id=examples>Examples</h2><p>Lets walk through a few examples of what you might want to do with Kubernetes Network Policy for an Istio-enabled application. Consider the Bookinfo sample application. Were going to cover the following use cases for Network Policy:</p><ul><li>Reduce attack surface of the application ingress</li><li>Enforce fine-grained isolation within the application</li></ul><h3 id=reduce-attack-surface-of-the-application-ingress>Reduce attack surface of the application ingress</h3><p>Our application ingress controller is the main entry-point to our application from the outside world. A quick peek at <code>istio.yaml</code> (used to install Istio) defines the Istio ingress like this:</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: v1
kind: Service
metadata:
name: istio-ingress
labels:
istio: ingress
spec:
type: LoadBalancer
ports:
- port: 80
name: http
- port: 443
name: https
selector:
istio: ingress
</code></pre><p>The <code>istio-ingress</code> exposes ports 80 and 443. Lets limit incoming traffic to just these two ports. Envoy has a <a href=https://www.envoyproxy.io/docs/envoy/latest/operations/admin.html#operations-admin-interface>built-in administrative interface</a>, and we dont want a misconfigured <code>istio-ingress</code> image to accidentally expose our admin interface to the outside world. This is an example of defense in depth: a properly configured image should not expose the interface, and a properly configured Network Policy will prevent anyone from connecting to it. Either can fail or be misconfigured and we are still protected.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: istio-ingress-lockdown
namespace: default
spec:
podSelector:
matchLabels:
istio: ingress
ingress:
- ports:
- protocol: TCP
port: 80
- protocol: TCP
port: 443
</code></pre><h3 id=enforce-fine-grained-isolation-within-the-application>Enforce fine-grained isolation within the application</h3><p>Here is the service graph for the Bookinfo application.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.086918235567985%><a data-skipendnotes=true href=/v1.2/docs/examples/bookinfo/withistio.svg title="Bookinfo Service Graph"><img class=element-to-stretch src=/v1.2/docs/examples/bookinfo/withistio.svg alt="Bookinfo Service Graph"></a></div><figcaption>Bookinfo Service Graph</figcaption></figure><p>This graph shows every connection that a correctly functioning application should be allowed to make. All other connections, say from the Istio Ingress directly to the Rating service, are not part of the application. Lets lock out those extraneous connections so they cannot be used by an attacker. Imagine, for example, that the Ingress pod is compromised by an exploit that allows an attacker to run arbitrary code. If we only allow connections to the Product Page pods using Network Policy, the attacker has gained no more access to my application backends <em>even though they have compromised a member of the service mesh</em>.</p><pre><code class=language-yaml data-expandlinks=true>apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: product-page-ingress
namespace: default
spec:
podSelector:
matchLabels:
app: productpage
ingress:
- ports:
- protocol: TCP
port: 9080
from:
- podSelector:
matchLabels:
istio: ingress
</code></pre><p>You can and should write a similar policy for each service to enforce which other pods are allowed to access each.</p><h2 id=summary>Summary</h2><p>Our take is that Istio and Network Policy have different strengths in applying policy. Istio is application-protocol aware and highly flexible, making it ideal for applying policy in support of operational goals, like service routing, retries, circuit-breaking, etc, and for security that operates at the application layer, such as token validation. Network Policy is universal, highly efficient, and isolated from the pods, making it ideal for applying policy in support of network security goals. Furthermore, having policy that operates at different layers of the network stack is a really good thing as it gives each layer specific context without commingling of state and allows separation of responsibility.</p><p>This post is based on the three part blog series by Spike Curtis, one of the Istio team members at Tigera. The full series can be found here: <a href=https://www.projectcalico.org/using-network-policy-in-concert-with-istio/>https://www.projectcalico.org/using-network-policy-in-concert-with-istio/</a></p></article><nav class=pagenav><div class=left><a title="Istio 0.2 announcement." href=/v1.2/blog/2017/0.2-announcement/><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#left-arrow"/></svg>Announcing Istio 0.2</a></div><div class=right><a title="Using Istio to create autoscaled canary deployments." href=/v1.2/blog/2017/0.1-canary/>Canary Deployments using Istio<svg class="icon"><use xlink:href="/v1.2/img/icons.svg#right-arrow"/></svg></a></div></nav><div id=endnotes-container aria-hidden=true><h2>Links</h2><ol id=endnotes></ol></div></div><div class=toc-container><nav class=toc aria-label="Table of Contents"><div id=toc><ol><li role=none aria-label=Layer><a href=#layer>Layer</a><li role=none aria-label=Implementation><a href=#implementation>Implementation</a><li role=none aria-label="Enforcement Point"><a href=#enforcement-point>Enforcement Point</a><li role=none aria-label=Examples><a href=#examples>Examples</a><ol><li role=none aria-label="Reduce attack surface of the application ingress"><a href=#reduce-attack-surface-of-the-application-ingress>Reduce attack surface of the application ingress</a><li role=none aria-label="Enforce fine-grained isolation within the application"><a href=#enforce-fine-grained-isolation-within-the-application>Enforce fine-grained isolation within the application</a></ol></li><li role=none aria-label=Summary><a href=#summary>Summary</a></ol></div></nav></div></main><footer><div class=user-links><a class=channel title="Go download Istio 1.2.5 now" href=https://github.com/istio/istio/releases/tag/1.2.5 aria-label="Download Istio"><span>download</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#download"/></svg>
</a><a class=channel title="Join the Istio discussion board to participate in discussions and get help troubleshooting problems" href=https://discuss.istio.io aria-label="Istio discussion board"><span>discuss</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#discourse"/></svg></a>
<a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><span>stack overflow</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#stackoverflow"/></svg></a>
<a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://istio.slack.com aria-label=slack><span>slack</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#slack"/></svg></a>
<a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><span>twitter</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#twitter"/></svg></a><div class=tag>for everyone</div></div><div class=info><p class=copyright>Istio Archive
1.2.5<br>&copy; 2019 Istio Authors, <a href=https://policies.google.com/privacy>Privacy Policy</a><br>Archived on September 12, 2019</p></div><div class=dev-links><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><span>github</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#github"/></svg></a>
<a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><span>drive</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#drive"/></svg></a>
<a class=channel title="If you'd like to contribute to the Istio project, consider participating in our working groups" href=https://github.com/istio/community/blob/master/WORKING-GROUPS.md aria-label="working groups"><span>working groups</span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#working-groups"/></svg></a><div class=tag>for developers</div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#top"/></svg></button></div></body></html>
Reference in New Issue View Git Blame Copy Permalink