<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content=#466BB0><meta name=title content="Monitoring and Access Policies for HTTP Egress Traffic"><meta name=description content="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic."><meta name=author content="Vadim Eisenberg and Ronen Schaffer (IBM)"><meta name=keywords content=microservices,services,mesh,egress,traffic-management,access-control,monitoring><meta property=og:title content="Monitoring and Access Policies for HTTP Egress Traffic"><meta property=og:type content=website><meta property=og:description content="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic."><meta property=og:url content=/v1.2/blog/2018/egress-monitoring-access-control/><meta property=og:image content=/v1.2/img/istio-whitelogo-bluebackground-framed.svg><meta property=og:image:alt content="Istio Logo"><meta property=og:image:width content=112><meta property=og:image:height content=150><meta property=og:site_name content=Istio><meta name=twitter:card content=summary><meta name=twitter:site content=@IstioMesh><title>Istioldie 1.2 / Monitoring and Access Policies for HTTP Egress Traffic</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script><script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-98480406-2');</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.2/feed.xml><link rel="shortcut icon" href=/v1.2/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.2/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.2/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.2/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.2/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.2/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.2/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.2/favicons/android-96x96.png sizes=96xW96><link rel=icon type=image/png href=/v1.2/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.2/favicons/android-192x192.png sizes=192x192><link rel=manifest href=/v1.2/manifest.json><meta name=apple-mobile-web-app-title content=Istio><meta name=application-name content=Istio><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Work+Sans:400|Chivo:400|Work+Sans:500,300,600,300italic,400italic,500italic,600italic|Chivo:500,300,600,300italic,400italic,500italic,600italic"><link rel=stylesheet href=/v1.2/css/all.css><script src=/v1.2/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.2";const docTitle="Monitoring and Access Policies for HTTP Egress Traffic";const iconFile="\/v1.2/img/icons.svg";const buttonCopy='Copy to clipboard';const buttonPrint='Print';const buttonDownload='Download';</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script><script src=/v1.2/js/all.min.js data-manual defer></script><header><nav><a id=brand href=/v1.2/><span class=logo><svg viewBox="0 0 300 300"><circle cx="150" cy="150" r="146" stroke-width="2" /><path d="M65 240H225L125 270z"/><path 
d="M65 230l60-10V110z"/><path d="M135 220l90 10L135 30z"/></svg></span><span class=name>Istioldie 1.2</span></a><div id=hamburger><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#hamburger"/></svg></div><div id=header-links><a title="Learn how to deploy, use, and operate Istio." href=/v1.2/docs/>Docs</a>
<span title="Posts about using Istio.">Blog</span>
<a title="Frequently Asked Questions about Istio." href=/v1.2/faq/>FAQ</a>
<a title="Get a bit more in-depth info about the Istio project." href=/v1.2/about/>About</a><div class=menu><button id=gearDropdownButton class=menu-trigger title="Options and settings" aria-label="Options and Settings" aria-controls=gearDropdownContent><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#gear"/></svg></button><div id=gearDropdownContent class=menu-content aria-labelledby=gearDropdownButton role=menu><a tabindex=-1 role=menuitem lang=en id=switch-lang-en class=active>English</a>
<a tabindex=-1 role=menuitem lang=zh id=switch-lang-zh>中文</a><div role=separator></div><a tabindex=-1 role=menuitem class=active id=light-theme-item>Light Theme</a>
<a tabindex=-1 role=menuitem id=dark-theme-item>Dark Theme</a><div role=separator></div><a tabindex=-1 role=menuitem id=syntax-coloring-item>Color Examples</a><div role=separator></div><h6>Other versions of this site</h6><a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://istio.io/blog\/2018\/egress-monitoring-access-control\/');return false;">Current Release</a>
<a tabindex=-1 role=menuitem onclick="navigateToUrlOrRoot('https://preliminary.istio.io/blog\/2018\/egress-monitoring-access-control\/');return false;">Next Release</a>
<a tabindex=-1 role=menuitem href=https://archive.istio.io>Older Releases</a></div></div><button id=search-show title="Search this site" aria-label=Search><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#magnifier"/></svg></button></div><form id=search-form name=cse role=search><input type=hidden name=cx value=013699703217164175118:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/v1.2/search.html>
<input id=search-textbox class=form-control name=q type=search aria-label="Search this site">
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#cancel-x"/></svg></button></form></nav></header><main class=primary><div id=sidebar-container class="sidebar-container sidebar-offcanvas"><nav id=sidebar aria-label="Section Navigation"><div class=directory><div class=card><button class="header dynamic" id=card0 title="Blog posts for 2019." aria-controls=card0-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2019 Posts</button><div class=body aria-labelledby=card0 role=region id=card0-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card0><li role=none><a role=treeitem title="Istio 1.1.14 patch release." href=/v1.2/blog/2019/announcing-1.1.14/>Announcing Istio 1.1.14</a></li><li role=none><a role=treeitem title="Istio 1.2.5 patch release." href=/v1.2/blog/2019/announcing-1.2.5/>Announcing Istio 1.2.5</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.1 end of life announcement." href=/v1.2/blog/2019/announcing-1.1-eol/>Support for Istio 1.1 ends on September 19th, 2019</a></li><li role=none><a role=treeitem title="Istio 1.1.13 patch release." href=/v1.2/blog/2019/announcing-1.1.13/>Announcing Istio 1.1.13</a></li><li role=none><a role=treeitem title="Istio 1.2.4 patch release." href=/v1.2/blog/2019/announcing-1.2.4/>Announcing Istio 1.2.4</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for multiple CVEs." href=/v1.2/blog/2019/istio-security-003-004/>Security Update - ISTIO-SECURITY-003 and ISTIO-SECURITY-004</a></li><li role=none><a role=treeitem title="The design principles behind Istio's APIs and how those APIs are evolving." href=/v1.2/blog/2019/evolving-istios-apis/>The Evolution of Istio's APIs</a></li><li role=none><a role=treeitem title="Istio 1.1.12 patch release." 
href=/v1.2/blog/2019/announcing-1.1.12/>Announcing Istio 1.1.12</a></li><li role=none><a role=treeitem title="Istio 1.2.3 patch release." href=/v1.2/blog/2019/announcing-1.2.3/>Announcing Istio 1.2.3</a></li><li role=none><a role=treeitem title="Comparison of alternative solutions to control egress traffic including performance considerations." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></li><li role=none><a role=treeitem title="Use Istio Egress Traffic Control to prevent attacks involving egress traffic." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></li><li role=none><a role=treeitem title="Tools and guidance for evaluating Istio's data plane performance." href=/v1.2/blog/2019/performance-best-practices/>Best Practices: Benchmarking Service Mesh Performance</a></li><li role=none><a role=treeitem title="Istio 1.1.11 patch release." href=/v1.2/blog/2019/announcing-1.1.11/>Announcing Istio 1.1.11</a></li><li role=none><a role=treeitem title="Istio 1.0.9 patch release." href=/v1.2/blog/2019/announcing-1.0.9/>Announcing Istio 1.0.9</a></li><li role=none><a role=treeitem title="Istio 1.1.10 patch release." href=/v1.2/blog/2019/announcing-1.1.10/>Announcing Istio 1.1.10</a></li><li role=none><a role=treeitem title="Istio 1.2.2 patch release." href=/v1.2/blog/2019/announcing-1.2.2/>Announcing Istio 1.2.2</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12995." href=/v1.2/blog/2019/cve-2019-12995/>Security Update - CVE-2019-12995</a></li><li role=none><a role=treeitem title="Istio 1.2.1 patch release." href=/v1.2/blog/2019/announcing-1.2.1/>Announcing Istio 1.2.1</a></li><li role=none><a role=treeitem title="Istio 1.0 end of life announcement." 
href=/v1.2/blog/2019/announcing-1.0-eol-final/>Support for Istio 1.0 has ended</a></li><li role=none><a role=treeitem title="Istio 1.2 release announcement." href=/v1.2/blog/2019/announcing-1.2/>Announcing Istio 1.2</a></li><li role=none><a role=treeitem title="Istio 1.1.9 patch release." href=/v1.2/blog/2019/announcing-1.1.9/>Announcing Istio 1.1.9</a></li><li role=none><a role=treeitem title="Istio 1.0.8 patch release." href=/v1.2/blog/2019/announcing-1.0.8/>Announcing Istio 1.0.8</a></li><li role=none><a role=treeitem title="Learn how to extend the lifetime of Istio self-signed root certificate." href=/v1.2/blog/2019/root-transition/>Extending Istio Self-Signed Root Certificate Lifetime</a></li><li role=none><a role=treeitem title="Istio 1.1.8 patch release." href=/v1.2/blog/2019/announcing-1.1.8/>Announcing Istio 1.1.8</a></li><li role=none><a role=treeitem title="Security vulnerability disclosure for CVE-2019-12243." href=/v1.2/blog/2019/cve-2019-12243/>Security Update - CVE-2019-12243</a></li><li role=none><a role=treeitem title="Upcoming Istio 1.0 end of life announcement." href=/v1.2/blog/2019/announcing-1.0-eol/>Support for Istio 1.0 ends on June 19th, 2019</a></li><li role=none><a role=treeitem title="Attacks involving egress traffic and requirements for egress traffic control." href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></li><li role=none><a role=treeitem title="Istio 1.1.7 patch release." href=/v1.2/blog/2019/announcing-1.1.7/>Announcing Istio 1.1.7</a></li><li role=none><a role=treeitem title="Istio 1.1.6 patch release." href=/v1.2/blog/2019/announcing-1.1.6/>Announcing Istio 1.1.6</a></li><li role=none><a role=treeitem title="Istio 1.1.5 patch release." href=/v1.2/blog/2019/announcing-1.1.5/>Announcing Istio 1.1.5</a></li><li role=none><a role=treeitem title="Istio 1.1.4 patch release." 
href=/v1.2/blog/2019/announcing-1.1.4/>Announcing Istio 1.1.4</a></li><li role=none><a role=treeitem title="Istio 1.1.3 patch release." href=/v1.2/blog/2019/announcing-1.1.3/>Announcing Istio 1.1.3</a></li><li role=none><a role=treeitem title="Istio 1.0.7 patch releases." href=/v1.2/blog/2019/announcing-1.0.7/>Announcing Istio 1.0.7 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.2 patch release." href=/v1.2/blog/2019/announcing-1.1.2/>Announcing Istio 1.1.2 with Important Security Update</a></li><li role=none><a role=treeitem title="Istio 1.1.1 patch release." href=/v1.2/blog/2019/announcing-1.1.1/>Announcing Istio 1.1.1</a></li><li role=none><a role=treeitem title="Istio 1.1 release announcement." href=/v1.2/blog/2019/announcing-1.1/>Announcing Istio 1.1</a></li><li role=none><a role=treeitem title="An overview of Istio 1.1 performance." href=/v1.2/blog/2019/istio1.1_perf/>Architecting Istio 1.1 for Performance</a></li><li role=none><a role=treeitem title="Istio 1.0.6 patch release." href=/v1.2/blog/2019/announcing-1.0.6/>Announcing Istio 1.0.6</a></li><li role=none><a role=treeitem title="Configuring Istio route rules in a multicluster service mesh." href=/v1.2/blog/2019/multicluster-version-routing/>Version Routing in a Multicluster Service Mesh</a></li><li role=none><a role=treeitem title="Announces the new Istio blog policy." href=/v1.2/blog/2019/sail-the-blog/>Sail the Blog!</a></li><li role=none><a role=treeitem title="De-mystify how Istio manages to plugin its data-plane components into an existing deployment." href=/v1.2/blog/2019/data-plane-setup/>Demystifying Istio's Sidecar Injection Model</a></li><li role=none><a role=treeitem title="Verifies the performance impact of adding an egress gateway." href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></li><li role=none><a role=treeitem title="Addressing application startup ordering and startup latency using AppSwitch." 
href=/v1.2/blog/2019/appswitch/>Sidestepping Dependency Ordering with AppSwitch</a></li><li role=none><a role=treeitem title="Istio has a new discussion board." href=/v1.2/blog/2019/announcing-discuss.istio.io/>Announcing discuss.istio.io</a></li><li role=none><a role=treeitem title="Describes how to deploy a custom ingress gateway using cert-manager manually." href=/v1.2/blog/2019/custom-ingress-gateway/>Deploy a Custom Ingress Gateway Using Cert-Manager</a></li></ul></div></div><div class=card><button class="header dynamic" id=card1 title="Blog posts for 2018." aria-controls=card1-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2018 Posts</button><div class="body default" aria-labelledby=card1 role=region id=card1-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card1><li role=none><a role=treeitem title="Istio 1.0.5 patch release." href=/v1.2/blog/2018/announcing-1.0.5/>Announcing Istio 1.0.5</a></li><li role=none><a role=treeitem title="Istio 1.0.4 patch release." href=/v1.2/blog/2018/announcing-1.0.4/>Announcing Istio 1.0.4</a></li><li role=none><a role=treeitem title="How to use Istio for traffic management without deploying sidecar proxies." href=/v1.2/blog/2018/incremental-traffic-management/>Incremental Istio Part 1, Traffic Management</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></li><li role=none><a role=treeitem title="Istio 1.0.3 patch release." href=/v1.2/blog/2018/announcing-1.0.3/>Announcing Istio 1.0.3</a></li><li role=none><a role=treeitem title="Istio 1.0.2 patch release." href=/v1.2/blog/2018/announcing-1.0.2/>Announcing Istio 1.0.2</a></li><li role=none><a role=treeitem title="Istio 1.0.1 patch release." 
href=/v1.2/blog/2018/announcing-1.0.1/>Announcing Istio 1.0.1</a></li><li role=none><a role=treeitem title="Istio hosting an all day Twitch stream to celebrate the 1.0 release." href=/v1.2/blog/2018/istio-twitch-stream/>All Day Istio Twitch Stream</a></li><li role=none><a role=treeitem title="Istio is ready for production use with its 1.0 release." href=/v1.2/blog/2018/announcing-1.0/>Announcing Istio 1.0</a></li><li role=none><a role=treeitem title="How HP is building its next-generation footwear personalization platform on Istio." href=/v1.2/blog/2018/hp/>Istio a Game Changer for HP's FitStation Platform</a></li><li role=none><a role=treeitem title="Automatic application onboarding and latency optimizations using AppSwitch." href=/v1.2/blog/2018/delayering-istio/>Delayering Istio with AppSwitch</a></li><li role=none><a role=treeitem title="Describe Istio's authorization feature and how to use it in various use cases." href=/v1.2/blog/2018/istio-authorization/>Micro-Segmentation with Istio Authorization</a></li><li role=none><a role=treeitem title="How to export Istio Access Logs to different sinks like BigQuery, GCS, Pub/Sub through Stackdriver." href=/v1.2/blog/2018/export-logs-through-stackdriver/>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</a></li><li role=none><span role=treeitem class=current title="Describes how to configure Istio for monitoring and access policies of HTTP egress traffic.">Monitoring and Access Policies for HTTP Egress Traffic</span></li><li role=none><a role=treeitem title="Introduction, motivation and design principles for the Istio v1alpha3 routing API." href=/v1.2/blog/2018/v1alpha3-routing/>Introducing the Istio v1alpha3 routing API</a></li><li role=none><a role=treeitem title="Describes how to configure Istio ingress with a network load balancer on AWS." 
href=/v1.2/blog/2018/aws-nlb/>Configuring Istio Ingress with AWS NLB</a></li><li role=none><a role=treeitem title="Using Kubernetes namespaces and RBAC to create an Istio soft multi-tenancy environment." href=/v1.2/blog/2018/soft-multitenancy/>Istio Soft Multi-Tenancy Support</a></li><li role=none><a role=treeitem title="An introduction to safer, lower-risk deployments and release to production." href=/v1.2/blog/2018/traffic-mirroring/>Traffic Mirroring with Istio for Testing in Production</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-tcp/>Consuming External TCP Services</a></li><li role=none><a role=treeitem title="Describes a simple scenario based on Istio's Bookinfo example." href=/v1.2/blog/2018/egress-https/>Consuming External Web Services</a></li></ul></div></div><div class=card><button class="header dynamic" id=card2 title="Blog posts for 2017." aria-controls=card2-body><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#blog"/></svg>2017 Posts</button><div class=body aria-labelledby=card2 role=region id=card2-body><ul role=tree aria-expanded=true class=leaf-section aria-labelledby=card2><li role=none><a role=treeitem title="Improving availability and reducing latency." href=/v1.2/blog/2017/mixer-spof-myth/>Mixer and the SPOF Myth</a></li><li role=none><a role=treeitem title="Provides an overview of Mixer's plug-in architecture." href=/v1.2/blog/2017/adapter-model/>Mixer Adapter Model</a></li><li role=none><a role=treeitem title="Istio 0.2 announcement." href=/v1.2/blog/2017/0.2-announcement/>Announcing Istio 0.2</a></li><li role=none><a role=treeitem title="How Kubernetes Network Policy relates to Istio policy." href=/v1.2/blog/2017/0.1-using-network-policy/>Using Network Policy with Istio</a></li><li role=none><a role=treeitem title="Using Istio to create autoscaled canary deployments." 
href=/v1.2/blog/2017/0.1-canary/>Canary Deployments using Istio</a></li><li role=none><a role=treeitem title="Istio Auth 0.1 announcement." href=/v1.2/blog/2017/0.1-auth/>Using Istio to Improve End-to-End Security</a></li><li role=none><a role=treeitem title="Istio 0.1 announcement." href=/v1.2/blog/2017/0.1-announcement/>Introducing Istio</a></li></ul></div></div></div></nav></div><div class=article-container><button tabindex=-1 id=sidebar-toggler title="Toggle the navigation bar"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#pull"/></svg></button><nav aria-label=Breadcrumb><ol><li><a href=/v1.2/ title="Connect, secure, control, and observe services.">Istio</a></li><li><a href=/v1.2/blog/ title="Posts about using Istio.">Blog</a></li><li><a href=/v1.2/blog/2018/ title="Blog posts for 2018.">2018 Posts</a></li><li>Monitoring and Access Policies for HTTP Egress Traffic</li></ol></nav><article aria-labelledby=title><div class=title-area><div><h1 id=title>Monitoring and Access Policies for HTTP Egress Traffic</h1><p class=byline><span>By</span>
<span class=attribution>Vadim Eisenberg and Ronen Schaffer (IBM)</span><span> | </span><span><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#calendar"/></svg><span> </span>June 22, 2018<span> </span>(updated on March 4, 2019)</span><span> | </span><span title="3150 words"><svg class="icon"><use xlink:href="/v1.2/img/icons.svg#clock"/></svg><span> </span>15 minute read</span></p></div></div><nav class=toc-inlined aria-label="Table of Contents"><div><hr><ol><li role=none aria-label="Use case"><a href=#use-case>Use case</a><li role=none aria-label="Related tasks and examples"><a href=#related-tasks-and-examples>Related tasks and examples</a><li role=none aria-label="Before you begin"><a href=#before-you-begin>Before you begin</a><li role=none aria-label="Configure monitoring and access policies"><a href=#configure-monitoring-and-access-policies>Configure monitoring and access policies</a><ol><li role=none aria-label=Logging><a href=#logging>Logging</a><li role=none aria-label="Access control by routing"><a href=#access-control-by-routing>Access control by routing</a><li role=none aria-label="Access control by Mixer policy checks"><a href=#access-control-by-mixer-policy-checks>Access control by Mixer policy checks</a><li role=none aria-label="Access control by Mixer policy checks, part 2"><a href=#access-control-by-mixer-policy-checks-part-2>Access control by Mixer policy checks, part 2</a></ol></li><li role=none aria-label="Comparison with HTTPS egress traffic control"><a href=#comparison-with-https-egress-traffic-control>Comparison with HTTPS egress traffic control</a><li role=none aria-label=Summary><a href=#summary>Summary</a><li role=none aria-label=Cleanup><a href=#cleanup>Cleanup</a><li role=none aria-label="See also"><a href=#see-also>See also</a></li></ol><hr></div></nav><p>While Istio’s main focus is management of traffic between microservices inside a service mesh, Istio can also manage
ingress (from outside into the mesh) and egress (from the mesh outwards) traffic. Istio can uniformly enforce access
policies and aggregate telemetry data for mesh-internal, ingress and egress traffic.</p><p>In this blog post, we show how to apply monitoring and access policies to HTTP egress traffic with Istio.</p><h2 id=use-case>Use case</h2><p>Consider an organization that runs applications that process content from <em>cnn.com</em>. The applications are decomposed
into microservices deployed in an Istio service mesh. The applications access pages of various topics from <em>cnn.com</em>: <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>. The organization <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>configures Istio to allow access to edition.cnn.com</a> and everything works fine. However, at some
point in time, the organization decides to banish politics. Practically, it means blocking access to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> and allowing access to
<a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>
only. The organization will grant permissions to individual applications and to particular users to access <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, on a case-by-case basis.</p><p>To achieve that goal, the organization’s operations people monitor access to the external services and
analyze Istio logs to verify that no unauthorized request was sent to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>. They also configure Istio to prevent access to
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> automatically.</p><p>The organization is resolved to prevent any tampering with the new policy. It decides to put mechanisms in place that
will prevent any possibility of a malicious application accessing the forbidden topic.</p><h2 id=related-tasks-and-examples>Related tasks and examples</h2><ul><li>The <a href=/v1.2/docs/tasks/traffic-management/egress/>Control Egress Traffic</a> task demonstrates how external (outside the
Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.</li><li>The <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/>Configure an Egress Gateway</a> example describes how to configure
Istio to direct egress traffic through a dedicated gateway service called <em>egress gateway</em>.</li><li>The <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a> example
demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
traffic through an egress gateway.</li><li>The <a href=/v1.2/docs/tasks/telemetry/metrics/collecting-metrics/>Collecting Metrics</a> task describes how to configure metrics for services in a mesh.</li><li>The <a href=/v1.2/docs/tasks/telemetry/metrics/using-istio-dashboard/>Visualizing Metrics with Grafana</a>
describes the Istio Dashboard to monitor mesh traffic.</li><li>The <a href=/v1.2/docs/tasks/policy-enforcement/denial-and-list/>Basic Access Control</a> task shows how to control access to
in-mesh services.</li><li>The <a href=/v1.2/docs/tasks/policy-enforcement/denial-and-list/>Denials and White/Black Listing</a> task shows how to configure
access policies using black or white list checkers.</li></ul><p>As opposed to the telemetry and security tasks above, this blog post describes Istio’s monitoring and access policies
applied exclusively to the egress traffic.</p><h2 id=before-you-begin>Before you begin</h2><p>Follow the steps in the <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a> example, <strong>with mutual TLS authentication enabled</strong>, without
the <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#cleanup>Cleanup</a> step.
After completing that example, you can access <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> from an in-mesh container with <code>curl</code> installed. This blog post assumes that the <code>SOURCE_POD</code> environment variable contains the source pod’s name and that the container’s name is <code>sleep</code>.</p><h2 id=configure-monitoring-and-access-policies>Configure monitoring and access policies</h2><p>Since you want to accomplish your tasks in a <em>secure way</em>, you should direct egress traffic through
<em>egress gateway</em>, as described in the <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/>Egress Gateway with TLS Origination</a>
task. The <em>secure way</em> here means that you want to prevent malicious applications from bypassing Istio monitoring and
policy enforcement.</p><p>According to our scenario, the organization performed the instructions in the
<a href=#before-you-begin>Before you begin</a> section, enabled HTTP traffic to <em>edition.cnn.com</em>, and configured that traffic
to pass through the egress gateway. The egress gateway performs TLS origination to <em>edition.cnn.com</em>, so the traffic
leaves the mesh encrypted. At this point, the organization is ready to configure Istio to monitor and apply access policies for
the traffic to <em>edition.cnn.com</em>.</p><h3 id=logging>Logging</h3><p>Configure Istio to log access to <em>*.cnn.com</em>. You create a <code>logentry</code> and two
<a href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/stdio/>stdio</a> <code>handlers</code>, one for logging forbidden access
(<em>error</em> log level) and another one for logging all access to <em>*.cnn.com</em> (<em>info</em> log level). Then you create <code>rules</code> to
direct your <code>logentry</code> instances to your <code>handlers</code>. One rule directs access to <em>*.cnn.com/politics</em> to the handler for
logging forbidden access, another rule directs log entries to the handler that outputs each access to <em>*.cnn.com</em> as an
<em>info</em> log entry. To understand the Istio <code>logentries</code>, <code>rules</code>, and <code>handlers</code>, see
<a href=/v1.2/blog/2017/adapter-model/>Istio Adapter Model</a>. A diagram with the involved entities and dependencies between them
appears below:</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:46.46700562636976%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg title="Instances, rules and handlers for egress monitoring"><img class=element-to-stretch src=/v1.2/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg alt="Instances, rules and handlers for egress monitoring"></a></div><figcaption>Instances, rules and handlers for egress monitoring</figcaption></figure><ol><li><p>Create the <code>logentry</code>, <code>rules</code> and <code>handlers</code>. Note that you specify <code>context.reporter.uid</code> as
<code>kubernetes://istio-egressgateway</code> in the rules to get logs from the egress gateway only; the rules match it as a prefix (<code>startsWith</code>), because the full reporter UID also carries a pod-specific suffix, as the log output below shows. Also note that the two rules match the host differently: <code>handle-politics</code> uses <code>endsWith("cnn.com")</code>, without the leading dot that <code>handle-cnn-access</code> uses in <code>endsWith(".cnn.com")</code>, so the first rule would also match an unrelated host whose name merely ends in <em>cnn.com</em>.</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
# Log entry for egress access
apiVersion: "config.istio.io/v1alpha2"
kind: logentry
metadata:
name: egress-access
namespace: istio-system
spec:
severity: '"info"'
timestamp: request.time
variables:
destination: request.host | "unknown"
path: request.path | "unknown"
responseCode: response.code | 0
responseSize: response.size | 0
reporterUID: context.reporter.uid | "unknown"
sourcePrincipal: source.principal | "unknown"
monitored_resource_type: '"UNSPECIFIED"'
---
# Handler for error egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: egress-error-logger
namespace: istio-system
spec:
severity_levels:
info: 2 # output log level as error
outputAsJson: true
---
# Rule to handle access to *.cnn.com/politics
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-politics
namespace: istio-system
spec:
match: request.host.endsWith("cnn.com") && request.path.startsWith("/politics") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-error-logger.stdio
instances:
- egress-access.logentry
---
# Handler for info egress access entries
apiVersion: "config.istio.io/v1alpha2"
kind: stdio
metadata:
name: egress-access-logger
namespace: istio-system
spec:
severity_levels:
info: 0 # output log level as info
outputAsJson: true
---
# Rule to handle access to *.cnn.com
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
name: handle-cnn-access
namespace: istio-system
spec:
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
actions:
- handler: egress-access-logger.stdio
instances:
- egress-access.logentry
EOF
</code></pre></li><li><p>Send three HTTP requests to <em>cnn.com</em>, to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>.
|
|
All three should return <em>200 OK</em>.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
200
|
|
200
|
|
200
|
|
</code></pre></li><li><p>Query the Mixer log and see that the information about the requests appears in the log:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
{"level":"info","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:43:24.886316Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:43:25.369663Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"error","time":"2019-01-29T07:43:24.611462Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":1883355,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
</code></pre><p>You see four log entries related to your three requests. Three <em>info</em> entries about the access to <em>edition.cnn.com</em>
|
|
and one <em>error</em> entry about the access to <em>edition.cnn.com/politics</em>. The service mesh operators can see all the
|
|
access instances, and can also search the log for <em>error</em> log entries that represent forbidden accesses. This is the
|
|
first security measure the organization can apply before blocking the forbidden accesses automatically, namely
|
|
logging all the forbidden access instances as errors. In some settings this detect-and-review approach, which records forbidden accesses but does not prevent them, can be a sufficient security measure.</p><p>Note the attributes:</p><ul><li><code>destination</code>, <code>path</code>, <code>responseCode</code>, <code>responseSize</code> are related to HTTP parameters of the requests</li><li><code>sourcePrincipal</code>: <code>cluster.local/ns/default/sa/sleep</code> - a string that represents the <code>sleep</code> service account in
|
|
the <code>default</code> namespace</li><li><code>reporterUID</code>: <code>kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system</code> - a UID of the reporting pod, in
|
|
this case <code>istio-egressgateway-747b6764b8-44rrh</code> in the <code>istio-system</code> namespace</li></ul></li></ol><h3 id=access-control-by-routing>Access control by routing</h3><p>After enabling logging of access to <em>edition.cnn.com</em>, automatically enforce an access policy, namely allow
|
|
accessing <em>/health</em> and <em>/sport</em> URL paths only. Such a simple policy control can be implemented with Istio routing.</p><ol><li><p>Redefine your <code>VirtualService</code> for <em>edition.cnn.com</em>:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: direct-cnn-through-egress-gateway
|
|
spec:
|
|
hosts:
|
|
- edition.cnn.com
|
|
gateways:
|
|
- istio-egressgateway
|
|
- mesh
|
|
http:
|
|
- match:
|
|
- gateways:
|
|
- mesh
|
|
port: 80
|
|
route:
|
|
- destination:
|
|
host: istio-egressgateway.istio-system.svc.cluster.local
|
|
subset: cnn
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
- match:
|
|
- gateways:
|
|
- istio-egressgateway
|
|
port: 443
|
|
uri:
|
|
regex: "/health|/sport"
|
|
route:
|
|
- destination:
|
|
host: edition.cnn.com
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
EOF
|
|
</code></pre><p>Note that you added a <code>match</code> by <code>uri</code> condition that checks that the URL path is
|
|
either <em>/health</em> or <em>/sport</em>. Also note that this condition is added to the <code>istio-egressgateway</code>
|
|
section of the <code>VirtualService</code>, since the egress gateway is a hardened component in terms of security (see
|
|
<a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations>egress gateway security considerations</a>). You don’t want any tampering
|
|
with your policies, which is why the check is placed in the gateway section rather than only in the <code>mesh</code> section that the sidecar proxies next to the applications apply.</p></li><li><p>Send the previous three HTTP requests to <em>cnn.com</em>:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
404
|
|
200
|
|
200
|
|
</code></pre><p>The request to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returned <em>404 Not Found</em>, while requests
|
|
to <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a> and
|
|
<a href=https://edition.cnn.com/health>edition.cnn.com/health</a> returned <em>200 OK</em>, as expected.</p><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
|
gateway.</div></aside></div></li><li><p>Query the Mixer log and see that the information about the requests appears again in the log:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
{"level":"info","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:55:59.697565Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"info","time":"2019-01-29T07:56:00.264498Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
{"level":"error","time":"2019-01-29T07:55:59.686082Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":404,"responseSize":0,"sourcePrincipal":"cluster.local/ns/default/sa/sleep"}
|
|
</code></pre><p>You still get info and error messages regarding accesses to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, however this time the <code>responseCode</code> is <code>404</code>, as
|
|
expected.</p></li></ol><p>While implementing access control using Istio routing worked for us in this simple case, it would not suffice for more
|
|
complex cases. For example, the organization may want to allow access to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> under certain conditions, so more complex policy logic than
|
|
just filtering by URL paths will be required. You may want to apply <a href=/v1.2/blog/2017/adapter-model/>Istio Mixer Adapters</a>,
|
|
for example
|
|
<a href=/v1.2/docs/tasks/policy-enforcement/denial-and-list/#attribute-based-whitelists-or-blacklists>white lists or black lists</a>
|
|
of allowed/forbidden URL paths, respectively.
|
|
<a href=/v1.2/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/>Policy Rules</a> allow specifying complex conditions,
|
|
specified in a <a href=/v1.2/docs/reference/config/policy-and-telemetry/expression-language/>rich expression language</a>, which
|
|
includes AND and OR logical operators. The rules can be reused for both logging and policy checks. More advanced users
|
|
may want to apply <a href=/v1.2/docs/concepts/security/#authorization>Istio Role-Based Access Control</a>.</p><p>An additional aspect is integration with remote access policy systems. If the organization in our use case operates some
|
|
<a href=https://en.wikipedia.org/wiki/Identity_management>Identity and Access Management</a> system, you may want to configure
|
|
Istio to use access policy information from such a system. You implement this integration by applying
|
|
<a href=/v1.2/blog/2017/adapter-model/>Istio Mixer Adapters</a>.</p><p>Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
|
|
in the next section.</p><ol><li><p>Replace the <code>VirtualService</code> for <em>edition.cnn.com</em> with your previous version from the <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway>Configure an Egress Gateway</a> example:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: VirtualService
|
|
metadata:
|
|
name: direct-cnn-through-egress-gateway
|
|
spec:
|
|
hosts:
|
|
- edition.cnn.com
|
|
gateways:
|
|
- istio-egressgateway
|
|
- mesh
|
|
http:
|
|
- match:
|
|
- gateways:
|
|
- mesh
|
|
port: 80
|
|
route:
|
|
- destination:
|
|
host: istio-egressgateway.istio-system.svc.cluster.local
|
|
subset: cnn
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
- match:
|
|
- gateways:
|
|
- istio-egressgateway
|
|
port: 443
|
|
route:
|
|
- destination:
|
|
host: edition.cnn.com
|
|
port:
|
|
number: 443
|
|
weight: 100
|
|
EOF
|
|
</code></pre></li><li><p>Send the previous three HTTP requests to <em>cnn.com</em>, this time you should get three <em>200 OK</em> responses as
|
|
previously:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
200
|
|
200
|
|
200
|
|
</code></pre></li></ol><div><aside class="callout tip"><div class=type><svg class="large-icon"><use xlink:href="/v1.2/img/icons.svg#callout-tip"/></svg></div><div class=content>You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
|
gateway.</div></aside></div><h3 id=access-control-by-mixer-policy-checks>Access control by Mixer policy checks</h3><p>In this step you use a Mixer
|
|
<a href=/v1.2/docs/reference/config/policy-and-telemetry/adapters/list/><code>Listchecker</code> adapter</a>, its whitelist
|
|
variety. You define a <code>listentry</code> with the URL path of the request and a <code>listchecker</code> to check the <code>listentry</code> using a
|
|
static list of allowed URL paths, specified by the <code>overrides</code> field. For an external <a href=https://en.wikipedia.org/wiki/Identity_management>Identity and Access Management</a> system, use the <code>providerurl</code> field instead. The updated
|
|
diagram of the instances, rules and handlers appears below. Note that you reuse the same policy rule, <code>handle-cnn-access</code>
|
|
both for logging and for access policy checks.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:52.79420593027812%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg title="Instances, rules and handlers for egress monitoring and access policies"><img class=element-to-stretch src=/v1.2/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg alt="Instances, rules and handlers for egress monitoring and access policies"></a></div><figcaption>Instances, rules and handlers for egress monitoring and access policies</figcaption></figure><ol><li><p>Define <code>path-checker</code> and <code>request-path</code>:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl create -f -
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: listchecker
|
|
metadata:
|
|
name: path-checker
|
|
namespace: istio-system
|
|
spec:
|
|
overrides: ["/health", "/sport"] # overrides provide a static list
|
|
blacklist: false
|
|
---
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: listentry
|
|
metadata:
|
|
name: request-path
|
|
namespace: istio-system
|
|
spec:
|
|
value: request.path
|
|
EOF
|
|
</code></pre></li><li><p>Modify the <code>handle-cnn-access</code> policy rule to send <code>request-path</code> instances to the <code>path-checker</code>:</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
# Rule to handle egress access to cnn.com
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: rule
|
|
metadata:
|
|
name: handle-cnn-access
|
|
namespace: istio-system
|
|
spec:
|
|
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway")
|
|
actions:
|
|
- handler: egress-access-logger.stdio
|
|
instances:
|
|
- egress-access.logentry
|
|
- handler: path-checker.listchecker
|
|
instances:
|
|
- request-path.listentry
|
|
EOF
|
|
</code></pre></li><li><p>Perform your usual test by sending HTTP requests to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a>, <a href=https://edition.cnn.com/sport>edition.cnn.com/sport</a>
|
|
and <a href=https://edition.cnn.com/health>edition.cnn.com/health</a>. As expected, the request to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returns <em>403</em> (Forbidden).</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
403
|
|
200
|
|
200
|
|
</code></pre></li></ol><h3 id=access-control-by-mixer-policy-checks-part-2>Access control by Mixer policy checks, part 2</h3><p>After the organization in our use case managed to configure logging and access control, it decided to extend its access
|
|
policy by allowing the applications with a special
|
|
<a href=https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>Service Account</a> to access any topic of <em>cnn.com</em>, without being monitored. You’ll see how this requirement can be configured in Istio.</p><ol><li><p>Start the <a href=https://github.com/istio/istio/tree/release-1.2/samples/sleep>sleep</a> sample with the <code>politics</code> service account.</p><pre><code class=language-bash data-expandlinks=true>$ sed 's/: sleep/: politics/g' samples/sleep/sleep.yaml | kubectl create -f -
|
|
serviceaccount "politics" created
|
|
service "politics" created
|
|
deployment "politics" created
|
|
</code></pre></li><li><p>Define the <code>SOURCE_POD_POLITICS</code> shell variable to hold the name of the source pod with the <code>politics</code> service
|
|
account, for sending requests to external services.</p><pre><code class=language-bash data-expandlinks=true>$ export SOURCE_POD_POLITICS=$(kubectl get pod -l app=politics -o jsonpath={.items..metadata.name})
|
|
</code></pre></li><li><p>Perform your usual test of sending three HTTP requests this time from <code>SOURCE_POD_POLITICS</code>.
|
|
The request to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> returns <em>403</em>, since you did not configure
|
|
the exception for the <em>politics</em> service account.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
403
|
|
200
|
|
200
|
|
</code></pre></li><li><p>Query the Mixer log and see that the information about the requests from the <em>politics</em> service account appears in
|
|
the log:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
{"level":"info","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
|
{"level":"info","time":"2019-01-29T08:04:42.568424Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/sport","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2094561,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
|
{"level":"error","time":"2019-01-29T08:04:42.559812Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/politics","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":403,"responseSize":84,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
|
{"level":"info","time":"2019-01-29T08:04:42.615641Z","instance":"egress-access.logentry.istio-system","destination":"edition.cnn.com","path":"/health","reporterUID":"kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system","responseCode":200,"responseSize":2157009,"sourcePrincipal":"cluster.local/ns/default/sa/politics"}
|
|
</code></pre><p>Note that <code>sourcePrincipal</code> is <code>cluster.local/ns/default/sa/politics</code> which represents the <code>politics</code> service
|
|
account in the <code>default</code> namespace.</p></li><li><p>Redefine <code>handle-cnn-access</code> and <code>handle-politics</code> policy rules, to make the applications that run with the <em>politics</em>
|
|
service account exempt from monitoring and policy enforcement.</p><pre><code class=language-bash data-expandlinks=true>$ cat <<EOF | kubectl apply -f -
|
|
# Rule to handle access to *.cnn.com/politics. Note: the endsWith("cnn.com") match below has no leading dot, unlike the ".cnn.com" suffix used by handle-cnn-access, so it also matches any other host name that merely ends in "cnn.com".
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: rule
|
|
metadata:
|
|
name: handle-politics
|
|
namespace: istio-system
|
|
spec:
|
|
match: request.host.endsWith("cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && request.path.startsWith("/politics") && source.principal != "cluster.local/ns/default/sa/politics"
|
|
actions:
|
|
- handler: egress-error-logger.stdio
|
|
instances:
|
|
- egress-access.logentry
|
|
---
|
|
# Rule to handle egress access to cnn.com
|
|
apiVersion: "config.istio.io/v1alpha2"
|
|
kind: rule
|
|
metadata:
|
|
name: handle-cnn-access
|
|
namespace: istio-system
|
|
spec:
|
|
match: request.host.endsWith(".cnn.com") && context.reporter.uid.startsWith("kubernetes://istio-egressgateway") && source.principal != "cluster.local/ns/default/sa/politics"
|
|
actions:
|
|
- handler: egress-access-logger.stdio
|
|
instances:
|
|
- egress-access.logentry
|
|
- handler: path-checker.listchecker
|
|
instances:
|
|
- request-path.listentry
|
|
EOF
|
|
</code></pre></li><li><p>Perform your usual test from <code>SOURCE_POD</code>:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
403
|
|
200
|
|
200
|
|
</code></pre><p>Since <code>SOURCE_POD</code> does not run with the <code>politics</code> service account, access to
|
|
<a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> is forbidden, as previously.</p></li><li><p>Perform the previous test from <code>SOURCE_POD_POLITICS</code>:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c 'curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/politics; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/sport; curl -sL -o /dev/null -w "%{http_code}\n" http://edition.cnn.com/health'
|
|
200
|
|
200
|
|
200
|
|
</code></pre><p>Access to all the topics of <em>edition.cnn.com</em> is allowed.</p></li><li><p>Examine the Mixer log and see that no more requests with <code>sourcePrincipal</code> equal to
|
|
<code>cluster.local/ns/default/sa/politics</code> appear in the log. Because the exemption removes these requests from the logging rule as well as from the policy check, they leave no record in the Mixer log.</p><pre><code class=language-bash data-expandlinks=true>$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
|
</code></pre></li></ol><h2 id=comparison-with-https-egress-traffic-control>Comparison with HTTPS egress traffic control</h2><p>In this use case the applications use HTTP and Istio Egress Gateway performs TLS origination for them. Alternatively,
|
|
the applications could originate TLS themselves by issuing HTTPS requests to <em>edition.cnn.com</em>. In this section we
|
|
describe both approaches and their pros and cons.</p><p>In the HTTP approach, the requests are sent unencrypted on the local host, intercepted by the Istio sidecar proxy and
|
|
forwarded to the egress gateway. Since you configure Istio to use mutual TLS between the sidecar proxy and the egress
|
|
gateway, the traffic leaves the pod encrypted. The egress gateway decrypts the traffic, inspects the URL path, the
|
|
HTTP method and headers, reports telemetry and performs policy checks. If the request is not blocked by some policy
|
|
check, the egress gateway performs TLS origination to the external destination (<em>cnn.com</em> in our case), so the request
|
|
is encrypted again and sent encrypted to the external destination. The diagram below demonstrates the network flow of
|
|
this approach. The HTTP protocol inside the gateway designates the protocol as seen by the gateway after decryption.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-monitoring-access-control/http-to-gateway.svg title="HTTP egress traffic through an egress gateway"><img class=element-to-stretch src=/v1.2/blog/2018/egress-monitoring-access-control/http-to-gateway.svg alt="HTTP egress traffic through an egress gateway"></a></div><figcaption>HTTP egress traffic through an egress gateway</figcaption></figure><p>The drawback of this approach is that the requests are sent unencrypted inside the pod, which may be against security
|
|
policies in some organizations. Also some SDKs have external service URLs hard-coded, including the protocol, so
|
|
sending HTTP requests could be impossible. The advantage of this approach is the ability to inspect HTTP methods,
|
|
headers and URL paths, and to apply policies based on them.</p><p>In the HTTPS approach, the requests are encrypted end-to-end, from the application to the external destination. The
|
|
diagram below demonstrates the network flow of this approach. The HTTPS protocol inside the gateway designates the
|
|
protocol as seen by the gateway.</p><figure style=width:80%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:64.81718469808756%><a data-skipendnotes=true href=/v1.2/blog/2018/egress-monitoring-access-control/https-to-gateway.svg title="HTTPS egress traffic through an egress gateway"><img class=element-to-stretch src=/v1.2/blog/2018/egress-monitoring-access-control/https-to-gateway.svg alt="HTTPS egress traffic through an egress gateway"></a></div><figcaption>HTTPS egress traffic through an egress gateway</figcaption></figure><p>The end-to-end HTTPS is considered a better approach from the security point of view. However, since the traffic is
|
|
encrypted the Istio proxies and the egress gateway can only see the source and destination IPs and the <a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> of the destination. Since you configure Istio to use mutual TLS between the sidecar proxy
|
|
and the egress gateway, the <a href=/v1.2/docs/concepts/security/#istio-identity>identity of the source</a> is also known.
|
|
The gateway is unable to inspect the URL path, the HTTP method and the headers of the requests, so neither monitoring nor
|
|
policies based on HTTP-level information are possible.
|
|
In our use case, the organization would be able to allow access to <em>edition.cnn.com</em> and to specify which applications
|
|
are allowed to access <em>edition.cnn.com</em>.
|
|
However, it will not be possible to allow or block access to specific URL paths of <em>edition.cnn.com</em>.
|
|
Neither blocking access to <a href=https://edition.cnn.com/politics>edition.cnn.com/politics</a> nor monitoring such access are
|
|
possible with the HTTPS approach.</p><p>Each organization will have to weigh the pros and cons of the two approaches and choose the one most
|
|
appropriate to its needs.</p><h2 id=summary>Summary</h2><p>In this blog post we showed how different monitoring and policy mechanisms of Istio can be applied to HTTP egress
|
|
traffic. Monitoring can be implemented by configuring a logging adapter. Access
|
|
policies can be implemented by configuring <code>VirtualServices</code> or by configuring various policy check adapters. We
|
|
demonstrated a simple policy that allowed certain URL paths only. We also showed a more complex policy that extended the
|
|
simple policy by making an exemption to the applications with a certain service account. Finally, we compared
|
|
HTTP-with-TLS-origination egress traffic with HTTPS egress traffic, in terms of control possibilities by Istio.</p><h2 id=cleanup>Cleanup</h2><ol><li><p>Perform the instructions in the <a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/#cleanup>Cleanup</a> section of the
|
|
<a href=/v1.2/docs/tasks/traffic-management/egress/egress-gateway/>Configure an Egress Gateway</a> example.</p></li><li><p>Delete the logging and policy checks configuration:</p><pre><code class=language-bash data-expandlinks=true>$ kubectl delete logentry egress-access -n istio-system
|
|
$ kubectl delete stdio egress-error-logger -n istio-system
|
|
$ kubectl delete stdio egress-access-logger -n istio-system
|
|
$ kubectl delete rule handle-politics -n istio-system
|
|
$ kubectl delete rule handle-cnn-access -n istio-system
|
|
$ kubectl delete -n istio-system listchecker path-checker
|
|
$ kubectl delete -n istio-system listentry request-path
|
|
</code></pre></li><li><p>Delete the <em>politics</em> source pod:</p><pre><code class=language-bash data-expandlinks=true>$ sed 's/: sleep/: politics/g' samples/sleep/sleep.yaml | kubectl delete -f -
|
|
serviceaccount "politics" deleted
|
|
service "politics" deleted
|
|
deployment "politics" deleted
|
|
</code></pre></li></ol><nav id=see-also><h2>See also</h2><div class=see-also><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-3/>Secure Control of Egress Traffic in Istio, part 3</a></p><p class=desc>Comparison of alternative solutions to control egress traffic including performance considerations.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-2/>Secure Control of Egress Traffic in Istio, part 2</a></p><p class=desc>Use Istio Egress Traffic Control to prevent attacks involving egress traffic.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-traffic-control-in-istio-part-1/>Secure Control of Egress Traffic in Istio, part 1</a></p><p class=desc>Attacks involving egress traffic and requirements for egress traffic control.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2019/egress-performance/>Egress Gateway Performance Investigation</a></p><p class=desc>Verifies the performance impact of adding an egress gateway.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2018/egress-mongo/>Consuming External MongoDB Services</a></p><p class=desc>Describes a simple scenario based on Istio's Bookinfo example.</p></div><div class=entry><p class=link><a data-skipendnotes=true href=/v1.2/blog/2018/egress-tcp/>Consuming External TCP Services</a></p><p class=desc>Describes a simple scenario based on Istio's Bookinfo example.</p></div></div></nav></article></div></main></body></html>
