mirror of https://github.com/istio/istio.io.git
12661 lines
1010 KiB
XML
12661 lines
1010 KiB
XML
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Istio Blog</title><description>Connect, secure, control, and observe services.</description><link>/v1.12</link><image><url>/v1.12/favicons/android-192x192.png</url><link>/v1.12</link></image><category>Service mesh</category><item><title>An easier way to add virtual machines to Istio service mesh</title><description>
|
||
<p><img src="./traffic-flow.png" alt="Virtual Machine Traffic Flow" /></p>
|
||
<p>Some of the complexities involved with joining a virtual machine are due to the sheer number of features that a service mesh provides. But, what if you only need a subset of those features? For example, secure communication from your virtual machine to services running inside your service mesh. With only a few tradeoffs, you can give your virtual machine service mesh features without all of the overhead.</p>
|
||
<p>What about local development? As more and more micro-services are deployed to Kubernetes and as your dependency graph resembles a spider web, it has become increasingly difficult to do local development. What if a local machine could simply join a service mesh and make calls to mesh applications. This solution could potentially save time and money by not requiring developers to wait for their code to be deployed.</p>
|
||
<h2 id="reduce-complexity">Reduce Complexity</h2>
|
||
<p><img src="./istio-current-vm-process.png" alt="Virtual Machine Istio Installation" /></p>
|
||
<p>Today, adding a virtual machine to your Istio service mesh involves a lot of <a href="/v1.12/docs/setup/install/virtual-machine/">moving parts</a>. You must create a Kubernetes service account, Istio workload entry and then generate configuration all before on-boarding a single virtual machine. There are also complexities to automating this, especially for auto scaling VMs. Finally you are required to expose Istiod externally to your cluster.</p>
|
||
<p>The complexity of adding a virtual machine comes from the expectation that the VM should participate 100% within the service mesh. For many this is not a necessity, by looking at the actual requirements of your system you may be able to simplify your virtual machine on-boarding and still get the features you need.</p>
|
||
<p>So what are some use cases that could be met but yet still make virtual machines easier to work with service mesh?</p>
|
||
<h3 id="single-direction-traffic-flow">Single Direction Traffic Flow</h3>
|
||
<p>Sometimes a virtual machine just needs to talk securely to applications within the service mesh. This is often the case when migrating VM based applications to Kubernetes in which other VMs may have depended on those applications. With the described approach below you can still achieve this without all of the operational overhead as shown above.</p>
|
||
<p><img src="./single-direction-traffic-flow.png" alt="Single Direction Traffic Flow" /></p>
|
||
<h3 id="developer-access-to-service-mesh">Developer Access to Service Mesh</h3>
|
||
<p>Engineers often do not have the resources to run all of the required micro-services for their environment. The approach below explains how you can achieve this in the same way that virtual machines securely communicate with mesh applications.</p>
|
||
<p><img src="./local-machine.png" alt="Local Machine Service Mesh" /></p>
|
||
<h2 id="decouple-envoy-and-istio">Decouple Envoy and Istio</h2>
|
||
<p>The largest amount of complexity as it relates to virtual machines is the connecting of envoy to istiod to get its configuration. A simpler approach is to just not connect them anymore. Even though Istio will no longer know about the virtual machines that are communicating in the mesh, that communication can still be secure and authenticated. The trick is issuing virtual machines their own workload certificates that are rooted in the same trust chain as the mesh workloads. This also means that the end user will be responsible for configuring envoy manually on the virtual machine. For most this shouldn&rsquo;t be an issue because it is not expected that it will change very often.</p>
|
||
<h2 id="a-simpler-on-boarding-experience">A Simpler On-boarding Experience</h2>
|
||
<p><img src="./traffic-flow.png" alt="Virtual Machine Traffic Flow" /></p>
|
||
<p>We can achieve a simpler setup by utilizing some built-in Istio features. First we need to expose a secure tunnel for applications outside the mesh to communicate with applications within.</p>
|
||
<p>To do this we simply need to create an Istio east-west gateway and enable <code>AUTO_PASSTHROUGH</code>. This automatically configures the east-west gateway to pass traffic through to the correct service over mTLS. This gives your virtual machine end to end authenticated encryption with the application its trying to reach.</p>
|
||
<p><img src="./virtual-machine-on-boarding-steps.png" alt="Virtual Machine On-boarding Steps" /></p>
|
||
<p>Due to the complexity involved in configuring envoy to talk to istiod, it is more practical to directly configure the virtual machine envoy. At first this sounds quite daunting, but due to the reduced complexity we only need to enable a few features to make this work. Envoy will need to be configured to know about each service mesh application that the virtual machine will need to communicate with. We then will configure these as <code>clusters</code> within envoy and set them up to use mTLS communication passing through the east-west gateway in the service mesh. Secondly a listener will need to be exposed to handle incoming traffic from the virtual machine application. Finally certificates will need to be issued for each virtual machine that share the same root of trust as the service mesh applications. This allows end to end encryption as well as the ability to authorize which applications the virtual machine can communicate with.</p>
|
||
<h3 id="easier-to-automate">Easier to Automate</h3>
|
||
<p>Given that no initialization has to occur on the service mesh cluster when on-boarding a virtual machine, it is much easier to automate. The configuration needed for the virtual machine envoy can be added to your pipeline; the envoy container can either be pulled via docker, or added to your image building infrastructure; the mTLS certificates can also be provisioned and maintained by a third party such as Hashicorp&rsquo;s Vault.</p>
|
||
<h3 id="more-runtime-support">More Runtime Support</h3>
|
||
<p>Due to the fact that this installation method does not require access to the underlying OS networking. You can run this approach in more types of environments including Windows and Docker. The only requirement is that your Envoy include the Istio extensions found <a href="https://github.com/istio/proxy/tree/master/extensions">here</a>. Using Docker, you can now run the Envoy proxy on your local machine and communicate with the service mesh directly.</p>
|
||
<p><img src="runtime-support.png" alt="Runtime Support" /></p>
|
||
<h2 id="advanced-use-cases">Advanced Use Cases</h2>
|
||
<h3 id="grpc-to-json">gRPC to JSON</h3>
|
||
<p>This technique can also be leveraged to enable virtual machine applications to communicate with gRPC applications without having to implement the gRPC endpoints. Using envoys gRPC / JSON transformation, the virtual machine application can communicate with its local envoy over REST and envoy will translate that to gRPC.</p>
|
||
<p><img src="./grpc-json-transcoding.png" alt="gRPC to JSON Transformation" /></p>
|
||
<h3 id="multi-direction">Multi Direction</h3>
|
||
<p>Even though your service mesh may not know about the virtual machines that are communicating with it, you can still add them as external endpoints using Service Entries. That service entry could be an HTTPS Load Balancer endpoint that manages traffic to multiple virtual machines. This setup is still often more feasible than fully on-boarding virtual machines into the virtual mesh.</p>
|
||
<p><img src="./multi-direction-traffic-flow.png" alt="Multi Direction Traffic Flow" /></p>
|
||
<h3 id="forwarding-proxy">Forwarding Proxy</h3>
|
||
<p>Maybe installing envoy on every virtual machine is still too complex. An alternative is to run envoy (or an autoscaling group) to run on its own virtual machine and act as a forwarding proxy into the mesh. This is a much simpler solution to accessing mesh services as the virtual machines that run the applications are left untouched.</p>
|
||
<p><img src="./forwarding-proxy.png" alt="Forwarding Proxy" /></p>
|
||
<h2 id="part-2">Part 2…</h2>
|
||
<p>In part 2, I will explain how to configure Istio as well as a virtual machine to communicate within the mesh. If you would like a preview, feel free to reach out to nick.nellis@solo.io</p>
|
||
<h3 id="special-thanks">Special Thanks</h3>
|
||
<p>A special thanks to Dave Ortiz for this virtual machine idea and congrats to Constant Contact <a href="https://github.com/istio/istio.io/pull/10571">a new registered Istio user!</a></p></description><pubDate>Mon, 20 Dec 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/simple-vms/</link><author>Nick Nellis (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2021/simple-vms/</guid><category>virtualmachine</category><category>Istio</category><category>networking</category><category>envoy</category></item><item><title>Announcing the alpha availability of WebAssembly Plugins</title><description>
|
||
<p><a href="../wasm-progress/">Istio 1.9 introduced</a> experimental support for WebAssembly (Wasm) module distribution and a Wasm extensions ecosystem repository with canonical examples and use cases for extension development. Over the past 9 months, the Istio, Envoy, and Proxy-Wasm communities have continued our joint effort to make Wasm extensibility stable, reliable, and easy to adopt, and we are pleased to announce Alpha support for Wasm extensibility in Istio 1.12! In the following sections, we&rsquo;ll walk through the updates that have been made to the Wasm support for the 1.12 release.</p>
|
||
<h2 id="new-wasmplugin-api">New WasmPlugin API</h2>
|
||
<p>With the new <code>WasmPlugin</code> CRD in the <code>extensions.istio.io</code> namespace, we’re introducing a new high-level API for extending the functionality of the Istio proxy with custom Wasm modules. This effort builds on the excellent work that has gone into the <a href="https://github.com/proxy-wasm">Proxy-Wasm</a> specification and implementation over the last two years. From now on, you no longer need to use <code>EnvoyFilter</code> resources to add custom Wasm modules to your proxies. Instead, you can now use a <code>WasmPlugin</code> resource:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: extensions.istio.io/v1alpha1
|
||
kind: WasmPlugin
|
||
metadata:
|
||
name: your-filter
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: server
|
||
phase: AUTHN
|
||
priority: 10
|
||
pluginConfig:
|
||
someSetting: true
|
||
someOtherSetting: false
|
||
youNameIt:
|
||
- first
|
||
- second
|
||
url: docker.io/your-org/your-filter:1.0.0
|
||
</code></pre>
|
||
<p>There are a lot of similarities and a few differences between <code>WasmPlugin</code> and <code>EnvoyFilter</code>, so let’s go through the fields one by one.</p>
|
||
<p>The above example deploys a Wasm module to all workloads (including gateway pods) that match the <code>selector</code> field - this very much works the same as in an <code>EnvoyFilter</code>.</p>
|
||
<p>The next field below that is the <code>phase</code>. This determines where in the proxy’s filter chain the Wasm module will be injected. We have defined four distinct phases for injection:</p>
|
||
<ul>
|
||
<li><code>AUTHN</code>: prior to any Istio authentication and authorization filters.</li>
|
||
<li><code>AUTHZ</code>: after the Istio authentication filters and before any first-class authorization filters, i.e., before <code>AuthorizationPolicy</code> resources have been applied.</li>
|
||
<li><code>STATS</code>: after all authorization filters and prior to the Istio stats filter.</li>
|
||
<li><code>UNSPECIFIED_PHASE</code>: let the control plane decide where to insert. This will generally be at the end of the filter chain, right before the router. This is the default value for this <code>phase</code> field.</li>
|
||
</ul>
|
||
<p>The <code>pluginConfig</code> field is used for configuring your Wasm plugin. Whatever you put into this field will be encoded in JSON and passed on to your filter, where you can access it in the configuration callback of the Proxy-Wasm SDKs. For example, you can retrieve the config with <code>onConfigure</code> in the <a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/fd0be8405db25de0264bdb78fae3a82668c03782/proxy_wasm_api.h#L329-L331">C++ SDK</a>, <code>on_configure</code> in the <a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk/blob/v0.1.4/src/dispatcher.rs#L255">Rust SDK</a> or the <code>OnPluginStart</code> call back in the <a href="https://github.com/tetratelabs/proxy-wasm-go-sdk/blob/v0.15.0/proxywasm/types/context.go#L74">Go SDK</a>.</p>
|
||
<p>The <code>url</code> field specifies where to pull the Wasm module. You’ll notice that the <code>url</code> in this example is a docker URI. Apart from loading Wasm modules via HTTP, HTTPS and the local file system (using file://), we are introducing the OCI image format as the preferred mechanism for distributing Wasm modules.</p>
|
||
<p>One last thing to note is currently the Wasm Plugin API only applies to inbound HTTP filter chains.
|
||
Support for network filters and outbound traffic will be added in the future.</p>
|
||
<h2 id="wasm-image-specification">Wasm image specification</h2>
|
||
<p>We believe that containers are the ideal way to store, publish and manage proxy extensions, so we worked with Solo.io to extend their existing Proxy-Wasm container format with a variant that aims to be compatible with all registries and the CLI toolchain. Depending on your processes, you can now build your proxy extension containers using your existing container CLI tooling such as Docker CLI or <a href="https://buildah.io/">buildah</a>.</p>
|
||
<p>To learn how to build OCI images, please refer to <a href="https://github.com/istio-ecosystem/wasm-extensions/blob/master/doc/how-to-build-oci-images.md">these instructions</a>.</p>
|
||
<h2 id="image-fetcher-in-istio-agent">Image fetcher in Istio agent</h2>
|
||
<p>Since Istio 1.9, Istio-agent has provided a reliable solution for loading Wasm binaries, fetched from remote HTTP sources configured in the <code>EnvoyFilters</code>, by leveraging the xDS proxy inside istio-agent and Envoy’s Extension Configuration Discovery Service (ECDS). The same mechanism applies for the new Wasm API implementation in Istio 1.12. You can use HTTP remote resources reliably without concern that Envoy might get stuck with a bad configuration when a remote fetch fails.</p>
|
||
<p>In addition, Istio 1.12 expands this capability to Wasm OCI images. This means the Istio-agent is now able to fetch Wasm images from any OCI registry including Docker Hub, Google Container Registry(GCR), Amazon Elastic Container Registry (Amazon ECR), etc. After fetching images, Istio-agent extracts and caches Wasm binaries from them, and then inserts them into the Envoy filter chains.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:67.90606653620353%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/wasm-api-alpha/istio-agent-architecture.svg" title="Remote Wasm module fetch flow">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/wasm-api-alpha/istio-agent-architecture.svg" alt="Remote Wasm module fetch flow" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Remote Wasm module fetch flow</figcaption>
|
||
</figure>
|
||
<h2 id="improvements-in-envoy-wasm-runtime">Improvements in Envoy Wasm runtime</h2>
|
||
<p>The Wasm runtime powered by V8 in Envoy has been shipped since Istio 1.5 and there have been a lot of improvements since then.</p>
|
||
<h3 id="wasi-supports">WASI supports</h3>
|
||
<p>First, some of the WASI (WebAssembly System Interface) system calls are now supported. For example, the <code>clock_time_get</code> system call can be made from Wasm programs so you can use <code>std::time::SystemTime::now()</code> in Rust or <code>time.Now().UnixNano()</code> in Go in your Envoy Wasm extensions, just like any other native platform. Another example is <code>random_get</code> is now supported by Envoy, so the &ldquo;crypto/rand&rdquo; package is available in Go as a cryptographically secure random number generator. We are also currently looking into file system support as we have seen requests for reading and writing local files from Wasm programs running in Envoy.</p>
|
||
<h3 id="debuggability">Debuggability</h3>
|
||
<p>Next is the improvement in debuggability. The Envoy runtime now emits the stack trace of your program when it causes runtime errors, for example, when null pointer exceptions occur in C++ or the panic function is called in Go or Rust. While Envoy error messages did not previously include anything about the cause, they now show the trace which you can use to debug your program:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >Function: proxy_on_request_headers failed: Uncaught RuntimeError: unreachable
|
||
Proxy-Wasm plugin in-VM backtrace:
|
||
0: 0xdbd - runtime._panic
|
||
1: 0x103ab - main.anotherCalculation
|
||
2: 0x10399 - main.someCalculation
|
||
3: 0xea57 - main.myHeaderHandler
|
||
4: 0xea15 - proxy_on_request_headers
|
||
</code></pre>
|
||
<p>The above is an example stack trace from a Go SDK based Wasm extension. You might notice that the output does not include file names and line numbers in the trace. This is an important future work item and open issue related to the DWARF format for WebAssembly and the Exception Handling proposal for the WebAssembly specification.</p>
|
||
<h3 id="strace-support-for-wasm-programs">Strace support for Wasm programs</h3>
|
||
<p>You can see <code>strace</code> equivalent logs emitted by Envoy. With Istio proxy’s component log level <code>wasm:trace</code>, you can observe all the system calls and Proxy-Wasm ABI calls that go across the boundary between Wasm virtual machines and Envoy. The following is an example of such an <code>strace</code> log stream:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >[host-&gt;vm] proxy_on_context_create(2, 1)
|
||
[host&lt;-vm] proxy_on_context_create return: void
|
||
[host-&gt;vm] proxy_on_request_headers(2, 8, 1)
|
||
[vm-&gt;host] wasi_snapshot_preview1.random_get(86928, 32)
|
||
[vm&lt;-host] wasi_snapshot_preview1.random_get return: 0
|
||
[vm-&gt;host] env.proxy_log(2, 87776, 18)
|
||
</code></pre>
|
||
<p>This is especially useful to debug a Wasm program&rsquo;s execution at runtime, for example, to verify it is not making any malicious system calls.</p>
|
||
<h3 id="arbitrary-prometheus-namespace-for-in-wasm-metrics">Arbitrary Prometheus namespace for in-Wasm metrics</h3>
|
||
<p>The last update is about metrics. Wasm extensions have been able to define their own custom metrics and expose them in Envoy, just like any other metric, but prior to Istio 1.12, all of these custom metrics were prefixed with the <code>envoy_</code> Prometheus namespace and users were not able to use their own namespaces. Now, you can choose whatever namespace you want, and your metrics will be exposed in Envoy as-is, without being prefixed by <code>envoy_</code>.</p>
|
||
<p>Note that in order to actually expose these custom metrics, you have to configure <a href="../../../docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig-ProxyStatsMatcher"><code>ProxyConfig.proxyStatsMatcher</code></a> in <code>meshConfig</code> for global configuration or in <code>proxy.istio.io/config</code> for per proxy configuration. For detail, please refer to <a href="../../../docs/ops/configuration/telemetry/envoy-stats/"><code>Envoy Statistics</code></a>.</p>
|
||
<h2 id="future-work-and-looking-for-feedback">Future work and looking for feedback</h2>
|
||
<p>Although we have announced the alpha availability of Wasm plugins, there is still a lot of work left to be done. One important work item is &ldquo;Image pull secrets” support in the Wasm API which will allow you to easily consume OCI images in a private repository. Others include first-class support for L4 filters, signature verification of Wasm binaries, runtime improvements in Envoy, Proxy-Wasm SDK improvements, documentation, etc.</p>
|
||
<p>This is just the beginning of our plan to provide 1st-class Wasm support in Istio. We would love to hear your feedback so that we can improve the developer experience using Wasm plugins, in future releases of Istio!</p></description><pubDate>Thu, 16 Dec 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/wasm-api-alpha/</link><author>Daniel Grimm (Red Hat), Pengyuan Bian (Google), Takeshi Yoneda (Tetrate)</author><guid isPermaLink="true">/v1.12/blog/2021/wasm-api-alpha/</guid><category>wasm</category><category>extensibility</category><category>WebAssembly</category></item><item><title>gRPC Proxyless Service Mesh</title><description>
|
||
<p>Istio dynamically configures its Envoy sidecar proxies using a set of discovery APIs, collectively known as the
|
||
<a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration">xDS APIs</a>.
|
||
These APIs aim to become a <a href="https://blog.envoyproxy.io/the-universal-data-plane-api-d15cec7a?gi=64aa2eea0283">universal data-plane API</a>.
|
||
The gRPC project has significant support for the xDS APIs, which means you can manage gRPC workloads
|
||
without having to deploy an Envoy sidecar along with them. You can learn more about the integration in a
|
||
<a href="https://www.youtube.com/watch?v=cGJXkZ7jiDk">KubeCon EU 2021 talk from Megan Yahya</a>. The latest updates on gRPC&rsquo;s
|
||
support can be found in their <a href="https://github.com/grpc/proposal/search?q=xds">proposals</a> along with implementation
|
||
status.</p>
|
||
<p>Istio 1.11 adds experimental support for adding gRPC services directly to the mesh. We support basic service
|
||
discovery, some VirtualService based traffic policy, and mutual TLS.</p>
|
||
<h2 id="supported-features">Supported Features</h2>
|
||
<p>The current implementation of the xDS APIs within gRPC is limited in some areas compared to Envoy. The following
|
||
features should work, although this is not an exhaustive list and other features may have partial functionality:</p>
|
||
<ul>
|
||
<li>Basic service discovery. Your gRPC service can reach other pods and virtual machines registered in the mesh.</li>
|
||
<li><a href="/v1.12/docs/reference/config/networking/destination-rule/"><code>DestinationRule</code></a>:
|
||
<ul>
|
||
<li>Subsets: Your gRPC service can split traffic based on label selectors to different groups of instances.</li>
|
||
<li>The only Istio <code>loadBalancer</code> currently supported is <code>ROUND_ROBIN</code>, <code>consistentHash</code> will be added in
|
||
future versions of Istio (it is supported by gRPC).</li>
|
||
<li><code>tls</code> settings are restricted to <code>DISABLE</code> or <code>ISTIO_MUTUAL</code>. Other modes will be treated as <code>DISABLE</code>.</li>
|
||
</ul></li>
|
||
<li><a href="/v1.12/docs/reference/config/networking/virtual-service/"><code>VirtualService</code></a>:
|
||
<ul>
|
||
<li>Header match and URI match in the format <code>/ServiceName/RPCName</code>.</li>
|
||
<li>Override destination host and subset.</li>
|
||
<li>Weighted traffic shifting.</li>
|
||
</ul></li>
|
||
<li><a href="/v1.12/docs/reference/config/security/peer_authentication/"><code>PeerAuthentication</code></a>:
|
||
<ul>
|
||
<li>Only <code>DISABLE</code> and <code>STRICT</code> are supported. Other modes will be treated as <code>DISABLE</code>.</li>
|
||
<li>Support for auto-mTLS may exist in a future release.</li>
|
||
</ul></li>
|
||
</ul>
|
||
<p>Other features including faults, retries, timeouts, mirroring and rewrite rules may be supported in a future release.
|
||
Some of these features are awaiting implementation in gRPC, and others require work in Istio to support. The status
|
||
of xDS features in gRPC can be found <a href="https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md">here</a>. The
|
||
status of Istio&rsquo;s support will exist in future official docs.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">This is feature is <a href="/v1.12/docs/releases/feature-stages/">experimental</a>. Standard Istio features will become supported
|
||
over time along with improvements to the overall design.</div>
|
||
</aside>
|
||
</div>
|
||
<h2 id="architecture-overview">Architecture Overview</h2>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.32692307692307%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/proxyless-grpc/architecture.svg" title="Diagram of how gRPC services communicate with the istiod">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/proxyless-grpc/architecture.svg" alt="Diagram of how gRPC services communicate with the istiod" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Diagram of how gRPC services communicate with the istiod</figcaption>
|
||
</figure>
|
||
<p>Although this doesn&rsquo;t use a proxy for data plane communication, it still requires an agent for initialization and
|
||
communication with the control-plane. First, the agent generates a <a href="https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file">bootstrap file</a>
|
||
at startup the same way it would generate bootstrap for Envoy. This tells the <code>gRPC</code> library how to connect to <code>istiod</code>,
|
||
where it can find certificates for data plane communication, and what metadata to send to the control plane. Next, the
|
||
agent acts as an <code>xDS</code> proxy, connecting and authenticating with <code>istiod</code> on the application&rsquo;s behalf. Finally, the
|
||
agent fetches and rotates certificates used in data plane traffic.</p>
|
||
<h2 id="changes-to-application-code">Changes to application code</h2>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This section covers gRPC’s XDS support in Go. Similar APIs exist for other languages.</div>
|
||
</aside>
|
||
</div>
|
||
<p>To enable the xDS features in gRPC, there are a handful of required changes your application must make. Your gRPC version should be at least <code>1.39.0</code>.</p>
|
||
<h3 id="in-the-client">In the client</h3>
|
||
<p>The following side-effect import will register the xDS resolvers and balancers within gRPC. It should be added in your
|
||
<code>main</code> package or in the same package calling <code>grpc.Dial</code>.</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >import _ &#34;google.golang.org/grpc/xds&#34;
|
||
</code></pre>
|
||
<p>When creating a gRPC connection the URL must use the <code>xds:///</code> scheme.</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >conn, err := grpc.DialContext(ctx, &#34;xds:///foo.ns.svc.cluster.local:7070&#34;)
|
||
</code></pre>
|
||
<p>Additionally, for (m)TLS support, a special <code>TransportCredentials</code> option has to be passed to <code>DialContext</code>.
|
||
The <code>FallbackCreds</code> allow us to succeed when istiod doesn’t send security config.</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >import &#34;google.golang.org/grpc/credentials/xds&#34;
|
||
...
|
||
creds, err := xds.NewClientCredentials(xds.ClientOptions{
|
||
FallbackCreds: insecure.NewCredentials()
|
||
})
|
||
// handle err
|
||
conn, err := grpc.DialContext(
|
||
ctx,
|
||
&#34;xds:///foo.ns.svc.cluster.local:7070&#34;,
|
||
grpc.WithTransportCredentials(creds),
|
||
)
|
||
</code></pre>
|
||
<h3 id="on-the-server">On the server</h3>
|
||
<p>To support server-side configurations, such as mTLS, there are a couple of modifications that must be made.</p>
|
||
<p>First, we use a special constructor to create the <code>GRPCServer</code>:</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >import &#34;google.golang.org/grpc/xds&#34;
|
||
...
|
||
server = xds.NewGRPCServer()
|
||
RegisterFooServer(server, &amp;fooServerImpl)
|
||
</code></pre>
|
||
<p>If your <code>protoc</code> generated Go code is out of date, you may need to regenerate it to be compatible with the xDS server.
|
||
Your generated <code>RegisterFooServer</code> function should look like the following:</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >func RegisterFooServer(s grpc.ServiceRegistrar, srv FooServer) {
|
||
s.RegisterService(&amp;FooServer_ServiceDesc, srv)
|
||
}
|
||
</code></pre>
|
||
<p>Finally, as with the client-side changes, we must enable security support:</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >creds, err := xds.NewServerCredentials(xdscreds.ServerOptions{FallbackCreds: insecure.NewCredentials()})
|
||
// handle err
|
||
server = xds.NewGRPCServer(grpc.Creds(creds))
|
||
</code></pre>
|
||
<h3 id="in-your-kubernetes-deployment">In your Kubernetes Deployment</h3>
|
||
<p>Assuming your application code is compatible, the Pod simply needs the annotation <code>inject.istio.io/templates: grpc-agent</code>.
|
||
This adds a sidecar container running the agent described above, and some environment variables that gRPC uses to find
|
||
the bootstrap file and enable certain features.</p>
|
||
<p>For gRPC servers, your Pod should also be annotated with <code>proxy.istio.io/config: '{&quot;holdApplicationUntilProxyStarts&quot;: true}'</code>
|
||
to make sure the in-agent xDS proxy and bootstrap file are ready before your gRPC server is initialized.</p>
|
||
<h2 id="example">Example</h2>
|
||
<p>In this guide you will deploy <code>echo</code>, an application that already supports both server-side and client-side
|
||
proxyless gRPC. With this app you can try out some supported traffic policies enabling mTLS.</p>
|
||
<h3 id="prerequisites">Prerequisites</h3>
|
||
<p>This guide requires the Istio (1.11+) control plane <a href="/v1.12/docs/setup/install/">to be installed</a> before proceeding.</p>
|
||
<h3 id="deploy-the-application">Deploy the application</h3>
|
||
<p>Create an injection-enabled namespace <code>echo-grpc</code>. Next deploy two instances of the <code>echo</code> app as well as the Service.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create namespace echo-grpc
|
||
$ kubectl label namespace echo-grpc istio-injection=enabled
|
||
$ kubectl -n echo-grpc apply -f samples/grpc-echo/grpc-echo.yaml
|
||
</code></pre>
|
||
<p>Make sure the two pods are running:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n echo-grpc get pods
|
||
NAME READY STATUS RESTARTS AGE
|
||
echo-v1-69d6d96cb7-gpcpd 2/2 Running 0 58s
|
||
echo-v2-5c6cbf6dc7-dfhcb 2/2 Running 0 58s
|
||
</code></pre>
|
||
<h3 id="test-the-grpc-resolver">Test the gRPC resolver</h3>
|
||
<p>First, port-forward <code>17171</code> to one of the Pods. This port is a non-xDS backed gRPC server that allows making
|
||
requests from the port-forwarded Pod.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n echo-grpc port-forward $(kubectl -n echo-grpc get pods -l version=v1 -ojsonpath=&#39;{.items[0].metadata.name}&#39;) 17171 &amp;
|
||
</code></pre>
|
||
<p>Next, we can fire off a batch of 5 requests:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;, &#34;count&#34;: 5}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39; | grep Hostname
|
||
Handling connection for 17171
|
||
[0 body] Hostname=echo-v1-7cf5b76586-bgn6t
|
||
[1 body] Hostname=echo-v2-cf97bd94d-qf628
|
||
[2 body] Hostname=echo-v1-7cf5b76586-bgn6t
|
||
[3 body] Hostname=echo-v2-cf97bd94d-qf628
|
||
[4 body] Hostname=echo-v1-7cf5b76586-bgn6t
|
||
</code></pre>
|
||
<p>You can also use Kubernetes-like name resolution for short names:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join
|
||
(&#34;&#34;)&#39; | grep Hostname
|
||
[0 body] Hostname=echo-v1-7cf5b76586-ltr8q
|
||
$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r
|
||
&#39;.output | join(&#34;&#34;)&#39; | grep Hostname
|
||
[0 body] Hostname=echo-v1-7cf5b76586-ltr8q
|
||
$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r
|
||
&#39;.output | join(&#34;&#34;)&#39; | grep Hostname
|
||
[0 body] Hostname=echo-v2-cf97bd94d-jt5mf
|
||
</code></pre>
|
||
<h3 id="creating-subsets-with-destination-rule">Creating subsets with destination rule</h3>
|
||
<p>First, create a subset for each version of the workload.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: echo-versions
|
||
namespace: echo-grpc
|
||
spec:
|
||
host: echo.echo-grpc.svc.cluster.local
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
EOF
|
||
</code></pre>
|
||
<h3 id="traffic-shifting">Traffic shifting</h3>
|
||
<p>Using the subsets defined above, you can send 80 percent of the traffic to a specific version:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1beta1
|
||
kind: VirtualService
|
||
metadata:
|
||
name: echo-weights
|
||
namespace: echo-grpc
|
||
spec:
|
||
hosts:
|
||
- echo.echo-grpc.svc.cluster.local
|
||
http:
|
||
- route:
|
||
- destination:
|
||
host: echo.echo-grpc.svc.cluster.local
|
||
subset: v1
|
||
weight: 20
|
||
- destination:
|
||
host: echo.echo-grpc.svc.cluster.local
|
||
subset: v2
|
||
weight: 80
|
||
EOF
|
||
</code></pre>
|
||
<p>Now, send a set of 10 requests:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;, &#34;count&#34;: 10}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39; | grep ServiceVersion
|
||
</code></pre>
|
||
<p>The response should contain mostly <code>v2</code> responses:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >[0 body] ServiceVersion=v2
|
||
[1 body] ServiceVersion=v2
|
||
[2 body] ServiceVersion=v1
|
||
[3 body] ServiceVersion=v2
|
||
[4 body] ServiceVersion=v1
|
||
[5 body] ServiceVersion=v2
|
||
[6 body] ServiceVersion=v2
|
||
[7 body] ServiceVersion=v2
|
||
[8 body] ServiceVersion=v2
|
||
[9 body] ServiceVersion=v2
|
||
</code></pre>
|
||
<h3 id="enabling-mtls">Enabling mTLS</h3>
|
||
<p>Due to the changes to the application itself required to enable security in gRPC, Istio&rsquo;s traditional method of
|
||
automatically detecting mTLS support is unreliable. For this reason, the initial release requires explicitly enabling
|
||
mTLS on both the client and server.</p>
|
||
<p>To enable client-side mTLS, apply a <code>DestinationRule</code> with <code>tls</code> settings:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: echo-mtls
|
||
namespace: echo-grpc
|
||
spec:
|
||
host: echo.echo-grpc.svc.cluster.local
|
||
trafficPolicy:
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
EOF
|
||
</code></pre>
|
||
<p>Now an attempt to call the server that is not yet configured for mTLS will fail.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39;
|
||
Handling connection for 17171
|
||
ERROR:
|
||
Code: Unknown
|
||
Message: 1/1 requests had errors; first error: rpc error: code = Unavailable desc = all SubConns are in TransientFailure
|
||
</code></pre>
|
||
<p>To enable server-side mTLS, apply a <code>PeerAuthentication</code>.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">The following policy forces STRICT mTLS for the entire namespace.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: PeerAuthentication
|
||
metadata:
|
||
name: echo-mtls
|
||
namespace: echo-grpc
|
||
spec:
|
||
mtls:
|
||
mode: STRICT
|
||
EOF
|
||
</code></pre>
|
||
<p>Requests will start to succeed after applying the policy.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ grpcurl -plaintext -d &#39;{&#34;url&#34;: &#34;xds:///echo.echo-grpc.svc.cluster.local:7070&#34;}&#39; :17171 proto.EchoTestService/ForwardEcho | jq -r &#39;.output | join(&#34;&#34;)&#39;
|
||
Handling connection for 17171
|
||
[0] grpcecho.Echo(&amp;{xds:///echo.echo-grpc.svc.cluster.local:7070 map[] 0 5s false })
|
||
[0 body] x-request-id=0
|
||
[0 body] Host=echo.echo-grpc.svc.cluster.local:7070
|
||
[0 body] content-type=application/grpc
|
||
[0 body] user-agent=grpc-go/1.39.1
|
||
[0 body] StatusCode=200
|
||
[0 body] ServiceVersion=v1
|
||
[0 body] ServicePort=17070
|
||
[0 body] Cluster=
|
||
[0 body] IP=10.68.1.18
|
||
[0 body] IstioVersion=
|
||
[0 body] Echo=
|
||
[0 body] Hostname=echo-v1-7cf5b76586-z5p8l
|
||
</code></pre>
|
||
<h2 id="limitations">Limitations</h2>
|
||
<p>The initial release comes with several limitations that may be fixed in a future version:</p>
|
||
<ul>
|
||
<li>Auto-mTLS isn&rsquo;t supported, and permissive mode isn&rsquo;t supported. Instead we require explicit mTLS configuration with
|
||
<code>STRICT</code> on the server and <code>ISTIO_MUTUAL</code> on the client. Envoy can be used during the migration to <code>STRICT</code>.</li>
|
||
<li><code>grpc.Serve(listener)</code> or <code>grpc.Dial(&quot;xds:///...&quot;)</code> called before the bootstrap is written or xDS proxy is ready can
|
||
cause a failure. <code>holdApplicationUntilProxyStarts</code> can be used to work around this, or the application can be more
|
||
robust to these failures.</li>
|
||
<li>If the xDS-enabled gRPC server uses mTLS then you will need to make sure your health checks can work around this.
|
||
Either a separate port should be used, or your health-checking client needs a way to get the proper client
|
||
certificates.</li>
|
||
<li>The implementation of xDS in gRPC does not match Envoys. Certain behaviors may be different, and some features may
|
||
be missing. The <a href="https://github.com/grpc/grpc/blob/master/doc/grpc_xds_features.md">feature status for gRPC</a> provides more detail. Make sure to test that any Istio
|
||
configuration actually applies on your proxyless gRPC apps.</li>
|
||
</ul>
|
||
<h2 id="performance">Performance</h2>
|
||
<h3 id="experiment-setup">Experiment Setup</h3>
|
||
<ul>
|
||
<li>Using Fortio, a Go-based load testing app
|
||
<ul>
|
||
<li>Slightly modified, to support gRPC’s XDS features (PR)</li>
|
||
</ul></li>
|
||
<li>Resources:
|
||
<ul>
|
||
<li>GKE 1.20 cluster with 3 <code>e2-standard-16</code> nodes (16 CPUs + 64 GB memory each)</li>
|
||
<li>Fortio client and server apps: 1.5 vCPU, 1000 MiB memory</li>
|
||
<li>Sidecar (istio-agent and possibly Envoy proxy): 1 vCPU, 512 MiB memory</li>
|
||
</ul></li>
|
||
<li>Workload types tested:
|
||
<ul>
|
||
<li>Baseline: regular gRPC with no Envoy proxy or Proxyless xDS in use</li>
|
||
<li>Envoy: standard istio-agent + Envoy proxy sidecar</li>
|
||
<li>Proxyless: gRPC using the xDS gRPC server implementation and <code>xds:///</code> resolver on the client</li>
|
||
<li>mTLS enabled/disabled via <code>PeerAuthentication</code> and <code>DestinationRule</code></li>
|
||
</ul></li>
|
||
</ul>
|
||
<h3 id="latency">Latency</h3>
|
||
<p><figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/proxyless-grpc/latencies_p50.svg" title="p50 latency comparison chart">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/proxyless-grpc/latencies_p50.svg" alt="p50 latency comparison chart" />
|
||
</a>
|
||
</div>
|
||
<figcaption>p50 latency comparison chart</figcaption>
|
||
</figure>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/proxyless-grpc/latencies_p99.svg" title="p99 latency comparison chart">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/proxyless-grpc/latencies_p99.svg" alt="p99 latency comparison chart" />
|
||
</a>
|
||
</div>
|
||
<figcaption>p99 latency comparison chart</figcaption>
|
||
</figure></p>
|
||
<p>There is a marginal increase in latency when using the proxyless gRPC resolvers. Compared to Envoy this is a massive
|
||
improvement that still allows for advanced traffic management features and mTLS.</p>
|
||
<h3 id="istio-proxy-container-resource-usage">istio-proxy container resource usage</h3>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th></th>
|
||
<th>Client <code>mCPU</code></th>
|
||
<th>Client Memory (<code>MiB</code>)</th>
|
||
<th>Server <code>mCPU</code></th>
|
||
<th>Server Memory (<code>MiB</code>)</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>Envoy Plaintext</td>
|
||
<td>320.44</td>
|
||
<td>66.93</td>
|
||
<td>243.78</td>
|
||
<td>64.91</td>
|
||
</tr>
|
||
<tr>
|
||
<td>Envoy mTLS</td>
|
||
<td>340.87</td>
|
||
<td>66.76</td>
|
||
<td>309.82</td>
|
||
<td>64.82</td>
|
||
</tr>
|
||
<tr>
|
||
<td>Proxyless Plaintext</td>
|
||
<td>0.72</td>
|
||
<td>23.54</td>
|
||
<td>0.84</td>
|
||
<td>24.31</td>
|
||
</tr>
|
||
<tr>
|
||
<td>Proxyless mTLS</td>
|
||
<td>0.73</td>
|
||
<td>25.05</td>
|
||
<td>0.78</td>
|
||
<td>25.43</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>Even though we still require an agent, the agent uses less than 0.1% of a full vCPU, and only 25 MiB of memory,
|
||
which is less than half of what running Envoy requires.</p>
|
||
<p>These metrics don’t include additional resource usage by gRPC in the application container,
|
||
but serve to demonstrate the resource usage impact of the istio-agent when running in this mode.</p></description><pubDate>Thu, 28 Oct 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/proxyless-grpc/</link><author>Steven Landow (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/proxyless-grpc/</guid></item><item><title>Aeraki — Manage Any Layer-7 Protocol in Istio Service Mesh</title><description>
|
||
<p>Aeraki [Air-rah-ki] is the Greek word for &lsquo;breeze&rsquo;. While Istio connects microservices in a service mesh, Aeraki provides a framework to allow Istio to support more layer-7 protocols other than just HTTP and gRPC. We hope this breeze can help Istio sail a little further.</p>
|
||
<h2 id="lack-of-protocols-support-in-service-mesh">Lack of Protocols Support in Service Mesh</h2>
|
||
<p>We are now facing some challenges with service meshes:</p>
|
||
<ul>
|
||
<li>Istio and other popular service mesh implementations have very limited support for layer 7 protocols other than HTTP and gRPC.</li>
|
||
<li>Envoy RDS(Route Discovery Service) is solely designed for HTTP. Other protocols such as Dubbo and Thrift can only use listener in-line routes for traffic management, which breaks existing connections when routes change.</li>
|
||
<li>It takes a lot of effort to introduce a proprietary protocol into a service mesh. You’ll need to write an Envoy filter to handle the traffic in the data plane, and a control plane to manage those Envoys.</li>
|
||
</ul>
|
||
<p>Those obstacles make it very hard, if not impossible, for users to manage the traffic of other widely-used layer-7 protocols in microservices. For example, in a microservices application, we may have the below protocols:</p>
|
||
<ul>
|
||
<li>RPC: HTTP, gRPC, Thrift, Dubbo, Proprietary RPC Protocol …</li>
|
||
<li>Messaging: Kafka, RabbitMQ …</li>
|
||
<li>Cache: Redis, Memcached …</li>
|
||
<li>Database: MySQL, PostgreSQL, MongoDB …</li>
|
||
</ul>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.800000000000004%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/protocols.png" title="Common Layer-7 Protocols Used in Microservices">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/protocols.png" alt="Common Layer-7 Protocols Used in Microservices" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Common Layer-7 Protocols Used in Microservices</figcaption>
|
||
</figure>
|
||
<p>If you have already invested a lot of effort in migrating to a service mesh, of course, you want to get the most out of it — managing the traffic of all the protocols in your microservices.</p>
|
||
<h2 id="aeraki-s-approach">Aeraki&rsquo;s approach</h2>
|
||
<p>To address these problems, we create an open-source project, <a href="https://github.com/aeraki-framework">Aeraki</a>, to provide a non-intrusive, extendable way to manage any layer-7 traffic in an Istio service mesh.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:51.35135135135135%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/aeraki-architecture.png" title="Aeraki Architecture">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/aeraki-architecture.png" alt="Aeraki Architecture" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Aeraki Architecture</figcaption>
|
||
</figure>
|
||
<p>As this diagram shows, Aeraki Framework consists of the following components:</p>
|
||
<ul>
|
||
<li>Aeraki: <a href="https://github.com/aeraki-framework/aeraki">Aeraki</a> provides high-level, user-friendly traffic management rules to operations, translates the rules to envoy filter configurations, and leverages Istio’s <code>EnvoyFilter</code> API to push the configurations to the sidecar proxies. Aeraki also serves as the RDS server for MetaProtocol proxies in the data plane. Contrary to Envoy RDS, which focuses on HTTP, Aeraki RDS is aimed to provide a general dynamic route capability for all layer-7 protocols.</li>
|
||
<li>MetaProtocol Proxy: <a href="https://github.com/aeraki-framework/meta-protocol-proxy">MetaProtocol Proxy</a> provides common capabilities for Layer-7 protocols, such as load balancing, circuit breaker, load balancing, routing, rate limiting, fault injection, and auth. Layer-7 protocols can be built on top of MetaProtocol. To add a new protocol into the service mesh, the only thing you need to do is implementing the <a href="https://github.com/aeraki-framework/meta-protocol-proxy/blob/ac788327239bd794e745ce18b382da858ddf3355/src/meta_protocol_proxy/codec/codec.h#L118">codec interface</a> and a couple of lines of configuration. If you have special requirements which can’t be accommodated by the built-in capabilities, MetaProtocol Proxy also has an application-level filter chain mechanism, allowing users to write their own layer-7 filters to add custom logic into MetaProtocol Proxy.</li>
|
||
</ul>
|
||
<p><a href="https://github.com/aeraki-framework/meta-protocol-proxy/tree/master/src/application_protocols/dubbo">Dubbo</a> and <a href="https://github.com/aeraki-framework/meta-protocol-proxy/tree/master/src/application_protocols/thrift">Thrift</a> have already been implemented based on MetaProtocol. More protocols are on the way. If you&rsquo;re using a close-source, proprietary protocol, you can also manage it in your service mesh simply by writing a MetaProtocol codec for it.</p>
|
||
<p>Most request/response style, stateless protocols can be built on top of the MetaProtocol Proxy. However, some protocols&rsquo; routing policies are too &ldquo;special&rdquo; to be normalized in MetaProtocol. For example, Redis proxy uses a slot number to map a client query to a specific Redis server node, and the slot number is computed by the key in the request. Aeraki can still manage those protocols as long as there&rsquo;s an available Envoy Filter in the Envoy proxy side. Currently, for protocols in this category, <a href="https://github.com/aeraki-framework/aeraki/blob/master/docs/zh/redis.md">Redis</a> and Kafka are supported in Aeraki.</p>
|
||
<h2 id="deep-dive-into-metaprotocol">Deep Dive Into MetaProtocol</h2>
|
||
<p>Let’s look into how MetaProtocol works. Before MetaProtocol is introduced, if we want to proxy traffic for a specific protocol, we need to write an Envoy filter that understands that protocol and add the code to manipulate the traffic, including routing, header modification, fault injection, traffic mirroring, etc.</p>
|
||
<p>For most request/response style protocols, the code for traffic manipulation is very similar. Therefore, to avoid duplicating these functionalities in different Envoy filters, Aeraki Framework implements most of the common functions of a layer-7 protocol proxy in a single place — the MetaProtocol Proxy filter.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:29.301948051948052%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/metaprotocol-proxy.png" title="MetaProtocol Proxy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/metaprotocol-proxy.png" alt="MetaProtocol Proxy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>MetaProtocol Proxy</figcaption>
|
||
</figure>
|
||
<p>This approach significantly lowers the barrier to write a new Envoy filter: instead of writing a fully functional filter, now you only need to implement the codec interface. In addition to that, the control plane is already in place — Aeraki works at the control plane to provides MetaProtocol configuration and dynamic routes for all protocols built on top of MetaProtocol.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.68571428571428%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/metaprotocol-proxy-codec.png" title="Writing an Envoy Filter Before and After MetProtocol">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/metaprotocol-proxy-codec.png" alt="Writing an Envoy Filter Before and After MetProtocol" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Writing an Envoy Filter Before and After MetProtocol</figcaption>
|
||
</figure>
|
||
<p>There are two important data structures in MetaProtocol Proxy: Metadata and Mutation. Metadata is used for routing, and Mutation is used for header manipulation.</p>
|
||
<p>At the request path, the decoder(the decode method of the codec implementation) populates the Metadata data structure with key-value pairs parsed from the request, then the Metadata will be passed to the MetaProtocol Router. The Router selects an appropriate upstream cluster after matching the route configuration it receives from Aeraki via RDS and the Metadata.</p>
|
||
<p>A custom filter can populate the Mutation data structure with arbitrary key-value pairs if the request needs to be modified: adding a header or changing the value of a header. Then the Mutation data structure will be passed to the encoder(the encode method of the codec implementation). The encoder is responsible for writing the key-value pairs into the wire protocol.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:35.98183881952327%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/request-path.png" title="The Request Path">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/request-path.png" alt="The Request Path" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Request Path</figcaption>
|
||
</figure>
|
||
<p>The response path is similar to the request path, only in a different direction.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:34.39273552780931%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/aeraki/response-path.png" title="The Response Path">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/aeraki/response-path.png" alt="The Response Path" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Response Path</figcaption>
|
||
</figure>
|
||
<h2 id="an-example">An Example</h2>
|
||
<p>If you need to implement an application protocol based on MetaProtocol, you can follow the below steps(use Thrift as an example):</p>
|
||
<h3 id="data-plane">Data Plane</h3>
|
||
<ul>
|
||
<li><p>Implement the <a href="https://github.com/aeraki-framework/meta-protocol-proxy/blob/ac788327239bd794e745ce18b382da858ddf3355/src/meta_protocol_proxy/codec/codec.h#L118">codec interface</a> to encode and decode the protocol package. You can refer to <a href="https://github.com/aeraki-framework/meta-protocol-proxy/tree/master/src/application_protocols/dubbo">Dubbo codec</a> and <a href="https://github.com/aeraki-framework/meta-protocol-proxy/tree/master/src/application_protocols/thrift">Thrift codec</a> as writing your own implementation.</p></li>
|
||
<li><p>Define the protocol with Aeraki <code>ApplicationProtocol</code> CRD, as this YAML snippet shows:</p></li>
|
||
</ul>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: metaprotocol.aeraki.io/v1alpha1
|
||
kind: ApplicationProtocol
|
||
metadata:
|
||
name: thrift
|
||
namespace: istio-system
|
||
spec:
|
||
protocol: thrift
|
||
codec: aeraki.meta_protocol.codec.thrift
|
||
</code></pre>
|
||
<h3 id="control-plane">Control Plane</h3>
|
||
<p>You don’t need to implement the control plane. Aeraki watches services and traffic rules, generates the configurations for the sidecar proxies, and sends the configurations to the data plane via <code>EnvoyFilter</code> and MetaProtocol RDS.</p>
|
||
<h3 id="protocol-selection">Protocol selection</h3>
|
||
<p>Similar to Istio, protocols are identified by service port prefix. Please name service ports with this pattern: tcp-metaprotocol-{application protocol}-xxx. For example, a Thrift service port should be named tcp-metaprotocol-thrift.</p>
|
||
<h3 id="traffic-management">Traffic management</h3>
|
||
<p>You can change the route via <code>MetaRouter</code> CRD. For example: send 20% of the requests to v1 and 80% to v2:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: metaprotocol.aeraki.io/v1alpha1
|
||
kind: MetaRouter
|
||
metadata:
|
||
name: test-metaprotocol-route
|
||
spec:
|
||
hosts:
|
||
- thrift-sample-server.thrift.svc.cluster.local
|
||
routes:
|
||
- name: traffic-spilt
|
||
route:
|
||
- destination:
|
||
host: thrift-sample-server.thrift.svc.cluster.local
|
||
subset: v1
|
||
weight: 20
|
||
- destination:
|
||
host: thrift-sample-server.thrift.svc.cluster.local
|
||
subset: v2
|
||
weight: 80
|
||
</code></pre>
|
||
<p>Hope this helps if you need to manage protocols other than HTTP in a service mesh. Reach out to <a href="https://zhaohuabing.com/">zhaohuabing</a> if you have any questions.</p>
|
||
<h2 id="reference">Reference</h2>
|
||
<ul>
|
||
<li><a href="https://github.com/aeraki-framework">Aeraki GitHub</a></li>
|
||
<li><a href="http://aeraki.zhaohuabing.com:20001/">Live Demo: Kiali Dashboard</a></li>
|
||
<li><a href="http://aeraki.zhaohuabing.com:3000/d/pgz7wp-Gz/aeraki-demo?orgId=1&amp;refresh=10s&amp;kiosk">Live Demo: Service Metrics: Grafana</a></li>
|
||
<li><a href="http://aeraki.zhaohuabing.com:9090/new/graph?g0.expr=envoy_dubbo_inbound_20880___response_success&amp;g0.tab=0&amp;g0.stacked=1&amp;g0.range_input=1h&amp;g1.expr=envoy_dubbo_outbound_20880__org_apache_dubbo_samples_basic_api_demoservice_request&amp;g1.tab=0&amp;g1.stacked=1&amp;g1.range_input=1h&amp;g2.expr=envoy_thrift_inbound_9090___response&amp;g2.tab=0&amp;g2.stacked=1&amp;g2.range_input=1h&amp;g3.expr=envoy_thrift_outbound_9090__thrift_sample_server_thrift_svc_cluster_local_response_success&amp;g3.tab=0&amp;g3.stacked=1&amp;g3.range_input=1h&amp;g4.expr=envoy_thrift_outbound_9090__thrift_sample_server_thrift_svc_cluster_local_request&amp;g4.tab=0&amp;g4.stacked=1&amp;g4.range_input=1h">Live Demo: Service Metrics: Prometheus</a></li>
|
||
<li>Istio meetup China(Chinese): <a href="https://www.youtube.com/watch?v=Bq5T3OR3iTM">Full Stack Service Mesh - Manage Any Layer-7 Traffic in an Istio Service Mesh with Aeraki</a></li>
|
||
<li>IstioCon 2021: <a href="https://www.youtube.com/watch?v=sBS4utF68d8">How to Manage Any Layer-7 Traffic in an Istio Service Mesh?</a></li>
|
||
</ul></description><pubDate>Tue, 28 Sep 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/aeraki/</link><author>Huabing Zhao (Tencent)</author><guid isPermaLink="true">/v1.12/blog/2021/aeraki/</guid><category>istio</category><category>envoy</category><category>aeraki</category></item><item><title>Announcing Extended Support for Istio 1.9</title><description><p>In keeping with our 2021 theme of improving Day 2 Istio operations, the Istio team has been evaluating extending the support window for our releases to give users more time to upgrade. For starters, we are extending the support window of Istio 1.9 by six weeks, to October 5, 2021. We hope that this additional support window will allow the many users who are currently using Istio 1.9 to upgrade, either to Istio 1.10 or directly to Istio 1.11. By overlapping support between 1.9 and 1.11, we intend to create a stable cadence of upgrade windows twice a year for users upgrading directly across two minor versions (i.e. 1.9 to 1.11). Users who prefer upgrading through each minor release to get all the latest and greatest features may continue doing so quarterly.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:55.55555555555556%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/extended-support/extended_support.png" title="Extended Support and Upgrades">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/extended-support/extended_support.png" alt="Extended Support and Upgrades" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Extended Support and Upgrades</figcaption>
|
||
</figure>
|
||
<p>During this extended period of support, Istio 1.9 will receive CVE and critical bug fixes only, as our goal is simply to provide users with time to migrate off the release and on to 1.10 or 1.11. And speaking of users, we would love to hear how we’re doing at improving your Day 2 experience of Istio. Is two upgrades per year not the right number? Is a six week upgrade window too short? Please share your thoughts with us on <a href="https://slack.istio.io">slack</a> (in the user-experience channel), or on <a href="https://twitter.com/istiomesh">twitter</a>. Thanks!</p></description><pubDate>Fri, 03 Sep 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/extended-support/</link><author>Mitch Connors (Google), Lin Sun (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2021/extended-support/</guid><category>upgrade</category><category>Istio</category><category>support</category></item><item><title>Announcing the results of Istio’s first security assessment</title><description>
|
||
<p>The Istio service mesh has gained wide production adoption across a wide variety of
|
||
industries. The success of the project, and its critical usage for enforcing key
|
||
security policies in infrastructure warranted an open and neutral assessment of
|
||
the security risks associated with the project.</p>
|
||
<p>To achieve this goal, the Istio community contracted the
|
||
<a href="https://www.nccgroup.com/">NCC Group</a> last year to
|
||
conduct a third-party security assessment of the project. The goal of the review
|
||
was &ldquo;to identify security issues related to the Istio code base, highlight
|
||
high-risk configurations commonly used by administrators, and provide
|
||
perspective on whether security features sufficiently address the concerns they
|
||
are designed to provide&rdquo;.</p>
|
||
<p>NCC Group carried out the review over a period of five weeks with collaboration
|
||
from subject matter experts across the Istio community. In this blog, we will
|
||
examine the key findings of the report, actions taken to implement various fixes
|
||
and recommendations, and our plan of action for continuous security evaluation
|
||
and improvement of the Istio project. You can download and read the
|
||
unabridged version of the
|
||
<a href="./NCC_Group_Google_GOIST2005_Report_2020-08-06_v1.1.pdf">security assessment report</a>.</p>
|
||
<h2 id="scope-and-key-findings">Scope and Key Findings</h2>
|
||
<p>The assessment evaluated Istio’s architecture as a whole for security related
|
||
issues with focus on key components like istiod (Pilot), Ingress/Egress
|
||
gateways, and Istio’s overall Envoy usage as its data plane proxy. Additionally,
|
||
Istio documentation, including security guides, were audited for correctness and
|
||
clarity. The report was compiled against Istio version 1.6.5, and since then the
|
||
Product Security Working Group has issued several security releases as new
|
||
vulnerabilities were disclosed, along with fixes to address concerns raised in
|
||
the new report.</p>
|
||
<p>An important conclusion from the report is that the auditors found no &ldquo;Critical&rdquo;
|
||
issues within the Istio project. This finding validates the continuous and
|
||
proactive security review and vulnerability management process implemented by
|
||
Istio’s Product Security Working Group (PSWG). For the remaining issues surfaced
|
||
by the report, the PSWG went to work on addressing them, and we are glad to
|
||
report that all issues marked &ldquo;High&rdquo;, and several marked &ldquo;Medium/Low&rdquo;, have been
|
||
resolved in the releases following the report.</p>
|
||
<p>The report also makes strategic recommendations around creating a hardening
|
||
guide which is now available in our
|
||
<a href="/v1.12/docs/ops/best-practices/security/">Security Best Practices</a>
|
||
guide. This is a comprehensive document which pulls together recommendations
|
||
from security experts within the Istio community, and industry leaders running
|
||
Istio in production. Work is underway to create an opinionated and hardened
|
||
security profile for installing Istio in secure environments, but in the interim
|
||
we recommend users follow the Security Best Practices guide and configure Istio
|
||
to meet their security requirements. With that, let’s look at the analysis and
|
||
resolution for various issues raised in the report.</p>
|
||
<h2 id="resolution-and-learnings">Resolution and learnings</h2>
|
||
<h3 id="inability-to-secure-control-plane-network-communications">Inability to secure control plane network communications</h3>
|
||
<p>The report flags configuration options that were available in older versions of
|
||
Istio to control how communication is secured to the control plane. Since 1.7,
|
||
Istio by default secures all control plane communication and many configuration
|
||
options mentioned in the report to manage control plane encryption are no longer
|
||
required.</p>
|
||
<p>The debug endpoint mentioned in the report is enabled by default (as of Istio
|
||
1.10) to allow users to debug their Istio service mesh using the <code>istioctl</code> tool.
|
||
It can be disabled by setting the environment variable <code>ENABLE_DEBUG_ON_HTTP</code> to
|
||
false as mentioned in the <a href="/v1.12/docs/ops/best-practices/security/#control-plane">Security Best
|
||
Practices</a>
|
||
guide. Additionally, in an upcoming version (1.11), this debug endpoint will
|
||
be secured by default and a valid Kubernetes service account token will be
|
||
required to gain access.</p>
|
||
<h3 id="lack-of-security-related-documentation">Lack of security related documentation</h3>
|
||
<p>The report points out gaps in the security related documentation published with
|
||
Istio 1.6. Since then, we have created a detailed <a href="/v1.12/docs/ops/best-practices/security/">Security Best Practices</a>
|
||
guide with recommendations to ensure users can deploy Istio securely to meet
|
||
their requirements. Moving forward, we will continue to augment this
|
||
documentation with more hardening recommendations. We advise users to monitor
|
||
the guide for updates.</p>
|
||
<h3 id="lack-of-virtualservice-gateway-field-validation-enables-request-hijacking">Lack of VirtualService Gateway field validation enables request hijacking</h3>
|
||
<p>For this issue, the report uses a valid but permissive Gateway configuration
|
||
that can cause requests to be routed incorrectly. Similar to the Kubernetes
|
||
RBAC, Istio APIs, including Gateways, can be tuned to be permissive or
|
||
restrictive depending upon your requirements. However, the report surfaced
|
||
missing links in our documentation related to best practices and guiding our
|
||
users to secure their environments. To address them, we have added a section to
|
||
our Security Best Practices guide with steps for running
|
||
<a href="/v1.12/docs/ops/best-practices/security/#gateways">Gateways</a> securely.
|
||
In particular, the section describing <a href="/v1.12/docs/ops/best-practices/security/#avoid-overly-broad-hosts-configurations">using namespace prefixes in hosts
|
||
specification</a>
|
||
on Gateway resources is strongly recommended to harden your
|
||
configuration and prevent this type of request hijacking.</p>
|
||
<h3 id="ingress-gateway-configuration-generation-enables-request-hijacking">Ingress Gateway configuration generation enables request hijacking</h3>
|
||
<p>The report raises possible request hijacking when using the default mechanism of
|
||
selecting gateway workloads by labels across namespaces in a Gateway resource.
|
||
This behavior was chosen by default as it allows delegation of managing Gateway
|
||
and VirtualService resources to the applications team while allowing operations
|
||
teams to centrally manage the ingress gateway workloads for meeting their unique
|
||
security requirements like running on dedicated nodes for instance. As
|
||
highlighted in the report, if this deployment topology is not a requirement in
|
||
your environment it is strongly recommended to co-locate Gateway resources with
|
||
your gateway workloads and set the environment variable
|
||
<code>PILOT_SCOPE_GATEWAY_TO_NAMESPACE</code> to true.</p>
|
||
<p>Please refer to the <a href="/v1.12/docs/setup/additional-setup/gateway/#gateway-deployment-topologies">gateway deployment topologies guide</a>
|
||
to understand the various recommended deployment models by the
|
||
Istio community. Additionally, as mentioned in the
|
||
<a href="/v1.12/docs/ops/best-practices/security/#restrict-gateway-creation-privileges">Security Best Practices</a>
|
||
guide, Gateway resource creation should be access controlled using Kubernetes
|
||
RBAC or other policy enforcement mechanisms to ensure only authorized entities
|
||
can create them.</p>
|
||
<h3 id="other-medium-and-low-severity-issues">Other Medium and Low Severity Issues</h3>
|
||
<p>There are two medium severity issues reported related to debug information
|
||
exposed at various levels within the project which can be used to gain access to
|
||
sensitive information or orchestrate Denial of Service (DOS) attacks. While
|
||
Istio by default enables these debug interfaces for profiling or enabling tools
|
||
like &ldquo;istioctl&rdquo;, they can be disabled by setting the environment variable
|
||
<code>ENABLE_DEBUG_ON_HTTP</code> to false as discussed above.</p>
|
||
<p>The report correctly points out that various utilities like <code>sudo</code>, <code>tcpdump</code>, etc.
|
||
installed in the default images shipped by Istio can lead to privilege
|
||
escalation attacks. These utilities are provided to aid runtime debugging of
|
||
packets flowing through the mesh, and users are recommended to use
|
||
<a href="/v1.12/docs/ops/configuration/security/harden-docker-images/">hardened versions</a>
|
||
of these images in production.</p>
|
||
<p>The report also surfaces a known architectural limitation with any sidecar
|
||
proxy-based service mesh implementation which uses <code>iptables</code> for intercepting
|
||
traffic. This mechanism is susceptible to
|
||
<a href="/v1.12/docs/ops/best-practices/security/#understand-traffic-capture-limitations">sidecar proxy bypass</a>,
|
||
which is a valid concern for secure environments. It can be addressed by following the
|
||
<a href="/v1.12/docs/ops/best-practices/security/#defense-in-depth-with-networkpolicy">defense-in-depth</a>
|
||
recommendation of the Security Best Practices guide. We are
|
||
also investigating more secure options in collaboration with the Kubernetes
|
||
community.</p>
|
||
<h2 id="the-tradeoff-between-useful-and-secure">The tradeoff between useful and secure</h2>
|
||
<p>You may have noticed a trend in the findings of the assessment and the
|
||
recommendations made to address them. Istio provides various configuration
|
||
options to create a more secure installation based on your requirement, and we
|
||
have introduced a comprehensive <a href="/v1.12/docs/ops/best-practices/security">Security Best Practices</a>
|
||
guide for our users to follow. As Istio is widely adopted in production, it is
|
||
a tradeoff for us between switching to secure defaults and possible migration
|
||
issues for our existing users on upgrades. The Istio Product Security Working
|
||
Group evaluates each of these issues and creates a plan of action to enable
|
||
secure default on a case-by-case basis after giving our users a number of
|
||
releases to opt-in the secure configuration and migrate their workloads.</p>
|
||
<p>Lastly, there were several lessons for us during and after undergoing a neutral
|
||
security assessment. The primary one was to ensure our security practices are
|
||
robust to quickly respond to the findings, and more importantly making security
|
||
enhancements while maintaining our standards for upgrades without disruption.</p>
|
||
<p>To continue this endeavor, we are always looking for feedback and participation
|
||
in the Istio Product Security Working Group, so
|
||
<a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md">join our public meetings</a>
|
||
to raise issues or learn about what we are doing to keep Istio secure!</p></description><pubDate>Tue, 13 Jul 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/ncc-security-assessment/</link><author>Neeraj Poddar (Aspen Mesh), on behalf of Istio Product Security Working Group</author><guid isPermaLink="true">/v1.12/blog/2021/ncc-security-assessment/</guid><category>istio</category><category>security</category><category>audit</category><category>ncc</category><category>assessment</category></item><item><title>Join us at the Istio Community Meetup in China</title><description>
|
||
<p>With the rapid popularization of cloud native technology in China, Istio has also gained popularity in this corner of the world. Almost all Chinese CSPs have creating and are running service mesh products based on Istio.</p>
|
||
<p>We welcomed thousands of Istio users and developers to the first IstioCon in February 2021, and the attendees expressed an interest in participating in more meetups and helping to grow the community at the local level.</p>
|
||
<p>To this end, the Istio community united six partners — the China Academy of Information and Communications Technology, Alibaba Cloud, Huawei Cloud, Intel, Tencent Cloud, and Tetrate — to co-host the first official Istio Community Meetup China. We have invited a number of industry experts to share comprehensive Istio technical practices with everyone at an in-person meetup. We will serve some refreshments, and seats are limited, so we will operate on a first-come first-served basis. <strong><a href="https://www.huodongxing.com/event/7604616393700?td=3381727549788">Please register to attend</a></strong>.</p>
|
||
<p><strong>Time and day:</strong> 13:30-17:30 (CST), July 10, 2021</p>
|
||
<p><strong>Venue:</strong> Industrial Internet Exhibition Hall, 2nd Floor, Research Building, China Academy of Information and Communications Technology, No. 52 Huayuan North Road, Haidian District, Beijing</p>
|
||
<h2 id="agenda">Agenda</h2>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Session time (CST)</th>
|
||
<th>Title</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>13:30 - 13:50</td>
|
||
<td>Sign in</td>
|
||
</tr>
|
||
<tr>
|
||
<td>13:50 - 14:00</td>
|
||
<td><em>Welcome</em><br>Craig Box, Istio Steering Committee member, Google Cloud<br>Iris Ding, cloud computing engineer, Intel</td>
|
||
</tr>
|
||
<tr>
|
||
<td>14:00 - 14:30</td>
|
||
<td><em>Interpretation of the &ldquo;Service Grid Technical Capability Requirements&rdquo; Standard</em><br>Yin Xia Mengxue, Engineer, Cloud Computing Department, Academy of Information and Communications Technology</td>
|
||
</tr>
|
||
<tr>
|
||
<td>14:30 - 15:00</td>
|
||
<td><em>Service Mesh Data Plane Hot Upgrade</em><br>Shi Zehuan, Alibaba Cloud</td>
|
||
</tr>
|
||
<tr>
|
||
<td>15:00 - 15:30</td>
|
||
<td><em>Envoy Principle Introduction and Online Problem Pit</em><br>Zhang Wei, Data Plane Technical Expert, Huawei Cloud Service Mesh</td>
|
||
</tr>
|
||
<tr>
|
||
<td>15:30 - 15:45</td>
|
||
<td>Coffee break</td>
|
||
</tr>
|
||
<tr>
|
||
<td>15:45 - 16:15</td>
|
||
<td><em>Use eBPF to accelerate Istio/Envoy networking</em><br>Zhong Luyao, Intel</td>
|
||
</tr>
|
||
<tr>
|
||
<td>16:15 - 16:45</td>
|
||
<td><em>Full-stack service mesh: how Aeraki helps you manage any Layer 7 traffic in Istio</em><br>Huabing Zhao, Senior Engineer, Tencent Cloud</td>
|
||
</tr>
|
||
<tr>
|
||
<td>16:45 - 17:15</td>
|
||
<td><em>Securing workload deployment with Istio CNI</em><br>Zhang Zhihan, Tetrate</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>We want to thank our community in China who have worked on this event, especially Iris Ding, Wei W Hu, Jimmy Song, Zhonghu Xu, Xining Wang, and Huabing Zhao. We hope you can join!</p></description><pubDate>Tue, 06 Jul 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/istio-community-meetup-china/</link><author>Iris Ding (Intel), Maria Cruz (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/istio-community-meetup-china/</guid><category>community</category><category>meetup</category><category>China</category></item><item><title>Steering and TOC updates</title><description>
|
||
<p>Last year we <a href="/v1.12/blog/2020/steering-changes/">introduced a new Steering Committee charter</a>, which shares governance responsibilities between Contribution Seats, selected based on contributions to the project, and Community Seats, elected by the project members. We <a href="/v1.12/blog/2020/steering-election-results/">elected four members</a>, with the committee representing seven different companies.</p>
|
||
<p>It&rsquo;s now time to kick off our 2021 election for Community Seats. Members have two weeks to submit nominations, and voting will run from 12 to 25 July. You can learn all about the election, including how to stand and how to vote, in the <a href="https://github.com/istio/community/tree/master/steering/elections/2021"><code>istio/community</code> repository on GitHub</a>.</p>
|
||
<p>Just like last year, any <a href="https://github.com/istio/community/blob/master/ROLES.md#member">project member</a> can stand for election. All Istio members who have been active in the last 12 months are eligible to vote.</p>
|
||
<h2 id="technical-oversight-committee-updates">Technical Oversight Committee updates</h2>
|
||
<p>We wish to offer our thanks to Dan Berg and Joshua Blatt, both long-time contributors to the Istio project, who have recently taken new jobs outside the service mesh space. That left two vacancies on the <a href="https://github.com/istio/community/blob/master/TECH-OVERSIGHT-COMMITTEE.md">Istio Technical Oversight Committee</a> (TOC), responsible for cross-cutting product and design decisions.</p>
|
||
<p>TOC members are elected by the Steering Committee from the <a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md#working-group-leads">working group leads</a>, and last week we voted for two new members:</p>
|
||
<ul>
|
||
<li><strong><a href="http://github.com/howardjohn">John Howard</a></strong>, from Google, has become one of the most active contributors to Istio since joining the project in January 2019. He is currently a lead in the Networking working group, and has also served as an Environments working group lead and release manager for version 1.4.</li>
|
||
<li><strong><a href="https://github.com/brian-avery">Brian Avery</a></strong>, from Red Hat, has been active in the Istio community for over 3 years. He served as Release Manager for Istio 1.3 and 1.6, and has remained actively involved in the Istio release process, including introducing tooling for release notes, streamlining the feature maturity process, and working on documentation testing. Most recently, Brian was a lead in the Test and Release and Product Security working groups.</li>
|
||
</ul>
|
||
<p>Congratulations to John and Brian!</p>
|
||
<p>As our new TOC members step into their roles, they will be vacating their current positions as working group leads. We are always on the lookout for community members who are interested in joining, or leading, Istio working groups. If you’re interested, please reach out in the working group channels <a href="https://slack.istio.io/">on Slack</a>, or during the <a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md#working-group-meetings">public working group meetings</a> of your interest.</p></description><pubDate>Tue, 29 Jun 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/steering-election/</link><author>Istio Steering Committee</author><guid isPermaLink="true">/v1.12/blog/2021/steering-election/</guid><category>istio</category><category>steering</category><category>governance</category><category>community</category><category>election</category></item><item><title>Configuring failover for external services</title><description>
|
||
<p>Istio’s powerful APIs can be used to solve a variety of service mesh use cases. Many users know about its strong ingress and east-west capabilities but it also offers many features for egress (outgoing) traffic. This is especially useful when your application needs to talk to an external service - such as a database endpoint provided by a cloud provider. There are often multiple endpoints to chose from depending on where your workload is running. For example, Amazon&rsquo;s DynamoDB provides <a href="https://docs.aws.amazon.com/general/latest/gr/ddb.html">several endpoints</a> across their regions. You typically want to choose the endpoint closest to your workload for latency reasons, but you may need to configure automatic failover to another endpoint in case things are not working as expected.</p>
|
||
<p>Similar to services running inside the service mesh, you can configure Istio to detect outliers and failover to a healthy endpoint, while still being completely transparent to your application. In this example, we’ll use Amazon DynamoDB endpoints and pick a primary region that is the same or close to workloads running in a Google Kubernetes Engine (GKE) cluster. We’ll also configure a failover region.</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Routing</th>
|
||
<th>Endpoint</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>Primary</td>
|
||
<td><a href="http://dynamodb.us-east-1.amazonaws.com">http://dynamodb.us-east-1.amazonaws.com</a></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Failover</td>
|
||
<td><a href="http://dynamodb.us-west-1.amazonaws.com">http://dynamodb.us-west-1.amazonaws.com</a></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p><img src="./external-locality-failover.png" alt="failover" /></p>
|
||
<h2 id="define-external-endpoints-using-a-serviceentry">Define external endpoints using a ServiceEntry</h2>
|
||
<p><a href="/v1.12/docs/tasks/traffic-management/locality-load-balancing/">Locality load balancing</a> works based on <code>region</code> or <code>zone</code>, which are usually inferred from labels set on the Kubernetes nodes. First, determine the location of your workloads:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl describe node | grep failure-domain.beta.kubernetes.io/region
|
||
failure-domain.beta.kubernetes.io/region=us-east1
|
||
failure-domain.beta.kubernetes.io/region=us-east1
|
||
</code></pre>
|
||
<p>In this example, the GKE cluster nodes are running in <code>us-east1</code>.</p>
|
||
<p>Next, create a <code>ServiceEntry</code> which aggregates the endpoints you want to use. In this example, we have selected <code>mydb.com</code> as the host. This is the address your application should be configured to connect to. Set the <code>locality</code> of the primary endpoint to the same region as your workload:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: external-svc-dns
|
||
spec:
|
||
hosts:
|
||
- mydb.com
|
||
location: MESH_EXTERNAL
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
resolution: DNS
|
||
endpoints:
|
||
- address: dynamodb.us-east-1.amazonaws.com
|
||
locality: us-east1
|
||
ports:
|
||
http: 80
|
||
- address: dynamodb.us-west-1.amazonaws.com
|
||
locality: us-west
|
||
ports:
|
||
http: 80
|
||
</code></pre>
|
||
<p>Let’s deploy a sleep container to use as a test source for sending requests.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/sleep/sleep.yaml@
|
||
</code></pre></div>
|
||
<p>From the sleep container try going to <code>http://mydb.com</code> 5 times:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ for i in {1..5}; do kubectl exec deploy/sleep -c sleep -- curl -sS http://mydb.com; echo; sleep 2; done
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
</code></pre>
|
||
<p>You will see that Istio is sending requests to both endpoints. We only want it to send to the endpoint marked with the same region as our nodes.</p>
|
||
<p>For that, we need to configure a <code>DestinationRule</code>.</p>
|
||
<h2 id="set-failover-conditions-using-a-destinationrule">Set failover conditions using a <code>DestinationRule</code></h2>
|
||
<p>Istio’s <code>DestinationRule</code> lets you configure load balancing, connection pool, and outlier detection settings. We can specify the conditions used to identify an endpoint as unhealthy and remove it from the load balancing pool.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: mydynamodb
|
||
spec:
|
||
host: mydb.com
|
||
trafficPolicy:
|
||
outlierDetection:
|
||
consecutive5xxErrors: 1
|
||
interval: 15s
|
||
baseEjectionTime: 1m
|
||
</code></pre>
|
||
<p>The above <code>DestinationRule</code> configures the endpoints to be scanned every 15 seconds, and if any endpoint fails with a 5xx error code, even once, it will be marked unhealthy for one minute. If this circuit breaker is not triggered, the traffic will route to the same region as the pod.</p>
|
||
<p>If we run our curl again, we should see that traffic is always going to the <code>us-east1</code> endpoint.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ for i in {1..5}; do kubectl exec deploy/sleep -c sleep -- curl -sS http://mydb.com; echo; sleep 2; done
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
healthy: dynamodb.us-east-1.amazonaws.com
|
||
</code></pre>
|
||
<h2 id="simulate-a-failure">Simulate a failure</h2>
|
||
<p>Next, let&rsquo;s see what happens if the us-east endpoint goes down. To simulate this, let’s modify the ServiceEntry and set the <code>us-east</code> endpoint to an invalid port:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: external-svc-dns
|
||
spec:
|
||
hosts:
|
||
- mydb.com
|
||
location: MESH_EXTERNAL
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
resolution: DNS
|
||
endpoints:
|
||
- address: dynamodb.us-east-1.amazonaws.com
|
||
locality: us-east1
|
||
ports:
|
||
http: 81 # INVALID - This is purposefully wrong to trigger failover
|
||
- address: dynamodb.us-west-1.amazonaws.com
|
||
locality: us-west
|
||
ports:
|
||
http: 80
|
||
</code></pre>
|
||
<p>Running our curl again shows that traffic is automatically failed over to our us-west region after failing to connect to the us-east endpoint:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ for i in {1..5}; do kubectl exec deploy/sleep -c sleep -- curl -sS http://mydb.com; echo; sleep 2; done
|
||
upstream connect error or disconnect/reset before headers. reset reason: connection failure
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
healthy: dynamodb.us-west-1.amazonaws.com
|
||
</code></pre>
|
||
<p>You can check the outlier status of the us-east endpoint by running:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl pc endpoints &lt;sleep-pod&gt; | grep mydb
|
||
ENDPOINT STATUS OUTLIER CHECK CLUSTER
|
||
52.119.226.80:81 HEALTHY FAILED outbound|80||mydb.com
|
||
52.94.12.144:80 HEALTHY OK outbound|80||mydb.com
|
||
</code></pre>
|
||
<h2 id="failover-for-https">Failover for HTTPS</h2>
|
||
<p>Configuring failover for external HTTPS services is just as easy. Your application can still continue to use plain HTTP, and you can let the Istio proxy perform the TLS origination to the HTTPS endpoint.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: external-svc-dns
|
||
spec:
|
||
hosts:
|
||
- mydb.com
|
||
ports:
|
||
- number: 80
|
||
name: http-port
|
||
protocol: HTTP
|
||
targetPort: 443
|
||
resolution: DNS
|
||
endpoints:
|
||
- address: dynamodb.us-east-1.amazonaws.com
|
||
locality: us-east1
|
||
- address: dynamodb.us-west-1.amazonaws.com
|
||
locality: us-west
|
||
</code></pre>
|
||
<p>The above ServiceEntry defines the <code>mydb.com</code> service on port 80 and redirects traffic to the real DynamoDB endpoints on port 443.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: mydynamodb
|
||
spec:
|
||
host: mydb.com
|
||
trafficPolicy:
|
||
tls:
|
||
mode: SIMPLE
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
localityLbSetting:
|
||
enabled: true
|
||
failover:
|
||
- from: us-east1
|
||
to: us-west
|
||
outlierDetection:
|
||
consecutive5xxErrors: 1
|
||
interval: 15s
|
||
baseEjectionTime: 1m
|
||
</code></pre>
|
||
<p>The <code>DestinationRule</code> now performs TLS origination and configures the outlier detection. The rule also has a <a href="/v1.12/docs/reference/config/networking/destination-rule/#LocalityLoadBalancerSetting">failover</a> field configured where you can specify exactly what regions are failover targets. This is useful when you have several regions defined.</p>
|
||
<h2 id="wrapping-up">Wrapping Up</h2>
|
||
<p>Istio’s <code>VirtualService</code> and <code>DestinationRule</code> API’s provide traffic routing, failure recovery and fault injection features so that you can create resilient applications. The ServiceEntry API extends many of these features to external services that are not part of your service mesh.</p></description><pubDate>Fri, 04 Jun 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/external-locality-failover/</link><author>Ram Vennam (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2021/external-locality-failover/</guid><category>locality</category><category>region</category><category>failover</category><category>Istio</category><category>outlier</category><category>external</category></item><item><title>Safely upgrade the Istio control plane with revisions and tags</title><description>
|
||
<p>Like all security software, your service mesh should be kept up-to-date. The Istio community <a href="/v1.12/docs/releases/supported-releases/">releases new versions every quarter</a>, with regular patch releases for bug fixes <a href="/v1.12/blog/2021/patch-tuesdays/">and security vulnerabilities</a>. The operator of a service mesh will need to upgrade the control plane and data plane components many times. You must take care when upgrading, as a mistake could affect your business traffic. Istio has many mechanisms to make it safe to perform upgrades in a controlled manner, and in Istio 1.10 we further improve this operational experience.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p><a href="/v1.12/news/releases/1.6.x/announcing-1.6/change-notes/">In Istio 1.6</a>, we added <a href="/v1.12/blog/2020/multiple-control-planes/">basic support for upgrading the service mesh following a canary pattern using revisions</a>. Using this approach, you can run multiple control planes side-by-side without impacting an existing deployment and slowly migrate workloads from the old control plane to the new.</p>
|
||
<p>To support this revision-based upgrade, Istio introduced a <code>istio.io/rev</code> label for namespaces. This indicates which control plane revision should inject sidecar proxies for the workloads in the respective namespace. For example, a label of <code>istio.io/rev=1-9-5</code> indicates the control plane revision <code>1-9-5</code> should inject the data plane using proxies for <code>1-9-5</code> for workloads in that namespace.</p>
|
||
<p>If you wanted to upgrade the data-plane proxies for a particular namespace, you would update the <code>istio.io/rev</code> label to point to a new version, such as <code>istio.io/rev=1-10-0</code>. Manually changing (or even trying to orchestrate) changes of labels across a large number of namespaces can be error-prone and lead to unintended downtime.</p>
|
||
<h2 id="introducing-revision-tags">Introducing Revision Tags</h2>
|
||
<p><a href="/v1.12/news/releases/1.10.x/announcing-1.10/">In Istio 1.10</a>, we&rsquo;ve improved revision-based upgrades with a new feature called <em><a href="/v1.12/docs/setup/upgrade/canary/#stable-revision-labels-experimental">revision tags</a></em>. A revision tag reduces the number of changes an operator has to make to use revisions, and safely upgrade an Istio control plane. You use the tag as the label for your namespaces, and assign a revision to that tag. This means you don&rsquo;t have to change the labels on a namespace while upgrading, and minimizes the number of manual steps and configuration changes.</p>
|
||
<p>For example, you can define a tag named <code>prod-stable</code> and point it to the <code>1-9-5</code> revision of a control plane. You can also define another tag named <code>prod-canary</code> which points to the <code>1-10-0</code> revision. You may have a lot of important namespaces in your cluster, and you can label those namespaces with <code>istio.io/rev=prod-stable</code>. In other namespaces you may be willing to test the new version of Istio, and you can label that namespace <code>istio.io/rev=prod-canary</code>. The tag will indirectly associate those namespaces with the <code>1-9-5</code> revision for <code>prod-stable</code> and <code>1-10-0</code> for <code>prod-canary</code> respectively.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:55.51282051282052%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/revision-tags/tags.png" title="Stable revision tags">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/revision-tags/tags.png" alt="Stable revision tags" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Stable revision tags</figcaption>
|
||
</figure>
|
||
<p>Once you&rsquo;ve determined the new control plane is suitable for the rest of the <code>prod-stable</code> namespaces, you can change the tag to point to the new revision. This enables you to update all the namespaces labeled <code>prod-stable</code> to the new <code>1-10-0</code> revision without making any changes to the labels on the namespaces. You will need to restart the workloads in a namespace once you&rsquo;ve changed the tag to point to a different revision.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:55.51282051282052%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/revision-tags/tags-updated.png" title="Updated revision tags">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/revision-tags/tags-updated.png" alt="Updated revision tags" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Updated revision tags</figcaption>
|
||
</figure>
|
||
<p>Once you&rsquo;re satisfied with the upgrade to the new control-plane revision, you can remove the old control plane.</p>
|
||
<h2 id="stable-revision-tags-in-action">Stable revision tags in action</h2>
|
||
<p>To create a new <code>prod-stable</code> tag for a revision <code>1-9-5</code>, run the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set prod-stable --revision 1-9-5
|
||
</code></pre>
|
||
<p>You can then label your namespaces with the <code>istio.io/rev=prod-stable</code> label. Note, if you installed a <code>default</code> revision (i.e., no revision) of Istio, you will first have to remove the standard injection label:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label ns istioinaction istio-injection-
|
||
$ kubectl label ns istioinaction istio.io/rev=prod-stable
|
||
</code></pre>
|
||
<p>You can list the tags in your mesh with the following:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag list
|
||
TAG REVISION NAMESPACES
|
||
prod-stable 1-9-5 istioinaction
|
||
</code></pre>
|
||
<p>A tag is implemented with a <code>MutatingWebhookConfiguration</code>. You can verify a corresponding <code>MutatingWebhookConfiguration</code> has been created:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get MutatingWebhookConfiguration
|
||
NAME WEBHOOKS AGE
|
||
istio-revision-tag-prod-stable 2 75s
|
||
istio-sidecar-injector 1 5m32s
|
||
</code></pre>
|
||
<p>Let&rsquo;s say you are trying to canary a new revision of the control plane based on 1.10.0. First you would install the new version using a revision:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl install -y --set profile=minimal --revision 1-10-0
|
||
</code></pre>
|
||
<p>You can create a new tag called <code>prod-canary</code> and point that to your <code>1-10-0</code> revision:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set prod-canary --revision 1-10-0
|
||
</code></pre>
|
||
<p>Then label your namespaces accordingly:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label ns istioinaction-canary istio.io/rev=prod-canary
|
||
</code></pre>
|
||
<p>If you list out the tags in your mesh, you will see two stable tags pointing to two different revisions:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag list
|
||
TAG REVISION NAMESPACES
|
||
prod-stable 1-9-5 istioinaction
|
||
prod-canary 1-10-0 istioinaction-canary
|
||
</code></pre>
|
||
<p>Any of the namespaces that you have labeled with <code>istio.io/rev=prod-canary</code> will be injected by the control plane that corresponds to the <code>prod-canary</code> stable tag name (which in this example points to the <code>1-10-0</code> revision). When you&rsquo;re ready, you can switch the <code>prod-stable</code> tag to the new control plane with:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set prod-stable --revision 1-10-0 --overwrite
|
||
</code></pre>
|
||
<p>Any time you switch a tag to point to a new revision, you will need to restart the workloads in any respective namespace to pick up the new revision&rsquo;s proxy.</p>
|
||
<p>When both the <code>prod-stable</code> and <code>prod-canary</code> no longer point to the old revision, it may be safe to remove the old revision as follows:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x uninstall --revision 1-9-5
|
||
</code></pre>
|
||
<h2 id="wrapping-up">Wrapping up</h2>
|
||
<p>Using revisions makes it safer to canary changes to an Istio control plane. In large environments with lots of namespaces, you may prefer to use stable tags, as we&rsquo;ve introduced in this blog, to remove the number of moving pieces and simplify any automation you may build around updating an Istio control plane. Please check out the <a href="/v1.12/news/releases/1.10.x/announcing-1.10/">1.10 release</a> <a href="/v1.12/docs/setup/upgrade/canary/#stable-revision-labels-experimental">and the new tag feature</a> and give us your feedback!</p></description><pubDate>Wed, 26 May 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/revision-tags/</link><author>Christian Posta (Solo.io), Lin Sun (Solo.io), Sam Naser (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/revision-tags/</guid><category>upgrades</category><category>revisions</category><category>operations</category><category>canary</category></item><item><title>Happy Birthday, Istio!</title><description>
|
||
<h2 id="celebrating-istio-s-4th-birthday">Celebrating Istio’s 4th birthday</h2>
|
||
<p>Four years ago today, the Istio project was born to the open source world. To celebrate this anniversary,
|
||
we are hosting a week-long birthday celebration that focuses on contributions to the Istio project that
|
||
stem from using Istio in production. Read on to learn how to participate in this celebration and enter a
|
||
chance to win some Istio swag.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/istio-4th-birthday/1.png" title="Istio&#39;s 4th Birthday!">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/istio-4th-birthday/1.png" alt="Istio&#39;s 4th Birthday!" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio&#39;s 4th Birthday!</figcaption>
|
||
</figure>
|
||
<h3 id="a-year-of-important-developments-for-istio">A year of important developments for Istio</h3>
|
||
<p>Over the last 12 months, the Istio project has been very focused on the <a href="https://dzone.com/articles/defining-day-2-operations">day-0
|
||
&amp; day-1</a> experience for
|
||
users by actively listening to our users through UX surveys and GitHub issues.</p>
|
||
<ul>
|
||
<li>We <a href="/v1.12/blog/2020/istiod/">simplified the control plane architecture</a> and
|
||
made Istio easier to install, configure and upgrade.</li>
|
||
<li>We provided clarity and process to our feature status and promotion of features and APIs.</li>
|
||
<li>We simplified the debugging experience with various istioctl commands.</li>
|
||
<li>We expanded the mesh to services running in <a href="/v1.12/news/releases/1.9.x/announcing-1.9/#virtual-machine-integration-beta">VMs</a>
|
||
and <a href="/v1.12/docs/setup/install/multicluster/">multiple clusters</a>.</li>
|
||
<li>We made <a href="/v1.12/blog/2021/statefulsets-made-easier/"><code>StatefulSet</code> easier</a> to use in Istio 1.10 with zero-configuration.</li>
|
||
<li>We made various performance improvements to the Istio control plane and data plane via <a href="/v1.12/blog/2021/discovery-selectors/">discovery selectors</a>, sidecar resources etc.</li>
|
||
<li>We <a href="/v1.12/blog/2021/wasm-progress/">introduced WebAssembly</a> as our extensibility platform which has helped users tailor Istio to their needs.</li>
|
||
<li>We beefed up our CVE management and release processes to meet enterprise needs.</li>
|
||
</ul>
|
||
<p><a href="/v1.12/blog/2020/tradewinds-2020/">Read more</a> about improvements to
|
||
Istio in 2020 that made this technology easier to use.</p>
|
||
<p>In February 2021, we celebrated the first IstioCon! This community-led event was an opportunity
|
||
for users and developers to share <a href="https://www.youtube.com/playlist?list=PL7wB27eZmdffS-g_xh7X-b0echc_XZMKV">many examples</a>
|
||
of how they use Istio in production and lessons
|
||
learned from it. IstioCon was a great opportunity to feature more than 25 end-user companies,
|
||
like Salesforce, T-Mobile, and Airbnb, among others, to feature maintainers from across the Istio
|
||
ecosystem, and to share the <a href="https://www.youtube.com/watch?v=WmjTeN-jtdY">Istio project roadmap</a>.</p>
|
||
<p>This inaugural community conference was a major success, with more than 4,000 registrants from 80
|
||
countries participating. The program was conducted during US and Asia time zones,
|
||
and in English and Chinese languages to accommodate big user communities in various continents.
|
||
Learn more about the <a href="https://events.istio.io/istiocon-2021/slides/IstioCon2021-Report.pdf">impact</a>
|
||
of IstioCon and find the <a href="https://events.istio.io/istiocon-2021/sessions/">presentations</a> on
|
||
the conference website.</p>
|
||
<h3 id="how-to-participate-in-istio-s-4th-birthday-celebration">How to participate in Istio’s 4th Birthday celebration</h3>
|
||
<p>Contributions are key to the long life of an open source project. This is why, on its 4th birthday,
|
||
we want to hear about your contributions to the Istio project. To participate in this campaign,
|
||
share on Twitter a contribution you made to the project and why it matters, using the hashtag #IstioTurns4
|
||
and #IstioBirthday. You can submit posts from Monday, May 24th at 9 am Pacific, until
|
||
Friday, May 28th, at 12 pm Pacific, to enter a chance to win some Istio swag.</p>
|
||
<p>The other way of participating in this campaign is by joining the Istio community meetup, which
|
||
will take place on Thursday, May 27th at 10 am Pacific. At this event, we will have Pratima Nambiar
|
||
discuss contributions that have stemmed from using Istio in production at Salesforce. Join the event,
|
||
and ask a question or make a comment on the demo, and enter a chance to win some Istio swag.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/istio-4th-birthday/2.png" title="Istio Community Meetup!">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/istio-4th-birthday/2.png" alt="Istio Community Meetup!" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Community Meetup!</figcaption>
|
||
</figure></description><pubDate>Mon, 24 May 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/istio-4th-birthday/</link><author>Maria Cruz (Google), Aizhamal Nurmamat kyzy (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/istio-4th-birthday/</guid><category>community</category><category>birthday</category><category>celebration</category></item><item><title>Announcing Support for 1.8 to 1.10 Direct Upgrades</title><description>
|
||
<p>As Service Mesh technology moves from cutting edge to stable infrastructure, many users have expressed an interest in upgrading their service mesh less frequently, as qualifying a new minor release can take a lot of time. Upgrading can be especially difficult for users who don’t keep up with new releases, as Istio has not supported upgrades across multiple minor versions. To upgrade from <code>1.6.x</code> to <code>1.8.x</code>, users first had to upgrade to <code>1.7.x</code> and then to <code>1.8.x</code>.</p>
|
||
<p>With the release of Istio 1.10, we are announcing Alpha level support for upgrading directly from Istio <code>1.8.x</code> to <code>1.10.x</code>, without upgrading to <code>1.9.x</code>. We hope this will reduce the operational burden of running Istio, in keeping with our 2021 theme of improving Day 2 Operations.</p>
|
||
<h2 id="upgrade-from-1-8-to-1-10">Upgrade From 1.8 to 1.10</h2>
|
||
<p>For direct upgrades we recommend using the canary upgrade method so that control plane functionality can be verified before cutting workloads over to the new version. We’ll also be using <a href="/v1.12/blog/2021/revision-tags/">revision tags</a> in this guide, an improvement to canary upgrades that was introduced in 1.10, so users don’t have to change the labels on a namespace while upgrading.</p>
|
||
<p>First, using a version <code>1.10</code> or newer <code>istioctl</code>, create a revision tag <code>stable</code> pointed to your existing <code>1.8</code> revision. From now on let’s assume this revision is called <code>1-8-5</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set stable --revision 1-8-5
|
||
</code></pre>
|
||
<p>If your 1.8 installation did not have an associated revision, we can create this revision tag with:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set stable --revision default
|
||
</code></pre>
|
||
<p>Now, relabel your namespaces that were previously labeled with <code>istio-injection=enabled</code> or <code>istio.io/rev=&lt;REVISION&gt;</code> with <code>istio.io/rev=stable</code>. Download the Istio 1.10.0 release and install the new control plane with a revision:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl install --revision 1-10-0 -y
|
||
</code></pre>
|
||
<p>Now evaluate that the <code>1.10</code> revision has come up correctly and is healthy. Once satisfied with the stability of new revision you can set the revision tag to the new revision:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set stable --revision 1-10-0 --overwrite
|
||
</code></pre>
|
||
<p>Verify that the revision tag <code>stable</code> is pointing to the new revision:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag list
|
||
TAG REVISION NAMESPACES
|
||
stable 1-10-0 ...
|
||
</code></pre>
|
||
<p>Once prepared to move existing workloads over to the new 1.10 revision, the workloads must be restarted so that the sidecar proxies will use the new control plane. We can go through namespaces one by one and roll the workloads over to the new version:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl rollout restart deployments -n …
|
||
</code></pre>
|
||
<p>Notice an issue after rolling out workloads to the new Istio version? No problem! Since you’re using canary upgrades, the old control plane is still running and we can just switch back over.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x revision tag set prod --revision 1-8-5
|
||
</code></pre>
|
||
<p>Then after triggering another rollout, your workloads will be back on the old version.</p>
|
||
<p>We look forward to hearing about your experience with direct upgrades, and look forward to improving and expanding this functionality in the future.</p></description><pubDate>Mon, 24 May 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/direct-upgrade/</link><author>Mitch Connors (Google), Sam Naser (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/direct-upgrade/</guid><category>upgrade</category><category>Istio</category><category>revision</category></item><item><title>StatefulSets Made Easier With Istio 1.10</title><description>
|
||
<p>Kubernetes <a href="https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/"><code>StatefulSets</code></a> are commonly used to manage stateful applications. In addition to managing the deployment and scaling of a set of <code>Pods</code>, <code>StatefulSets</code> provide guarantees about the ordering and uniqueness of those <code>Pods</code>. Common applications used with <code>StatefulSets</code> include ZooKeeper, Cassandra, Elasticsearch, Redis and NiFi.</p>
|
||
<p>The Istio community has been making gradual progress towards zero-configuration support for <code>StatefulSets</code>; from automatic mTLS, to eliminating the need to create <code>DestinationRule</code> or <code>ServiceEntry</code> resources, to the most recent <a href="/v1.12/blog/2021/upcoming-networking-changes/">pod networking changes in Istio 1.10</a>.</p>
|
||
<p>What is unique about using a <code>StatefulSet</code> with a service mesh? The <code>StatefulSet</code> pods are created from the same spec, but are not interchangeable: each has a persistent identifier that it maintains across any rescheduling. The kind of apps that run in a <code>StatefulSet</code> are often those that need to communicate among their pods, and, as they come from a world of hard-coded IP addresses, may listen on the pod IP only, instead of <code>0.0.0.0</code>.</p>
|
||
<p>ZooKeeper, for example, is configured by default to not listen on all IPs for quorum communication:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >quorumListenOnAllIPs=false
|
||
</code></pre>
|
||
<p>Over the last few releases, the Istio community has <a href="https://github.com/istio/istio/issues/10659">reported many issues</a> around support for applications running in <code>StatefulSets</code>.</p>
|
||
<h2 id="statefulsets-in-action-prior-to-istio-1-10"><code>StatefulSets</code> in action, prior to Istio 1.10</h2>
|
||
<p>In a GKE cluster running Kubernetes 1.19, we have Istio 1.9.5 installed. We enabled automatic sidecar injection in the <code>default</code> namespace, then we installed ZooKeeper using the <a href="https://artifacthub.io/packages/helm/bitnami/zookeeper">Helm charts provided by Bitnami</a>, along with the Istio <code>sleep</code> pod for interactive debugging:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm repo add bitnami https://charts.bitnami.com/bitnami
|
||
$ helm install my-release bitnami/zookeeper --set replicaCount=3
|
||
$ kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml
|
||
</code></pre>
|
||
<p>After a few minutes, all pods come up nicely with sidecar proxies:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl get pods,svc
|
||
NAME READY STATUS RESTARTS AGE
|
||
my-release-zookeeper-0 2/2 Running 0 3h4m
|
||
my-release-zookeeper-1 2/2 Running 0 3h4m
|
||
my-release-zookeeper-2 2/2 Running 0 3h5m
|
||
pod/sleep-8f795f47d-qkgh4 2/2 Running 0 3h8m
|
||
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
|
||
my-release-zookeeper ClusterIP 10.100.1.113 &lt;none&gt; 2181/TCP,2888/TCP,3888/TCP 3h
|
||
my-release-zookeeper-headless ClusterIP None &lt;none&gt; 2181/TCP,2888/TCP,3888/TCP 3h
|
||
service/sleep ClusterIP 10.100.9.26 &lt;none&gt; 80/TCP 3h
|
||
</code></pre>
|
||
<p>Are our ZooKeeper services working and is the status <code>Running</code>? Let’s find out! ZooKeeper listens on 3 ports:</p>
|
||
<ul>
|
||
<li>Port 2181 is the TCP port for clients to connect to the ZooKeeper service</li>
|
||
<li>Port 2888 is the TCP port for peers to connect to other peers</li>
|
||
<li>Port 3888 is the dedicated TCP port for leader election</li>
|
||
</ul>
|
||
<p>By default, the ZooKeeper installation configures port 2181 to listen on <code>0.0.0.0</code> but ports 2888 and 3888 only listen on the pod IP. Let’s check out the network status on each of these ports from one of the ZooKeeper pods:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl exec my-release-zookeeper-1 -c istio-proxy -- netstat -na | grep -E &#39;(2181|2888|3888)&#39;
|
||
tcp 0 0 0.0.0.0:2181 0.0.0.0:* LISTEN
|
||
tcp 0 0 10.96.7.7:3888 0.0.0.0:* LISTEN
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37412 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37486 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37456 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37498 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37384 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37514 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37402 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37434 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37526 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37374 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37442 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:37464 TIME_WAIT
|
||
</code></pre>
|
||
<p>There is nothing <code>ESTABLISHED</code> on port 2888 or 3888. Next, let us get the ZooKeeper server status:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl exec my-release-zookeeper-1 -c zookeeper -- /opt/bitnami/zookeeper/bin/zkServer.sh status
|
||
/opt/bitnami/java/bin/java
|
||
ZooKeeper JMX enabled by default
|
||
Using config: /opt/bitnami/zookeeper/bin/../conf/zoo.cfg
|
||
Client port found: 2181. Client address: localhost. Client SSL: false.
|
||
Error contacting service. It is probably not running.
|
||
</code></pre>
|
||
<p>From the above output, you can see the ZooKeeper service is not functioning properly. Let us check the cluster configuration for one of the ZooKeeper pods:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ istioctl proxy-config cluster my-release-zookeeper-1 --port 3888 --direction inbound -o json
|
||
[
|
||
{
|
||
&#34;name&#34;: &#34;inbound|3888||&#34;,
|
||
&#34;type&#34;: &#34;STATIC&#34;,
|
||
&#34;connectTimeout&#34;: &#34;10s&#34;,
|
||
&#34;loadAssignment&#34;: {
|
||
&#34;clusterName&#34;: &#34;inbound|3888||&#34;,
|
||
&#34;endpoints&#34;: [
|
||
{
|
||
&#34;lbEndpoints&#34;: [
|
||
{
|
||
&#34;endpoint&#34;: {
|
||
&#34;address&#34;: {
|
||
&#34;socketAddress&#34;: {
|
||
&#34;address&#34;: &#34;127.0.0.1&#34;,
|
||
&#34;portValue&#34;: 3888
|
||
}
|
||
}
|
||
}
|
||
}
|
||
]
|
||
}
|
||
]
|
||
},
|
||
...
|
||
</code></pre>
|
||
<p>What is interesting here is that the inbound on port 3888 has <code>127.0.0.1</code> as its endpoint. This is because the Envoy proxy, in versions of Istio prior to 1.10, redirects the inbound traffic to the <code>loopback</code> interface, as described in <a href="/v1.12/blog/2021/upcoming-networking-changes/">our blog post about the change</a>.</p>
|
||
<h2 id="statefulsets-in-action-with-istio-1-10"><code>StatefulSets</code> in action with Istio 1.10</h2>
|
||
<p>Now, we have upgraded our cluster to Istio 1.10 and configured the <code>default</code> namespace to enable 1.10 sidecar injection. Let’s rolling restart the ZooKeeper <code>StatefulSet</code> to update the pods to use the new version of the sidecar proxy:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl rollout restart statefulset my-release-zookeeper
|
||
</code></pre>
|
||
<p>Once the ZooKeeper pods reach the running status, let’s check out the network connections for these 3 ports from any of the ZooKeeper pods:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl exec my-release-zookeeper-1 -c istio-proxy -- netstat -na | grep -E &#39;(2181|2888|3888)&#39;
|
||
tcp 0 0 0.0.0.0:2181 0.0.0.0:* LISTEN
|
||
tcp 0 0 10.96.8.10:2888 0.0.0.0:* LISTEN
|
||
tcp 0 0 10.96.8.10:3888 0.0.0.0:* LISTEN
|
||
tcp 0 0 127.0.0.6:42571 10.96.8.10:2888 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:2888 127.0.0.6:42571 ESTABLISHED
|
||
tcp 0 0 127.0.0.6:42655 10.96.8.10:2888 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:2888 127.0.0.6:42655 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:37876 10.96.6.11:3888 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:44872 10.96.7.10:3888 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:37878 10.96.6.11:3888 ESTABLISHED
|
||
tcp 0 0 10.96.8.10:44870 10.96.7.10:3888 ESTABLISHED
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54508 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54616 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54664 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54526 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54532 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54578 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54634 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54588 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54610 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54550 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54560 TIME_WAIT
|
||
tcp 0 0 127.0.0.1:2181 127.0.0.1:54644 TIME_WAIT
|
||
</code></pre>
|
||
<p>There are <code>ESTABLISHED</code> connections on both port 2888 and 3888! Next, let us check out the ZooKeeper server status:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl exec my-release-zookeeper-1 -c zookeeper -- /opt/bitnami/zookeeper/bin/zkServer.sh status
|
||
/opt/bitnami/java/bin/java
|
||
ZooKeeper JMX enabled by default
|
||
Using config: /opt/bitnami/zookeeper/bin/../conf/zoo.cfg
|
||
Client port found: 2181. Client address: localhost. Client SSL: false.
|
||
Mode: follower
|
||
</code></pre>
|
||
<p>The ZooKeeper service is now running!</p>
|
||
<p>We can connect to each of the ZooKeeper pods from the <code>sleep</code> pod and run the below command to discover the server status of each pod within the <code>StatefulSet</code>. Note that there is no need to create ServiceEntry resources for any of the ZooKeeper pods and we can call these pods directly using their DNS names (e.g. <code>my-release-zookeeper-0.my-release-zookeeper-headless</code>) from the <code>sleep</code> pod.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl exec -it deploy/sleep -c sleep -- sh -c &#39;for x in my-release-zookeeper-0.my-release-zookeeper-headless my-release-zookeeper-1.my-release-zookeeper-headless my-release-zookeeper-2.my-release-zookeeper-headless; do echo $x; echo srvr|nc $x 2181; echo; done&#39;
|
||
my-release-zookeeper-0.my-release-zookeeper-headless
|
||
Zookeeper version: 3.7.0-e3704b390a6697bfdf4b0bef79e3da7a4f6bac4b, built on 2021-03-17 09:46 UTC
|
||
Latency min/avg/max: 1/7.5/20
|
||
Received: 3845
|
||
Sent: 3844
|
||
Connections: 1
|
||
Outstanding: 0
|
||
Zxid: 0x200000002
|
||
Mode: follower
|
||
Node count: 6
|
||
my-release-zookeeper-1.my-release-zookeeper-headless
|
||
Zookeeper version: 3.7.0-e3704b390a6697bfdf4b0bef79e3da7a4f6bac4b, built on 2021-03-17 09:46 UTC
|
||
Latency min/avg/max: 0/0.0/0
|
||
Received: 3856
|
||
Sent: 3855
|
||
Connections: 1
|
||
Outstanding: 0
|
||
Zxid: 0x200000002
|
||
Mode: follower
|
||
Node count: 6
|
||
my-release-zookeeper-2.my-release-zookeeper-headless
|
||
Zookeeper version: 3.7.0-e3704b390a6697bfdf4b0bef79e3da7a4f6bac4b, built on 2021-03-17 09:46 UTC
|
||
Latency min/avg/max: 0/0.0/0
|
||
Received: 3855
|
||
Sent: 3854
|
||
Connections: 1
|
||
Outstanding: 0
|
||
Zxid: 0x200000002
|
||
Mode: leader
|
||
Node count: 6
|
||
Proposal sizes last/min/max: 48/48/48
|
||
</code></pre>
|
||
<p>Now our ZooKeeper service is running, let’s use Istio to secure all communication to our regular and headless services. Apply mutual TLS to the <code>default</code> namespace:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -n default -f - &lt;&lt;EOF
|
||
apiVersion: &#34;security.istio.io/v1beta1&#34;
|
||
kind: &#34;PeerAuthentication&#34;
|
||
metadata:
|
||
name: &#34;default&#34;
|
||
spec:
|
||
mtls:
|
||
mode: STRICT
|
||
EOF
|
||
</code></pre>
|
||
<p>Continue sending some traffic from the <code>sleep</code> pod and bring up the Kiali dashboard to visualize the services in the <code>default</code> namespace:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:38.4204909284952%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/statefulsets-made-easier/view-zookeeper-from-kiali.png" title="Visualize the ZooKeeper Services in Kiali">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/statefulsets-made-easier/view-zookeeper-from-kiali.png" alt="Visualize the ZooKeeper Services in Kiali" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Visualize the ZooKeeper Services in Kiali</figcaption>
|
||
</figure>
|
||
<p>The padlock icons on the traffic flows indicate that the connections are secure.</p>
|
||
<h2 id="wrapping-up">Wrapping up</h2>
|
||
<p>With the new networking changes in Istio 1.10, a Kubernetes pod with a sidecar has the same networking behavior as a pod without a sidecar. This change enables stateful applications to function properly in Istio as we have shown you in this post. We believe this is a huge step towards Istio’s goal of providing transparent service mesh and zero-configuration Istio.</p></description><pubDate>Wed, 19 May 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/statefulsets-made-easier/</link><author>Lin Sun (Solo.io), Christian Posta (Solo.io), John Howard (Google), Zhonghu Xu (Huawei)</author><guid isPermaLink="true">/v1.12/blog/2021/statefulsets-made-easier/</guid><category>statefulset</category><category>Istio</category><category>networking</category><category>localhost</category><category>loopback</category><category>eth0</category></item><item><title>Updates to how Istio security releases are handled: Patch Tuesday, embargoes, and 0-days</title><description>
|
||
<p>While most of the work in the Istio Product Security Working Group is done behind the scenes, we are listening
|
||
to the community in setting expectations for security releases. We understand that it is difficult for mesh
|
||
administrators, operators and vendors to be aware of security bulletins and security releases.</p>
|
||
<p>We currently disclose vulnerabilities and security releases via numerous channels:</p>
|
||
<ul>
|
||
<li><a href="https://istio.io">istio.io</a> via our <a href="/v1.12/news/releases/">Release Announcements</a> and <a href="/v1.12/news/security/">Security Bulletins</a></li>
|
||
<li><a href="https://discuss.istio.io/c/announcements/5">Discuss</a></li>
|
||
<li>announcements channel on <a href="https://istio.slack.com">Slack</a></li>
|
||
<li><a href="https://twitter.com/IstioMesh">Twitter</a></li>
|
||
<li><a href="/v1.12/news/feed.xml">RSS</a></li>
|
||
</ul>
|
||
<p>When operating any software, it is preferable to plan for possible downtime when upgrading. Given the work that the Istio
|
||
community is doing around Day 2 operations in 2021, the Environments working group has done a good job to streamline many
|
||
upgrade issues users have seen. The Product Security Working Group intends to help Day 2 operations by having routine
|
||
security release days so that upgrade operations can be planned in advance for our users.</p>
|
||
<h2 id="patch-tuesdays">Patch Tuesdays</h2>
|
||
<p>The Product Security working group is intending to ship a security release the 2nd Tuesday of each month. These security
|
||
releases may contain fixes for multiple CVEs. It is the intent of the Product Security working group to have these
|
||
security releases not contain any other fixes, although that may not always be possible.</p>
|
||
<p>When the Product Security working group intends to ship an upcoming security patch, an
|
||
announcement will be made on <a href="https://discuss.istio.io/c/announcements/5">the Istio discussion
|
||
board</a> 2 weeks prior to release. If you&rsquo;re
|
||
running Istio in production, we suggest you watch the Announcements category to be
|
||
notified of such a release. If no such announcement is made there will not be a security
|
||
release for that month, barring some exceptions listed below.</p>
|
||
<h3 id="first-patch-tuesday">First Patch Tuesday</h3>
|
||
<p>We are pleased to announce that <a href="/v1.12/news/releases/1.9.x/announcing-1.9.5/">Istio 1.9.5</a>, and the final release of Istio 1.8,
|
||
<a href="/v1.12/news/releases/1.8.x/announcing-1.8.6/">1.8.6</a>, are the first security releases to fit this pattern. As Istio 1.10 will
|
||
be shipping soon we are intending to continue this new tradition in June.</p>
|
||
<p>These releases fix 3 CVEs. Please see the release pages for information regarding the specific CVEs fixed.</p>
|
||
<h2 id="unscheduled-security-releases">Unscheduled security releases</h2>
|
||
<h3 id="0-day-vulnerabilities">0-day vulnerabilities</h3>
|
||
<p>Unfortunately, 0-day vulnerabilities cannot be planned. Upon disclosure, the Product Security Working Group will
|
||
need to issue an out-of-band security release. The above methods will be used to disclose such issues, so please use
|
||
at least one of them to be notified of such disclosures.</p>
|
||
<h3 id="third-party-embargoes">Third party embargoes</h3>
|
||
<p>Similar to 0-day vulnerabilities, security releases can be dictated by third party embargoes, namely Envoy.
|
||
When this occurs, Istio will release a same-day patch once the embargo is lifted.</p>
|
||
<h2 id="security-best-practices">Security Best Practices</h2>
|
||
<p>The <a href="/v1.12/docs/ops/best-practices/security/">Istio Security Best Practices</a> has seen many improvements over the past few
|
||
months. We recommend you check it regularly, as many of our recent security bulletins can be mitigated by utilizing
|
||
methods discussed in the Security Best Practices page.</p>
|
||
<h2 id="early-disclosure-list">Early Disclosure List</h2>
|
||
<p>If you meet <a href="https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md#membership-criteria">the criteria</a> to be
|
||
a part of the <a href="https://github.com/istio/community/blob/master/EARLY-DISCLOSURE.md">Istio Early Disclosure</a> list, please
|
||
apply for membership. Patches for upcoming security releases will be made available to the early disclosure list ~2 weeks
|
||
prior to Istio&rsquo;s Patch Tuesday.</p>
|
||
<p>There will be times when an upcoming Istio security release will also need patches from Envoy. We cannot redistribute
|
||
Envoy patches due to their embargo. <a href="https://github.com/envoyproxy/envoy/security/policy">Please refer to Envoy&rsquo;s guidance</a>
|
||
on how to join their early disclosure list.</p>
|
||
<h2 id="security-feedback">Security Feedback</h2>
|
||
<p>The Product Security Working Group holds bi-weekly meetings on Tuesdays from 9:00-9:30 Pacific. For more information see
|
||
the <a href="https://calendar.google.com/calendar/embed?src=4uhe8fi8sf1e3tvmvh6vrq2dog%40group.calendar.google.com&amp;ctz=America%2FLos_Angeles">Istio Working Group Calendar</a>.</p>
|
||
<p>Our next public meeting will be held on May 25, 2021. Please join us!</p></description><pubDate>Tue, 11 May 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/patch-tuesdays/</link><author>Jacob Delgado (Aspen Mesh)</author><guid isPermaLink="true">/v1.12/blog/2021/patch-tuesdays/</guid><category>cve</category><category>product security</category></item><item><title>Use discovery selectors to configure namespaces for your Istio service mesh</title><description>
|
||
<p>As users move their services to run in the Istio service mesh, they are often surprised that the control plane watches and processes all of the Kubernetes resources, from all namespaces in the cluster, by default. This can be an issue for very large clusters with lots of namespaces and deployments, or even for a moderately sized cluster with rapidly churning resources (for example, Spark jobs).</p>
|
||
<p>Both <a href="https://github.com/istio/istio/issues/26679">in the community</a> as well as for our large-scale customers at <a href="https://solo.io">Solo.io</a>, we need a way to dynamically restrict the set of namespaces that are part of the mesh so that the Istio control plane only processes resources in those namespaces. The ability to restrict the namespaces enables Istiod to watch and push fewer resources and associated changes to the sidecars, thus improving the overall performance on the control plane and data plane.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>By default, Istio watches all Namespaces, Services, Endpoints and Pods in a cluster. For example, in my Kubernetes cluster, I deployed the <code>sleep</code> service in the default namespace, and the <code>httpbin</code> service in the <code>ns-x</code> namespace. I’ve added the <code>sleep</code> service to the mesh, but I have no plan to add the <code>httpbin</code> service to the mesh, or have any service in the mesh interact with the <code>httpbin</code> service.</p>
|
||
<p>Use <code>istioctl proxy-config endpoint</code> command to display all the endpoints for the <code>sleep</code> deployment:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:35.128205128205124%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/discovery-selectors/endpoints-default.png" title="Endpoints for Sleep Deployment">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/discovery-selectors/endpoints-default.png" alt="Endpoints for Sleep Deployment" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Endpoints for Sleep Deployment</figcaption>
|
||
</figure>
|
||
<p>Note that the <code>httpbin</code> service endpoint in the <code>ns-x</code> namespace is in the list of discovered endpoints. This may not be an issue when you only have a few services. However, when you have hundreds of services that don&rsquo;t interact with any of the services running in the Istio service mesh, you probably don&rsquo;t want your Istio control plane to watch these services and send their information to the sidecars of your services in the mesh.</p>
|
||
<h2 id="introducing-discovery-selectors">Introducing Discovery Selectors</h2>
|
||
<p>Starting with Istio 1.10, we are introducing the new <code>discoverySelectors</code> option to <a href="/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">MeshConfig</a>, which is an array of Kubernetes <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements">selectors</a>. The exact type is <code>[]LabelSelector</code>, as defined <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements">here</a>, allowing both simple selectors and set-based selectors. These selectors apply to labels on namespaces.</p>
|
||
<p>You can configure each label selector for expressing a variety of use cases, including but not limited to:</p>
|
||
<ul>
|
||
<li>Arbitrary label names/values, for example, all namespaces with label <code>istio-discovery=enabled</code></li>
|
||
<li>A list of namespace labels using set-based selectors which carries OR semantics, for example, all namespaces with label <code>istio-discovery=enabled</code> OR <code>region=us-east1</code></li>
|
||
<li>Inclusion and/or exclusion of namespaces, for example, all namespaces with label istio-discovery=enabled AND label key <code>app</code> equal to <code>helloworld</code></li>
|
||
</ul>
|
||
<p>Note: <code>discoverySelectors</code> is not a security boundary. Istiod will continue to have access to all namespaces even when you have configured your <code>discoverySelectors</code>.</p>
|
||
<h2 id="discovery-selectors-in-action">Discovery Selectors in Action</h2>
|
||
<p>Assuming you know which namespaces to include as part of the service mesh, as a mesh administrator, you can configure <code>discoverySelectors</code> at installation time or post-installation by adding your desired discovery selectors to Istio’s MeshConfig resource. For example, you can configure Istio to discover only the namespaces that have the label <code>istio-discovery=enabled</code>.</p>
|
||
<ol>
|
||
<li><p>Using our examples earlier, let’s label the <code>default</code> namespace with label <code>istio-discovery=enabled</code>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label namespace default istio-discovery=enabled
|
||
</code></pre></li>
|
||
<li><p>Use <code>istioctl</code> to apply the yaml with <code>discoverySelectors</code> to update your Istio installation. Note, to avoid any impact to your stable environment, we recommend that you use a different revision for your Istio installation:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl install --skip-confirmation -f - &lt;&lt;EOF
|
||
apiVersion: install.istio.io/v1alpha1
|
||
kind: IstioOperator
|
||
metadata:
|
||
namespace: istio-system
|
||
spec:
|
||
# You may override parts of meshconfig by uncommenting the following lines.
|
||
meshConfig:
|
||
discoverySelectors:
|
||
- matchLabels:
|
||
istio-discovery: enabled
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Display the endpoint configuration for the <code>sleep</code> deployment:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:16.08212147134303%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/discovery-selectors/endpoints-with-discovery-selectors.png" title="Endpoints for Sleep Deployment With Discovery Selectors">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/discovery-selectors/endpoints-with-discovery-selectors.png" alt="Endpoints for Sleep Deployment With Discovery Selectors" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Endpoints for Sleep Deployment With Discovery Selectors</figcaption>
|
||
</figure>
|
||
<p>Note this time the <code>httpbin</code> service in the <code>ns-x</code> namespace is NOT in the list of discovered endpoints, along with many other services that are not in the default namespace. If you display routes (or cluster or listeners) information for the <code>sleep</code> deployment, you will also notice much less configuration is returned:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:26.88356164383562%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/discovery-selectors/routes-with-discovery-selectors.png" title="Routes for Sleep Deployment With Discovery Selectors">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/discovery-selectors/routes-with-discovery-selectors.png" alt="Routes for Sleep Deployment With Discovery Selectors" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Routes for Sleep Deployment With Discovery Selectors</figcaption>
|
||
</figure></li>
|
||
</ol>
|
||
<p>You can use <code>matchLabels</code> to configure multiple labels with AND semantics or use <code>matchLabels</code> sets to configure OR semantics among multiple labels. Whether you deploy services or pods to namespaces with different sets of labels or multiple application teams in your organization use different labeling conventions, <code>discoverySelectors</code> provides the flexibility you need. Furthermore, you could use <code>matchLabels</code> and <code>matchExpressions</code> together per our <a href="https://github.com/istio/api/blob/master/mesh/v1alpha1/config.proto#L792">documentation</a>. Refer to the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors">Kubernetes selector docs</a> for additional detail on selector semantics.</p>
|
||
<h2 id="discovery-selectors-vs-sidecar-resource">Discovery Selectors vs Sidecar Resource</h2>
|
||
<p>The <code>discoverySelectors</code> configuration enables users to dynamically restrict the set of namespaces that are part of the mesh. A <a href="/v1.12/docs/reference/config/networking/sidecar/">Sidecar</a> resource also controls the visibility of sidecar configurations and what gets pushed to the sidecar proxy. What are the differences between them?</p>
|
||
<ul>
|
||
<li>The <code>discoverySelectors</code> configuration declares what Istio control plane watches and processes. Without <code>discoverySelectors</code> configuration, the Istio control plane watches and processes all namespaces/services/endpoints/pods in the cluster regardless of the sidecar resources you have.</li>
|
||
<li><code>discoverySelectors</code> is configured globally for the mesh by the mesh administrators. While Sidecar resources can also be configured for the mesh globally by the mesh administrators in the MeshConfig root namespace, they are commonly configured by service owners for their namespaces.</li>
|
||
</ul>
|
||
<p>You can use <code>discoverySelectors</code> with Sidecar resources. You can use <code>discoverySelectors</code> to configure at the mesh-wide level what namespaces the Istio control plane should watch and process. For these namespaces in the Istio service mesh, you can create Sidecar resources globally or per namespace to further control what gets pushed to the sidecar proxies. Let us add <code>Bookinfo</code> services to the <code>ns-y</code> namespace in the mesh as shown in the diagram below. <code>discoverySelectors</code> enables us to define the <code>default</code> and <code>ns-y</code> namespaces are part of the mesh. How can we configure the <code>sleep</code> service not to see anything other than the <code>default</code> namespace? Adding a Sidecar resource for the default namespace, we can effectively configure the <code>sleep</code> sidecar to only have visibility to the clusters/routes/listeners/endpoints associated with its current namespace plus any other required namespaces.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:83.06010928961749%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/discovery-selectors/discovery-selectors-vs-sidecar.png" title="Discovery Selectors vs Sidecar Resource">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/discovery-selectors/discovery-selectors-vs-sidecar.png" alt="Discovery Selectors vs Sidecar Resource" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Discovery Selectors vs Sidecar Resource</figcaption>
|
||
</figure>
|
||
<h2 id="wrapping-up">Wrapping up</h2>
|
||
<p>Discovery selectors are powerful configurations to tune the Istio control plane to only watch and process specific namespaces. If you don&rsquo;t want all namespaces in your Kubernetes cluster to be part of the service mesh or you have multiple Istio service meshes within your Kubernetes cluster, we highly recommend that you explore this configuration and reach out to us for feedback on our <a href="https://istio.slack.com">Istio slack</a> or GitHub.</p></description><pubDate>Fri, 30 Apr 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/discovery-selectors/</link><author>Lin Sun (Solo.io), Christian Posta (Solo.io), Harvey Xia (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2021/discovery-selectors/</guid><category>discoveryselectors</category><category>Istio</category><category>namespaces</category><category>sidecar</category></item><item><title>Upcoming networking changes in Istio 1.10</title><description>
|
||
<h2 id="background">Background</h2>
|
||
<p>While Kubernetes networking is customizable, a typical pod&rsquo;s network will look like this:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/upcoming-networking-changes/pod.svg" title="A pod&#39;s network">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/upcoming-networking-changes/pod.svg" alt="A pod&#39;s network" />
|
||
</a>
|
||
</div>
|
||
<figcaption>A pod&#39;s network</figcaption>
|
||
</figure>
|
||
<p>An application may choose to bind to either the loopback interface <code>lo</code> (typically binding to <code>127.0.0.1</code>), or the pods network interface <code>eth0</code> (typically to the pod&rsquo;s IP), or both (typically binding to <code>0.0.0.0</code>).</p>
|
||
<p>Binding to <code>lo</code> allows calls such as <code>curl localhost</code> to work from within the pod.
|
||
Binding to <code>eth0</code> allows calls to the pod from other pods.</p>
|
||
<p>Typically, an application will bind to both.
|
||
However, applications which have internal logic, such as an admin interface may choose to bind to only <code>lo</code> to avoid access from other pods.
|
||
Additionally, some applications, typically stateful applications, choose to bind only to <code>eth0</code>.</p>
|
||
<h2 id="current-behavior">Current behavior</h2>
|
||
<p>In Istio prior to release 1.10, the Envoy proxy, running in the same pod as the application, binds to the <code>eth0</code> interface and redirects all inbound traffic to the <code>lo</code> interface.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/upcoming-networking-changes/current.svg" title="A pod&#39;s network with Istio today">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/upcoming-networking-changes/current.svg" alt="A pod&#39;s network with Istio today" />
|
||
</a>
|
||
</div>
|
||
<figcaption>A pod&#39;s network with Istio today</figcaption>
|
||
</figure>
|
||
<p>This has two important side effects that cause the behavior to differ from standard Kubernetes:</p>
|
||
<ul>
|
||
<li>Applications binding only to <code>lo</code> will receive traffic from other pods, when otherwise this is not allowed.</li>
|
||
<li>Applications binding only to <code>eth0</code> will not receive traffic.</li>
|
||
</ul>
|
||
<p>Applications that bind to both interfaces (which is typical) will not be impacted.</p>
|
||
<h2 id="future-behavior">Future behavior</h2>
|
||
<p>Starting with Istio 1.10, the networking behavior is changed to align with the standard behavior present in Kubernetes.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/upcoming-networking-changes/planned.svg" title="A pod&#39;s network with Istio in the future">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/upcoming-networking-changes/planned.svg" alt="A pod&#39;s network with Istio in the future" />
|
||
</a>
|
||
</div>
|
||
<figcaption>A pod&#39;s network with Istio in the future</figcaption>
|
||
</figure>
|
||
<p>Here we can see that the proxy no longer redirects the traffic to the <code>lo</code> interface, but instead forwards it to the application on <code>eth0</code>.
|
||
As a result, the standard behavior of Kubernetes is retained, but we still get all the benefits of Istio.
|
||
This change allows Istio to get closer to its goal of being a drop-in transparent proxy that works with existing workloads with <a href="/v1.12/blog/2021/zero-config-istio/">zero configuration</a>.
|
||
Additionally, it avoids unintended exposure of applications binding only to <code>lo</code>.</p>
|
||
<h2 id="am-i-impacted">Am I impacted?</h2>
|
||
<p>For new users, this change should only be an improvement.
|
||
However, if you are an existing user, you may have come to depend on the old behavior, intentionally or accidentally.</p>
|
||
<p>To help detect these situations, we have added a check to find pods that will be impacted.
|
||
You can run the <code>istioctl experimental precheck</code> command to get a report of any pods binding to <code>lo</code> on a port exposed in a <code>Service</code>.
|
||
This command is available in Istio 1.10+.
|
||
<strong>Without action, these ports will no longer be accessible upon upgrade.</strong></p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl experimental precheck
|
||
Error [IST0143] (Pod echo-local-849647c5bd-g9wxf.default) Port 443 is exposed in a Service but listens on localhost. It will not be exposed to other pods.
|
||
Error [IST0143] (Pod echo-local-849647c5bd-g9wxf.default) Port 7070 is exposed in a Service but listens on localhost. It will not be exposed to other pods.
|
||
Error: Issues found when checking the cluster. Istio may not be safe to install or upgrade.
|
||
See https://istio.io/latest/docs/reference/config/analysis for more information about causes and resolutions.
|
||
</code></pre>
|
||
<h3 id="migration">Migration</h3>
|
||
<p>If you are currently binding to <code>lo</code>, you have a few options:</p>
|
||
<ul>
|
||
<li>Switch your application to bind to all interfaces (<code>0.0.0.0</code> or <code>::</code>).</li>
|
||
<li><p>Explicitly configure the port using the <a href="/v1.12/docs/reference/config/networking/sidecar/#IstioIngressListener"><code>Sidecar</code> ingress configuration</a> to send to <code>lo</code>, preserving the old behavior.</p>
|
||
<p>For example, to configure request to be sent to <code>localhost</code> for the <code>ratings</code> application:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: Sidecar
|
||
metadata:
|
||
name: ratings
|
||
spec:
|
||
workloadSelector:
|
||
labels:
|
||
app: ratings
|
||
ingress:
|
||
- port:
|
||
number: 8080
|
||
protocol: HTTP
|
||
name: http
|
||
defaultEndpoint: 127.0.0.1:8080
|
||
</code></pre></li>
|
||
<li><p>Disable the change entirely with the <code>PILOT_ENABLE_INBOUND_PASSTHROUGH=false</code> environment variable in Istiod, to enable the same behavior as prior to Istio 1.10. This option will be removed in the future.</p></li>
|
||
</ul></description><pubDate>Thu, 15 Apr 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/upcoming-networking-changes/</link><author>John Howard (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/upcoming-networking-changes/</guid></item><item><title>Istio and Envoy WebAssembly Extensibility, One Year On</title><description>
|
||
<p>One year ago today, in the 1.5 release, we introduced <a href="/v1.12/blog/2020/wasm-announce/">WebAssembly-based extensibility</a> to Istio.
|
||
Over the course of the year, the Istio, Envoy, and Proxy-Wasm communities have continued our joint efforts to make WebAssembly (Wasm)
|
||
extensibility stable, reliable, and easy to adopt. Let&rsquo;s walk through the updates to Wasm support through the Istio 1.9 release,
|
||
and our plans for the future.</p>
|
||
<h2 id="webassembly-support-merged-in-upstream-envoy">WebAssembly support merged in upstream Envoy</h2>
|
||
<p>After adding experimental support for Wasm and the WebAssembly for Proxies (Proxy-Wasm) ABI to Istio&rsquo;s fork of Envoy, we collected some great feedback from our community of early adopters. This, combined with the experience gained from developing core Istio Wasm extensions, helped us mature and stabilize the runtime.
|
||
These improvements unblocked merging Wasm support directly into Envoy upstream in October 2020, allowing it to become part of all official Envoy releases.
|
||
This was a significant milestone, since it indicates that:</p>
|
||
<ul>
|
||
<li>The runtime is ready for wider adoption.</li>
|
||
<li>The programming ABI/API, extension configuration API, and runtime behavior, are becoming stable.</li>
|
||
<li>You can expect a larger community of adoption and support moving forward.</li>
|
||
</ul>
|
||
<h2 id="wasm-extensions-ecosystem-repository"><code>wasm-extensions</code> Ecosystem Repository</h2>
|
||
<p>As an early adopter of the Envoy Wasm runtime, the Istio Extensions and Telemetry working group gained a lot of experience in developing extensions. We built several first-class extensions, including <a href="/v1.12/docs/reference/config/proxy_extensions/metadata_exchange/">metadata exchange</a>, <a href="/v1.12/docs/reference/config/proxy_extensions/stats/">Prometheus stats</a>, and <a href="/v1.12/docs/reference/config/proxy_extensions/attributegen/">attribute generation</a>.
|
||
In order to share our learning more broadly, we created a <a href="https://github.com/istio-ecosystem/wasm-extensions"><code>wasm-extensions</code> repository</a> in the <code>istio-ecosystem</code> organization. This repository serves two purposes:</p>
|
||
<ul>
|
||
<li>It provides canonical example extensions, covering several highly demanded features (such as <a href="https://github.com/istio-ecosystem/wasm-extensions/tree/master/extensions/basic_auth">basic authentication</a>).</li>
|
||
<li>It provides a guide for Wasm extension development, testing, and release. The guide is based on the same build tool chains and test frameworks that are used, maintained and tested by the Istio extensibility team.</li>
|
||
</ul>
|
||
<p>The guide currently covers <a href="https://github.com/istio-ecosystem/wasm-extensions/blob/master/doc/write-a-wasm-extension-with-cpp.md">WebAssembly extension development</a>
|
||
and <a href="https://github.com/istio-ecosystem/wasm-extensions/blob/master/doc/write-cpp-unit-test.md">unit testing</a> with C++,
|
||
as well as <a href="https://github.com/istio-ecosystem/wasm-extensions/blob/master/doc/write-integration-test.md">integration testing</a> with a Go test framework,
|
||
which simulates a real runtime by running a Wasm module with the Istio proxy binary.
|
||
In the future, we will also add several more canonical extensions, such as an integration with Open Policy Agent, and header manipulation based on JWT tokens.</p>
|
||
<h2 id="wasm-module-distribution-via-the-istio-agent">Wasm module distribution via the Istio Agent</h2>
|
||
<p>Prior to Istio 1.9, <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-remotedatasource">Envoy remote data sources</a> were needed to distribute remote Wasm modules to the proxy.
|
||
<a href="https://gist.github.com/bianpengyuan/8377898190e8052ffa36e88a16911910">In this example</a>,
|
||
you can see two <code>EnvoyFilter</code> resources are defined: one to add a remote fetch Envoy cluster, and the other one to inject a Wasm filter into the HTTP filter chain.
|
||
This method has a drawback: if remote fetch fails, either due to bad configuration or transient error, Envoy will be stuck with the bad configuration.
|
||
If a Wasm extension is configured as <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-pluginconfig">fail closed</a>, a bad remote fetch will stop Envoy from serving.
|
||
To fix this issue, <a href="https://github.com/envoyproxy/envoy/issues/9447">a fundamental change</a> is needed to the Envoy xDS protocol to make it allow asynchronous xDS responses.</p>
|
||
<p>Istio 1.9 provides a reliable distribution mechanism out of the box by leveraging the xDS proxy inside istio-agent and Envoy&rsquo;s <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/overview/extension">Extension Configuration Discovery Service</a> (ECDS).</p>
|
||
<p>istio-agent intercepts the extension config resource update from istiod, reads the remote fetch hint from it, downloads the Wasm module, and rewrites the ECDS configuration with the path of the downloaded Wasm module.
|
||
If the download fails, istio-agent will reject the ECDS update and prevent a bad configuration reaching Envoy. For more detail, please see <a href="/v1.12/docs/ops/configuration/extensibility/wasm-module-distribution/">our docs on Wasm module distribution</a>.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/wasm-progress/architecture-istio-agent-downloading-wasm-module.svg" title="Remote Wasm module fetch flow">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/wasm-progress/architecture-istio-agent-downloading-wasm-module.svg" alt="Remote Wasm module fetch flow" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Remote Wasm module fetch flow</figcaption>
|
||
</figure>
|
||
<h2 id="istio-wasm-sig-and-future-work">Istio Wasm SIG and Future Work</h2>
|
||
<p>Although we have made a lot of progress on Wasm extensibility, there are still many aspects of the project that remain to be completed. In order to consolidate the efforts from various parties and better tackle the challenges ahead, we have formed an <a href="https://discuss.istio.io/t/introducing-wasm-sig/9930">Istio WebAssembly SIG</a>, with aim of providing a standard and reliable way for Istio to consume Wasm extensions. Here are some of the things we are working on:</p>
|
||
<ul>
|
||
<li><strong>A first-class extension API</strong>: Currently Wasm extensions needs to be injected via Istio&rsquo;s <code>EnvoyFilter</code> API. A first-class extension API will make using Wasm with Istio easier, and we expect this to be introduced in Istio 1.10.</li>
|
||
<li><strong>Distribution artifacts interoperability</strong>: Built on top of Solo.io’s <a href="https://www.solo.io/blog/announcing-the-webassembly-wasm-oci-image-spec/">WebAssembly OCI image spec effort</a>, a standard Wasm artifacts format will make it easy to build, pull, publish, and execute.</li>
|
||
<li><strong>Container Storage Interface (CSI) based artifacts distribution</strong>: Using istio-agent to distribute modules is easy for adoption, but may not be efficient as each proxy will keep a copy of the Wasm module. As a more efficient solution, with <a href="https://kubernetes-csi.github.io/docs/ephemeral-local-volumes.html">Ephemeral CSI</a>, a DaemonSet will be provided which could configure storage for pods. Working similarly to a CNI plugin, a CSI driver would fetch the Wasm module out-of-band from the xDS flow and mount it inside the <code>rootfs</code> when the pod starts up.</li>
|
||
</ul>
|
||
<p>If you would like to join us, the group will meet every other week Tuesdays at 2PM PT. You can find the meeting on the <a href="https://github.com/istio/community/blob/master/WORKING-GROUPS.md#working-group-meetings">Istio working group calendar</a>.</p>
|
||
<p>We look forward to seeing how you will use Wasm to extend Istio!</p></description><pubDate>Fri, 05 Mar 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/wasm-progress/</link><author>Pengyuan Bian (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/wasm-progress/</guid><category>wasm</category><category>extensibility</category><category>WebAssembly</category></item><item><title>Migrate pre-Istio 1.4 Alpha security policy to the current APIs</title><description>
|
||
<p>In versions of Istio prior to 1.4, security policy was configured using <code>v1alpha1</code> APIs (<code>MeshPolicy</code>, <code>Policy</code>, <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>). After consulting with our early adopters, we made <a href="/v1.12/blog/2019/v1beta1-authorization-policy/">major improvements to the policy system</a> and released <code>v1beta1</code> APIs along with Istio 1.4. These refreshed APIs (<code>PeerAuthentication</code>, <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>) helped standardize how we define policy targets in Istio, helped users understand where policies were applied, and cut the number of configuration objects required.</p>
|
||
<p>The old APIs were deprecated in Istio 1.4. Two releases after the <code>v1beta1</code> APIs were introduced, Istio 1.6 removed support for the <code>v1alpha1</code> APIs.</p>
|
||
<p>If you are using a version of Istio prior to 1.6 and you want to upgrade, you will have to migrate your alpha security policy objects to the beta API. This tutorial will help you make that move.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">If you adopted Istio after version 1.6, or you&rsquo;re not using <code>v1alpha1</code> security APIs, you can stop reading.</div>
|
||
</aside>
|
||
</div>
|
||
<h2 id="overview">Overview</h2>
|
||
<p>Your control plane must first be upgraded to a version that supports the <code>v1beta1</code> security policy.</p>
|
||
<p>It is recommended to first upgrade to Istio 1.5 as a transitive version, because it is the only version that supports both
|
||
<code>v1alpha1</code> and <code>v1beta1</code> security policies. You will complete the security policy migration in Istio 1.5, remove the
|
||
<code>v1alpha1</code> security policy, and then continue to upgrade to later Istio versions. For a given workload, the <code>v1beta1</code>
|
||
version will take precedence over the <code>v1alpha1</code> version.</p>
|
||
<p>Alternatively, if you want to do a skip-level upgrade directly from Istio 1.4 to 1.6 or later, you should use the
|
||
<a href="/v1.12/docs/setup/upgrade/canary/">canary upgrade</a> method to install a new Istio version as a separate control plane, and
|
||
gradually migrate your workloads to the new control plane completing the security policy migration at the same time.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">Skip-level upgrades are not supported by Istio and there might be other issues in this process. Istio 1.6 does not support
|
||
the <code>v1alpha1</code> security policy, and if you do not migrate your old policies before the upgrade, you are essentially removing
|
||
all your security policies.</div>
|
||
</aside>
|
||
</div>
|
||
<p>In either case, it is recommended to migrate using namespace granularity: for each namespace, find all the
|
||
<code>v1alpha1</code> policies that have an effect on workloads in the namespace and migrate all the policies to <code>v1beta1</code>
|
||
at the same time. This allows a safer migration as you can make sure everything is working as expected,
|
||
and then move forward to the next namespace.</p>
|
||
<h2 id="major-differences">Major differences</h2>
|
||
<p>Before starting the migration, read through the <code>v1beta1</code> <a href="/v1.12/docs/concepts/security/#authentication">authentication</a>
|
||
and <a href="/v1.12/docs/concepts/security/#authorization">authorization</a> documentation to understand the <code>v1beta1</code> policy.</p>
|
||
<p>You should examine all of your existing <code>v1alpha1</code> security policies, find out what fields are used and which policies
|
||
need migration, compare the findings with the major differences listed below and confirm there are no blocking issues
|
||
(e.g., using an alpha feature that is no longer supported in beta):</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Major Differences</th>
|
||
<th><code>v1alpha1</code></th>
|
||
<th><code>v1beta1</code></th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>API stability</td>
|
||
<td>not backward compatible</td>
|
||
<td>backward compatible</td>
|
||
</tr>
|
||
<tr>
|
||
<td>mTLS</td>
|
||
<td><code>MeshPolicy</code> and <code>Policy</code></td>
|
||
<td><code>PeerAuthentication</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>JWT</td>
|
||
<td><code>MeshPolicy</code> and <code>Policy</code></td>
|
||
<td><code>RequestAuthentication</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Authorization</td>
|
||
<td><code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td>
|
||
<td><code>AuthorizationPolicy</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Policy target</td>
|
||
<td>service name based</td>
|
||
<td>workload selector based</td>
|
||
</tr>
|
||
<tr>
|
||
<td>Port number</td>
|
||
<td>service ports</td>
|
||
<td>workload ports</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>Although <code>RequestAuthentication</code> in <code>v1beta1</code> security policy is similar to the <code>v1alpha1</code> JWT policy, there is a notable
|
||
semantics change. The <code>v1alpha1</code> JWT policy needs to be migrated to two <code>v1beta1</code> resources: <code>RequestAuthentication</code> and
|
||
<code>AuthorizationPolicy</code>. This will change the JWT deny message due to the use of <code>AuthorizationPolicy</code>. In the alpha version,
|
||
the HTTP code 401 is returned with the body <code>Origin authentication failed</code>. In the beta version, the HTTP code 403 is
|
||
returned with the body <code>RBAC: access denied</code>.</p>
|
||
<p>The <code>v1alpha1</code> JWT policy <a href="https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#Jwt-TriggerRule"><code>triggerRule</code> field</a>
|
||
is replaced by the <code>AuthorizationPolicy</code> with the exception that the <a href="https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/#StringMatch"><code>regex</code> field</a>
|
||
is no longer supported.</p>
|
||
<h2 id="migration-flow">Migration flow</h2>
|
||
<p>This section describes in detail how to migrate a <code>v1alpha1</code> security policy.</p>
|
||
<h3 id="step-1-find-related-policies">Step 1: Find related policies</h3>
|
||
<p>For each namespace, find all <code>v1alpha1</code> security policies that have an effect on workloads in the namespace. The result
|
||
could include:</p>
|
||
<ul>
|
||
<li>a single <code>MeshPolicy</code> that applies to all services in the mesh;</li>
|
||
<li>a single namespace-level <code>Policy</code> that applies to all workloads in the namespace;</li>
|
||
<li>multiple service-level <code>Policy</code> objects that apply to the selected services in the namespace;</li>
|
||
<li>a single <code>ClusterRbacConfig</code> that enables the RBAC on the whole namespace or some services in the namespace;</li>
|
||
<li>multiple namespace-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to all services in the namespace;</li>
|
||
<li>multiple service-level <code>ServiceRole</code> and <code>ServiceRoleBinding</code> objects that apply to the selected services in the namespace;</li>
|
||
</ul>
|
||
<h3 id="step-2-convert-service-name-to-workload-selector">Step 2: Convert service name to workload selector</h3>
|
||
<p>The <code>v1alpha1</code> policy selects targets using their service name. You should refer to the corresponding service definition to decide
|
||
the workload selector that should be used in the <code>v1beta1</code> policy.</p>
|
||
<p>A single <code>v1alpha1</code> policy may include multiple services. It will need to be migrated to multiple <code>v1beta1</code> policies
|
||
because the <code>v1beta1</code> policy currently only supports at most one workload selector per policy.</p>
|
||
<p>Also note the <code>v1alpha1</code> policy uses service port but the <code>v1beta1</code> policy uses the workload port. This means the port number might be
|
||
different in the migrated <code>v1beta1</code> policy.</p>
|
||
<h3 id="step-3-migrate-authentication-policy">Step 3: Migrate authentication policy</h3>
|
||
<p>For each <code>v1alpha1</code> authentication policy, migrate with the following rules:</p>
|
||
<ol>
|
||
<li><p>If the whole namespace is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
|
||
<code>AuthorizationPolicy</code> without a workload selector for the whole namespace. Fill out the policy based on the
|
||
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the namespace.</p></li>
|
||
<li><p>If a workload is enabled with mTLS or JWT, create the <code>PeerAuthentication</code>, <code>RequestAuthentication</code> and
|
||
<code>AuthorizationPolicy</code> with a corresponding workload selector for the workload. Fill out the policy based on the
|
||
semantics of the corresponding <code>MeshPolicy</code> or <code>Policy</code> for the workload.</p></li>
|
||
<li><p>For mTLS related configuration, use <code>STRICT</code> mode if the alpha policy is using <code>STRICT</code>, or use <code>PERMISSIVE</code> in all other cases.</p></li>
|
||
<li><p>For JWT related configuration, refer to the <a href="/v1.12/docs/tasks/security/authentication/authn-policy/#end-user-authentication"><code>end-user authentication</code> documentation</a>
|
||
to learn how to migrate to <code>RequestAuthentication</code> and <code>AuthorizationPolicy</code>.</p></li>
|
||
</ol>
|
||
<p>A <a href="https://github.com/istio-ecosystem/security-policy-migrate">security policy migration tool</a> is provided to
|
||
automatically migrate authentication policy automatically. Please refer to the tool&rsquo;s README for its usage.</p>
|
||
<h3 id="step-4-migrate-rbac-policy">Step 4: Migrate RBAC policy</h3>
|
||
<p>For each <code>v1alpha1</code> RBAC policy, migrate with the following rules:</p>
|
||
<ol>
|
||
<li><p>If the whole namespace is enabled with RBAC, create an <code>AuthorizationPolicy</code> without a workload selector for the whole
|
||
namespace. Add an empty rule so that it will deny all requests to the namespace by default.</p></li>
|
||
<li><p>If a workload is enabled with RBAC, create an <code>AuthorizationPolicy</code> with a corresponding workload selector for the workload.
|
||
Add rules based on the semantics of the corresponding <code>ServiceRole</code> and <code>ServiceRoleBinding</code> for the workload.</p></li>
|
||
</ol>
|
||
<h3 id="step-5-verify-migrated-policy">Step 5: Verify migrated policy</h3>
|
||
<ol>
|
||
<li><p>Double check the migrated <code>v1beta1</code> policies: make sure there are no policies with duplicate names, the namespace
|
||
is specified correctly and all <code>v1alpha1</code> policies for the given namespace are migrated.</p></li>
|
||
<li><p>Dry-run the <code>v1beta1</code> policy with the command <code>kubectl apply --dry-run=server -f beta-policy.yaml</code> to make sure it
|
||
is valid.</p></li>
|
||
<li><p>Apply the <code>v1beta1</code> policy to the given namespace and closely monitor the effect. Make sure to test both allow and
|
||
deny scenarios if JWT or authorization are used.</p></li>
|
||
<li><p>Migrate the next namespace. Only remove the <code>v1alpha1</code> policy after completing migration for all namespaces successfully.</p></li>
|
||
</ol>
|
||
<h2 id="example">Example</h2>
|
||
<h3 id="v1alpha1-policy"><code>v1alpha1</code> policy</h3>
|
||
<p>This section gives a full example showing the migration for namespace <code>foo</code>. Assume the namespace <code>foo</code> has the following
|
||
<code>v1alpha1</code> policies that affect the workloads in it:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' ># A MeshPolicy that enables mTLS globally, including the whole foo namespace
|
||
apiVersion: &#34;authentication.istio.io/v1alpha1&#34;
|
||
kind: &#34;MeshPolicy&#34;
|
||
metadata:
|
||
name: &#34;default&#34;
|
||
spec:
|
||
peers:
|
||
- mtls: {}
|
||
---
|
||
# A Policy that enables mTLS permissive mode and enables JWT for the httpbin service on port 8000
|
||
apiVersion: authentication.istio.io/v1alpha1
|
||
kind: Policy
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
targets:
|
||
- name: httpbin
|
||
ports:
|
||
- number: 8000
|
||
peers:
|
||
- mtls:
|
||
mode: PERMISSIVE
|
||
origins:
|
||
- jwt:
|
||
issuer: testing@example.com
|
||
jwksUri: https://www.example.com/jwks.json
|
||
triggerRules:
|
||
- includedPaths:
|
||
- prefix: /admin/
|
||
excludedPaths:
|
||
- exact: /admin/status
|
||
principalBinding: USE_ORIGIN
|
||
---
|
||
# A ClusterRbacConfig that enables RBAC globally, including the foo namespace
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ClusterRbacConfig
|
||
metadata:
|
||
name: default
|
||
spec:
|
||
mode: &#39;ON&#39;
|
||
---
|
||
# A ServiceRole that enables RBAC for the httpbin service
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRole
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
rules:
|
||
- services: [&#34;httpbin.foo.svc.cluster.local&#34;]
|
||
methods: [&#34;GET&#34;]
|
||
---
|
||
# A ServiceRoleBinding for the above ServiceRole
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
subjects:
|
||
- user: cluster.local/ns/foo/sa/sleep
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: httpbin
|
||
</code></pre>
|
||
<h3 id="httpbin-service"><code>httpbin</code> service</h3>
|
||
<p>The <code>httpbin</code> service has the following definition:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
ports:
|
||
- name: http
|
||
port: 8000
|
||
targetPort: 80
|
||
selector:
|
||
app: httpbin
|
||
</code></pre>
|
||
<p>This means the service name <code>httpbin</code> should be replaced by the workload selector <code>app: httpbin</code>, and the service port 8000
|
||
should be replaced by the workload port 80.</p>
|
||
<h3 id="v1beta1-authentication-policy"><code>v1beta1</code> authentication policy</h3>
|
||
<p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> authentication policies in <code>foo</code> namespace are listed below:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' ># A PeerAuthentication that enables mTLS for the foo namespace, migrated from the MeshPolicy
|
||
# Alternatively the MeshPolicy could also be migrated to a PeerAuthentication at mesh level
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: PeerAuthentication
|
||
metadata:
|
||
name: default
|
||
namespace: foo
|
||
spec:
|
||
mtls:
|
||
mode: STRICT
|
||
---
|
||
# A PeerAuthentication that enables mTLS for the httpbin workload, migrated from the Policy
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: PeerAuthentication
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
# port level mtls set for the workload port 80 corresponding to the service port 8000
|
||
portLevelMtls:
|
||
80:
|
||
mode: PERMISSIVE
|
||
--
|
||
# A RequestAuthentication that enables JWT for the httpbin workload, migrated from the Policy
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: RequestAuthentication
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
jwtRules:
|
||
- issuer: testing@example.com
|
||
jwksUri: https://www.example.com/jwks.json
|
||
---
|
||
# An AuthorizationPolicy that enforces to require JWT validation for the httpbin workload, migrated from the Policy
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin-jwt
|
||
namespace: foo
|
||
spec:
|
||
# Use DENY action to explicitly deny requests without JWT token
|
||
action: DENY
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
rules:
|
||
- from:
|
||
- source:
|
||
# This makes sure requests without JWT token will be denied
|
||
notRequestPrincipals: [&#34;*&#34;]
|
||
to:
|
||
- operation:
|
||
# This should be the workload port 80, not the service port 8000
|
||
ports: [&#34;80&#34;]
|
||
# The path and notPath is converted from the trigger rule in the Policy
|
||
paths: [&#34;/admin/*&#34;]
|
||
notPaths: [&#34;/admin/status&#34;]
|
||
</code></pre>
|
||
<h3 id="v1beta1-authorization-policy"><code>v1beta1</code> authorization policy</h3>
|
||
<p>The migrated <code>v1beta1</code> policies for the <code>v1alpha1</code> RBAC policies in <code>foo</code> namespace are listed below:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' ># An AuthorizationPolicy that denies by default, migrated from the ClusterRbacConfig
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: default
|
||
namespace: foo
|
||
spec:
|
||
# An empty rule that allows nothing
|
||
{}
|
||
---
|
||
# An AuthorizationPolicy that enforces to authorization for the httpbin workload, migrated from the ServiceRole and ServiceRoleBinding
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
version: v1
|
||
action: ALLOW
|
||
rules:
|
||
- from:
|
||
- source:
|
||
principals: [&#34;cluster.local/ns/foo/sa/sleep&#34;]
|
||
to:
|
||
- operation:
|
||
methods: [&#34;GET&#34;]
|
||
</code></pre>
|
||
<h2 id="finish-the-upgrade">Finish the upgrade</h2>
|
||
<p>Congratulations; having reached this point, you should only have <code>v1beta1</code> policy objects, and you will be able to continue upgrading Istio to 1.6 and beyond.</p></description><pubDate>Wed, 03 Mar 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/migrate-alpha-policy/</link><author>Yangmin Zhu (Google), Craig Box (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/migrate-alpha-policy/</guid><category>security</category><category>policy</category><category>migrate</category><category>alpha</category><category>beta</category><category>deprecate</category><category>peer</category><category>jwt</category><category>authorization</category></item><item><title>Zero Configuration Istio</title><description>
|
||
<p>When a new user encounters Istio for the first time, they are sometimes overwhelmed by the vast feature
|
||
set it exposes. Unfortunately, this can give the impression that Istio is needlessly complex
|
||
and not fit for small teams or clusters.</p>
|
||
<p>One great part about Istio, however, is that it aims to bring as much value to users out of the box without any configuration at all.
|
||
This enables users to get most of the benefits of Istio with minimal efforts. For some users with simple requirements, custom configurations
|
||
may never be required at all. Others will be able to incrementally add Istio configurations once they are more comfortable and as they need them, such as to add
|
||
ingress routing, fine-tune networking settings, or lock down security policies.</p>
|
||
<h2 id="getting-started">Getting started</h2>
|
||
<p>To get started, check out our <a href="/v1.12/docs/setup/getting-started/">getting started</a> documentation, where you will learn how to install Istio.
|
||
If you are already familiar, you can simply run <code>istioctl install</code>.</p>
|
||
<p>Next, we will explore all the benefits Istio provides us, without any configuration or changes to application code.</p>
|
||
<h2 id="security">Security</h2>
|
||
<p>Istio automatically enables <a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS</a> for traffic between pods in the mesh.
|
||
This enables applications to forgo complex TLS configuration and certificate management, and offload all transport layer security to the sidecar.</p>
|
||
<p>Once comfortable with automatic TLS, you may choose to <a href="/v1.12/docs/tasks/security/authentication/mtls-migration/">allow only mTLS traffic</a>, or configure custom <a href="/v1.12/docs/tasks/security/authorization/">authorization policies</a> for your needs.</p>
|
||
<h2 id="observability">Observability</h2>
|
||
<p>Istio automatically generates detailed telemetry for all service communications within a mesh.
|
||
This telemetry provides observability of service behavior, empowering operators to troubleshoot, maintain, and optimize their applications – without imposing any additional burdens on service developers.
|
||
Through Istio, operators gain a thorough understanding of how monitored services are interacting, both with other services and with the Istio components themselves.</p>
|
||
<p>All of this functionality is added by Istio without any configuration. <a href="/v1.12/docs/ops/integrations/">Integrations</a> with tools such as Prometheus, Grafana, Jaeger, Zipkin, and Kiali are also available.</p>
|
||
<p>For more information about the observability Istio provides, check out the <a href="/v1.12/docs/concepts/observability/">observability overview</a>.</p>
|
||
<h2 id="traffic-management">Traffic Management</h2>
|
||
<p>While Kubernetes provides a lot of networking functionality, such as service discovery and DNS, this is done at Layer 4, which can have unintended inefficiencies.
|
||
For example, in a simple HTTP application sending traffic to a service with 3 replicas, we can see unbalanced load:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl http://echo/{0..5} -s | grep Hostname
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
Hostname=echo-cb96f8d94-2ssll
|
||
$ curl http://echo/{0..5} -s | grep Hostname
|
||
Hostname=echo-cb96f8d94-879sn
|
||
Hostname=echo-cb96f8d94-879sn
|
||
Hostname=echo-cb96f8d94-879sn
|
||
Hostname=echo-cb96f8d94-879sn
|
||
Hostname=echo-cb96f8d94-879sn
|
||
Hostname=echo-cb96f8d94-879sn
|
||
</code></pre>
|
||
<p>The problem here is Kubernetes will determine the backend to send to when the connection is established, and all future requests on the same connection will be sent to the same backend.
|
||
In our example here, our first 5 requests are all sent to <code>echo-cb96f8d94-2ssll</code>, while our next set (using a new connection) are all sent to <code>echo-cb96f8d94-879sn</code>.
|
||
Our third instance never receives any requests.</p>
|
||
<p>With Istio, HTTP traffic (including HTTP/2 and gRPC) is automatically detected, and our services will automatically be load balanced per <em>request</em>, rather than per <em>connection</em>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl http://echo/{0..5} -s | grep Hostname
|
||
Hostname=echo-cb96f8d94-wf4xk
|
||
Hostname=echo-cb96f8d94-rpfqz
|
||
Hostname=echo-cb96f8d94-cgmxr
|
||
Hostname=echo-cb96f8d94-wf4xk
|
||
Hostname=echo-cb96f8d94-rpfqz
|
||
Hostname=echo-cb96f8d94-cgmxr
|
||
</code></pre>
|
||
<p>Here we can see our requests are <a href="/v1.12/docs/concepts/traffic-management/#load-balancing-options">round-robin</a> load balanced between all backends.</p>
|
||
<p>In addition to these better defaults, Istio offers customization of a <a href="/v1.12/docs/concepts/traffic-management/">variety of traffic management settings</a>, including timeouts, retries, and much more.</p></description><pubDate>Thu, 25 Feb 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/zero-config-istio/</link><author>John Howard (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/zero-config-istio/</guid></item><item><title>IstioCon 2021: Schedule Is Live!</title><description><p><a href="https://events.istio.io/istiocon-2021/">IstioCon 2021</a> is a week-long, community-led, virtual conference starting on February 22.
|
||
This event provides an opportunity to hear the lessons learned from companies like Atlassian, Airbnb, FICO, eBay, T-Mobile and
|
||
Salesforce running Istio in production, hands-on experiences from the Istio community, and will feature maintainers from across
|
||
the Istio ecosystem.</p>
|
||
<p>You can now find the <a href="https://events.istio.io/istiocon-2021/schedule/">full schedule of events</a> which includes a series of
|
||
<a href="https://events.istio.io/istiocon-2021/schedule/english/">English</a> sessions and
|
||
<a href="https://events.istio.io/istiocon-2021/schedule/chinese/">Chinese</a> sessions.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/istiocon-2021-program/istiocon-program.png" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/istiocon-2021-program/istiocon-program.png" alt="IstioCon logo" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>By attending the conference, you’ll connect with community members from across the globe. Each day you will find keynotes,
|
||
technical talks, lightning talks, panel discussions, workshops and roadmap sessions led by diverse speakers representing the
|
||
Istio community. You can also connect with other Istio and Open Source ecosystem community members through social hour events
|
||
that include activities on the social platform <a href="https://events.istio.io/istiocon-2021/networking/">Gather.town</a>, a live cartoonist,
|
||
virtual swag bags, raffles, live music and games.</p>
|
||
<p>Don’t miss it! <a href="https://events.istio.io/istiocon-2021/">Registration</a> is free. We look forward to seeing you at the first IstioCon!</p></description><pubDate>Tue, 16 Feb 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/istiocon-2021-program/</link><author>Istio Steering Committee</author><guid isPermaLink="true">/v1.12/blog/2021/istiocon-2021-program/</guid><category>IstioCon</category><category>Istio</category><category>conference</category></item><item><title>Better External Authorization</title><description>
|
||
<h2 id="background">Background</h2>
|
||
<p>Istio&rsquo;s authorization policy provides access control for services in the mesh. It is fast, powerful and a widely used
|
||
feature. We have made continuous improvements to make policy more flexible since its first release in Istio 1.4, including
|
||
the <a href="/v1.12/docs/tasks/security/authorization/authz-deny/"><code>DENY</code> action</a>, <a href="/v1.12/docs/tasks/security/authorization/authz-deny/">exclusion semantics</a>,
|
||
<a href="/v1.12/docs/tasks/security/authorization/authz-ingress/"><code>X-Forwarded-For</code> header support</a>, <a href="/v1.12/docs/tasks/security/authorization/authz-jwt/">nested JWT claim support</a>
|
||
and more. These features improve the flexibility of the authorization policy, but there are still many use cases that
|
||
cannot be supported with this model, for example:</p>
|
||
<ul>
|
||
<li><p>You have your own in-house authorization system that cannot be easily migrated to, or cannot be easily replaced by, the
|
||
authorization policy.</p></li>
|
||
<li><p>You want to integrate with a 3rd-party solution (e.g. <a href="https://www.openpolicyagent.org/docs/latest/envoy-introduction/">Open Policy Agent</a>
|
||
or <a href="https://github.com/oauth2-proxy/oauth2-proxy"><code>oauth2</code> proxy</a>) which may require use of the
|
||
<a href="/v1.12/docs/reference/config/networking/envoy-filter/">low-level Envoy configuration APIs</a> in Istio, or may not be possible
|
||
at all.</p></li>
|
||
<li><p>Authorization policy lacks necessary semantics for your use case.</p></li>
|
||
</ul>
|
||
<h2 id="solution">Solution</h2>
|
||
<p>In Istio 1.9, we have implemented extensibility into authorization policy by introducing a <a href="/v1.12/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action"><code>CUSTOM</code> action</a>,
|
||
which allows you to delegate the access control decision to an external authorization service.</p>
|
||
<p>The <code>CUSTOM</code> action allows you to integrate Istio with an external authorization system that implements its own custom
|
||
authorization logic. The following diagram shows the high level architecture of this integration:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:48.573838213459645%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2021/better-external-authz/external_authz.svg" title="External Authorization Architecture">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2021/better-external-authz/external_authz.svg" alt="External Authorization Architecture" />
|
||
</a>
|
||
</div>
|
||
<figcaption>External Authorization Architecture</figcaption>
|
||
</figure>
|
||
<p>At configuration time, the mesh admin configures an authorization policy with a <code>CUSTOM</code> action to enable the
|
||
external authorization on a proxy (either gateway or sidecar). The admin should verify the external auth service is up
|
||
and running.</p>
|
||
<p>At runtime,</p>
|
||
<ol>
|
||
<li><p>A request is intercepted by the proxy, and the proxy will send check requests to the external auth service, as
|
||
configured by the user in the authorization policy.</p></li>
|
||
<li><p>The external auth service will make the decision whether to allow it or not.</p></li>
|
||
<li><p>If allowed, the request will continue and will be enforced by any local authorization defined by <code>ALLOW</code>/<code>DENY</code> action.</p></li>
|
||
<li><p>If denied, the request will be rejected immediately.</p></li>
|
||
</ol>
|
||
<p>Let&rsquo;s look at an example authorization policy with the <code>CUSTOM</code> action:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: ext-authz
|
||
namespace: istio-system
|
||
spec:
|
||
# The selector applies to the ingress gateway in the istio-system namespace.
|
||
selector:
|
||
matchLabels:
|
||
app: istio-ingressgateway
|
||
# The action &#34;CUSTOM&#34; delegates the access control to an external authorizer, this is different from
|
||
# the ALLOW/DENY action that enforces the access control right inside the proxy.
|
||
action: CUSTOM
|
||
# The provider specifies the name of the external authorizer defined in the meshconfig, which tells where and how to
|
||
# talk to the external auth service. We will cover this more later.
|
||
provider:
|
||
name: &#34;my-ext-authz-service&#34;
|
||
# The rule specifies that the access control is triggered only if the request path has the prefix &#34;/admin/&#34;.
|
||
# This allows you to easily enable or disable the external authorization based on the requests, avoiding the external
|
||
# check request if it is not needed.
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
paths: [&#34;/admin/*&#34;]
|
||
</code></pre>
|
||
<p>It refers to a provider called <code>my-ext-authz-service</code> which is defined in the mesh config:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >extensionProviders:
|
||
# The name &#34;my-ext-authz-service&#34; is referred to by the authorization policy in its provider field.
|
||
- name: &#34;my-ext-authz-service&#34;
|
||
# The &#34;envoyExtAuthzGrpc&#34; field specifies the type of the external authorization service is implemented by the Envoy
|
||
# ext-authz filter gRPC API. The other supported type is the Envoy ext-authz filter HTTP API.
|
||
# See more in https://www.envoyproxy.io/docs/envoy/v1.16.2/intro/arch_overview/security/ext_authz_filter.
|
||
envoyExtAuthzGrpc:
|
||
# The service and port specifies the address of the external auth service, &#34;ext-authz.istio-system.svc.cluster.local&#34;
|
||
# means the service is deployed in the mesh. It can also be defined out of the mesh or even inside the pod as a separate
|
||
# container.
|
||
service: &#34;ext-authz.istio-system.svc.cluster.local&#34;
|
||
port: 9000
|
||
</code></pre>
|
||
<p>The authorization policy of <a href="/v1.12/docs/reference/config/security/authorization-policy/#AuthorizationPolicy-Action"><code>CUSTOM</code> action</a>
|
||
enables the external authorization in runtime, it could be configured to trigger the external authorization conditionally
|
||
based on the request using the same rule that you have already been using with other actions.</p>
|
||
<p>The external authorization service is currently defined in the <a href="/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-ExtensionProvider"><code>meshconfig</code> API</a>
|
||
and referred to by its name. It could be deployed in the mesh with or without proxy. If with the proxy, you could
|
||
further use <code>PeerAuthentication</code> to enable mTLS between the proxy and your external authorization service.</p>
|
||
<p>The <code>CUSTOM</code> action is currently in the <strong>experimental stage</strong>; the API might change in a non-backward compatible way based on user feedback.
|
||
The authorization policy rules currently don&rsquo;t support authentication fields (e.g. source principal or JWT claim) when used with the
|
||
<code>CUSTOM</code> action. Only one provider is allowed for a given workload, but you can still use different providers on different workloads.</p>
|
||
<p>For more information, please see the <a href="https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#">Better External Authorization design doc</a>.</p>
|
||
<h2 id="example-with-opa">Example with OPA</h2>
|
||
<p>In this section, we will demonstrate using the <code>CUSTOM</code> action with the Open Policy Agent as the external authorizer on
|
||
the ingress gateway. We will conditionally enable the external authorization on all paths except <code>/ip</code>.</p>
|
||
<p>You can also refer to the <a href="/v1.12/docs/tasks/security/authorization/authz-custom/">external authorization task</a> for a more
|
||
basic introduction that uses a sample <code>ext-authz</code> server.</p>
|
||
<h3 id="create-the-example-opa-policy">Create the example OPA policy</h3>
|
||
<p>Run the following command create an OPA policy that allows the request if the prefix of the path is matched with the
|
||
claim &ldquo;path&rdquo; (base64 encoded) in the JWT token:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &gt; policy.rego &lt;&lt;EOF
|
||
package envoy.authz
|
||
import input.attributes.request.http as http_request
|
||
default allow = false
|
||
token = {&#34;valid&#34;: valid, &#34;payload&#34;: payload} {
|
||
[_, encoded] := split(http_request.headers.authorization, &#34; &#34;)
|
||
[valid, _, payload] := io.jwt.decode_verify(encoded, {&#34;secret&#34;: &#34;secret&#34;})
|
||
}
|
||
allow {
|
||
is_token_valid
|
||
action_allowed
|
||
}
|
||
is_token_valid {
|
||
token.valid
|
||
now := time.now_ns() / 1000000000
|
||
token.payload.nbf &lt;= now
|
||
now &lt; token.payload.exp
|
||
}
|
||
action_allowed {
|
||
startswith(http_request.path, base64url.decode(token.payload.path))
|
||
}
|
||
EOF
|
||
$ kubectl create secret generic opa-policy --from-file policy.rego
|
||
</code></pre>
|
||
<h3 id="deploy-httpbin-and-opa">Deploy httpbin and OPA</h3>
|
||
<p>Enable the sidecar injection:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label ns default istio-injection=enabled
|
||
</code></pre>
|
||
<p>Run the following command to deploy the example application httpbin and OPA. The OPA could be deployed either as a
|
||
separate container in the httpbin pod or completely in a separate pod:</p>
|
||
<div id="tabset-blog-2021-better-external-authz-1" role="tablist" class="tabset ">
|
||
<div class="tab-strip" data-category-name="opa-deploy" ><button aria-selected="true" data-category-value="opa-same"
|
||
aria-controls="tabset-blog-2021-better-external-authz-1-0-panel" id="tabset-blog-2021-better-external-authz-1-0-tab" role="tab"><span>Deploy OPA in the same pod</span>
|
||
</button><button tabindex="-1" data-category-value="opa-standalone"
|
||
aria-controls="tabset-blog-2021-better-external-authz-1-1-panel" id="tabset-blog-2021-better-external-authz-1-1-tab" role="tab"><span>Deploy OPA in a separate pod</span>
|
||
</button></div>
|
||
<div class="tab-content"><div id="tabset-blog-2021-better-external-authz-1-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-1-0-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: httpbin-with-opa
|
||
labels:
|
||
app: httpbin-with-opa
|
||
service: httpbin-with-opa
|
||
spec:
|
||
ports:
|
||
- name: http
|
||
port: 8000
|
||
targetPort: 80
|
||
selector:
|
||
app: httpbin-with-opa
|
||
---
|
||
# Define the service entry for the local OPA service on port 9191.
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: local-opa-grpc
|
||
spec:
|
||
hosts:
|
||
- &#34;local-opa-grpc.local&#34;
|
||
endpoints:
|
||
- address: &#34;127.0.0.1&#34;
|
||
ports:
|
||
- name: grpc
|
||
number: 9191
|
||
protocol: GRPC
|
||
resolution: STATIC
|
||
---
|
||
kind: Deployment
|
||
apiVersion: apps/v1
|
||
metadata:
|
||
name: httpbin-with-opa
|
||
labels:
|
||
app: httpbin-with-opa
|
||
spec:
|
||
replicas: 1
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin-with-opa
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: httpbin-with-opa
|
||
spec:
|
||
containers:
|
||
- image: docker.io/kennethreitz/httpbin
|
||
imagePullPolicy: IfNotPresent
|
||
name: httpbin
|
||
ports:
|
||
- containerPort: 80
|
||
- name: opa
|
||
image: openpolicyagent/opa:latest-envoy
|
||
securityContext:
|
||
runAsUser: 1111
|
||
volumeMounts:
|
||
- readOnly: true
|
||
mountPath: /policy
|
||
name: opa-policy
|
||
args:
|
||
- &#34;run&#34;
|
||
- &#34;--server&#34;
|
||
- &#34;--addr=localhost:8181&#34;
|
||
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
|
||
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
|
||
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
|
||
- &#34;--set=decision_logs.console=true&#34;
|
||
- &#34;--ignore=.*&#34;
|
||
- &#34;/policy/policy.rego&#34;
|
||
livenessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
readinessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
volumes:
|
||
- name: proxy-config
|
||
configMap:
|
||
name: proxy-config
|
||
- name: opa-policy
|
||
secret:
|
||
secretName: opa-policy
|
||
EOF
|
||
</code></pre>
|
||
</div><div hidden id="tabset-blog-2021-better-external-authz-1-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-1-1-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: opa
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
ports:
|
||
- name: grpc
|
||
port: 9191
|
||
targetPort: 9191
|
||
selector:
|
||
app: opa
|
||
---
|
||
kind: Deployment
|
||
apiVersion: apps/v1
|
||
metadata:
|
||
name: opa
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
replicas: 1
|
||
selector:
|
||
matchLabels:
|
||
app: opa
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: opa
|
||
spec:
|
||
containers:
|
||
- name: opa
|
||
image: openpolicyagent/opa:latest-envoy
|
||
securityContext:
|
||
runAsUser: 1111
|
||
volumeMounts:
|
||
- readOnly: true
|
||
mountPath: /policy
|
||
name: opa-policy
|
||
args:
|
||
- &#34;run&#34;
|
||
- &#34;--server&#34;
|
||
- &#34;--addr=localhost:8181&#34;
|
||
- &#34;--diagnostic-addr=0.0.0.0:8282&#34;
|
||
- &#34;--set=plugins.envoy_ext_authz_grpc.addr=:9191&#34;
|
||
- &#34;--set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow&#34;
|
||
- &#34;--set=decision_logs.console=true&#34;
|
||
- &#34;--ignore=.*&#34;
|
||
- &#34;/policy/policy.rego&#34;
|
||
ports:
|
||
- containerPort: 9191
|
||
livenessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
readinessProbe:
|
||
httpGet:
|
||
path: /health?plugins
|
||
scheme: HTTP
|
||
port: 8282
|
||
initialDelaySeconds: 5
|
||
periodSeconds: 5
|
||
volumes:
|
||
- name: proxy-config
|
||
configMap:
|
||
name: proxy-config
|
||
- name: opa-policy
|
||
secret:
|
||
secretName: opa-policy
|
||
EOF
|
||
</code></pre>
|
||
<p>Deploy the httpbin as well:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/httpbin/httpbin.yaml@
|
||
</code></pre></div>
|
||
</div></div>
|
||
</div>
|
||
<h3 id="define-external-authorizer">Define external authorizer</h3>
|
||
<p>Run the following command to edit the <code>meshconfig</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl edit configmap istio -n istio-system
|
||
</code></pre>
|
||
<p>Add the following <code>extensionProviders</code> to the <code>meshconfig</code>:</p>
|
||
<div id="tabset-blog-2021-better-external-authz-2" role="tablist" class="tabset ">
|
||
<div class="tab-strip" data-category-name="opa-deploy" ><button aria-selected="true" data-category-value="opa-same"
|
||
aria-controls="tabset-blog-2021-better-external-authz-2-0-panel" id="tabset-blog-2021-better-external-authz-2-0-tab" role="tab"><span>Deploy OPA in the same pod</span>
|
||
</button><button tabindex="-1" data-category-value="opa-standalone"
|
||
aria-controls="tabset-blog-2021-better-external-authz-2-1-panel" id="tabset-blog-2021-better-external-authz-2-1-tab" role="tab"><span>Deploy OPA in a separate pod</span>
|
||
</button></div>
|
||
<div class="tab-content"><div id="tabset-blog-2021-better-external-authz-2-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-2-0-tab">
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
data:
|
||
mesh: |-
|
||
# Add the following contents:
|
||
extensionProviders:
|
||
- name: &#34;opa.local&#34;
|
||
envoyExtAuthzGrpc:
|
||
service: &#34;local-opa-grpc.local&#34;
|
||
port: &#34;9191&#34;
|
||
</code></pre>
|
||
</div><div hidden id="tabset-blog-2021-better-external-authz-2-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-2-1-tab">
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
data:
|
||
mesh: |-
|
||
# Add the following contents:
|
||
extensionProviders:
|
||
- name: &#34;opa.default&#34;
|
||
envoyExtAuthzGrpc:
|
||
service: &#34;opa.default.svc.cluster.local&#34;
|
||
port: &#34;9191&#34;
|
||
</code></pre>
|
||
</div></div>
|
||
</div>
|
||
<h3 id="create-an-authorizationpolicy-with-a-custom-action">Create an AuthorizationPolicy with a CUSTOM action</h3>
|
||
<p>Run the following command to create the authorization policy that enables the external authorization on all paths
|
||
except <code>/ip</code>:</p>
|
||
<div id="tabset-blog-2021-better-external-authz-3" role="tablist" class="tabset ">
|
||
<div class="tab-strip" data-category-name="opa-deploy" ><button aria-selected="true" data-category-value="opa-same"
|
||
aria-controls="tabset-blog-2021-better-external-authz-3-0-panel" id="tabset-blog-2021-better-external-authz-3-0-tab" role="tab"><span>Deploy OPA in the same pod</span>
|
||
</button><button tabindex="-1" data-category-value="opa-standalone"
|
||
aria-controls="tabset-blog-2021-better-external-authz-3-1-panel" id="tabset-blog-2021-better-external-authz-3-1-tab" role="tab"><span>Deploy OPA in a separate pod</span>
|
||
</button></div>
|
||
<div class="tab-content"><div id="tabset-blog-2021-better-external-authz-3-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-3-0-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin-opa
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin-with-opa
|
||
action: CUSTOM
|
||
provider:
|
||
name: &#34;opa.local&#34;
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
notPaths: [&#34;/ip&#34;]
|
||
EOF
|
||
</code></pre>
|
||
</div><div hidden id="tabset-blog-2021-better-external-authz-3-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2021-better-external-authz-3-1-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin-opa
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
action: CUSTOM
|
||
provider:
|
||
name: &#34;opa.default&#34;
|
||
rules:
|
||
- to:
|
||
- operation:
|
||
notPaths: [&#34;/ip&#34;]
|
||
EOF
|
||
</code></pre>
|
||
</div></div>
|
||
</div>
|
||
<h3 id="test-the-opa-policy">Test the OPA policy</h3>
|
||
<ol>
|
||
<li><p>Create a client pod to send the request:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/sleep/sleep.yaml@
|
||
$ export SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
|
||
</code></pre></div></li>
|
||
<li><p>Use a test JWT token signed by the OPA:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export TOKEN_PATH_HEADERS=&#34;eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiTDJobFlXUmxjbk09IiwibmJmIjoxNTAwMDAwMDAwLCJleHAiOjE5MDAwMDAwMDB9.9yl8LcZdq-5UpNLm0Hn0nnoBHXXAnK4e8RSl9vn6l98&#34;
|
||
</code></pre>
|
||
<p>The test JWT token has the following claims:</p>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;path&#34;: &#34;L2hlYWRlcnM=&#34;,
|
||
&#34;nbf&#34;: 1500000000,
|
||
&#34;exp&#34;: 1900000000
|
||
}
|
||
</code></pre>
|
||
<p>The <code>path</code> claim has value <code>L2hlYWRlcnM=</code> which is the base64 encode of <code>/headers</code>.</p></li>
|
||
<li><p>Send a request to path <code>/headers</code> without a token. This should be rejected with 403 because there is no JWT token:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -s -o /dev/null -w &#34;%{http_code}\n&#34;
|
||
403
|
||
</code></pre></li>
|
||
<li><p>Send a request to path <code>/get</code> with a valid token. This should be rejected with 403 because the path <code>/get</code> is not matched with the token <code>/headers</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/get -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
|
||
403
|
||
</code></pre></li>
|
||
<li><p>Send a request to path <code>/headers</code> with valid token. This should be allowed with 200 because the path is matched with the token:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/headers -H &#34;Authorization: Bearer $TOKEN_PATH_HEADERS&#34; -s -o /dev/null -w &#34;%{http_code}\n&#34;
|
||
200
|
||
</code></pre></li>
|
||
<li><p>Send request to path <code>/ip</code> without token. This should be allowed with 200 because the path <code>/ip</code> is excluded from
|
||
authorization:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec ${SLEEP_POD} -c sleep -- curl http://httpbin-with-opa:8000/ip -s -o /dev/null -w &#34;%{http_code}\n&#34;
|
||
200
|
||
</code></pre></li>
|
||
<li><p>Check the proxy and OPA logs to confirm the result.</p></li>
|
||
</ol>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In Istio 1.9, the <code>CUSTOM</code> action in the authorization policy allows you to easily integrate Istio with any external
|
||
authorization system with the following benefits:</p>
|
||
<ul>
|
||
<li><p>First-class support in the authorization policy API</p></li>
|
||
<li><p>Ease of usage: define the external authorizer simply with a URL and enable with the authorization policy, no more
|
||
hassle with the <code>EnvoyFilter</code> API</p></li>
|
||
<li><p>Conditional triggering, allowing improved performance</p></li>
|
||
<li><p>Support for various deployment type of the external authorizer:</p>
|
||
<ul>
|
||
<li><p>A normal service and pod with or without proxy</p></li>
|
||
<li><p>Inside the workload pod as a separate container</p></li>
|
||
<li><p>Outside the mesh</p></li>
|
||
</ul></li>
|
||
</ul>
|
||
<p>We&rsquo;re working to promote this feature to a more stable stage in following versions and welcome your feedback at
|
||
<a href="https://discuss.istio.io/c/security/">discuss.istio.io</a>.</p>
|
||
<h2 id="acknowledgements">Acknowledgements</h2>
|
||
<p>Thanks to <code>Craig Box</code>, <code>Christian Posta</code> and <code>Limin Wang</code> for reviewing drafts of this blog.</p></description><pubDate>Tue, 09 Feb 2021 00:00:00 +0000</pubDate><link>/v1.12/blog/2021/better-external-authz/</link><author>Yangmin Zhu (Google)</author><guid isPermaLink="true">/v1.12/blog/2021/better-external-authz/</guid><category>authorization</category><category>access control</category><category>opa</category><category>oauth2</category></item><item><title>Proxying legacy services using Istio egress gateways</title><description>
|
||
<p>At <a href="https://pan-net.cloud/aboutus">Deutsche Telekom Pan-Net</a>, we have embraced Istio as the umbrella to cover our services. Unfortunately, there are services which have not yet been migrated to Kubernetes, or cannot be.</p>
|
||
<p>We can set Istio up as a proxy service for these upstream services. This allows us to benefit from capabilities like authorization/authentication, traceability and observability, even while legacy services stand as they are.</p>
|
||
<p>At the end of this article there is a hands-on exercise where you can simulate the scenario. In the exercise, an upstream service hosted at <a href="https://httpbin.org">https://httpbin.org</a> will be proxied by an Istio egress gateway.</p>
|
||
<p>If you are familiar with Istio, one of the methods offered to connect to upstream services is through an <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/">egress gateway</a>.</p>
|
||
<p>You can deploy one to control all the upstream traffic or you can deploy multiple in order to have fine-grained control and satisfy the <a href="https://en.wikipedia.org/wiki/Single-responsibility_principle">single-responsibility principle</a> as this picture shows:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-overview.svg" title="Overview multiple Egress Gateways">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-overview.svg" alt="Overview multiple Egress Gateways" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Overview multiple Egress Gateways</figcaption>
|
||
</figure>
|
||
<p>With this model, one egress gateway is in charge of exactly one upstream service.</p>
|
||
<p>Although the Operator spec allows you to deploy multiple egress gateways, the manifest can become unmanageable:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha1
|
||
kind: IstioOperator
|
||
[...]
|
||
spec:
|
||
egressGateways:
|
||
- name: egressgateway-1
|
||
enabled: true
|
||
- name: egressgateway-2
|
||
enabled: true
|
||
[egressgateway-3, egressgateway-4, ...]
|
||
- name: egressgateway-N
|
||
enabled: true
|
||
[...]
|
||
</code></pre>
|
||
<p>As a benefit of decoupling egress getaways from the Operator manifest, you have enabled the possibility of setting up custom readiness probes to have both services (Gateway and upstream Service) aligned.</p>
|
||
<p>You can also inject OPA as a sidecar into the pod to perform authorization with complex rules (<a href="https://github.com/open-policy-agent/opa-envoy-plugin">OPA envoy plugin</a>).</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-authz.svg" title="Authorization with OPA and `healthcheck` to external">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-authz.svg" alt="Authorization with OPA and `healthcheck` to upstream service" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Authorization with OPA and `healthcheck` to external</figcaption>
|
||
</figure>
|
||
<p>As you can see, your possibilities increase and Istio becomes very extensible.</p>
|
||
<p>Let&rsquo;s look at how you can implement this pattern.</p>
|
||
<h2 id="solution">Solution</h2>
|
||
<p>There are several ways to perform this task, but here you will find how to define multiple Operators and deploy the generated resources.</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">Yes! <code>Istio 1.8.0</code> introduced the possibility to have fine-grained control over the objects that Operator deploys. This gives you the opportunity to patch them as you wish. Exactly what you need to proxy legacy services using Istio egress gateways.</div>
|
||
</aside>
|
||
</div>
|
||
<p>In the following section you will deploy an egress gateway to connect to an upstream service: <code>httpbin</code> (<a href="https://httpbin.org/">https://httpbin.org/</a>)</p>
|
||
<p>At the end, you will have:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-communication.svg" title="Communication">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/proxying-legacy-services-using-egress-gateways-communication.svg" alt="Communication" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Communication</figcaption>
|
||
</figure>
|
||
<h2 id="hands-on">Hands on</h2>
|
||
<h3 id="prerequisites">Prerequisites</h3>
|
||
<ul>
|
||
<li><a href="https://kind.sigs.k8s.io/docs/user/quick-start/">kind</a> (Kubernetes-in-Docker - perfect for local development)</li>
|
||
<li><a href="/v1.12/docs/setup/getting-started/#download">istioctl</a></li>
|
||
</ul>
|
||
<h4 id="kind">Kind</h4>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">If you use <code>kind</code>, do not forget to set up <code>service-account-issuer</code> and <code>service-account-signing-key-file</code> as described below. Otherwise, Istio may not install correctly.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Save this as <code>config.yaml</code>.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >kind: Cluster
|
||
apiVersion: kind.x-k8s.io/v1alpha4
|
||
kubeadmConfigPatches:
|
||
- |
|
||
apiVersion: kubeadm.k8s.io/v1beta2
|
||
kind: ClusterConfiguration
|
||
metadata:
|
||
name: config
|
||
apiServer:
|
||
extraArgs:
|
||
&#34;service-account-issuer&#34;: &#34;kubernetes.default.svc&#34;
|
||
&#34;service-account-signing-key-file&#34;: &#34;/etc/kubernetes/pki/sa.key&#34;
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kind create cluster --name &lt;my-cluster-name&gt; --config config.yaml
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-cluster-name&gt;</code> is the name for the cluster.</p>
|
||
<h4 id="istio-operator-with-istioctl">Istio Operator with Istioctl</h4>
|
||
<p>Install the Operator</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl operator init --watchedNamespaces=istio-operator
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create ns istio-system
|
||
</code></pre>
|
||
<p>Save this as <code>operator.yaml</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha1
|
||
kind: IstioOperator
|
||
metadata:
|
||
name: istio-operator
|
||
namespace: istio-operator
|
||
spec:
|
||
profile: default
|
||
tag: 1.8.0
|
||
meshConfig:
|
||
accessLogFile: /dev/stdout
|
||
outboundTrafficPolicy:
|
||
mode: REGISTRY_ONLY
|
||
</code></pre>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content"><code>outboundTrafficPolicy.mode: REGISTRY_ONLY</code> is used to block all external communications which are not specified by a <code>ServiceEntry</code> resource.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f operator.yaml
|
||
</code></pre>
|
||
<h3 id="deploy-egress-gateway">Deploy Egress Gateway</h3>
|
||
<p>The steps for this task assume:</p>
|
||
<ul>
|
||
<li>The service is installed under the namespace: <code>httpbin</code>.</li>
|
||
<li>The service name is: <code>http-egress</code>.</li>
|
||
</ul>
|
||
<p>Istio 1.8 introduced the possibility to apply overlay configuration, to give fine-grain control over the created resources.</p>
|
||
<p>Save this as <code>egress.yaml</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha1
|
||
kind: IstioOperator
|
||
spec:
|
||
profile: empty
|
||
tag: 1.8.0
|
||
namespace: httpbin
|
||
components:
|
||
egressGateways:
|
||
- name: httpbin-egress
|
||
enabled: true
|
||
label:
|
||
app: istio-egressgateway
|
||
istio: egressgateway
|
||
custom-egress: httpbin-egress
|
||
k8s:
|
||
overlays:
|
||
- kind: Deployment
|
||
name: httpbin-egress
|
||
patches:
|
||
- path: spec.template.spec.containers[0].readinessProbe
|
||
value:
|
||
failureThreshold: 30
|
||
exec:
|
||
command:
|
||
- /bin/sh
|
||
- -c
|
||
- curl http://localhost:15021/healthz/ready &amp;&amp; curl https://httpbin.org/status/200
|
||
initialDelaySeconds: 1
|
||
periodSeconds: 2
|
||
successThreshold: 1
|
||
timeoutSeconds: 1
|
||
values:
|
||
gateways:
|
||
istio-egressgateway:
|
||
runAsRoot: true
|
||
</code></pre>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Notice the block under <code>overlays</code>. You are patching the default <code>egressgateway</code> to deploy only that component with the new <code>readinessProbe</code>.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Create the namespace where you will install the egress gateway:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create ns httpbin
|
||
</code></pre>
|
||
<p>As it is described in the <a href="/v1.12/docs/setup/install/istioctl/#customize-kubernetes-settings">documentation</a>, you can deploy several Operator resources. However, they have to be pre-parsed and then applied to the cluster.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest generate -f egress.yaml | kubectl apply -f -
|
||
</code></pre>
|
||
<h3 id="istio-configuration">Istio configuration</h3>
|
||
<p>Now you will configure Istio to allow connections to the upstream service at <a href="https://httpbin.org">https://httpbin.org</a>.</p>
|
||
<h4 id="certificate-for-tls">Certificate for TLS</h4>
|
||
<p>You need a certificate to make a secure connection from outside the cluster to your egress service.</p>
|
||
<p>How to generate a certificate is explained in the <a href="/v1.12/docs/tasks/traffic-management/ingress/secure-ingress/#generate-client-and-server-certificates-and-keys">Istio ingress documentation</a>.</p>
|
||
<p>Create and apply one to be used at the end of this article to access the service from outside the cluster (<code>&lt;my-proxied-service-hostname&gt;</code>):</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create -n istio-system secret tls &lt;my-secret-name&gt; --key=&lt;key&gt; --cert=&lt;cert&gt;
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-secret-name&gt;</code> is the name used later for the <code>Gateway</code> resource. <code>&lt;key&gt;</code> and <code>&lt;cert&gt;</code> are the files for the certificate. <code>&lt;cert&gt;</code>.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">You need to remember <code>&lt;my-proxied-service-hostname&gt;</code>, <code>&lt;cert&gt;</code> and <code>&lt;my-secret-name&gt;</code> because you will use them later in the article.</div>
|
||
</aside>
|
||
</div>
|
||
<h4 id="ingress-gateway">Ingress Gateway</h4>
|
||
<p>Create a <code>Gateway</code> resource to operate ingress gateway to accept requests.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">Make sure that only one Gateway spec matches the hostname. Istio gets confused when there are multiple Gateway definitions covering the same hostname.</div>
|
||
</aside>
|
||
</div>
|
||
<p>An example:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1beta1
|
||
kind: Gateway
|
||
metadata:
|
||
name: my-ingressgateway
|
||
namespace: istio-system
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway
|
||
servers:
|
||
- hosts:
|
||
- &#34;&lt;my-proxied-service-hostname&gt;&#34;
|
||
port:
|
||
name: http
|
||
number: 80
|
||
protocol: HTTP
|
||
tls:
|
||
httpsRedirect: true
|
||
- port:
|
||
number: 443
|
||
name: https
|
||
protocol: https
|
||
hosts:
|
||
- &#34;&lt;my-proxied-service-hostname&gt;&#34;
|
||
tls:
|
||
mode: SIMPLE
|
||
credentialName: &lt;my-secret-name&gt;
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-proxied-service-hostname&gt;</code> is the hostname to access the service through the <code>my-ingressgateway</code> and <code>&lt;my-secret-name&gt;</code> is the secret which contains the certificate.</p>
|
||
<h4 id="egress-gateway">Egress Gateway</h4>
|
||
<p>Create another Gateway object, but this time to operate the egress gateway you have already installed:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: &#34;httpbin-egress&#34;
|
||
namespace: &#34;httpbin&#34;
|
||
spec:
|
||
selector:
|
||
istio: egressgateway
|
||
service.istio.io/canonical-name: &#34;httpbin-egress&#34;
|
||
servers:
|
||
- hosts:
|
||
- &#34;&lt;my-proxied-service-hostname&gt;&#34;
|
||
port:
|
||
number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-proxied-service-hostname&gt;</code> is the hostname to access through the <code>my-ingressgateway</code>.</p>
|
||
<h4 id="virtual-service">Virtual Service</h4>
|
||
<p>Create a <code>VirtualService</code> for three use cases:</p>
|
||
<ul>
|
||
<li><strong>Mesh</strong> gateway for service-to-service communications within the mesh</li>
|
||
<li><strong>Ingress Gateway</strong> for the communication from outside the mesh</li>
|
||
<li><strong>Egress Gateway</strong> for the communication to the upstream service</li>
|
||
</ul>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Mesh and Ingress Gateway will share the same specification. It will redirect the traffic to your egress gateway service.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: &#34;httpbin-egress&#34;
|
||
namespace: &#34;httpbin&#34;
|
||
spec:
|
||
hosts:
|
||
- &#34;&lt;my-proxied-service-hostname&gt;&#34;
|
||
gateways:
|
||
- mesh
|
||
- &#34;istio-system/my-ingressgateway&#34;
|
||
- &#34;httpbin/httpbin-egress&#34;
|
||
http:
|
||
- match:
|
||
- gateways:
|
||
- &#34;istio-system/my-ingressgateway&#34;
|
||
- mesh
|
||
uri:
|
||
prefix: &#34;/&#34;
|
||
route:
|
||
- destination:
|
||
host: &#34;httpbin-egress.httpbin.svc.cluster.local&#34;
|
||
port:
|
||
number: 80
|
||
- match:
|
||
- gateways:
|
||
- &#34;httpbin/httpbin-egress&#34;
|
||
uri:
|
||
prefix: &#34;/&#34;
|
||
route:
|
||
- destination:
|
||
host: &#34;httpbin.org&#34;
|
||
subset: &#34;http-egress-subset&#34;
|
||
port:
|
||
number: 443
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-proxied-service-hostname&gt;</code> is the hostname to access through the <code>my-ingressgateway</code>.</p>
|
||
<h4 id="service-entry">Service Entry</h4>
|
||
<p>Create a <code>ServiceEntry</code> to allow the communication to the upstream service:</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Notice that the port is configured for TLS protocol</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: &#34;httpbin-egress&#34;
|
||
namespace: &#34;httpbin&#34;
|
||
spec:
|
||
hosts:
|
||
- &#34;httpbin.org&#34;
|
||
location: MESH_EXTERNAL
|
||
ports:
|
||
- number: 443
|
||
name: https
|
||
protocol: TLS
|
||
resolution: DNS
|
||
</code></pre>
|
||
<h4 id="destination-rule">Destination Rule</h4>
|
||
<p>Create a <code>DestinationRule</code> to allow TLS origination for egress traffic as explained in the <a href="/v1.12/docs/tasks/traffic-management/egress/egress-tls-origination/#tls-origination-for-egress-traffic">documentation</a></p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: &#34;httpbin-egress&#34;
|
||
namespace: &#34;httpbin&#34;
|
||
spec:
|
||
host: &#34;httpbin.org&#34;
|
||
subsets:
|
||
- name: &#34;http-egress-subset&#34;
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
portLevelSettings:
|
||
- port:
|
||
number: 443
|
||
tls:
|
||
mode: SIMPLE
|
||
</code></pre>
|
||
<h4 id="peer-authentication">Peer Authentication</h4>
|
||
<p>To secure the service-to-service, you need to enforce mTLS:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;security.istio.io/v1beta1&#34;
|
||
kind: &#34;PeerAuthentication&#34;
|
||
metadata:
|
||
name: &#34;httpbin-egress&#34;
|
||
namespace: &#34;httpbin&#34;
|
||
spec:
|
||
mtls:
|
||
mode: STRICT
|
||
</code></pre>
|
||
<h3 id="test">Test</h3>
|
||
<p>Verify that your objects were all specified correctly:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl analyze --all-namespaces
|
||
</code></pre>
|
||
<h4 id="external-access">External access</h4>
|
||
<p>Test the egress gateway from outside the cluster forwarding the <code>ingressgateway</code> service&rsquo;s port and calling the service</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system port-forward svc/istio-ingressgateway 15443:443
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -vvv -k -HHost:&lt;my-proxied-service-hostname&gt; --resolve &#34;&lt;my-proxied-service-hostname&gt;:15443:127.0.0.1&#34; --cacert &lt;cert&gt; &#34;https://&lt;my-proxied-service-hostname&gt;:15443/status/200&#34;
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-proxied-service-hostname&gt;</code> is the hostname to access through the <code>my-ingressgateway</code> and <code>&lt;cert&gt;</code> is the certificate defined for the <code>ingressgateway</code> object. This is due to <code>tls.mode: SIMPLE</code> which <a href="/v1.12/docs/tasks/traffic-management/ingress/secure-ingress/">does not terminate TLS</a></p>
|
||
<h4 id="service-to-service-access">Service-to-service access</h4>
|
||
<p>Test the egress gateway from inside the cluster deploying the sleep service. This is useful when you design failover.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label namespace httpbin istio-injection=enabled --overwrite
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -n httpbin -f https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n httpbin &#34;$(kubectl get pod -n httpbin -l app=sleep -o jsonpath={.items..metadata.name})&#34; -- curl -vvv http://&lt;my-proxied-service-hostname&gt;/status/200
|
||
</code></pre>
|
||
<p>Where <code>&lt;my-proxied-service-hostname&gt;</code> is the hostname to access through the <code>my-ingressgateway</code>.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Notice that <code>http</code> (and not <code>https</code>) is the protocol used for service-to-service communication. This is due to Istio handling the <code>TLS</code> itself. Developers do not care anymore about certificates management. <strong>Fancy!</strong></div>
|
||
</aside>
|
||
</div>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">Eat, Sleep, Rave, <strong>REPEAT!</strong></div>
|
||
</aside>
|
||
</div>
|
||
<p>Now it is time to create a second, third and fourth egress gateway pointing to other upstream services.</p>
|
||
<h2 id="final-thoughts">Final thoughts</h2>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">Is the juice worth the squeeze?</div>
|
||
</aside>
|
||
</div>
|
||
<p>Istio might seem complex to configure. But it is definitely worthwhile, due to the huge set of benefits it brings to your services (with an extra <strong>Olé!</strong> for Kiali).</p>
|
||
<p>The way Istio is developed allows us, with minimal effort, to satisfy uncommon requirements like the one presented in this article.</p>
|
||
<p>To finish, I just wanted to point out that Istio, as a good cloud native technology, does not require a large team to maintain. For example, our current team is composed of 3 engineers.</p>
|
||
<p>To discuss more about Istio and its possibilities, please contact one of us:</p>
|
||
<ul>
|
||
<li><a href="https://twitter.com/antonio_berben">Antonio Berben</a></li>
|
||
<li><a href="https://www.linkedin.com/in/piotr-ciazynski">Piotr Ciążyński</a></li>
|
||
<li><a href="https://www.linkedin.com/in/patlevic">Kristián Patlevič</a></li>
|
||
</ul></description><pubDate>Wed, 16 Dec 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/</link><author>Antonio Berben (Deutsche Telekom - PAN-NET)</author><guid isPermaLink="true">/v1.12/blog/2020/proxying-legacy-services-using-egress-gateways/</guid><category>configuration</category><category>egress</category><category>gateway</category><category>external</category><category>service</category></item><item><title>Proxy protocol on AWS NLB and Istio ingress gateway</title><description>
|
||
<p>This blog presents my latest experience about how to configure and enable proxy protocol with stack of AWS NLB and Istio Ingress gateway. The <a href="https://www.haproxy.com/blog/haproxy/proxy-protocol/">Proxy Protocol</a> was designed to chain proxies and reverse-proxies without losing the client information. The proxy protocol prevents the need for infrastructure changes or <code>NATing</code> firewalls, and offers the benefits of being protocol agnostic and providing good scalability. Additionally, we also enable the <code>X-Forwarded-For</code> HTTP header in the deployment to make the client IP address easy to read. In this blog, traffic management of Istio ingress is shown with an httpbin service on ports 80 and 443 to demonstrate the use of proxy protocol. Note that both v1 and v2 of the proxy protocol work for the purpose of this example, but because the AWS NLB currently only supports v2, proxy protocol v2 is used in the rest of this blog by default. The following image shows the use of proxy protocol v2 with an AWS NLB.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content"><p>A receiver may be configured to support both version 1 and version 2 of the
|
||
protocol. Identifying the protocol version is easy:</p>
|
||
<ul>
|
||
<li><p>If the incoming byte count is 16 or more and the first 13 bytes match the protocol signature block <code>\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02</code>, the protocol is version 2.</p></li>
|
||
<li><p>Otherwise, if the incoming byte count is 8 or more, and the 5 first characters match the <code>US-ASCII</code> representation of &ldquo;PROXY&rdquo;(<code>\x50\x52\x4F\x58\x59</code>), then the protocol must be parsed as version 1.</p></li>
|
||
<li><p>Otherwise the protocol is not covered by this specification and the connection must be dropped.</p></li>
|
||
</ul>
|
||
</div>
|
||
</aside>
|
||
</div>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:80.81149619611158%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/show-source-ip/aws-proxy-protocol.png" title="AWS NLB portal to enable proxy protocol">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/show-source-ip/aws-proxy-protocol.png" alt="AWS NLB portal to enable proxy protocol" />
|
||
</a>
|
||
</div>
|
||
<figcaption>AWS NLB portal to enable proxy protocol</figcaption>
|
||
</figure>
|
||
<h2 id="separate-setups-for-80-and-443">Separate setups for 80 and 443</h2>
|
||
<p>Before going through the following steps, an AWS environment that is configured with the proper VPC, IAM, and Kubernetes setup is assumed.</p>
|
||
<h3 id="step-1-install-istio-with-aws-nlb">Step 1: Install Istio with AWS NLB</h3>
|
||
<p>The blog <a href="/v1.12/blog/2018/aws-nlb/">Configuring Istio Ingress with AWS NLB</a> provides detailed steps to set up AWS IAM roles and enable the usage of AWS NLB by Helm. You can also use other automation tools, such as Terraform, to achieve the same goal. In the following example, more complete configurations are shown in order to enable proxy protocol and <code>X-Forwarded-For</code> at the same time.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
annotations:
|
||
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: &#34;*&#34;
|
||
service.beta.kubernetes.io/aws-load-balancer-type: &#34;nlb&#34;
|
||
proxy.istio.io/config: &#39;{&#34;gatewayTopology&#34; : { &#34;numTrustedProxies&#34;: 2 } }&#39;
|
||
labels:
|
||
app: istio-ingressgateway
|
||
istio: ingressgateway
|
||
release: istio
|
||
name: istio-ingressgateway
|
||
</code></pre>
|
||
<h3 id="step-2-create-proxy-protocol-envoy-filter">Step 2: Create proxy-protocol Envoy Filter</h3>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: EnvoyFilter
|
||
metadata:
|
||
name: proxy-protocol
|
||
namespace: istio-system
|
||
spec:
|
||
workloadSelector:
|
||
labels:
|
||
istio: ingressgateway
|
||
configPatches:
|
||
- applyTo: LISTENER
|
||
patch:
|
||
operation: MERGE
|
||
value:
|
||
listener_filters:
|
||
- name: envoy.filters.listener.proxy_protocol
|
||
- name: envoy.filters.listener.tls_inspector
|
||
</code></pre>
|
||
<h3 id="step-3-enable-x-forwarded-for-header">Step 3: Enable <code>X-Forwarded-For</code> header</h3>
|
||
<p>This <a href="/v1.12/docs/ops/configuration/traffic-management/network-topologies/">blog</a> includes several samples of configuring Gateway Network Topology. In the following example, the configurations are tuned to enable <code>X-Forwarded-For</code> without any middle proxy.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: EnvoyFilter
|
||
metadata:
|
||
name: ingressgateway-settings
|
||
namespace: istio-system
|
||
spec:
|
||
configPatches:
|
||
- applyTo: NETWORK_FILTER
|
||
match:
|
||
listener:
|
||
filterChain:
|
||
filter:
|
||
name: envoy.http_connection_manager
|
||
patch:
|
||
operation: MERGE
|
||
value:
|
||
name: envoy.http_connection_manager
|
||
typed_config:
|
||
&#34;@type&#34;: type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
|
||
skip_xff_append: false
|
||
use_remote_address: true
|
||
xff_num_trusted_hops: 1
|
||
</code></pre>
|
||
<h3 id="step-4-deploy-ingress-gateway-for-httpbin-on-port-80-and-443">Step 4: Deploy ingress gateway for httpbin on port 80 and 443</h3>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">When following the <a href="/v1.12/docs/tasks/traffic-management/ingress/secure-ingress/">secure ingress setup</a>, macOS users must add an additional patch to generate certificates for TLS.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: httpbin-gateway
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway # use Istio default gateway implementation
|
||
servers:
|
||
- port:
|
||
number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
hosts:
|
||
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: httpbin
|
||
spec:
|
||
hosts:
|
||
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
|
||
gateways:
|
||
- httpbin-gateway
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /headers
|
||
route:
|
||
- destination:
|
||
port:
|
||
number: 8000
|
||
host: httpbin
|
||
</code></pre>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: mygateway2
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway # use istio default ingress gateway
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: https
|
||
protocol: HTTPS
|
||
tls:
|
||
mode: SIMPLE
|
||
credentialName: httpbin-credential # must be the same as secret
|
||
hosts:
|
||
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: httpbin
|
||
spec:
|
||
hosts:
|
||
- &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;
|
||
gateways:
|
||
- mygateway2
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /headers
|
||
route:
|
||
- destination:
|
||
port:
|
||
number: 8000
|
||
host: httpbin
|
||
</code></pre>
|
||
<h3 id="step-5-check-header-output-of-httpbin">Step 5: Check header output of httpbin</h3>
|
||
<p>Check port 443 (80 will be similar) and compare the cases with and without proxy protocol.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >//////with proxy_protocal enabled in the stack
|
||
* Trying YY.XXX.141.26...
|
||
* TCP_NODELAY set
|
||
* Connection failed
|
||
* connect to YY.XXX.141.26 port 443 failed: Operation timed out
|
||
* Trying YY.XXX.205.117...
|
||
* TCP_NODELAY set
|
||
* Connected to a25fa0b4835b.elb.us-west-2.amazonaws.com (XX.YYY.205.117) port 443 (#0)
|
||
* ALPN, offering h2
|
||
* ALPN, offering http/1.1
|
||
* successfully set certificate verify locations:
|
||
* CAfile: new_certificates/example.com.crt
|
||
CApath: none
|
||
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
|
||
* TLSv1.2 (IN), TLS handshake, Server hello (2):
|
||
* TLSv1.2 (IN), TLS handshake, Certificate (11):
|
||
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
|
||
* TLSv1.2 (IN), TLS handshake, Server finished (14):
|
||
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
|
||
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
|
||
* TLSv1.2 (OUT), TLS handshake, Finished (20):
|
||
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
|
||
* TLSv1.2 (IN), TLS handshake, Finished (20):
|
||
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
|
||
* ALPN, server accepted to use h2
|
||
* Server certificate:
|
||
* subject: CN=a25fa0b4835b.elb.us-west-2.amazonaws.com; O=httpbin organization
|
||
* start date: Oct 29 20:39:12 2020 GMT
|
||
* expire date: Oct 29 20:39:12 2021 GMT
|
||
* common name: a25fa0b4835b.elb.us-west-2.amazonaws.com (matched)
|
||
* issuer: O=example Inc.; CN=example.com
|
||
* SSL certificate verify ok.
|
||
* Using HTTP2, server supports multi-use
|
||
* Connection state changed (HTTP/2 confirmed)
|
||
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
|
||
* Using Stream ID: 1 (easy handle 0x7fc6c8810800)
|
||
&gt; GET /headers?show_env=1 HTTP/2
|
||
&gt; Host: a25fa0b4835b.elb.us-west-2.amazonaws.com
|
||
&gt; User-Agent: curl/7.64.1
|
||
&gt; Accept: */*
|
||
&gt;
|
||
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
|
||
&lt; HTTP/2 200
|
||
&lt; server: istio-envoy
|
||
&lt; date: Thu, 29 Oct 2020 21:39:46 GMT
|
||
&lt; content-type: application/json
|
||
&lt; content-length: 629
|
||
&lt; access-control-allow-origin: *
|
||
&lt; access-control-allow-credentials: true
|
||
&lt; x-envoy-upstream-service-time: 2
|
||
&lt;
|
||
{
|
||
&#34;headers&#34;: {
|
||
&#34;Accept&#34;: &#34;*/*&#34;,
|
||
&#34;Content-Length&#34;: &#34;0&#34;,
|
||
&#34;Host&#34;: &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;,
|
||
&#34;User-Agent&#34;: &#34;curl/7.64.1&#34;,
|
||
&#34;X-B3-Sampled&#34;: &#34;0&#34;,
|
||
&#34;X-B3-Spanid&#34;: &#34;74f99a1c6fc29975&#34;,
|
||
&#34;X-B3-Traceid&#34;: &#34;85db86fe6aa322a074f99a1c6fc29975&#34;,
|
||
&#34;X-Envoy-Attempt-Count&#34;: &#34;1&#34;,
|
||
&#34;X-Envoy-Decorator-Operation&#34;: &#34;httpbin.default.svc.cluster.local:8000/headers*&#34;,
|
||
&#34;X-Envoy-External-Address&#34;: &#34;XX.110.54.41&#34;,
|
||
&#34;X-Forwarded-For&#34;: &#34;XX.110.54.41&#34;,
|
||
&#34;X-Forwarded-Proto&#34;: &#34;https&#34;,
|
||
&#34;X-Request-Id&#34;: &#34;5c3bc236-0c49-4401-b2fd-2dbfbce506fc&#34;
|
||
}
|
||
}
|
||
* Connection #0 to host a25fa0b4835b.elb.us-west-2.amazonaws.com left intact
|
||
* Closing connection 0
|
||
</code></pre>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >//////////without proxy_protocal
|
||
* Trying YY.XXX.141.26...
|
||
* TCP_NODELAY set
|
||
* Connection failed
|
||
* connect to YY.XXX.141.26 port 443 failed: Operation timed out
|
||
* Trying YY.XXX.205.117...
|
||
* TCP_NODELAY set
|
||
* Connected to a25fa0b4835b.elb.us-west-2.amazonaws.com (YY.XXX.205.117) port 443 (#0)
|
||
* ALPN, offering h2
|
||
* ALPN, offering http/1.1
|
||
* successfully set certificate verify locations:
|
||
* CAfile: new_certificates/example.com.crt
|
||
CApath: none
|
||
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
|
||
* TLSv1.2 (IN), TLS handshake, Server hello (2):
|
||
* TLSv1.2 (IN), TLS handshake, Certificate (11):
|
||
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
|
||
* TLSv1.2 (IN), TLS handshake, Server finished (14):
|
||
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
|
||
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
|
||
* TLSv1.2 (OUT), TLS handshake, Finished (20):
|
||
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
|
||
* TLSv1.2 (IN), TLS handshake, Finished (20):
|
||
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
|
||
* ALPN, server accepted to use h2
|
||
* Server certificate:
|
||
* subject: CN=a25fa0b4835b.elb.us-west-2.amazonaws.com; O=httpbin organization
|
||
* start date: Oct 29 20:39:12 2020 GMT
|
||
* expire date: Oct 29 20:39:12 2021 GMT
|
||
* common name: a25fa0b4835b.elb.us-west-2.amazonaws.com (matched)
|
||
* issuer: O=example Inc.; CN=example.com
|
||
* SSL certificate verify ok.
|
||
* Using HTTP2, server supports multi-use
|
||
* Connection state changed (HTTP/2 confirmed)
|
||
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
|
||
* Using Stream ID: 1 (easy handle 0x7fbf8c808200)
|
||
&gt; GET /headers?show_env=1 HTTP/2
|
||
&gt; Host: a25fa0b4835b.elb.us-west-2.amazonaws.com
|
||
&gt; User-Agent: curl/7.64.1
|
||
&gt; Accept: */*
|
||
&gt;
|
||
* Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
|
||
&lt; HTTP/2 200
|
||
&lt; server: istio-envoy
|
||
&lt; date: Thu, 29 Oct 2020 20:44:01 GMT
|
||
&lt; content-type: application/json
|
||
&lt; content-length: 612
|
||
&lt; access-control-allow-origin: *
|
||
&lt; access-control-allow-credentials: true
|
||
&lt; x-envoy-upstream-service-time: 1
|
||
&lt;
|
||
{
|
||
&#34;headers&#34;: {
|
||
&#34;Accept&#34;: &#34;*/*&#34;,
|
||
&#34;Content-Length&#34;: &#34;0&#34;,
|
||
&#34;Host&#34;: &#34;a25fa0b4835b.elb.us-west-2.amazonaws.com&#34;,
|
||
&#34;User-Agent&#34;: &#34;curl/7.64.1&#34;,
|
||
&#34;X-B3-Sampled&#34;: &#34;0&#34;,
|
||
&#34;X-B3-Spanid&#34;: &#34;69913a6e6e949334&#34;,
|
||
&#34;X-B3-Traceid&#34;: &#34;729d5da3618545da69913a6e6e949334&#34;,
|
||
&#34;X-Envoy-Attempt-Count&#34;: &#34;1&#34;,
|
||
&#34;X-Envoy-Decorator-Operation&#34;: &#34;httpbin.default.svc.cluster.local:8000/headers*&#34;,
|
||
&#34;X-Envoy-Internal&#34;: &#34;true&#34;,
|
||
&#34;X-Forwarded-For&#34;: &#34;172.16.5.30&#34;,
|
||
&#34;X-Forwarded-Proto&#34;: &#34;https&#34;,
|
||
&#34;X-Request-Id&#34;: &#34;299c7f8a-5f89-480a-82c9-028c76d45d84&#34;
|
||
}
|
||
}
|
||
* Connection #0 to host a25fa0b4835b.elb.us-west-2.amazonaws.com left intact
|
||
* Closing connection 0
|
||
</code></pre>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>This blog presents the deployment of a stack that consists of an AWS NLB and Istio ingress gateway that are enabled with proxy-protocol. We hope it is useful to you if you are interested in protocol enabling in an anecdotal, experiential, and more informal way. However, note that the <code>X-Forwarded-For</code> header should be used only for the convenience of reading in test, as dealing with fake <code>X-Forwarded-For</code> attacks is not within the scope of this blog.</p>
|
||
<h2 id="references">References</h2>
|
||
<ul>
|
||
<li><p><a href="https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/">protocol settings</a></p></li>
|
||
<li><p><a href="https://www.haproxy.com/blog/haproxy/proxy-protocol/">protocol introduction</a></p></li>
|
||
</ul></description><pubDate>Fri, 11 Dec 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/show-source-ip/</link><author>Xinhui Li (Salesforce)</author><guid isPermaLink="true">/v1.12/blog/2020/show-source-ip/</guid><category>trafficManagement</category><category>protocol extending</category></item><item><title>Join us for the first IstioCon in 2021!</title><description><p>IstioCon 2021 will be the inaugural conference for Istio, the industry&rsquo;s <a href="https://www.cncf.io/wp-content/uploads/2020/11/CNCF_Survey_Report_2020.pdf">most popular service mesh</a>. In its inaugural year, IstioCon will be 100% virtual, connecting community members across the globe with Istio&rsquo;s ecosystem. This conference will take place at the end of February.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:40.3125%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/istiocon-2021/istioconlogo.jpg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/istiocon-2021/istioconlogo.jpg" alt="IstioCon logo" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>All the information related to IstioCon will be published on the <a href="https://events.istio.io/">conference website</a>. IstioCon provides an opportunity to showcase the lessons learned from running Istio in production, hands-on experiences from the Istio community, and will feature maintainers from across the Istio ecosystem. At this time, we encourage Istio users, developers, partners, and advocates to <a href="https://sessionize.com/istiocon-2021/">submit a session proposal through the conference&rsquo;s CFP portal</a>. The conference offers a mix of keynotes, technical talks, lightning talks, workshops, and roadmap sessions. Choose from the following formats to submit a session proposal for IstioCon:</p>
|
||
<ul>
|
||
<li><strong>Presentation:</strong> 40 minute presentation, maximum of 2 speakers</li>
|
||
<li><strong>Panel:</strong> 40 minutes of discussion among 3 to 5 speakers</li>
|
||
<li><strong>Workshop:</strong> 160 minute (2h 40m), in-depth, hands-on presentation with 1–4 speakers</li>
|
||
<li><strong>Lighting Talk:</strong> 10 minute presentation, limited to 1 speaker</li>
|
||
</ul>
|
||
<p>This community-led event also has in store two social hours to take the load off and mesh with the Istio community, vendors, and maintainers. Participation in the event is free of charge, and will only require participants to register in order to join.</p>
|
||
<p>Stay tuned to hear more about this conference, and we hope you can join us at the first IstioCon in 2021!</p></description><pubDate>Tue, 08 Dec 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/istiocon-2021/</link><author>Istio Steering Committee</author><guid isPermaLink="true">/v1.12/blog/2020/istiocon-2021/</guid><category>IstioCon</category><category>Istio</category><category>conference</category></item><item><title>Handling Docker Hub rate limiting</title><description>
|
||
<p>Since November 20th, 2020, Docker Hub has introduced <a href="https://www.docker.com/increase-rate-limits">rate limits</a> on image pulls.</p>
|
||
<p>Because Istio uses <a href="https://hub.docker.com/u/istio">Docker Hub</a> as the default registry, usage on a large cluster may lead
|
||
to pods failing to startup due to exceeding rate limits. This can be especially problematic for Istio, as there is typically
|
||
the Istio sidecar image alongside most pods in the cluster.</p>
|
||
<h2 id="mitigations">Mitigations</h2>
|
||
<p>Istio allows you to specify a custom docker registry which you can use to make container images be fetched from your private registry. This can be configured by passing <code>--set hub=&lt;some-custom-registry&gt;</code> at installation time.</p>
|
||
<p>Istio provides official mirrors to <a href="https://gcr.io/istio-release">Google Container Registry</a>. This can be configured with <code>--set hub=gcr.io/istio-release</code>. This is available for Istio 1.5+.</p>
|
||
<p>Alternatively, you can copy the official Istio images to your own registry. This is especially useful if your cluster runs in an environment with a registry tailored for your use case (for example, on AWS you may want to mirror images to Amazon ECR) or you have air gapped security requirements where access to public registries is restricted. This can be done with the following script:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ SOURCE_HUB=istio
|
||
$ DEST_HUB=my-registry # Replace this with the destination hub
|
||
$ IMAGES=( install-cni operator pilot proxyv2 ) # Images to mirror.
|
||
$ VERSIONS=( 1.7.5 1.8.0 ) # Versions to copy
|
||
$ VARIANTS=( &#34;&#34; &#34;-distroless&#34; ) # Variants to copy
|
||
$ for image in $IMAGES; do
|
||
$ for version in $VERSIONS; do
|
||
$ for variant in $VARIANTS; do
|
||
$ name=$image:$version$variant
|
||
$ docker pull $SOURCE_HUB/$name
|
||
$ docker tag $SOURCE_HUB/$name $DEST_HUB/$name
|
||
$ docker push $DEST_HUB/$name
|
||
$ docker rmi $SOURCE_HUB/$name
|
||
$ docker rmi $DEST_HUB/$name
|
||
$ done
|
||
$ done
|
||
$ done
|
||
</code></pre></description><pubDate>Mon, 07 Dec 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/docker-rate-limit/</link><author>John Howard (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/docker-rate-limit/</guid><category>docker</category></item><item><title>Expanding into New Frontiers - Smart DNS Proxying in Istio</title><description>
|
||
<p>DNS resolution is a vital component of any application infrastructure
|
||
on Kubernetes. When your application code attempts to access another
|
||
service in the Kubernetes cluster or even a service on the internet,
|
||
it has to first lookup the IP address corresponding to the hostname of
|
||
the service, before initiating a connection to the service. This name
|
||
lookup process is often referred to as <strong>service discovery</strong>. In
|
||
Kubernetes, the cluster DNS server, be it <code>kube-dns</code> or CoreDNS,
|
||
resolves the service&rsquo;s hostname to a unique non-routable virtual IP (VIP),
|
||
if it is a service of type <code>clusterIP</code>. The <code>kube-proxy</code> on each node
|
||
maps this VIP to a set of pods of the service, and forwards the traffic
|
||
to one of them selected at random. When using a service mesh, the
|
||
sidecar works similarly to the <code>kube-proxy</code> as far as traffic forwarding
|
||
is concerned.</p>
|
||
<p>The following diagram depicts the role of DNS today:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:57.00636942675159%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/dns-proxy/role-of-dns-today.png" title="Role of DNS in Istio, today">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/dns-proxy/role-of-dns-today.png" alt="Role of DNS in Istio, today" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Role of DNS in Istio, today</figcaption>
|
||
</figure>
|
||
<h2 id="problems-posed-by-dns">Problems posed by DNS</h2>
|
||
<p>While the role of DNS within the service mesh may seem insignificant,
|
||
it has consistently stood in the way of expanding the mesh to VMs and
|
||
enabling seamless multicluster access.</p>
|
||
<h3 id="vm-access-to-kubernetes-services">VM access to Kubernetes services</h3>
|
||
<p>Consider the case of a VM with a sidecar. As shown in the illustration
|
||
below, applications on the VM look up the IP addresses of services
|
||
inside the Kubernetes cluster as they typically have no access to the
|
||
cluster&rsquo;s DNS server.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.37837837837838%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/dns-proxy/vm-dns-resolution-issues.png" title="DNS resolution issues on VMs accessing Kubernetes services">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/dns-proxy/vm-dns-resolution-issues.png" alt="DNS resolution issues on VMs accessing Kubernetes services" />
|
||
</a>
|
||
</div>
|
||
<figcaption>DNS resolution issues on VMs accessing Kubernetes services</figcaption>
|
||
</figure>
|
||
<p>It is technically possible to use <code>kube-dns</code> as a name server on the VM if one is
|
||
willing to engage in some convoluted workarounds involving <code>dnsmasq</code> and
|
||
external exposure of <code>kube-dns</code> using <code>NodePort</code> services: assuming you
|
||
manage to convince your cluster administrator to do so. Even so, you are
|
||
opening the door to a host of <a href="https://blog.aquasec.com/dns-spoofing-kubernetes-clusters">security
|
||
issues</a>. At
|
||
the end of the day, these are point solutions that are typically out
|
||
of scope for those with limited organizational capability and domain
|
||
expertise.</p>
|
||
<h3 id="external-tcp-services-without-vips">External TCP services without VIPs</h3>
|
||
<p>It is not just the VMs in the mesh that suffer from the DNS issue. For
|
||
the sidecar to accurately distinguish traffic between two different
|
||
TCP services that are outside the mesh, the services must be on
|
||
different ports or they need to have a globally unique VIP, much like
|
||
the <code>clusterIP</code> assigned to Kubernetes services. But what if there is
|
||
no VIP? Cloud hosted services like hosted databases, typically do not
|
||
have a VIP. Instead, the provider&rsquo;s DNS server returns one of the
|
||
instance IPs that can then be directly accessed by the
|
||
application. For example, consider the two service entries below,
|
||
pointing to two different AWS RDS services:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: db1
|
||
namespace: ns1
|
||
spec:
|
||
hosts:
|
||
- mysql-instance1.us-east-1.rds.amazonaws.com
|
||
ports:
|
||
- name: mysql
|
||
number: 3306
|
||
protocol: TCP
|
||
resolution: DNS
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: db2
|
||
namespace: ns1
|
||
spec:
|
||
hosts:
|
||
- mysql-instance2.us-east-1.rds.amazonaws.com
|
||
ports:
|
||
- name: mysql
|
||
number: 3306
|
||
protocol: TCP
|
||
resolution: DNS
|
||
</code></pre>
|
||
<p>The sidecar has a single listener on <code>0.0.0.0:3306</code> that looks up the
|
||
IP address of <code>mysql-instance1.us-east1.rds.amazonaws.com</code> from public
|
||
DNS servers and forwards traffic to it. It cannot route traffic to
|
||
<code>db2</code> as it has no way of distinguishing whether traffic arriving at
|
||
<code>0.0.0.0:3306</code> is bound for <code>db1</code> or <code>db2</code>. The only way to accomplish
|
||
this is to set the resolution to <code>NONE</code> causing the sidecar to
|
||
<em>blindly forward any traffic</em> on port <code>3306</code> to the original IP
|
||
requested by the application. This is akin to punching a hole in the
|
||
firewall allowing all traffic to port <code>3306</code> irrespective of the
|
||
destination IP. To get traffic flowing, you are now forced to
|
||
compromise on the security posture of your system.</p>
|
||
<h3 id="resolving-dns-for-services-in-remote-clusters">Resolving DNS for services in remote clusters</h3>
|
||
<p>The DNS limitations of a multicluster mesh are well known. Services in
|
||
one cluster cannot lookup the IP addresses of services in other
|
||
clusters, without clunky workarounds such as creating stub services in
|
||
the caller namespace.</p>
|
||
<h2 id="taking-control-of-dns">Taking control of DNS</h2>
|
||
<p>All in all, DNS has been a thorny issue in Istio for a while. It was
|
||
time to slay the beast. We (the Istio networking team) decided to
|
||
tackle the problem once and for all in a way that is completely
|
||
transparent to you, the end user. Our first attempt involved utilizing
|
||
Envoy&rsquo;s DNS proxy. It turned out to be very unreliable, and
|
||
disappointing overall due to the general lack of sophistication in
|
||
the c-ares DNS library used by Envoy. Determined to solve the
|
||
problem, we decided to implement the DNS proxy in the Istio sidecar
|
||
agent, written in Go. We were able to optimize the implementation to
|
||
handle all the scenarios that we wanted to tackle without compromising
|
||
on scale and stability. The Go DNS library we use is the same one
|
||
used by scalable DNS implementations such as CoreDNS, Consul,
|
||
Mesos, etc. It has been battle tested in production for scale and stability.</p>
|
||
<p>Starting with Istio 1.8, the Istio agent on the sidecar will ship with
|
||
a caching DNS proxy, programmed dynamically by Istiod. Istiod pushes
|
||
the hostname-to-IP-address mappings for all the services that the
|
||
application may access based on the Kubernetes services and service
|
||
entries in the cluster. DNS lookup queries from the application are
|
||
transparently intercepted and served by the Istio agent in the pod or
|
||
VM. If the query is for a service within the mesh, <em>irrespective of
|
||
the cluster that the service is in</em>, the agent responds directly to the
|
||
application. If not, it forwards the query to the upstream name
|
||
servers defined in <code>/etc/resolv.conf</code>. The following diagram depicts
|
||
the interactions that occur when an application tries to access a
|
||
service using its hostname.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:41.07929515418502%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/dns-proxy/dns-interception-in-istio.png" title="Smart DNS proxying in Istio sidecar agent">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/dns-proxy/dns-interception-in-istio.png" alt="Smart DNS proxying in Istio sidecar agent" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Smart DNS proxying in Istio sidecar agent</figcaption>
|
||
</figure>
|
||
<p>As you will see in the following sections, <em>the DNS proxying feature
|
||
has had an enormous impact across many aspects of Istio.</em></p>
|
||
<h3 id="reduced-load-on-your-dns-servers-w-faster-resolution">Reduced load on your DNS servers w/ faster resolution</h3>
|
||
<p>The load on your cluster’s Kubernetes DNS server drops drastically as
|
||
almost all DNS queries are resolved within the pod by Istio. The
|
||
bigger the footprint of mesh on a cluster, the lesser the load on your
|
||
DNS servers. Implementing our own DNS proxy in the Istio agent has
|
||
allowed us to implement cool optimizations such as <a href="https://coredns.io/plugins/autopath/">CoreDNS
|
||
auto-path</a> without the
|
||
correctness issues that CoreDNS currently faces.</p>
|
||
<p>To understand the impact of this optimization, lets take a simple DNS
|
||
lookup scenario, in a standard Kubernetes cluster without any custom
|
||
DNS setup for pods - i.e., with the default setting of <code>ndots:5</code> in <code>/etc/resolv.conf</code>.
|
||
When your application starts a DNS lookup for
|
||
<code>productpage.ns1.svc.cluster.local</code>, it appends the DNS search
|
||
namespaces in <code>/etc/resolv.conf</code> (e.g., <code>ns1.svc.cluster.local</code>) as part
|
||
of the DNS query, before querying the host as-is. As a result, the
|
||
first DNS query that is actually sent out will look like
|
||
<code>productpage.ns1.svc.cluster.local.ns1.svc.cluster.local</code>, which will
|
||
inevitably fail DNS resolution when Istio is not involved. If your
|
||
<code>/etc/resolv.conf</code> has 5 search namespaces, the application will send
|
||
two DNS queries for each search namespace, one for the IPv4 <code>A</code> record
|
||
and another for the IPv6 <code>AAAA</code> record, and then a final pair of
|
||
queries with the exact hostname used in the code. <em>Before establishing the
|
||
connection, the application performs 12 DNS lookup queries for each host!</em></p>
|
||
<p>With Istio&rsquo;s implementation of the CoreDNS style auto-path technique,
|
||
the sidecar agent will detect the real hostname being queried within
|
||
the first query and return a <code>cname</code> record to
|
||
<code>productpage.ns1.svc.cluster.local</code> as part of this DNS response, as
|
||
well as the <code>A/AAAA</code> record for
|
||
<code>productpage.ns1.svc.cluster.local</code>. The application receiving this
|
||
response can now extract the IP address immediately and proceed to
|
||
establishing a TCP connection to that IP. <em>The smart DNS proxy in the
|
||
Istio agent dramatically cuts down the number of DNS queries from 12
|
||
to just 2!</em></p>
|
||
<h3 id="vms-to-kubernetes-integration">VMs to Kubernetes integration</h3>
|
||
<p>Since the Istio agent performs local DNS resolution for services
|
||
within the mesh, DNS lookup queries for Kubernetes services from VMs will now
|
||
succeed without requiring clunky workarounds for exposing <code>kube-dns</code>
|
||
outside the cluster. The ability to seamlessly resolve internal
|
||
services in a cluster will now simplify your monolith to microservice
|
||
journey, as the monolith on VMs can now access microservices on
|
||
Kubernetes without additional levels of indirection via API gateways.</p>
|
||
<h3 id="automatic-vip-allocation-where-possible">Automatic VIP allocation where possible</h3>
|
||
<p>You may ask, how does this DNS functionality in the agent solve the
|
||
problem of distinguishing between multiple external TCP services
|
||
without VIPs on the same port?</p>
|
||
<p>Taking inspiration from Kubernetes, Istio will now automatically
|
||
allocate non-routable VIPs (from the Class E subnet) to such services
|
||
as long as they do not use a wildcard host. The Istio agent on the
|
||
sidecar will use the VIPs as responses to the DNS lookup queries from
|
||
the application. Envoy can now clearly distinguish traffic bound for
|
||
each external TCP service and forward it to the right target. With the
|
||
introduction of the DNS proxying, you will no longer need to use
|
||
<code>resolution: NONE</code> for non-wildcard TCP services, improving your
|
||
overall security posture. Istio cannot help much with wildcard
|
||
external services (e.g., <code>*.us-east1.rds.amazonaws.com</code>). You will
|
||
have to resort to NONE resolution mode to handle such services.</p>
|
||
<h3 id="multicluster-dns-lookup">Multicluster DNS lookup</h3>
|
||
<p>For the adventurous lot, attempting to weave a multicluster mesh where
|
||
applications directly call internal services of a namespace in a
|
||
remote cluster, the DNS proxy functionality comes in quite handy. Your
|
||
applications can <em>resolve Kubernetes services on any cluster in any
|
||
namespace</em>, without the need to create stub Kubernetes services in
|
||
every cluster.</p>
|
||
<p>The benefits of the DNS proxy extend beyond the multicluster models
|
||
that are currently described in Istio today. At Tetrate, we use this
|
||
mechanism extensively in our customers&rsquo; multicluster deployments to
|
||
enable sidecars to resolve DNS for hosts exposed at ingress gateways
|
||
of all the clusters in a mesh, and access them over mutual TLS.</p>
|
||
<h2 id="concluding-thoughts">Concluding thoughts</h2>
|
||
<p>The problems caused by lack of control over DNS have often been
|
||
overlooked and ignored in its entirety when it comes to weaving a mesh
|
||
across many clusters, different environments, and integrating external
|
||
services. The introduction of a caching DNS proxy in the Istio sidecar
|
||
agent solves these issues. Exercising control over the
|
||
application’s DNS resolution allows Istio to accurately identify the
|
||
target service to which traffic is bound, and enhance the overall
|
||
security, routing, and telemetry posture in Istio within and across
|
||
clusters.</p>
|
||
<p>Smart DNS proxying is enabled in the <code>preview</code>
|
||
profile in Istio 1.8. Please try it out!</p></description><pubDate>Thu, 12 Nov 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/dns-proxy/</link><author>Shriram Rajagopalan (Tetrate.io) on behalf of Istio Networking WG</author><guid isPermaLink="true">/v1.12/blog/2020/dns-proxy/</guid><category>dns</category><category>sidecar</category><category>multicluster</category><category>vm</category><category>external services</category></item><item><title>2020 Steering Committee Election Results</title><description><p>Last month, we <a href="../steering-changes/">announced a revision to our Steering Committee charter</a>, opening up governance roles to more contributors and community members. The Steering Committee now consists of 9 proportionally-allocated Contribution Seats, and 4 elected Community Seats.</p>
|
||
<p>We have now concluded our <a href="https://github.com/istio/community/tree/master/steering/elections/2020">inaugural election</a> for the Community Seats, and we&rsquo;re excited to welcome the following new members to the Committee:</p>
|
||
<ul>
|
||
<li><a href="https://github.com/istio/community/blob/master/steering/elections/2020/nrjpoddar.md">Neeraj Poddar</a> (Aspen Mesh)</li>
|
||
<li><a href="https://github.com/istio/community/blob/master/steering/elections/2020/zackbutcher.md">Zack Butcher</a> (Tetrate)</li>
|
||
<li><a href="https://github.com/istio/community/blob/master/steering/elections/2020/ceposta.md">Christian Posta</a> (Solo.io)</li>
|
||
<li><a href="https://github.com/istio/community/blob/master/steering/elections/2020/hzxuzhonghu.md">Zhonghu Xu</a> (Huawei)</li>
|
||
</ul>
|
||
<p>They join Contribution Seat holders from Google, IBM/Red Hat and Salesforce. We now have representation from 7 organizations on Steering, reflecting the breadth of our contributor ecosystem.</p>
|
||
<p>Thank you to everyone who participated in the election process. The next election will be in July 2021.</p></description><pubDate>Tue, 29 Sep 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/steering-election-results/</link><author>Istio Steering Committee</author><guid isPermaLink="true">/v1.12/blog/2020/steering-election-results/</guid><category>istio</category><category>steering</category><category>governance</category><category>community</category><category>election</category></item><item><title>Large Scale Security Policy Performance Tests</title><description>
|
||
<h2 id="overview">Overview</h2>
|
||
<p>Istio has a wide range of security policies which can be easily configured into systems of services. As the number of applied policies increases, it is important to understand the relationship of latency, memory usage, and CPU usage of the system.</p>
|
||
<p>This blog post goes over common security policies use cases and how the number of security policies or the number of specific rules in a security policy can affect the overall latency of requests.</p>
|
||
<h2 id="setup">Setup</h2>
|
||
<p>There are a wide range of security policies and many more combinations of those policies. We will go over 6 of the most commonly used test cases.</p>
|
||
<p>The following test cases are run in an environment which consists of a <a href="https://fortio.org/">Fortio</a> client sending requests to a Fortio server, with a baseline of no Envoy sidecars deployed. The following data was gathered by using the <a href="https://github.com/istio/tools/tree/master/perf/benchmark">Istio performance benchmarking tool</a>.
|
||
<figure style="width:55%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/istio_setup.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/istio_setup.svg" alt="Environment setup" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure></p>
|
||
<p>In these test cases, requests either do not match any rules or match only the very last rule in the security policies. This ensures that the RBAC filter is applied to all policy rules, and never matches a policy rule before before viewing all the policies. Even though this is not necessarily what will happen in your own system, this policy setup provides data for the worst possible performance of each test case.</p>
|
||
<h2 id="test-cases">Test cases</h2>
|
||
<ol>
|
||
<li><p>Mutual TLS STRICT vs plaintext.</p></li>
|
||
<li><p>A single authorization policy with a variable number of principal rules as well as a <code>PeerAuthentication</code> policy. The principal rule is dependent on the <code>PeerAuthentication</code> policy being applied to the system.</p></li>
|
||
<li><p>A single authorization policy with a variable number of <code>requestPrincipal</code> rules as well as a <code>RequestAuthentication</code> policy. The <code>requestPrincipal</code> is dependent on the <code>RequestAuthentication</code> policy being applied to the system.</p></li>
|
||
<li><p>A single authorization policy with a variable number of <code>paths</code> vs <code>sourceIP</code> rules.</p></li>
|
||
<li><p>A variable number of authorization policies consisting of a single path or <code>sourceIP</code> rule.</p></li>
|
||
<li><p>A single <code>RequestAuthentication</code> policy with variable number of <code>JWTRules</code> rules.</p></li>
|
||
</ol>
|
||
<h2 id="data">Data</h2>
|
||
<p>The y-axis of each test is the latency in milliseconds, and the x-axis is the number of concurrent connections. The x-axis of each graph consists of 3 data points that represent a small load (qps=100, conn=8), medium load (qps=500, conn=32), and large load (qps=1000, conn=64).</p>
|
||
<div id="tabset-blog-2020-large-scale-security-policy-performance-tests-1" role="tablist" class="tabset ">
|
||
<div class="tab-strip" data-category-name="platform" ><button aria-selected="true" data-category-value="one"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-tab" role="tab"><span>MTLS vs plainText</span>
|
||
</button><button tabindex="-1" data-category-value="two"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-tab" role="tab"><span>AuthZ mTLS SourcePrincipals</span>
|
||
</button><button tabindex="-1" data-category-value="three"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-tab" role="tab"><span>AuthZ JWT RequestPrincipal</span>
|
||
</button><button tabindex="-1" data-category-value="four"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-tab" role="tab"><span>AuthZ sourceIP</span>
|
||
</button><button tabindex="-1" data-category-value="five"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-tab" role="tab"><span>AuthZ paths</span>
|
||
</button><button tabindex="-1" data-category-value="six"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-tab" role="tab"><span>RequestAuthN JWT Issuer</span>
|
||
</button><button tabindex="-1" data-category-value="seven"
|
||
aria-controls="tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-panel" id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-tab" role="tab"><span>Variable AuthZ</span>
|
||
</button></div>
|
||
<div class="tab-content"><div id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-tab">
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/mtls_plaintext.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/mtls_plaintext.svg" alt="MTLS vs plaintext" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The difference of latency between MTLS mode STRICT and plaintext is very small in lower loads. As the <code>qps</code> and <code>conn</code> increase, the latency of requests with MTLS STRICT increases. The additional latency increased in larger loads is minimal compared to that of the increase from having no sidecars to having sidecars in the plaintext.</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-tab">
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_principals.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_principals.svg" alt="Authorization policy variable number of principals" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>For Authorization policies with 10 vs 1000 principal rules, the latency increase of 10 principal rules compared to no policies is greater than the latency increase of 1000 principals compared to 10 principals.</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-tab">
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_requestPrincipals.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_requestPrincipals.svg" alt="Authorization policy with variable principals" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
For Authorization policies with a variable number of <code>requestPrincipal</code> rules, the latency increase of 10 <code>requestPrincipal</code> rules compared to no policies is nearly the same as the latency increase of 1000 <code>requestPrincipal</code> rules compared to 10 <code>requestPrincipal</code> rules.</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-tab">
|
||
<p><figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_sourceIP.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_sourceIP.svg" alt="Authorization policy with variable `sourceIP` rules" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The latency increase of a single <code>AuthZ</code> policy with 10 <code>sourceIP</code> rules is not proportional to the latency increase of a single <code>AuthZ</code> policy with 1000 <code>sourceIP</code> rules compared to the system with sidecar and no policies.</p>
|
||
<p><figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg" alt="Authorization policy with both paths and `sourceIP`" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The latency increase of a variable number of <code>sourceIP</code> rules is marginally greater than that of path rules.</p>
|
||
</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-tab">
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_paths.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_paths.svg" alt="Authorization policy with variable number of paths" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The latency increase of a single <code>AuthZ</code> policy with 10 path rules is not proportional to the latency increase of a single <code>AuthZ</code> policy with 1000 path rules compared to the system with sidecar and no policies. This trend is similar to that of <code>sourceIP</code> rules.
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg" alt="Authorization policy with both paths and `sourceIP`" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The latency of a variable number of paths rules is marginally lesser than that of <code>sourceIP</code> rules.</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-tab">
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/RequestAuthN_jwks.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/RequestAuthN_jwks.svg" alt="Request Authentication with variable number of JWT issuers" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The latency of a single JWT issuer is comparable to that of no policies, but as the number of JWT issuers increase, the latency increases disproportionately.</div><div hidden id="tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-tab">
|
||
<p>To test how the number of Authorization policies affect runtime, the tests can be broken into two cases:</p>
|
||
<ol>
|
||
<li><p>Every Authorization policy has a single <code>sourceIP</code> rule.</p></li>
|
||
<li><p>Every Authorization policy has a single path rule.</p></li>
|
||
</ol>
|
||
<p><figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_sourceIP.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_sourceIP.svg" alt="Authorization policy with variable number of policies, with `sourceIP` rule" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<figure style="width:90%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.34%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_paths.svg" title="">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_paths.svg" alt="Authorization policy with variable number of policies, with path rule" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
The overall trends of both graphs are similar. This is consistent to the paths vs <code>sourceIP</code> data, which showed that the latency is marginally greater for <code>sourceIP</code> rules than that of path rules.</p>
|
||
</div></div>
|
||
</div>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<ul>
|
||
<li><p>In general, adding security policies does not add relatively high overhead to the system. The policies that add the most latency include:</p>
|
||
<ol>
|
||
<li><p>Authorization policy with <code>JWTRules</code> rules.</p></li>
|
||
<li><p>Authorization policy with <code>requestPrincipal</code> rules.</p></li>
|
||
<li><p>Authorization policy with principals rules.</p></li>
|
||
</ol></li>
|
||
<li><p>In lower loads (requests with lower qps and conn) the difference in latency for most policies is minimal.</p></li>
|
||
<li><p>Envoy proxy sidecars increase latency more than most policies, even if the policies are large.</p></li>
|
||
<li><p>The latency increase of extremely large policies is relatively similar to the latency increase of adding Envoy proxy sidecars compared to that of no sidecars.</p></li>
|
||
<li><p>Two different tests determined that the <code>sourceIP</code> rule is marginally slower than a path rule.</p></li>
|
||
</ul>
|
||
<p>If you are interested in creating your own large scale security policies and running performance tests with them, see the <a href="https://github.com/istio/tools/tree/master/perf/benchmark/security/generate_policies">performance benchmarking tool README</a>.</p>
|
||
<p>If you are interested in reading more about the security policies tests, see <a href="https://docs.google.com/document/d/1ZP9eQ_2EJEG12xnfsoo7125FDN38r62iqY1PUn9Dz-0/edit?usp=sharing">our design doc</a>. If you don&rsquo;t already have access, you can <a href="/v1.12/get-involved/">join the Istio team drive</a>.</p></description><pubDate>Tue, 15 Sep 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/large-scale-security-policy-performance-tests/</link><author>Michael Eizaguirre (Google), Yangmin Zhu (Google), Carolyn Hu (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/large-scale-security-policy-performance-tests/</guid><category>test</category><category>security policy</category><category>performance</category></item><item><title>Deploying Istio Control Planes Outside the Mesh</title><description>
|
||
<h2 id="overview">Overview</h2>
|
||
<p>From experience working with various service mesh users and vendors, we believe there are 3 key personas for a typical service mesh:</p>
|
||
<ul>
|
||
<li><p>Mesh Operator, who manages the service mesh control plane installation and upgrade.</p></li>
|
||
<li><p>Mesh Admin, often referred as Platform Owner, who owns the service mesh platform and defines the overall strategy and implementation for service owners to adopt service mesh.</p></li>
|
||
<li><p>Mesh User, often referred as Service Owner, who owns one or more services in the mesh.</p></li>
|
||
</ul>
|
||
<p>Prior to version 1.7, Istio required the control plane to run in one of the <span class="term" data-title="Primary Cluster" data-body="&lt;p&gt;A primary cluster is a &lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;cluster&lt;/a&gt; with a
|
||
&lt;a href=&#34;/docs/reference/glossary/#control-plane&#34;&gt;control plane&lt;/a&gt;. A single
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;mesh&lt;/a&gt; can have more than
|
||
one primary cluster for HA or to reduce latency. Primary clusters can act as the
|
||
control plane for &lt;a href=&#34;/docs/reference/glossary/#remote-cluster&#34;&gt;remote clusters&lt;/a&gt;.&lt;/p&gt;
|
||
">primary clusters</span> in the mesh, leading to a lack of separation between the mesh operator and the mesh admin. Istio 1.7 introduces a new <span class="term" data-title="External Control Plane" data-body="&lt;p&gt;An external control plane is a &lt;a href=&#34;/docs/reference/glossary/#control-plane&#34;&gt;control plane&lt;/a&gt;
|
||
that externally manages mesh workloads running in their own &lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;clusters&lt;/a&gt;
|
||
or other infrastructure. The control plane may, itself, be deployed in a cluster, although not
|
||
in one of the clusters that is part of the mesh it&amp;rsquo;s controlling.
|
||
Its purpose is to cleanly separate the control plane from the data plane of a mesh.&lt;/p&gt;
|
||
">external control plane</span> deployment model which enables mesh operators to install and manage mesh control planes on separate external clusters. This deployment model allows a clear separation between mesh operators and mesh admins. Istio mesh operators can now run Istio control planes for mesh admins while mesh admins can still control the configuration of the control plane without worrying about installing or managing the control plane. This model is transparent to mesh users.</p>
|
||
<h2 id="external-control-plane-deployment-model">External control plane deployment model</h2>
|
||
<p>After installing Istio using the <a href="/v1.12/docs/setup/install/istioctl/#install-istio-using-the-default-profile">default installation profile</a>, you will have an Istiod control plane installed in a single cluster like the diagram below:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:40.78842240615207%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/new-deployment-model/single-cluster.svg" title="Single cluster Istio mesh">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/new-deployment-model/single-cluster.svg" alt="Istio mesh in a single cluster" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio mesh in a single cluster</figcaption>
|
||
</figure>
|
||
<p>With the new deployment model in Istio 1.7, it&rsquo;s possible to run Istiod on an external cluster, separate from the mesh services as shown in the diagram below. The external control plane cluster is owned by the mesh operator while the mesh admin owns the cluster running services deployed in the mesh. The mesh admin has no access to the external control plane cluster. Mesh operators can follow the <a href="https://github.com/istio/istio/wiki/External-Istiod-single-cluster-steps">external istiod single cluster step by step guide</a> to explore more on this. (Note: In some internal discussions among Istio maintainers, this model was previously referred to as &ldquo;central istiod&rdquo;.)</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:47.926329500847174%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/new-deployment-model/single-cluster-external-Istiod.svg" title="Single cluster Istio mesh with Istiod outside">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/new-deployment-model/single-cluster-external-Istiod.svg" alt="Istio mesh in a single cluster with Istiod outside" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Single cluster Istio mesh with Istiod in an external control plane cluster</figcaption>
|
||
</figure>
|
||
<p>Mesh admins can expand the service mesh to multiple clusters, which are managed by the same Istiod running in the external cluster. None of the mesh clusters are <span class="term" data-title="Primary Cluster" data-body="&lt;p&gt;A primary cluster is a &lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;cluster&lt;/a&gt; with a
|
||
&lt;a href=&#34;/docs/reference/glossary/#control-plane&#34;&gt;control plane&lt;/a&gt;. A single
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;mesh&lt;/a&gt; can have more than
|
||
one primary cluster for HA or to reduce latency. Primary clusters can act as the
|
||
control plane for &lt;a href=&#34;/docs/reference/glossary/#remote-cluster&#34;&gt;remote clusters&lt;/a&gt;.&lt;/p&gt;
|
||
">primary clusters</span>, in this case. They are all <span class="term" data-title="Remote Cluster" data-body="&lt;p&gt;A remote cluster is a &lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;cluster&lt;/a&gt; that
|
||
connects to a &lt;a href=&#34;/docs/reference/glossary/#control-plane&#34;&gt;control plane&lt;/a&gt;
|
||
residing outside of the cluster. A remote cluster can connect to a control plane
|
||
running in a &lt;a href=&#34;/docs/reference/glossary/#primary-cluster&#34;&gt;primary cluster&lt;/a&gt;
|
||
or to an &lt;a href=&#34;/docs/reference/glossary/#external-control-plane&#34;&gt;external control plane&lt;/a&gt;.&lt;/p&gt;
|
||
">remote clusters</span>. However, one of them also serves as the Istio configuration cluster, in addition to running services. The external control plane reads Istio configurations from the <code>config cluster</code> and Istiod pushes configuration to the data plane running in both the config cluster and other remote clusters as shown in the diagram below.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.93126790115233%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/new-deployment-model/multiple-clusters-external-Istiod.svg" title="Multicluster Istio mesh with Istiod outside">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/new-deployment-model/multiple-clusters-external-Istiod.svg" alt="Multicluster Istio mesh with Istiod outside" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Multicluster Istio mesh with Istiod in an external control plane cluster</figcaption>
|
||
</figure>
|
||
<p>Mesh operators can further expand this deployment model to manage multiple Istio control planes from an external cluster running multiple Istiod control planes:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.55366354432676%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/new-deployment-model/multiple-external-Istiods.svg" title="Multiple single clusters Istio meshes with Istiod outside">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/new-deployment-model/multiple-external-Istiods.svg" alt="Istio meshes in single clusters with Istiod outside" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Multiple single clusters with multiple Istiod control planes in an external control plane cluster</figcaption>
|
||
</figure>
|
||
<p>In this case, each Istiod manages its own remote cluster(s). Mesh operators can even install their own Istio mesh in the external control plane cluster and configure its <code>istio-ingress</code> gateway to route traffic from remote clusters to their corresponding Istiod control planes. To learn more about this, check out <a href="https://github.com/istio/istio/wiki/External-Istiod-single-cluster-steps#deploy-istio-mesh-on-external-control-plane-cluster-to-manage-traffic-to-istiod-deployments">these steps</a>.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>The external control plane deployment model enables the Istio control plane to be run and managed by mesh operators who have operational expertise in Istio, and provides a clean separation between service mesh control and data planes. Mesh operators can run the control plane in their own clusters or other environments, providing the control plane as a service to mesh admins. Mesh operators can run multiple Istiod control planes in a single cluster, deploying their own Istio mesh and using <code>istio-ingress</code> gateways to control access to these Istiod control planes. Through the examples provided here, mesh operators can explore different implementation choices and choose what works best for them.</p>
|
||
<p>This new model reduces complexity for mesh admins by allowing them to focus on mesh configurations without operating the control plane themselves. Mesh admins can continue to configure mesh-wide settings and Istio resources without any access to external control plane clusters. Mesh users can continue to interact with the service mesh without any changes.</p></description><pubDate>Thu, 27 Aug 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/new-deployment-model/</link><author>Lin Sun (IBM), Iris Ding (IBM)</author><guid isPermaLink="true">/v1.12/blog/2020/new-deployment-model/</guid><category>istiod</category><category>deployment model</category><category>install</category><category>deploy</category><category>1.7</category></item><item><title>Introducing the new Istio steering committee</title><description>
|
||
<p>Today, the Istio project is pleased to announce a new revision to its steering charter, which opens up governance roles to more contributors and community members. This revision solidifies our commitment to open governance, ensuring that the community around the project will always be able to steer its direction, and that no one company has majority voting control over the project.</p>
|
||
<p>The Istio Steering Committee oversees the administrative aspects of the project and sets the marketing direction. From the earliest days of the project, it was bootstrapped with members from Google and IBM, the two founders and largest contributors, with the explicit intention that other seats would be added. We are very happy to deliver on that promise today, with a new charter designed to reward contribution and community.</p>
|
||
<p>The new Steering Committee consists of 13 seats: 9 proportionally allocated <strong>Contribution Seats</strong>, and 4 elected <strong>Community Seats</strong>.</p>
|
||
<h2 id="contribution-seats">Contribution Seats</h2>
|
||
<p>The direction of a project is set by the people who contribute to it. We&rsquo;ve designed our committee to reflect that, with 9 seats to be attributed in proportion to contributions made to Istio in the previous 12 months. In Kubernetes, the mantra was &ldquo;chop wood, carry water,&rdquo; and we similarly want to reward companies who are fueling the growth of the project with contributions.</p>
|
||
<p>This year, we&rsquo;ve chosen to use <strong>merged pull requests</strong> as our <a href="https://github.com/istio/community/blob/master/steering/CONTRIBUTION-FORMULA.md">proxy for proportional contribution</a>. We know that no measure of contribution is perfect, and as such we will explicitly reconsider the formula every year. (Other measures we considered, including commits, comments, and actions, gave the same results for this period.)</p>
|
||
<p>In order to ensure corporate diversity, there will always be a minimum of three companies represented in Contribution Seats.</p>
|
||
<h2 id="community-seats">Community Seats</h2>
|
||
<p>There are many wonderful contributors to the Istio community, including developers, SREs and mesh admins, working for companies large and small. We wanted to ensure that their voices were included, both in terms of representation and selection.</p>
|
||
<p>We have added 4 seats for representatives from 4 different organizations, who are not represented in the Contribution Seat allocation. These seats will be voted on by the Istio community in an <a href="https://github.com/istio/community/tree/master/steering/elections">annual election</a>.</p>
|
||
<p>Any <a href="https://github.com/istio/community/blob/master/ROLES.md#member">project member</a> can stand for election; all Istio members who have been active in the last 12 months are eligible to vote.</p>
|
||
<h2 id="corporate-diversification-is-the-goal">Corporate diversification is the goal</h2>
|
||
<p>Our goal is that the governance of Istio reflects the diverse set of contributors. Both Google and IBM/Red Hat will have fewer seats than previously, and the new model is designed to ensure representation from at least 7 different organizations.</p>
|
||
<p>We also want to make it clear that no single vendor, no matter how large their contribution, has majority voting control over the Istio project. We&rsquo;ve implemented a cap on the number of seats a company can hold, such that they can neither unanimously win a vote, or veto a decision of the rest of the committee.</p>
|
||
<h2 id="the-2020-committee-and-election">The 2020 committee and election</h2>
|
||
<p>According to our <a href="https://docs.google.com/spreadsheets/d/1Dt-h9s8G7Wyt4r16ZVqcmdWXDuCaPC0kPS21BuAfCL8/edit#gid=0">seat allocation process</a>, this year Google will be allocated 5 seats and IBM/Red Hat will be allocated 3. As the third largest contributor to Istio in the last 12 months, we are pleased to announce that Salesforce has earned a Contribution Seat.</p>
|
||
<p>The first <a href="https://github.com/istio/community/tree/master/steering/elections/2020">election for Community Seats</a> begins today. Members have two weeks to nominate themselves, and voting will run from 14 to 27 September. You can learn all about the election in the <code>istio/community</code> repository on GitHub. We&rsquo;re also hosting a special <a href="http://bit.ly/istiocommunitymeet">community meeting</a> this Thursday at 10:00 Pacific to discuss the changes and the election process. We&rsquo;d love to see you there!</p></description><pubDate>Mon, 24 Aug 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/steering-changes/</link><author>Istio Steering Committee</author><guid isPermaLink="true">/v1.12/blog/2020/steering-changes/</guid><category>istio</category><category>steering</category><category>governance</category><category>community</category><category>election</category></item><item><title>Using MOSN with Istio: an alternative data plane</title><description>
|
||
<p><a href="https://github.com/mosn/mosn">MOSN</a> (Modular Open Smart Network) is a network proxy server written in GoLang. It was built at <a href="https://www.antfin.com">Ant Group</a> as a sidecar/API Gateway/cloud-native Ingress/Layer 4 or Layer 7 load balancer etc. Over time, we&rsquo;ve added extra features, like a multi-protocol framework, multi-process plug-in mechanism, a DSL, and support for the <a href="https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol">xDS APIs</a>. Supporting xDS means we are now able to use MOSN as the network proxy for Istio. This configuration is not supported by the Istio project; for help, please see <a href="#learn-more">Learn More</a> below.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>In the service mesh world, using Istio as the control plane has become the mainstream. Because Istio was built on Envoy, it uses Envoy&rsquo;s data plane <a href="https://blog.envoyproxy.io/the-universal-data-plane-api-d15cec7a">APIs</a> (collectively known as the xDS APIs). These APIs have been standardized separately from Envoy, and so by implementing them in MOSN, we are able to drop in MOSN as a replacement for Envoy. Istio&rsquo;s integration of third-party data planes can be implemented in three steps, as follows.</p>
|
||
<ul>
|
||
<li>Implement xDS protocols to fulfill the capabilities for data plane related services.</li>
|
||
<li>Build <code>proxyv2</code> images using Istio&rsquo;s script and set the relevant <code>SIDECAR</code> and other parameters.</li>
|
||
<li>Specify a specific data plane via the <code>istioctl</code> tool and set the proxy-related configuration.</li>
|
||
</ul>
|
||
<h2 id="architecture">Architecture</h2>
|
||
<p>MOSN has a layered architecture with four layers, NET/IO, Protocol, Stream, and Proxy, as shown in the following figure.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:45.77056778679027%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/mosn-proxy/mosn-arch.png" title="The architecture of MOSN">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/mosn-proxy/mosn-arch.png" alt="The architecture of MOSN" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The architecture of MOSN</figcaption>
|
||
</figure>
|
||
<ul>
|
||
<li>NET/IO acts as the network layer, monitoring connections and incoming packets, and as a mount point for the listener filter and network filter.</li>
|
||
<li>Protocol is the multi-protocol engine layer that examines packets and uses the corresponding protocol for decode/encode processing.</li>
|
||
<li>Stream does a secondary encapsulation of the decode packet into stream, which acts as a mount for the stream filter.</li>
|
||
<li>Proxy acts as a forwarding framework for MOSN, and does proxy processing on the encapsulated streams.</li>
|
||
</ul>
|
||
<h2 id="why-use-mosn">Why use MOSN?</h2>
|
||
<p>Before the service mesh transformation, we have expected that as the next generation of Ant Group&rsquo;s infrastructure, service mesh will inevitably bring revolutionary changes and evolution costs. We have a very ambitious blueprint: ready to integrate the original network and middleware various capabilities have been re-precipitated and polished to create a low-level platform for the next-generation architecture of the future, which will carry the responsibility of various service communications.</p>
|
||
<p>This is a long-term planning project that takes many years to build and meets the needs of the next five or even ten years, and cooperates to build a team that spans business, SRE, middleware, and infrastructure departments. We must have a network proxy forwarding plane with flexible expansion, high performance, and long-term evolution. Nginx and Envoy have a very long-term capacity accumulation and active community in the field of network agents. We have also borrowed from other excellent open source network agents such as Nginx and Envoy. At the same time, we have enhanced research and development efficiency and flexible expansion. Mesh transformation involves a large number of departments and R &amp; D personnel. We must consider the landing cost of cross-team cooperation. Therefore, we have developed a new network proxy MOSN based on GoLang in the cloud-native scenario. For GoLang&rsquo;s performance, we also did a full investigation and test in the early stage to meet the performance requirements of Ant Group&rsquo;s services.</p>
|
||
<p>At the same time, we received a lot of feedback and needs from the end user community. Everyone has the same needs and thoughts. So we combined the actual situation of the community and ourselves to conduct the research and development of MOSN from the perspective of satisfying the community and users. We believe that the open source competition is mainly competition between standards and specifications. We need to make the most suitable implementation choice based on open source standards.</p>
|
||
<h2 id="what-is-the-difference-between-mosn-and-istio-s-default-proxy">What is the difference between MOSN and Istio&rsquo;s default proxy?</h2>
|
||
<h3 id="differences-in-language-stacks">Differences in language stacks</h3>
|
||
<p>MOSN is written in GoLang. GoLang has strong guarantees in terms of production efficiency and memory security. At the same time, GoLang has an extensive library ecosystem in the cloud-native era. The performance is acceptable and usable in the service mesh scenario. Therefore, MOSN has a lower intellectual cost for companies and individuals using languages such as GoLang and Java.</p>
|
||
<h3 id="differentiation-of-core-competence">Differentiation of core competence</h3>
|
||
<ul>
|
||
<li>MOSN supports a multi-protocol framework, and users can easily access private protocols with a unified routing framework.</li>
|
||
<li>Multi-process plug-in mechanism, which can easily extend the plug-ins of independent MOSN processes through the plug-in framework, and do some other management, bypass and other functional module extensions.</li>
|
||
<li>Transport layer national secret algorithm support with Chinese encryption compliance, etc.</li>
|
||
</ul>
|
||
<h3 id="what-are-the-drawbacks-of-mosn">What are the drawbacks of MOSN</h3>
|
||
<ul>
|
||
<li>Because MOSN is written in GoLang, it doesn&rsquo;t have as good performance as Istio default proxy, but the performance is acceptable and usable in the service mesh scenario.</li>
|
||
<li>Compared with Istio default proxy, some features are not fully supported, such as WASM, HTTP3, Lua, etc. However, these are all in the <a href="https://docs.google.com/document/d/12lgyCW-GmlErr_ihvAO7tMmRe87i70bv2xqe4h2LUz4/edit?usp=sharing">roadmap</a> of MOSN, and the goal is to be fully compatible with Istio.</li>
|
||
</ul>
|
||
<h2 id="mosn-with-istio">MOSN with Istio</h2>
|
||
<p>The following describes how to set up MOSN as the data plane for Istio.</p>
|
||
<h2 id="setup-istio">Setup Istio</h2>
|
||
<p>You can download a zip file for your operating system from the <a href="https://github.com/istio/istio/releases/tag/1.5.2">Istio release</a> page. This file contains: the installation file, examples and the <code>istioctl</code> command line tool.
|
||
To download Istio (this example uses Istio 1.5.2) uses the following command.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export ISTIO_VERSION=1.5.2
|
||
$ curl -L https://istio.io/downloadIstio | sh -
|
||
</code></pre>
|
||
<p>The downloaded Istio package is named <code>istio-1.5.2</code> and contains:
|
||
- <code>install/kubernetes</code>: Contains YAML installation files related to Kubernetes.
|
||
- <code>examples/</code>: Contains example applications.
|
||
- <code>bin/</code>: Contains the istioctl client files.</p>
|
||
<p>Switch to the folder where Istio is located.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cd istio-$ISTIO_VERSION/
|
||
</code></pre>
|
||
<p>Add the <code>istioctl</code> client path to <code>$PATH</code> with the following command.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export PATH=$PATH:$(pwd)/bin
|
||
</code></pre>
|
||
<h2 id="setting-mosn-as-the-data-plane">Setting MOSN as the Data Plane</h2>
|
||
<p>It is possible to flexibly customize the Istio control plane and data plane configuration parameters using the <code>istioctl</code> command line tool. MOSN can be specified as the data plane for Istio using the following command.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply --set .values.global.proxy.image=&#34;mosnio/proxyv2:1.5.2-mosn&#34; --set meshConfig.defaultConfig.binaryPath=&#34;/usr/local/bin/mosn&#34;
|
||
</code></pre>
|
||
<p>Check that Istio-related pods and services are deployed successfully.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get svc -n istio-system
|
||
</code></pre>
|
||
<p>If the service <code>STATUS</code> is Running, then Istio has been successfully installed using MOSN and you can now deploy the Bookinfo sample.</p>
|
||
<h2 id="bookinfo-examples">Bookinfo Examples</h2>
|
||
<p>You can run the Bookinfo sample by following the <a href="https://katacoda.com/mosn/courses/istio/mosn-with-istio">MOSN with Istio tutorial</a> where you can find instructions for using MOSN and Istio. You can install MOSN and get to the same point you would have using the default Istio instructions with Envoy.</p>
|
||
<h2 id="moving-forward">Moving forward</h2>
|
||
<p>Next, MOSN will not only be compatible with the features of the latest version of Istio, but also evolve in the following aspects.</p>
|
||
<ul>
|
||
<li><em>As a microservices runtime</em>, MOSN oriented programming makes services lighter, smaller and faster.</li>
|
||
<li><em>Programmable</em>, support WASM.</li>
|
||
<li><em>More scenario support</em>, Cache Mesh/Message Mesh/Block-chain Mesh etc.</li>
|
||
</ul>
|
||
<p>MOSN is an open source project that anyone in the community can use, improve, and enjoy. We&rsquo;d love you to join us! <a href="https://github.com/mosn/community">Here</a> are a few ways to find out what&rsquo;s happening and get involved.</p>
|
||
<h2 id="learn-more">Learn More</h2>
|
||
<ul>
|
||
<li><a href="https://mosn.io/en">MOSN website</a></li>
|
||
<li><a href="https://mosn.io/en/docs/community/">MOSN community</a></li>
|
||
<li><a href="https://katacoda.com/mosn">MOSN tutorials</a></li>
|
||
</ul></description><pubDate>Tue, 28 Jul 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/mosn-proxy/</link><author>Wang Fakang (mosn.io)</author><guid isPermaLink="true">/v1.12/blog/2020/mosn-proxy/</guid><category>mosn</category><category>sidecar</category><category>proxy</category></item><item><title>Open and neutral: transferring our trademarks to the Open Usage Commons</title><description>
|
||
<p>Since <a href="/v1.12/news/releases/0.x/announcing-0.1/">day one</a>, the Istio project has believed in the importance of being contributor-run, open, transparent and available to all. In that spirit, Google is pleased to announce that it will be transferring ownership of the project’s trademarks to the new Open Usage Commons.</p>
|
||
<p>Istio is an open source project, released under the Apache 2.0 license. That means people can copy, modify, distribute, make, use and sell the source code. The only freedom people don&rsquo;t have under the Apache 2.0 license is to use the name Istio, or its logo, in a way that would confuse consumers.</p>
|
||
<p>As one of the founders of the project, Google is the current owner of the Istio trademark. While anyone who is using the software in accordance with the license can use the trademarks, the historic ownership has caused some confusion and uncertainty about who can use the name and how, and at times this confusion has been a barrier to community growth. So today, as part of Istio’s continued commitment to openness, Google is announcing that the Istio trademarks will be transferred to a new organization, the Open Usage Commons, to provide neutral, independent oversight of the marks.</p>
|
||
<h2 id="a-neutral-home-for-istio-s-trademarks">A neutral home for Istio’s trademarks</h2>
|
||
<p>The Open Usage Commons is a new organization that is focused solely on providing management and guidance of open source project trademarks in a way that is aligned with the <a href="https://opensource.org/osd">Open Source Definition</a>. For projects, particularly projects with robust ecosystems like Istio, ensuring that the trademark is available to anyone who is using the software in accordance with the license is important. The trademark allows maintainers to grow a community and use the name to do so. It also lets ecosystem partners create services on top of the project, and it enables developers to create tooling and integrations that reference the project. Maintainers, ecosystem partners, and developers alike must feel confident in their investments in Istio - for the long term. Google thinks having the Istio trademarks in the Open Usage Commons is the right way to give that clarity and provide that confidence.</p>
|
||
<p>The Open Usage Commons will work with the Istio Steering Committee to generate trademark usage guidelines. There will be no immediate changes to the Istio usage guidelines, and if you are currently using the Istio marks in a way that follows the existing brand guide, you can continue to do so.</p>
|
||
<p>You can learn more about <a href="https://openusage.org/faq">open source project IP and the Open Usage Commons</a> at <a href="https://openusage.org">openusage.org</a>.</p>
|
||
<h2 id="a-continued-commitment-to-open">A continued commitment to open</h2>
|
||
<p>The Open Usage Commons is focused on project trademarks; it does not address other facets of an open project, like rules around who gets decision-making votes. Similar to many projects in their early days, Istio’s committees started as small groups that stemmed from the founding companies. But Istio has grown and matured (last year Istio was <a href="https://octoverse.github.com/#fastest-growing-oss-projects-by-contributors">#4 on GitHub&rsquo;s list of fastest growing open source projects!</a>), and it is time for the next evolution of Istio’s governance.</p>
|
||
<p>Recently, <a href="https://aspenmesh.io/helping-istio-sail/">we were proud to appoint Neeraj Poddar, Co-founder &amp; Chief Architect of Aspen Mesh</a>, to the Technical Oversight Committee — the group responsible for all technical decision-making in the project. Neeraj is a long-time contributor to the project and served as a Working Group lead. The <a href="https://github.com/istio/community/blob/master/TECH-OVERSIGHT-COMMITTEE.md#committee-members">TOC is now made up of</a> 7 members from 4 different companies - Tetrate, IBM, Google &amp; now Aspen Mesh.</p>
|
||
<p>Our community is currently discussing how the Steering Committee, which oversees marketing and community activities, should be governed, to reflect the expanding community and ecosystem. If you have ideas for this new governance, visit the <a href="https://github.com/istio/community/pull/361">pull request on GitHub</a> where an active discussion is taking place.</p>
|
||
<p>In the last 12 months, Istio has had commits from <a href="https://istio.teststats.cncf.io/d/5/companies-table?var-period_name=Last%20year&amp;var-metric=commits">more than 100 organizations</a> and currently has <a href="http://eng.istio.io/maintainers">70 maintainers from 14 different companies</a>. This trend is the kind of contributor diversity the project’s founders intended, and nurturing it remains a priority. Google is excited about what the future holds for Istio, and hopes you’ll be a part of it.</p></description><pubDate>Wed, 08 Jul 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/open-usage/</link><author>Sean Suchter (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/open-usage/</guid><category>trademark</category><category>governance</category><category>steering</category></item><item><title>Reworking our Addon Integrations</title><description>
|
||
<p>Starting with Istio 1.6, we are introducing a new method for integration with telemetry addons, such as Grafana, Prometheus, Zipkin, Jaeger, and Kiali.</p>
|
||
<p>In previous releases, these addons were bundled as part of the Istio installation. This allowed users to quickly get started with Istio without any complicated configurations to install and integrate these addons. However, it came with some issues:</p>
|
||
<ul>
|
||
<li>The Istio addon installations were not as up to date or feature rich as upstream installation methods. Users were left missing out on some of the great features provided by these applications, such as:
|
||
<ul>
|
||
<li>Persistent storage</li>
|
||
<li>Features like <code>Alertmanager</code> for Prometheus</li>
|
||
<li>Advanced security settings</li>
|
||
</ul></li>
|
||
<li>Integration with existing deployments that were using these features was more challenging than it should be.</li>
|
||
</ul>
|
||
<h2 id="changes">Changes</h2>
|
||
<p>In order to address these gaps, we have made a number of changes:</p>
|
||
<ul>
|
||
<li><p>Added a new <a href="/v1.12/docs/ops/integrations/">Integrations</a> documentation section to explain which applications Istio can integrate with, how to use them, and best practices.</p></li>
|
||
<li><p>Reduced the amount of configuration required to set up telemetry addons</p>
|
||
<ul>
|
||
<li><p>Grafana dashboards are now <a href="/v1.12/docs/ops/integrations/grafana/#import-from-grafana-com">published to <code>grafana.com</code></a>.</p></li>
|
||
<li><p>Prometheus can now scrape all Istio pods <a href="/v1.12/docs/ops/integrations/prometheus/#option-2-metrics-merging">using standard <code>prometheus.io</code> annotations</a>. This allows most Prometheus deployments to work with Istio without any special configuration.</p></li>
|
||
</ul></li>
|
||
<li><p>Removed the bundled addon installations from <code>istioctl</code> and the operator. Istio does not install components that are not delivered by the Istio project. As a result, Istio will stop shipping installation artifacts related to addons. However, Istio will guarantee version compatibility where necessary. It is the user&rsquo;s responsibility to install these components by using the official <a href="/v1.12/docs/ops/integrations/">Integrations</a> documentation and artifacts provided by the respective projects. For demos, users can deploy simple YAML files from the <a href="https://github.com/istio/istio/tree/release-1.12/samples/addons"><code>samples/addons/</code> directory</a>.</p></li>
|
||
</ul>
|
||
<p>We hope these changes allow users to make the most of these addons so as to fully experience what Istio can offer.</p>
|
||
<h2 id="timeline">Timeline</h2>
|
||
<ul>
|
||
<li>Istio 1.6: The new demo deployments for telemetry addons are available under <code>samples/addons/</code> directory.</li>
|
||
<li>Istio 1.7: Upstream installation methods or the new samples deployment are the recommended installation methods. Installation by <code>istioctl</code> is deprecated.</li>
|
||
<li>Istio 1.8: Installation of addons by <code>istioctl</code> is removed.</li>
|
||
</ul></description><pubDate>Thu, 04 Jun 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/addon-rework/</link><author>John Howard (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/addon-rework/</guid><category>telemetry</category><category>addons</category><category>integrations</category><category>grafana</category><category>prometheus</category></item><item><title>Introducing Workload Entries</title><description>
|
||
<h2 id="introducing-workload-entries-bridging-kubernetes-and-vms">Introducing Workload Entries: Bridging Kubernetes and VMs</h2>
|
||
<p>Historically, Istio has provided great experience to workloads that run on Kubernetes, but it has been less smooth for other types of workloads, such as Virtual Machines (VMs) and bare metal. The gaps included the inability to declaratively specify the properties of a sidecar on a VM, inability to properly respond to the lifecycle changes of the workload (e.g., booting to not ready to ready, or health checks), and cumbersome DNS workarounds as the workloads are migrated into Kubernetes to name a few.</p>
|
||
<p>Istio 1.6 has introduced a few changes in how you manage non-Kubernetes workloads, driven by a desire to make it easier to gain Istio&rsquo;s benefits for use cases beyond containers, such as running traditional databases on a platform outside of Kubernetes, or adopting Istio&rsquo;s features for existing applications without rewriting them.</p>
|
||
<h3 id="background">Background</h3>
|
||
<p>Prior to Istio 1.6, non-containerized workloads were configurable simply as an IP address in a <code>ServiceEntry</code>, which meant that they only existed as part of a service. Istio lacked a first-class abstraction for these non-containerized workloads, something similar to how Kubernetes treats Pods as the fundamental unit of compute - a named object that serves as the collection point for all things related to a workload - name, labels, security properties, lifecycle status events, etc. Enter <code>WorkloadEntry</code>.</p>
|
||
<p>Consider the following <code>ServiceEntry</code> describing a service implemented by a few tens of VMs with IP addresses:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: svc1
|
||
spec:
|
||
hosts:
|
||
- svc1.internal.com
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
resolution: STATIC
|
||
endpoints:
|
||
- address: 1.1.1.1
|
||
- address: 2.2.2.2
|
||
....
|
||
</code></pre>
|
||
<p>If you wanted to migrate this service into Kubernetes in an active-active manner - i.e. launch a bunch of Pods, send a portion of the traffic to the Pods over Istio mutual TLS (mTLS) and send the rest to the VMs without sidecars - how would you do it? You would have needed to use a combination of a Kubernetes service, a virtual service, and a destination rule to achieve the behavior. Now, let&rsquo;s say you decided to add sidecars to these VMs, one by one, such that you want only the traffic to the VMs with sidecars to use Istio mTLS. If any other Service Entry happens to include the same VM in its addresses, things start to get very complicated and error prone.</p>
|
||
<p>The primary source of these complications is that Istio lacked a first-class definition of a non-containerized workload, whose properties can be described independently of the service(s) it is part of.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/workload-entry/workload-entry-first-example.svg" title="The Internal of Service Entries Pointing to Workload Entries">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/workload-entry/workload-entry-first-example.svg" alt="Service Entries Pointing to Workload Entries" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Internal of Service Entries Pointing to Workload Entries</figcaption>
|
||
</figure>
|
||
<h3 id="workload-entry-a-non-kubernetes-endpoint">Workload Entry: A Non-Kubernetes Endpoint</h3>
|
||
<p><code>WorkloadEntry</code> was created specifically to solve this problem. <code>WorkloadEntry</code> allows you to describe non-Pod endpoints that should still be part of the mesh, and treat them the same as a Pod. From here everything becomes easier, like enabling <code>MUTUAL_TLS</code> between workloads, whether they are containerized or not.</p>
|
||
<p>To create a <a href="/v1.12/docs/reference/config/networking/workload-entry/"><code>WorkloadEntry</code></a> and attach it to a <a href="/v1.12/docs/reference/config/networking/service-entry/"><code>ServiceEntry</code></a> you can do something like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: WorkloadEntry
|
||
metadata:
|
||
name: vm1
|
||
namespace: ns1
|
||
spec:
|
||
address: 1.1.1.1
|
||
labels:
|
||
app: foo
|
||
instance-id: vm-78ad2
|
||
class: vm
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: svc1
|
||
namespace: ns1
|
||
spec:
|
||
hosts:
|
||
- svc1.internal.com
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
resolution: STATIC
|
||
workloadSelector:
|
||
labels:
|
||
app: foo
|
||
</code></pre>
|
||
<p>This creates a new <code>WorkloadEntry</code> with a set of labels and an address, and a <code>ServiceEntry</code> that uses a <code>WorkloadSelector</code> to select all endpoints with the desired labels, in this case including the <code>WorkloadEntry</code> that are created for the VM.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/workload-entry/workload-entry-final.svg" title="The Internal of Service Entries Pointing to Workload Entries">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/workload-entry/workload-entry-final.svg" alt="Service Entries Pointing to Workload Entries" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Internal of Service Entries Pointing to Workload Entries</figcaption>
|
||
</figure>
|
||
<p>Notice that the <code>ServiceEntry</code> can reference both Pods and <code>WorkloadEntries</code>, using the same selector. VMs and Pods can now be treated identically by Istio, rather than being kept separate.</p>
|
||
<p>If you were to migrate some of your workloads to Kubernetes, and you choose to keep a substantial number of your VMs, the <code>WorkloadSelector</code> can select both Pods and VMs, and Istio will automatically load balance between them. The 1.6 changes also mean that <code>WorkloadSelector</code> syncs configurations between the Pods and VMs and removes the manual requirement to target both infrastructures with duplicate policies like mTLS and authorization.
|
||
The Istio 1.6 release provides a great starting point for what will be possible for the future of Istio. The ability to describe what exists outside of the mesh the same way you do with a Pod leads to added benefits like improved bootstrapping experience. However, these benefits are merely side effects. The core benefit is you can now have VMs, and Pods co-exist without any configuration needed to bridge the two together.</p></description><pubDate>Thu, 21 May 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/workload-entry/</link><author>Cynthia Coan (Tetrate), Shriram Rajagopalan (Tetrate), Tia Louden (Tetrate), John Howard (Google), Sven Mawson (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/workload-entry/</guid><category>vm</category><category>workloadentry</category><category>migration</category><category>1.6</category><category>baremetal</category><category>serviceentry</category><category>discovery</category></item><item><title>Safely Upgrade Istio using a Canary Control Plane Deployment</title><description>
|
||
<p>Canary deployments are a core feature of Istio. Users rely on Istio&rsquo;s traffic management features to safely control the rollout of new versions of their applications, while making use of Istio&rsquo;s rich telemetry to compare the performance of canaries. However, when it came to upgrading Istio, there was not an easy way to canary the upgrade, and due to the in-place nature of the upgrade, issues or changes found affect the entire mesh at once.</p>
|
||
<p>Istio 1.6 will support a new upgrade model to safely canary-deploy new versions of Istio. In this new model, proxies will associate with a specific control plane that they use. This allows a new version to deploy to the cluster with less risk - no proxies connect to the new version until the user explicitly chooses to. This allows gradually migrating workloads to the new control plane, while monitoring changes using Istio telemetry to investigate any issues, just like using <code>VirtualService</code> for workloads. Each independent control plane is referred to as a &ldquo;revision&rdquo; and has an <code>istio.io/rev</code> label.</p>
|
||
<h2 id="understanding-upgrades">Understanding upgrades</h2>
|
||
<p>Upgrading Istio is a complicated process. During the transition period between two versions, which might take a long time for large clusters, there are version differences between proxies and the control plane. In the old model the old and new control planes use the same Service, traffic is randomly distributed between the two, offering no control to the user. However, in the new model, there is not cross-version communication. Look at how the upgrade changes:</p>
|
||
<iframe src="https://docs.google.com/presentation/d/e/2PACX-1vR2R_Nd1XsjriBfwbqmcBc8KtdP4McDqNpp8S5v6woq28FnsW-kATBrKtLEG9k61DuBwTgFKLWyAxuK/embed?start=false&loop=true&delayms=3000" frameborder="0" width="960" height="569" allowfullscreen="true" mozallowfullscreen="true" webkitallowfullscreen="true"></iframe>
|
||
<h2 id="configuring">Configuring</h2>
|
||
<p>Control plane selection is done based on the sidecar injection webhook. Each control plane is configured to select objects with a matching <code>istio.io/rev</code> label on the namespace. Then, the upgrade process configures the pods to connect to a control plane specific to that revision. Unlike in the current model, this means that a given proxy connects to the same revision during its lifetime. This avoids subtle issues that might arise when a proxy switches which control plane it is connected to.</p>
|
||
<p>The new <code>istio.io/rev</code> label will replace the <code>istio-injection=enabled</code> label when using revisions. For example, if we had a revision named canary, we would label our namespaces that we want to use this revision with istio.io/rev=canary. See the <a href="/v1.12/docs/setup/upgrade">upgrade guide</a> for more information.</p></description><pubDate>Tue, 19 May 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/multiple-control-planes/</link><author>John Howard (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/multiple-control-planes/</guid><category>install</category><category>upgrade</category><category>revision</category><category>control plane</category></item><item><title>Direct encrypted traffic from IBM Cloud Kubernetes Service Ingress to Istio Ingress Gateway</title><description>
|
||
<p>In this blog post I show how to configure the <a href="https://cloud.ibm.com/docs/containers?topic=containers-ingress-about">Ingress Application Load Balancer (ALB)</a>
|
||
on <a href="https://www.ibm.com/cloud/kubernetes-service/">IBM Cloud Kubernetes Service (IKS)</a> to direct traffic to the Istio
|
||
ingress gateway, while securing the traffic between them using <span class="term" data-title="Mutual TLS Authentication" data-body="&lt;p&gt;Mutual TLS provides strong service-to-service authentication with built-in identity and credential management.
|
||
&lt;a href=&#34;/docs/concepts/security/#mutual-tls-authentication&#34;&gt;Learn more about mutual TLS authentication&lt;/a&gt;.&lt;/p&gt;
|
||
">mutual TLS authentication</span>.</p>
|
||
<p>When you use IKS without Istio, you may control your ingress traffic using the provided ALB. This ingress-traffic
|
||
routing is configured using a Kubernetes
|
||
<a href="https://kubernetes.io/docs/concepts/services-networking/ingress/">Ingress</a> resource with
|
||
<a href="https://cloud.ibm.com/docs/containers?topic=containers-ingress_annotation">ALB-specific annotations</a>. IKS provides a
|
||
DNS domain name, a TLS certificate that matches the domain, and a private key for the certificate. IKS stores the
|
||
certificates and the private key in a <a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes secret</a>.</p>
|
||
<p>When you start using Istio in your IKS cluster, the recommended method to send traffic to your Istio enabled workloads
|
||
is by using the <a href="/v1.12/docs/tasks/traffic-management/ingress/ingress-control/">Istio Ingress Gateway</a> instead of using the
|
||
<a href="https://kubernetes.io/docs/concepts/services-networking/ingress/">Kubernetes Ingress</a>. One of the main reasons to use
|
||
the Istio ingress gateway is the fact the ALB provided by IKS will not be able to communicate directly with the services
|
||
inside the mesh when you enable STRICT mutual TLS. During your transition to having only Istio ingress gateway as your
|
||
main entry point, you can continue to use the traditional Ingress for non-Istio services while using the Istio ingress
|
||
gateway for services that are part of the mesh.</p>
|
||
<p>IKS provides a convenient way for clients to access Istio ingress gateway by letting you
|
||
<a href="https://cloud.ibm.com/docs/containers?topic=containers-loadbalancer_hostname">register a new DNS subdomain</a> for the
|
||
Istio gateway&rsquo;s IP with an IKS command. The domain is in the following
|
||
<a href="https://cloud.ibm.com/docs/containers?topic=containers-loadbalancer_hostname#loadbalancer_hostname_format">format</a>:
|
||
<code>&lt;cluster_name&gt;-&lt;globally_unique_account_HASH&gt;-0001.&lt;region&gt;.containers.appdomain.cloud</code>, for example <code>mycluster-a1b2cdef345678g9hi012j3kl4567890-0001.us-south.containers.appdomain.cloud</code>. In the same way as for the ALB domain,
|
||
IKS provides a certificate and a private key, storing them in another Kubernetes secret.</p>
|
||
<p>This blog describes how you can chain together the IKS Ingress ALB and the Istio ingress gateway to send traffic to your
|
||
Istio enabled workloads while being able to continue using the ALB specific features and the ALB subdomain name. You
|
||
configure the IKS Ingress ALB to direct traffic to the services inside an Istio service mesh through the Istio ingress
|
||
gateway, while using mutual TLS authentication between the ALB and the gateway. For the mutual TLS authentication, you
|
||
will configure the ALB and the Istio ingress gateway to use the certificates and keys provided by IKS for the ALB and
|
||
NLB subdomains. Using certificates provided by IKS saves you the overhead of managing your own certificates for the
|
||
connection between the ALB and the Istio ingress gateway.</p>
|
||
<p>You will use the NLB subdomain certificate as the server certificate for the Istio ingress gateway as intended.
|
||
The NLB subdomain certificate represents the identity of the server that serves a particular NLB subdomain, in this
|
||
case, the ingress gateway.</p>
|
||
<p>You will use the ALB subdomain certificate as the client certificate in mutual TLS authentication between the ALB and
|
||
the Istio Ingress. When ALB acts as a server it presents the ALB certificate to the clients so the clients can
|
||
authenticate the ALB. When ALB acts as a client of the Istio ingress gateway, it presents the same certificate to the
|
||
Istio ingress gateway, so the Istio ingress gateway could authenticate the ALB.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">Note that the instructions in this blog post only configure the ALB and the Istio ingress gateway to encrypt the traffic
|
||
between them and to verify that they receive valid certificates issued by <a href="https://letsencrypt.org">Let&rsquo;s Encrypt</a>. In
|
||
order to specify that only the ALB is allowed to talk to the Istio ingress gateway, an additional Istio security policy
|
||
must be defined. In order to verify that the ALB indeed talks to the Istio ingress gateway, additional configuration
|
||
must be added to the ALB. The additional configuration of the Istio ingress gateway and the ALB is out of scope for this
|
||
blog.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Traffic to the services without an Istio sidecar can continue to flow as before directly from the ALB.</p>
|
||
<p>The diagram below exemplifies the described setting. It shows two services in the cluster, <code>service A</code> and <code>service B</code>.
|
||
<code>service A</code> has an Istio sidecar injected and requires mutual TLS. <code>service B</code> has no Istio sidecar. <code>service B</code> can
|
||
be accessed by clients through the ALB, which directly communicates with <code>service B</code>. <code>service A</code> can be also
|
||
accessed by clients through the ALB, but in this case the traffic must pass through the Istio ingress gateway. Mutual
|
||
TLS authentication between the ALB and the gateway is based on the certificates provided by IKS.
|
||
The clients can also access the Istio ingress gateway directly. IKS registers different DNS domains for the ALB and for
|
||
the ingress gateway.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:63.32720606343596%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/alb-ingress-gateway-iks/alb-ingress-gateway.svg" title="A cluster with the ALB and the Istio ingress gateway">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/alb-ingress-gateway-iks/alb-ingress-gateway.svg" alt="A cluster with the ALB and the Istio ingress gateway" />
|
||
</a>
|
||
</div>
|
||
<figcaption>A cluster with the ALB and the Istio ingress gateway</figcaption>
|
||
</figure>
|
||
<h2 id="initial-setting">Initial setting</h2>
|
||
<ol>
|
||
<li><p>Create the <code>httptools</code> namespace and enable Istio sidecar injection:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create namespace httptools
|
||
$ kubectl label namespace httptools istio-injection=enabled
|
||
namespace/httptools created
|
||
namespace/httptools labeled
|
||
</code></pre></li>
|
||
<li><p>Deploy the <code>httpbin</code> sample to <code>httptools</code>:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n httptools
|
||
service/httpbin created
|
||
deployment.apps/httpbin created
|
||
</code></pre></div></li>
|
||
</ol>
|
||
<h2 id="create-secrets-for-the-alb-and-the-istio-ingress-gateway">Create secrets for the ALB and the Istio ingress gateway</h2>
|
||
<p>IKS generates a TLS certificate and a private key and stores them as a secret in the default namespace when you register
|
||
a DNS domain for an external IP by using the <code>ibmcloud ks nlb-dns-create</code> command. IKS stores the ALB&rsquo;s
|
||
certificate and private key also as a secret in the default namespace. You need these credentials to establish the
|
||
identities that the ALB and the Istio ingress gateway will present during the mutual TLS authentication between
|
||
them. You will configure the ALB and the Istio ingress gateway to exchange these certificates, to trust the certificates
|
||
of one another, and to use their private keys to encrypt and sign the traffic.</p>
|
||
<ol>
|
||
<li><p>Store the name of your cluster in the <code>CLUSTER_NAME</code> environment variable:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export CLUSTER_NAME=&lt;your cluster name&gt;
|
||
</code></pre></li>
|
||
<li><p>Store the domain name of your ALB in the <code>ALB_INGRESS_DOMAIN</code> environment variable:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ ibmcloud ks cluster get --cluster $CLUSTER_NAME | grep Ingress
|
||
Ingress Subdomain: &lt;your ALB ingress domain&gt;
|
||
Ingress Secret: &lt;your ALB secret&gt;
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export ALB_INGRESS_DOMAIN=&lt;your ALB ingress domain&gt;
|
||
$ export ALB_SECRET=&lt;your ALB secret&gt;
|
||
</code></pre></li>
|
||
<li><p>Store the external IP of your <code>istio-ingressgateway</code> service in an environment variable.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export INGRESS_GATEWAY_IP=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath=&#39;{.status.loadBalancer.ingress[0].ip}&#39;)
|
||
$ echo INGRESS_GATEWAY_IP = $INGRESS_GATEWAY_IP
|
||
</code></pre></li>
|
||
<li><p>Create a DNS domain and certificates for the IP of the Istio Ingress Gateway service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ ibmcloud ks nlb-dns create classic --cluster $CLUSTER_NAME --ip $INGRESS_GATEWAY_IP --secret-namespace istio-system
|
||
Host name subdomain is created as &lt;some domain&gt;
|
||
</code></pre></li>
|
||
<li><p>Store the domain name from the previous command in an environment variable:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export INGRESS_GATEWAY_DOMAIN=&lt;the domain from the previous command&gt;
|
||
</code></pre></li>
|
||
<li><p>List the registered domain names:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ ibmcloud ks nlb-dnss --cluster $CLUSTER_NAME
|
||
Retrieving host names, certificates, IPs, and health check monitors for network load balancer (NLB) pods in cluster &lt;your cluster&gt;...
|
||
OK
|
||
Hostname IP(s) Health Monitor SSL Cert Status SSL Cert Secret Name Secret Namespace
|
||
&lt;your ingress gateway hostname&gt; &lt;your ingress gateway IP&gt; None created &lt;the matching secret name&gt; istio-system
|
||
...
|
||
</code></pre>
|
||
<p>Wait until the status of the certificate (the fourth field) of the new domain name becomes <code>enabled</code> (initially it is <code>pending</code>).</p></li>
|
||
<li><p>Store the name of the secret of the new domain name:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export INGRESS_GATEWAY_SECRET=&lt;the secret&#39;s name as shown in the SSL Cert Secret Name column&gt;
|
||
</code></pre></li>
|
||
<li><p>Extract the certificate and the key from the secret provided for the ALB:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mkdir alb_certs
|
||
$ kubectl get secret $ALB_SECRET --namespace=default -o yaml | grep &#39;tls.key:&#39; | cut -f2 -d: | base64 --decode &gt; alb_certs/client.key
|
||
$ kubectl get secret $ALB_SECRET --namespace=default -o yaml | grep &#39;tls.crt:&#39; | cut -f2 -d: | base64 --decode &gt; alb_certs/client.crt
|
||
$ ls -al alb_certs
|
||
-rw-r--r-- 1 user staff 3738 Sep 11 07:57 client.crt
|
||
-rw-r--r-- 1 user staff 1675 Sep 11 07:57 client.key
|
||
</code></pre></li>
|
||
<li><p>Download the issuer certificate of the <a href="https://letsencrypt.org">Let&rsquo;s Encrypt</a> certificate, which is the
|
||
issuer of the certificates provided by IKS. You specify this certificate as the certificate of a certificate
|
||
authority to trust, for both the ALB and the Istio ingress gateway.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl https://letsencrypt.org/certs/trustid-x3-root.pem --output trusted.crt
|
||
</code></pre></li>
|
||
<li><p>Create a Kubernetes secret to be used by the ALB to establish mutual TLS connection.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">The certificates provided by IKS expire every 90 days and are automatically renewed by
|
||
IKS 37 days before they expire.
|
||
You will have to recreate the secrets by rerunning the instructions of this section every time the secrets provided
|
||
by IKS are updated. You may want to use scripts or operators to automate this and keep the
|
||
secrets in sync.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create secret generic alb-certs -n istio-system --from-file=trusted.crt --from-file=alb_certs/client.crt --from-file=alb_certs/client.key
|
||
secret &#34;alb-certs&#34; created
|
||
</code></pre></li>
|
||
<li><p>For mutual TLS, a separate Secret named <code>&lt;tls-cert-secret&gt;-cacert</code> with a <code>cacert</code> key is needed for the ingress gateway.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create -n istio-system secret generic $INGRESS_GATEWAY_SECRET-cacert --from-file=ca.crt=trusted.crt
|
||
secret/cluster_name-hash-XXXX-cacert created
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="configure-a-mutual-tls-ingress-gateway">Configure a mutual TLS ingress gateway</h2>
|
||
<p>In this section you configure the Istio ingress gateway to perform mutual TLS between external clients and the gateway.
|
||
You use the certificates and the keys provided to you for the ingress gateway and the ALB.</p>
|
||
<ol>
|
||
<li><p>Define a <code>Gateway</code> to allow access on port 443 only, with mutual TLS:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -n httptools -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: default-ingress-gateway
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway # use istio default ingress gateway
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: https
|
||
protocol: HTTPS
|
||
tls:
|
||
mode: MUTUAL
|
||
credentialName: $INGRESS_GATEWAY_SECRET
|
||
hosts:
|
||
- &#34;$INGRESS_GATEWAY_DOMAIN&#34;
|
||
- &#34;httpbin.$ALB_INGRESS_DOMAIN&#34;
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Configure routes for traffic entering via the <code>Gateway</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -n httptools -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: default-ingress
|
||
spec:
|
||
hosts:
|
||
- &#34;$INGRESS_GATEWAY_DOMAIN&#34;
|
||
- &#34;httpbin.$ALB_INGRESS_DOMAIN&#34;
|
||
gateways:
|
||
- default-ingress-gateway
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /status
|
||
route:
|
||
- destination:
|
||
port:
|
||
number: 8000
|
||
host: httpbin.httptools.svc.cluster.local
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Send a request to <code>httpbin</code> by <em>curl</em>, passing as parameters the client certificate
|
||
(the <code>--cert</code> option) and the private key (the <code>--key</code> option):</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl https://$INGRESS_GATEWAY_DOMAIN/status/418 --cert alb_certs/client.crt --key alb_certs/client.key
|
||
-=[ teapot ]=-
|
||
_...._
|
||
.&#39; _ _ `.
|
||
| .&#34;` ^ `&#34;. _,
|
||
\_;`&#34;---&#34;`|//
|
||
| ;/
|
||
\_ _/
|
||
`&#34;&#34;&#34;`
|
||
</code></pre></li>
|
||
<li><p>Remove the directories with the ALB and ingress gateway certificates and keys.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ rm -r alb_certs trusted.crt
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="configure-the-alb">Configure the ALB</h2>
|
||
<p>You need to configure your Ingress resource to direct traffic to the Istio ingress gateway while using the certificate
|
||
stored in the <code>alb-certs</code> secret. Normally, the ALB decrypts HTTPS requests before forwarding traffic to your apps.
|
||
You can configure the ALB to re-encrypt the traffic before it is forwarded to the Istio ingress gateway by using the
|
||
<code>ssl-services</code> annotation on the Ingress resource. This annotation also allows you to specify the certificate stored in
|
||
the <code>alb-certs</code> secret, required for mutual TLS.</p>
|
||
<ol>
|
||
<li><p>Configure the <code>Ingress</code> resource for the ALB. You must create the <code>Ingress</code> resource in the <code>istio-system</code> namespace
|
||
in order to forward the traffic to the Istio ingress gateway.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: extensions/v1beta1
|
||
kind: Ingress
|
||
metadata:
|
||
name: alb-ingress
|
||
namespace: istio-system
|
||
annotations:
|
||
ingress.bluemix.net/ssl-services: &#34;ssl-service=istio-ingressgateway ssl-secret=alb-certs proxy-ssl-name=$INGRESS_GATEWAY_DOMAIN&#34;
|
||
spec:
|
||
tls:
|
||
- hosts:
|
||
- httpbin.$ALB_INGRESS_DOMAIN
|
||
secretName: $ALB_SECRET
|
||
rules:
|
||
- host: httpbin.$ALB_INGRESS_DOMAIN
|
||
http:
|
||
paths:
|
||
- path: /status
|
||
backend:
|
||
serviceName: istio-ingressgateway
|
||
servicePort: 443
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Test the ALB ingress:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl https://httpbin.$ALB_INGRESS_DOMAIN/status/418
|
||
-=[ teapot ]=-
|
||
_...._
|
||
.&#39; _ _ `.
|
||
| .&#34;` ^ `&#34;. _,
|
||
\_;`&#34;---&#34;`|//
|
||
| ;/
|
||
\_ _/
|
||
`&#34;&#34;&#34;`
|
||
</code></pre></li>
|
||
</ol>
|
||
<p>Congratulations! You configured the IKS Ingress ALB to send encrypted traffic to the Istio ingress gateway. You
|
||
allocated a host name and certificate for your Istio ingress gateway and used that certificate as the server certificate
|
||
for Istio ingress gateway. As the client certificate of the ALB you used the certificate provided by IKS for the ALB.
|
||
Once you had the certificates deployed as Kubernetes secrets, you directed the ingress traffic from the ALB to the Istio
|
||
ingress gateway for some specific paths and used the certificates for mutual TLS authentication between the ALB and the
|
||
Istio ingress gateway.</p>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<ol>
|
||
<li><p>Delete the <code>Gateway</code> configuration, the <code>VirtualService</code>, and the secrets:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete ingress alb-ingress -n istio-system
|
||
$ kubectl delete virtualservice default-ingress -n httptools
|
||
$ kubectl delete gateway default-ingress-gateway -n httptools
|
||
$ kubectl delete secrets alb-certs -n istio-system
|
||
$ rm -rf alb_certs trusted.crt
|
||
$ unset CLUSTER_NAME ALB_INGRESS_DOMAIN ALB_SECRET INGRESS_GATEWAY_DOMAIN INGRESS_GATEWAY_SECRET
|
||
</code></pre></li>
|
||
<li><p>Shutdown the <code>httpbin</code> service:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/httpbin/httpbin.yaml@ -n httptools
|
||
</code></pre></div></li>
|
||
<li><p>Delete the <code>httptools</code> namespace:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete namespace httptools
|
||
</code></pre></li>
|
||
</ol></description><pubDate>Fri, 15 May 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/alb-ingress-gateway-iks/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2020/alb-ingress-gateway-iks/</guid><category>traffic-management</category><category>ingress</category><category>sds-credentials</category><category>iks</category><category>mutual-tls</category></item><item><title>Provision a certificate and key for an application without sidecars</title><description><div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">The following information describes an experimental feature, which is intended
|
||
for evaluation purposes only.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Istio sidecars obtain their certificates using
|
||
the secret discovery service.
|
||
A service in the service mesh may not need (or want) an Envoy sidecar
|
||
to handle its traffic. In this case, the service will need
|
||
to obtain a certificate itself if it wants to connect to other TLS or mutual TLS secured services.</p>
|
||
<p>For a service with no need of a sidecar to manage its traffic, a sidecar can nevertheless still be
|
||
deployed only to provision the private key and certificates through
|
||
the CSR flow from the CA and then share the certificate with the service
|
||
through a mounted file in <code>tmpfs</code>.
|
||
We have used Prometheus as our example application for provisioning
|
||
a certificate using this mechanism.</p>
|
||
<p>In the example application (i.e., Prometheus), a sidecar is added to the
|
||
Prometheus deployment by setting the flag <code>.Values.prometheus.provisionPrometheusCert</code>
|
||
to <code>true</code> (this flag is set to true by default in an Istio installation).
|
||
This deployed sidecar will then request and share a
|
||
certificate with Prometheus.</p>
|
||
<p>The key and certificate provisioned for the example application
|
||
are mounted in the directory <code>/etc/istio-certs/</code>.
|
||
We can list the key and certificate provisioned for the application by
|
||
running the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it `kubectl get pod -l app=prometheus -n istio-system -o jsonpath=&#39;{.items[0].metadata.name}&#39;` -c prometheus -n istio-system -- ls -la /etc/istio-certs/
|
||
</code></pre>
|
||
<p>The output from the above command should include non-empty key and certificate files, similar to the following:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >-rwxr-xr-x 1 root root 2209 Feb 25 13:06 cert-chain.pem
|
||
-rwxr-xr-x 1 root root 1679 Feb 25 13:06 key.pem
|
||
-rwxr-xr-x 1 root root 1054 Feb 25 13:06 root-cert.pem
|
||
</code></pre>
|
||
<p>If you want to use this mechanism to provision a certificate
|
||
for your own application, take a look at our
|
||
<a href="https://github.com/istio/istio/blob/release-1.12/manifests/charts/istio-telemetry/prometheus/templates/deployment.yaml">Prometheus example application</a> and simply follow the same pattern.</p></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/proxy-cert/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/proxy-cert/</guid><category>certificate</category><category>sidecar</category></item><item><title>Extended and Improved WebAssemblyHub to Bring the Power of WebAssembly to Envoy and Istio</title><description>
|
||
<p><a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/"><em>Originally posted on the Solo.io blog</em></a></p>
|
||
<p>As organizations adopt Envoy-based infrastructure like Istio to help solve challenges with microservices communication, they inevitably find themselves needing to customize some part of that infrastructure to fit within their organization&rsquo;s constraints. <a href="https://webassembly.org/">WebAssembly (Wasm)</a> has emerged as a safe, secure, and dynamic environment for platform extension.</p>
|
||
<p>In the recent <a href="/v1.12/blog/2020/wasm-announce/">announcement of Istio 1.5</a>, the Istio project lays the foundation for bringing WebAssembly to the popular Envoy proxy. <a href="https://solo.io">Solo.io</a> is collaborating with Google and the Istio community to simplify the overall experience of creating, sharing, and deploying WebAssembly extensions to Envoy and Istio. It wasn&rsquo;t that long ago that Google and others laid the foundation for containers, and Docker built a great user experience to make it consumable. Similarly, this effort makes Wasm consumable by building the best user experience for WebAssembly on Istio.</p>
|
||
<p>Back in December 2019, Solo.io began an effort to provide a great developer experience for WebAssembly with the announcement of WebAssembly Hub. The WebAssembly Hub allows developers to very quickly spin up a new WebAssembly project in C++ (we&rsquo;re expanding this language choice, see below), build it using Bazel in Docker, and push it to an OCI-compliant registry. From there, operators had to pull the module, and configure Envoy proxies themselves to load it from disk. Beta support in <a href="https://docs.solo.io/gloo/latest/">Gloo, an API Gateway built on Envoy</a> allows you to declaratively and dynamically load the module, the Solo.io team wanted to bring the same effortless and secure experience to other Envoy-based frameworks as well - like Istio.</p>
|
||
<p>There has been a lot of interest in the innovation in this area, and the Solo.io team has been working hard to further the capabilities of WebAssembly Hub and the workflows it supports. In conjunction with Istio 1.5, Solo.io is thrilled to announce new enhancements to WebAssembly Hub that evolve the viability of WebAssembly with Envoy for production, improve the developer experience, and streamline using Wasm with Envoy in Istio.</p>
|
||
<h2 id="evolving-toward-production">Evolving toward production</h2>
|
||
<p>The Envoy community is working hard to bring Wasm support into the upstream project (right now it lives on a working development fork), with Istio declaring Wasm support an Alpha feature. In <a href="https://www.solo.io/blog/announcing-gloo-1-0-a-production-ready-envoy-based-api-gateway/">Gloo 1.0, we also announced</a> early, non-production support for Wasm. What is Gloo? Gloo is a modern API Gateway and Ingress Controller (built on Envoy Proxy) that supports routing and securing incoming traffic to legacy monoliths, microservices / Kubernetes and serverless functions. Dev and ops teams are able to shape and control traffic patterns from external end users/clients to backend application services. Gloo is a Kubernetes and Istio native ingress gateway.</p>
|
||
<p>Although it&rsquo;s still maturing in each individual project, there are things that we, as a community, can do to improve the foundation for production support.</p>
|
||
<p>The first area is standardizing what a WebAssembly extension for Envoy looks like. Solo.io, Google, and the Istio community have defined an open specification for bundling and distributing WebAssembly modules as OCI images. This specification provides a powerful model for distributing any type of Wasm module including Envoy extensions.</p>
|
||
<p>This is open to the community - <a href="https://github.com/solo-io/wasm-image-spec">Join in the effort</a></p>
|
||
<p>The next area is improving the experience of deploying Wasm extensions into an Envoy-based framework running in production. In the Kubernetes ecosystem, it is considered a best practice in production to use declarative CRD-based configuration to manage cluster configuration. The new <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/wasme_operator/">WebAssembly Hub Operator</a> adds a single, declarative CRD which automatically deploys and configures Wasm filters to Envoy proxies running inside of a Kubernetes cluster. This operator enables GitOps workflows and cluster automation to manage Wasm filters without human intervention or imperative workflows. We will provide more information about the Operator in an upcoming blog post.</p>
|
||
<p>Lastly, the interactions between developers of Wasm extensions and the teams that deploy them need some kind of role-based access, organization management, and facilities to share, discover, and consume these extensions. The WebAssembly Hub adds team management features like permissions, organizations, user management, sharing, and more.</p>
|
||
<h2 id="improving-the-developer-experience">Improving the developer experience</h2>
|
||
<p>As developers want to target more languages and runtimes, the experience must be kept as simple and as productive as possible. Multi-language support and runtime ABI (Application Binary Interface) targets should be handled automatically in tooling.</p>
|
||
<p>One of the benefits of Wasm is the ability to write modules in many languages. The collaboration between Solo.io and Google provides out-of-the-box support for Envoy filters written in C++, Rust, and AssemblyScript. We will continue to add support for more languages.</p>
|
||
<p>Wasm extensions use the Application Binary Interface (ABI) within the Envoy proxy to which they are deployed. The WebAssembly Hub provides strong ABI versioning guarantees between Envoy, Istio, and Gloo to prevent unpredictable behavior and bugs. All you have to worry about is writing your extension code.</p>
|
||
<p>Lastly, like Docker, the WebAssembly Hub stores and distributes Wasm extensions as OCI images. This makes pushing, pulling, and running extensions as easy as Docker containers. Wasm extension images are versioned and cryptographically secure, making it safe to run extensions locally the same way you would in production. This allows you to build and push as well as trust the source when they pull down and deploy images.</p>
|
||
<h2 id="webassembly-hub-with-istio">WebAssembly Hub with Istio</h2>
|
||
<p>The WebAssembly Hub now fully automates the process of deploying Wasm extensions to Istio, (as well as other Envoy-based frameworks like <a href="https://docs.solo.io/gloo/latest/">Gloo API Gateway</a>) installed in Kubernetes. With this deployment feature, the WebAssembly Hub relieves the operator or end user from having to manually configure the Envoy proxy in their Istio service mesh to use their WebAssembly modules.</p>
|
||
<p>Take a look at the following video to see just how easy it is to get started with WebAssembly and Istio:</p>
|
||
<ul>
|
||
<li><a href="https://www.youtube.com/watch?v=-XPTGXEpUp8">Part 1</a></li>
|
||
<li><a href="https://youtu.be/vuJKRnjh1b8">Part 2</a></li>
|
||
</ul>
|
||
<h2 id="get-started">Get Started</h2>
|
||
<p>We hope that the WebAssembly Hub will become a meeting place for the community to share, discover, and distribute Wasm extensions. By providing a great user experience, we hope to make developing, installing, and running Wasm easier and more rewarding. Join us at the <a href="https://webassemblyhub.io">WebAssembly Hub</a>, share your extensions and <a href="https://slack.solo.io">ideas</a>, and join an <a href="https://solo.zoom.us/webinar/register/WN_i8MiDTIpRxqX-BjnXbj9Xw">upcoming webinar</a>.</p></description><pubDate>Wed, 25 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/wasmhub-istio/</link><author>Idit Levine (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2020/wasmhub-istio/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>performance</category><category>operator</category></item><item><title>Introducing istiod: simplifying the control plane</title><description>
|
||
<p>Microservices are a great pattern when they map services to disparate teams that deliver them, or when the value of independent rollout and the value of independent scale are greater than the cost of orchestration. We regularly talk to customers and teams running Istio in the real world, and they told us that none of these were the case for the Istio control plane. So, in Istio 1.5, we&rsquo;ve changed how Istio is packaged, consolidating the control plane functionality into a single binary called <strong>istiod</strong>.</p>
|
||
<h2 id="history-of-the-istio-control-plane">History of the Istio control plane</h2>
|
||
<p>Istio implements a pattern that has been in use at both Google and IBM for many years, which later became known as &ldquo;service mesh&rdquo;. By pairing client and server processes with proxy servers, they act as an application-aware <em>data plane</em> that’s not simply moving packets around hosts, or pulses over wires.</p>
|
||
<p>This pattern helps the world come to terms with <em>microservices</em>: fine-grained, loosely-coupled services connected via lightweight protocols. The common cross-platform and cross-language standards like HTTP and gRPC that replace proprietary transports, and the widespread presence of the needed libraries, empower different teams to write different parts of an overall architecture in whatever language makes the most sense. Furthermore, each service can scale independently as needed. A desire to implement security, observability and traffic control for such a network powers Istio’s popularity.</p>
|
||
<p>Istio&rsquo;s <em>control plane</em> is, itself, a modern, cloud-native application. Thus, it was built from the start as a set of microservices. Individual Istio components like service discovery (Pilot), configuration (Galley), certificate generation (Citadel) and extensibility (Mixer) were all written and deployed as separate microservices. The need for these components to communicate securely and be observable, provided opportunities for Istio to eat its own dogfood (or &ldquo;drink its own champagne&rdquo;, to use a more French version of the metaphor!).</p>
|
||
<h2 id="the-cost-of-complexity">The cost of complexity</h2>
|
||
<p>Good teams look back upon their choices and, with the benefit of hindsight, revisit them. Generally, when a team adopts microservices and their inherent complexity, they look for improvements in other areas to justify the tradeoffs. Let&rsquo;s look at the Istio control plane through that lens.</p>
|
||
<ul>
|
||
<li><p><strong>Microservices empower you to write in different languages.</strong> The data plane (the Envoy proxy) is written in C++, and this boundary benefits from a clean separation in terms of the xDS APIs. However, all of the Istio control plane components are written in Go. We were able to choose the appropriate language for the appropriate job: highly performant C++ for the proxy, but accessible and speedy-development for everything else.</p></li>
|
||
<li><p><strong>Microservices empower you to allow different teams to manage services individually.</strong>. In the vast majority of Istio installations, all the components are installed and operated by a single team or individual. The componentization done within Istio is aligned along the boundaries of the development teams who build it. This would make sense if the Istio components were delivered as a managed service by the people who wrote them, but this is not the case! Making life simpler for the development teams had an outsized impact of the usability for the orders-of-magnitude more users.</p></li>
|
||
<li><p><strong>Microservices empower you to decouple versions, and release different components at different times.</strong> All the components of the control plane have always been released at the same version, at the same time. We have never tested or supported running different versions of (for example) Citadel and Pilot.</p></li>
|
||
<li><p><strong>Microservices empower you to scale components independently.</strong> In Istio 1.5, control plane costs are dominated by a single feature: serving the Envoy xDS APIs that program the data plane. Every other feature has a marginal cost, which means there is very little value to having those features in separately-scalable microservices.</p></li>
|
||
<li><p><strong>Microservices empower you to maintain security boundaries.</strong> Another good reason to separate an application into different microservices is if they have different security roles. Multiple Istio microservices like the sidecar injector, the Envoy bootstrap, Citadel, and Pilot hold nearly equivalent permissions to change the proxy configuration. Therefore, exploiting any of these services would cause near equivalent damage. When you deploy Istio, all the components are installed by default into the same Kubernetes namespace, offering limited security isolation.</p></li>
|
||
</ul>
|
||
<h2 id="the-benefit-of-consolidation-introducing-istiod">The benefit of consolidation: introducing istiod</h2>
|
||
<p>Having established that many of the common benefits of microservices didn&rsquo;t apply to the Istio control plane, we decided to unify them into a single binary: <strong>istiod</strong> (the &rsquo;d&rsquo; is for <a href="https://en.wikipedia.org/wiki/Daemon_%28computing%29">daemon</a>).</p>
|
||
<p>Let&rsquo;s look at the benefits of the new packaging:</p>
|
||
<ul>
|
||
<li><p><strong>Installation becomes easier.</strong> Fewer Kubernetes deployments and associated configurations are required, so the set of configuration options and flags for Istio is reduced significantly. In the simplest case, <strong><em>you can start the Istio control plane, with all features enabled, by starting a single Pod.</em></strong></p></li>
|
||
<li><p><strong>Configuration becomes easier.</strong> Many of the configuration options that Istio has today are ways to orchestrate the control plane components, and so are no longer needed. You also no longer need to change cluster-wide <code>PodSecurityPolicy</code> to deploy Istio.</p></li>
|
||
<li><p><strong>Using VMs becomes easier.</strong> To add a workload to a mesh, you now just need to install one agent and the generated certificates. That agent connects back to only a single service.</p></li>
|
||
<li><p><strong>Maintenance becomes easier.</strong> Installing, upgrading, and removing Istio no longer require a complicated dance of version dependencies and startup orders. For example: To upgrade, you only need to start a new istiod version alongside your existing control plane, canary it, and then move all traffic over to it.</p></li>
|
||
<li><p><strong>Scalability becomes easier.</strong> There is now only one component to scale.</p></li>
|
||
<li><p><strong>Debugging becomes easier.</strong> Fewer components means less cross-component environmental debugging.</p></li>
|
||
<li><p><strong>Startup time goes down.</strong> Components no longer need to wait for each other to start in a defined order.</p></li>
|
||
<li><p><strong>Resource usage goes down and responsiveness goes up.</strong> Communication between components becomes guaranteed, and not subject to gRPC size limits. Caches can be shared safely, which decreases the resource footprint as a result.</p></li>
|
||
</ul>
|
||
<p>istiod unifies functionality that Pilot, Galley, Citadel and the sidecar injector previously performed, into a single binary.</p>
|
||
<p>A separate component, the istio-agent, helps each sidecar connect to the mesh by securely passing configuration and secrets to the Envoy proxies. While the agent, strictly speaking, is still part of the control plane, it runs on a per-pod basis. We’ve further simplified by rolling per-node functionality that used to run as a DaemonSet, into that per-pod agent.</p>
|
||
<h2 id="extra-for-experts">Extra for experts</h2>
|
||
<p>There will still be some cases where you might want to run Istio components independently, or replace certain components.</p>
|
||
<p>Some users might want to use a Certificate Authority (CA) outside the mesh, and we have <a href="/v1.12/docs/tasks/security/cert-management/plugin-ca-cert/">documentation on how to do that</a>. If you do your certificate provisioning using a different tool, we can use that instead of the built-in CA.</p>
|
||
<h2 id="moving-forward">Moving forward</h2>
|
||
<p>At its heart, istiod is just a packaging and optimization change. It&rsquo;s built on the same code and API contracts as the separate components, and remains covered by our comprehensive test suite. This gives us confidence in making it the default in Istio 1.5. The service is now called <code>istiod</code> - you’ll see an <code>istio-pilot</code> for existing proxies as the upgrade process completes.</p>
|
||
<p>While the move to istiod may seem like a big change, and is a huge improvement for the people who <em>administer</em> and <em>maintain</em> the mesh, it won’t make the day-to-day life of <em>using</em> Istio any different. istiod is not changing any of the APIs used to configure your mesh, so your existing processes will all stay the same.</p>
|
||
<p>Does this change imply that microservice are a mistake for <em>all</em> workloads and architectures? Of course not. They are a tool in a toolbelt, and they work best when they are reflected in your organizational reality. Instead, this change shows a willingness in the project to change based on user feedback, and a continued focus on simplification for all users. Microservices have to be right sized, and we believe we have found the right size for Istio.</p></description><pubDate>Thu, 19 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/istiod/</link><author>Craig Box (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/istiod/</guid><category>istiod</category><category>control plane</category><category>operator</category></item><item><title>Declarative WebAssembly deployment for Istio</title><description>
|
||
<p>As outlined in the <a href="/v1.12/blog/2020/tradewinds-2020/">Istio 2020 trade winds blog</a> and more recently <a href="/v1.12/news/releases/1.5.x/announcing-1.5/">announced with Istio 1.5</a>, WebAssembly (Wasm) is now an (alpha) option for extending the functionality of the Istio service proxy (Envoy proxy). With Wasm, users can build support for new protocols, custom metrics, loggers, and other filters. Working closely with Google, we in the community (<a href="https://solo.io">Solo.io</a>) have focused on the user experience of building, socializing, and deploying Wasm extensions to Istio. We&rsquo;ve announced <a href="https://webassemblyhub.io">WebAssembly Hub</a> and <a href="https://docs.solo.io/web-assembly-hub/latest/installation/">associated tooling</a> to build a &ldquo;docker-like&rdquo; experience for working with Wasm.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>With the WebAssembly Hub tooling, we can use the <code>wasme</code> CLI to easily bootstrap a Wasm project for Envoy, push it to a repository, and then pull/deploy it to Istio. For example, to deploy a Wasm extension to Istio with <code>wasme</code> we can run the following:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme deploy istio webassemblyhub.io/ceposta/demo-add-header:v0.2 \
|
||
--id=myfilter \
|
||
--namespace=bookinfo \
|
||
--config &#39;tomorrow&#39;
|
||
</code></pre>
|
||
<p>This will add the <code>demo-add-header</code> extension to all workloads running in the <code>bookinfo</code> namespace. We can get more fine-grained control over which workloads get the extension by using the <code>--labels</code> parameter:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme deploy istio webassemblyhub.io/ceposta/demo-add-header:v0.2 \
|
||
--id=myfilter \
|
||
--namespace=bookinfo \
|
||
--config &#39;tomorrow&#39; \
|
||
--labels app=details
|
||
</code></pre>
|
||
<p>This is a much easier experience than manually creating <code>EnvoyFilter</code> resources and trying to get the Wasm module to each of the pods that are part of the workload you&rsquo;re trying to target. However, this is a very imperative approach to interacting with Istio. Just like users typically don&rsquo;t use <code>kubectl</code> directly in production and prefer a declarative, resource-based workflow, we want the same for making customizations to our Istio proxies.</p>
|
||
<h2 id="a-declarative-approach">A declarative approach</h2>
|
||
<p>The WebAssembly Hub tooling also includes <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/wasme_operator/">an operator for deploying Wasm extensions to Istio workloads</a>. The <a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operator</a> allows users to define their WebAssembly extensions using a declarative format and leave it to the operator to rectify the deployment. For example, we use a <code>FilterDeployment</code> resource to define what image and workloads need the extension:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: wasme.io/v1
|
||
kind: FilterDeployment
|
||
metadata:
|
||
name: bookinfo-custom-filter
|
||
namespace: bookinfo
|
||
spec:
|
||
deployment:
|
||
istio:
|
||
kind: Deployment
|
||
labels:
|
||
app: details
|
||
filter:
|
||
config: &#39;world&#39;
|
||
image: webassemblyhub.io/ceposta/demo-add-header:v0.2
|
||
</code></pre>
|
||
<p>We could then take this <code>FilterDeployment</code> document and version it with the rest of our Istio resources. You may be wondering why we need this Custom Resource to configure Istio&rsquo;s service proxy to use a Wasm extension when Istio already has the <code>EnvoyFilter</code> resource.</p>
|
||
<p>Let&rsquo;s take a look at exactly how all of this works under the covers.</p>
|
||
<h2 id="how-it-works">How it works</h2>
|
||
<p>Under the covers the operator is doing a few things that aid in deploying and configuring a Wasm extension into the Istio service proxy (Envoy Proxy).</p>
|
||
<ul>
|
||
<li>Set up local cache of Wasm extensions</li>
|
||
<li>Pull desired Wasm extension into the local cache</li>
|
||
<li>Mount the <code>wasm-cache</code> into appropriate workloads</li>
|
||
<li>Configure Envoy with <code>EnvoyFilter</code> CRD to use the Wasm filter</li>
|
||
</ul>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.663891779396465%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/deploy-wasm-declarative/how-it-works.png" title="Understanding how wasme operator works">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/deploy-wasm-declarative/how-it-works.png" alt="How the wasme operator works" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Understanding how wasme operator works</figcaption>
|
||
</figure>
|
||
<p>At the moment, the Wasm image needs to be published into a registry for the operator to correctly cache it. The cache pods run as DaemonSet on each node so that the cache can be mounted into the Envoy container. This is being improved, as it&rsquo;s not the ideal mechanism. Ideally we wouldn&rsquo;t have to deal with mounting anything and could stream the module to the proxy directly over HTTP, so stay tuned for updates (should land within next few days). The mount is established by using the <code>sidecar.istio.io/userVolume</code> and <code>sidecar.istio.io/userVolumeMount</code> annotations. See <a href="/v1.12/docs/reference/config/annotations/">the docs on Istio Resource Annotations</a> for more about how that works.</p>
|
||
<p>Once the Wasm module is cached correctly and mounted into the workload&rsquo;s service proxy, the operator then configures the <code>EnvoyFilter</code> resources.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: EnvoyFilter
|
||
metadata:
|
||
name: details-v1-myfilter
|
||
namespace: bookinfo
|
||
spec:
|
||
configPatches:
|
||
- applyTo: HTTP_FILTER
|
||
match:
|
||
context: SIDECAR_INBOUND
|
||
listener:
|
||
filterChain:
|
||
filter:
|
||
name: envoy.http_connection_manager
|
||
subFilter:
|
||
name: envoy.router
|
||
patch:
|
||
operation: INSERT_BEFORE
|
||
value:
|
||
config:
|
||
config:
|
||
configuration: tomorrow
|
||
name: myfilter
|
||
rootId: add_header
|
||
vmConfig:
|
||
code:
|
||
local:
|
||
filename: /var/local/lib/wasme-cache/44bf95b368e78fafb663020b43cf099b23fc6032814653f2f47e4d20643e7267
|
||
runtime: envoy.wasm.runtime.v8
|
||
vmId: myfilter
|
||
name: envoy.filters.http.wasm
|
||
workloadSelector:
|
||
labels:
|
||
app: details
|
||
version: v1
|
||
</code></pre>
|
||
<p>You can see the <code>EnvoyFilter</code> resource configures the proxy to add the <code>envoy.filter.http.wasm</code> filter and load the Wasm module from the <code>wasme-cache</code>.</p>
|
||
<p>Once the Wasm extension is loaded into the Istio service proxy, it will extend the capabilities of the proxy with whatever custom code you introduced.</p>
|
||
<h2 id="next-steps">Next Steps</h2>
|
||
<p>In this blog we explored options for installing Wasm extensions into Istio workloads. The easiest way to get started with WebAssembly on Istio is to use the <code>wasme</code> tool <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/getting_started/">to bootstrap a new Wasm project</a> with C++, AssemblyScript [or Rust coming really soon!]. For example, to set up a C++ Wasm module, you can run:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ wasme init ./filter --language cpp --platform istio --platform-version 1.5.x
|
||
</code></pre>
|
||
<p>If we didn&rsquo;t have the extra flags, <code>wasme init</code> would enter an interactive mode walking you through the correct values to choose.</p>
|
||
<p>Take a look at the <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/getting_started/">WebAssembly Hub wasme tooling</a> to get started with Wasm on Istio.</p>
|
||
<h2 id="learn-more">Learn more</h2>
|
||
<ul>
|
||
<li><p>Redefine Extensibility <a href="/v1.12/blog/2020/wasm-announce/">with WebAssembly on Envoy and Istio</a></p></li>
|
||
<li><p>WebAssembly SF talk (video): <a href="https://www.youtube.com/watch?v=OIUPf8m7CGA">Extensions for network proxies</a>, by John Plevyak</p></li>
|
||
<li><p><a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">Solo blog</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/spec">Proxy-Wasm ABI specification</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">Proxy-Wasm C++ SDK</a> and
|
||
its <a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">developer documentation</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Proxy-Wasm Rust SDK</a></p></li>
|
||
<li><p><a href="https://github.com/solo-io/proxy-runtime">Proxy-Wasm AssemblyScript SDK</a></p></li>
|
||
<li><p><a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">Tutorials</a></p></li>
|
||
<li><p>Videos on the <a href="https://www.youtube.com/channel/UCuketWAG3WqYjjxtQ9Q8ApQ">Solo.io Youtube Channel</a></p></li>
|
||
</ul></description><pubDate>Mon, 16 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/deploy-wasm-declarative/</link><author>Christian Posta (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2020/deploy-wasm-declarative/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>operator</category></item><item><title>Redefining extensibility in proxies - introducing WebAssembly to Envoy and Istio</title><description>
|
||
<p>Since adopting <a href="https://www.envoyproxy.io/">Envoy</a> in 2016, the Istio project has always wanted to
|
||
provide a platform on top of which a rich set of extensions could be built, to meet the diverse
|
||
needs of our users. There are many reasons to add capability to the data plane of a service
|
||
mesh &mdash; to support newer protocols, integrate with proprietary security controls, or enhance
|
||
observability with custom metrics, to name a few.</p>
|
||
<p>Over the last year and a half our team here at Google has been working on adding dynamic
|
||
extensibility to the Envoy proxy using <a href="https://webassembly.org/">WebAssembly</a>. We are delighted to
|
||
share that work with the world today, as well as
|
||
unveiling <a href="https://github.com/proxy-wasm/spec">WebAssembly (Wasm) for Proxies</a> (Proxy-Wasm): an ABI,
|
||
which we intend to standardize; SDKs; and its first major implementation, the new,
|
||
lower-latency <a href="/v1.12/docs/reference/config/proxy_extensions/wasm_telemetry/">Istio telemetry system</a>.</p>
|
||
<p>We have also worked closely with the community to ensure that there is a great developer experience
|
||
for users to get started quickly. The Google team has been working closely with the team
|
||
at <a href="https://solo.io">Solo.io</a> who have built the <a href="https://webassemblyhub.io/">WebAssembly Hub,</a>
|
||
a service for building, sharing, discovering and deploying Wasm extensions.
|
||
With the WebAssembly Hub, Wasm extensions are as easy to manage, install and and run as containers.</p>
|
||
<p>This work is being released today in Alpha and there is still lots
|
||
of <a href="#next-steps">work to be done</a>, but we are excited to get this into the hands of developers
|
||
so they can start experimenting with the tremendous possibilities this opens up.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>The need for extensibility has been a founding tenet of both the Istio and Envoy projects,
|
||
but the two projects took different approaches. Istio project focused on enabling a generic
|
||
out-of-process extension model called <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/">Mixer</a>
|
||
with a lightweight developer experience, while Envoy focused on in-proxy <a href="https://www.envoyproxy.io/docs/envoy/latest/extending/extending">extensions</a>.</p>
|
||
<p>Each approach has its share of pros and cons. The Istio model led to significant resource
|
||
inefficiencies that impacted tail latencies and resource utilization. This model was also
|
||
intrinsically limited - for example, it was never going to provide support for
|
||
implementing <a href="https://blog.envoyproxy.io/how-to-write-envoy-filters-like-a-ninja-part-1-d166e5abec09">custom protocol handling</a>.</p>
|
||
<p>The Envoy model imposed a monolithic build process, and required extensions to be written in C++,
|
||
limiting the developer ecosystem. Rolling out a new extension to the fleet required pushing new
|
||
binaries and rolling restarts, which can be difficult to coordinate, and risk downtime. This also
|
||
incentivized developers to upstream extensions into Envoy that were used by only a small
|
||
percentage of deployments, just to piggyback on its release mechanisms.</p>
|
||
<p>Over time some of the most performance-sensitive features of Istio have been upstreamed
|
||
into Envoy - <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter">policy checks on traffic</a>, and
|
||
<a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/jwt_authn_filter">JWT authentication</a>, for example.
|
||
Still, we have always wanted to converge on a single stack for extensibility that imposes fewer
|
||
tradeoffs: something that decouples Envoy releases from its extension ecosystem, enables
|
||
developers to work in their languages of choice, and enables Istio to reliably roll out new
|
||
capability without downtime risk. Enter WebAssembly.</p>
|
||
<h2 id="what-is-webassembly">What is WebAssembly?</h2>
|
||
<p><a href="https://webassembly.org/">WebAssembly</a> (Wasm) is a portable bytecode format for executing code
|
||
written in <a href="https://github.com/appcypher/awesome-wasm-langs">multiple languages</a> at
|
||
near-native speed. Its initial <a href="https://webassembly.org/docs/high-level-goals/">design goals</a> align
|
||
well with the challenges outlined above, and it has sizable industry support behind it. Wasm
|
||
is the fourth standard language (following HTML, CSS and JavaScript) to run natively in all
|
||
the major browsers, having become a <a href="https://www.w3.org/TR/wasm-core-1/">W3C Recommendation</a> in
|
||
December 2019. That gives us confidence in making a strategic bet on it.</p>
|
||
<p>While WebAssembly started life as a client-side technology, there are a number of advantages
|
||
to using it on the server. The runtime is memory-safe and sandboxed for security. There is a
|
||
large tooling ecosystem for compiling and debugging Wasm in its textual or binary format.
|
||
The <a href="https://www.w3.org/">W3C</a> and <a href="https://bytecodealliance.org/">BytecodeAlliance</a> have become
|
||
active hubs for other server-side efforts. For example, the Wasm community is standardizing
|
||
a <a href="https://hacks.mozilla.org/2019/03/standardizing-wasi-a-webassembly-system-interface/">&ldquo;WebAssembly System Interface&rdquo; (WASI)</a>
|
||
at the W3C, with a sample implementation, which provides an OS-like abstraction to Wasm &lsquo;programs&rsquo;.</p>
|
||
<h2 id="bringing-webassembly-to-envoy">Bringing WebAssembly to Envoy</h2>
|
||
<p><a href="https://github.com/envoyproxy/envoy/issues/4272">Over the past 18 months</a>, we have been working
|
||
with the Envoy community to build Wasm extensibility into Envoy and contribute it upstream.
|
||
We&rsquo;re pleased to announce it is available as Alpha in the Envoy build shipped
|
||
with <a href="/v1.12/news/releases/1.5.x/announcing-1.5/">Istio 1.5</a>, with source in
|
||
the <a href="https://github.com/envoyproxy/envoy-wasm/"><code>envoy-wasm</code></a> development fork and work ongoing to
|
||
merge it into the main Envoy tree. The implementation uses the WebAssembly runtime built into
|
||
Google&rsquo;s high performance <a href="https://v8.dev/">V8 engine</a>.</p>
|
||
<p>In addition to the underlying runtime, we have also built:</p>
|
||
<ul>
|
||
<li><p>A generic Application Binary Interface (ABI) for embedding Wasm in proxies, which means compiled
|
||
extensions will work across different versions of Envoy - or even other proxies, should they choose
|
||
to implement the ABI</p></li>
|
||
<li><p>SDKs for easy extension development in <a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk">C++</a>,
|
||
<a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Rust</a>
|
||
and <a href="https://github.com/solo-io/proxy-runtime">AssemblyScript</a>, with more to follow</p></li>
|
||
<li><p>Comprehensive <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">samples and instructions</a>
|
||
on how to deploy in Istio and standalone Envoy</p></li>
|
||
<li><p>Abstractions to allow for other Wasm runtimes to be used, including a &lsquo;null&rsquo; runtime which
|
||
simply compiles the extension natively into Envoy &mdash; very useful for testing and debugging</p></li>
|
||
</ul>
|
||
<p>Using Wasm for extending Envoy brings us several key benefits:</p>
|
||
<ul>
|
||
<li><p>Agility: Extensions can be delivered and reloaded at runtime using the Istio control plane.
|
||
This enables a fast develop → test → release cycle for extensions without
|
||
requiring Envoy rollouts.</p></li>
|
||
<li><p>Stock releases: Once merging into the main tree is complete, Istio and others will be able to
|
||
use stock releases of Envoy, instead of custom builds. This will also free the Envoy community
|
||
to move some of the built-in extensions to this model, thereby reducing their
|
||
supported footprint.</p></li>
|
||
<li><p>Reliability and isolation: Extensions are deployed inside a sandbox with resource constraints,
|
||
which means they can now crash, or leak memory, without bringing the whole Envoy process down.
|
||
CPU and memory usage can also be constrained.</p></li>
|
||
<li><p>Security: The sandbox has a clearly defined API for communicating with Envoy, so extensions
|
||
only have access to, and can modify, a limited number of properties of a connection or request.
|
||
Furthermore, because Envoy mediates this interaction, it can hide or sanitize sensitive
|
||
information from the extension (e.g. &ldquo;Authorization&rdquo; and &ldquo;Cookie&rdquo; HTTP headers, or
|
||
the client&rsquo;s IP address).</p></li>
|
||
<li><p>Flexibility: <a href="https://github.com/appcypher/awesome-wasm-langs">over 30 programming languages can be compiled to WebAssembly</a>,
|
||
allowing developers from all backgrounds - C++, Go, Rust, Java, TypeScript, etc. - to write
|
||
Envoy extensions in their language of choice.</p></li>
|
||
</ul>
|
||
<p>&ldquo;I am extremely excited to see WASM support land in Envoy; this is the future of Envoy
|
||
extensibility, full stop. Envoy&rsquo;s WASM support coupled with a community driven hub will unlock an
|
||
incredible amount of innovation in the networking space across both service mesh and API gateway
|
||
use cases. I can&rsquo;t wait to see what the community builds moving forward.&rdquo;
|
||
&ndash; Matt Klein, Envoy creator.</p>
|
||
<p>For technical details of the implementation, look out for an upcoming post
|
||
to <a href="https://blog.envoyproxy.io/">the Envoy blog</a>.</p>
|
||
<p>The <a href="https://github.com/proxy-wasm">Proxy-Wasm</a> interface between host environment and extensions
|
||
is deliberately proxy agnostic. We&rsquo;ve built it into Envoy, but it was designed to be adopted by
|
||
other proxy vendors. We want to see a world where you can take an extension written for Istio and
|
||
Envoy and run it in other infrastructure; you&rsquo;ll hear more about that soon.</p>
|
||
<h2 id="building-on-webassembly-in-istio">Building on WebAssembly in Istio</h2>
|
||
<p>Istio moved several of its extensions into its build of Envoy as part of the 1.5 release, in order
|
||
to significantly improve performance. While doing that work we have been testing to ensure those
|
||
same extensions can compile and run as Proxy-Wasm modules with no variation in behavior. We&rsquo;re not
|
||
quite ready to make this setup the default, given that we consider Wasm support to be Alpha;
|
||
however, this has given us a lot of confidence in our general approach and in the host
|
||
environment, ABI and SDKs that have been developed.</p>
|
||
<p>We have also been careful to ensure that the Istio control plane and
|
||
its <a href="/v1.12/docs/reference/config/networking/envoy-filter/">Envoy configuration APIs</a> are Wasm-ready.
|
||
We have samples to show how several common customizations such as custom header decoding or
|
||
programmatic routing can be performed which are common asks from users. As we move this support to
|
||
Beta, you will see documentation showing best practices for using Wasm with Istio.</p>
|
||
<p>Finally, we are working with the many vendors who have
|
||
written <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/">Mixer adapters</a>,
|
||
to help them with a migration to Wasm &mdash; if that is the best path forward. Mixer will move to a
|
||
community project in a future release, where it will remain available for legacy use cases.</p>
|
||
<h2 id="developer-experience">Developer Experience</h2>
|
||
<p>Powerful tooling is nothing without a great developer experience. Solo.io
|
||
<a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">recently announced</a>
|
||
the release of <a href="https://webassemblyhub.io/">WebAssembly Hub</a>, a set of tools and repository for
|
||
building, deploying, sharing and discovering Envoy Proxy Wasm extensions for Envoy and Istio.</p>
|
||
<p>The WebAssembly Hub fully automates many of the steps required for developing and deploying Wasm
|
||
extensions. Using WebAssembly Hub tooling, users can easily compile their code - in any supported
|
||
language - into Wasm extensions. The extensions can then be uploaded to the Hub registry, and be
|
||
deployed and undeployed to Istio with a single command.</p>
|
||
<p>Behind the scenes the Hub takes care of much of the nitty-gritty, such as pulling in the correct
|
||
toolchain, ABI version verification, permission control, and more. The workflow also eliminates
|
||
toil with configuration changes across Istio service proxies by automating the deployment of your
|
||
extensions. This tooling helps users and operators avoid unexpected behaviors due to
|
||
misconfiguration or version mismatches.</p>
|
||
<p>The WebAssembly Hub tools provide a powerful CLI as well as an elegant and easy-to-use graphical
|
||
user interface. An important goal of the WebAssembly Hub is to simplify the experience around
|
||
building Wasm modules and provide a place of collaboration for developers to share and discover
|
||
useful extensions.</p>
|
||
<p>Check out the <a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">getting started guide</a>
|
||
to create your first Proxy-Wasm extension.</p>
|
||
<h2 id="next-steps">Next Steps</h2>
|
||
<p>In addition to working towards a beta release, we are committed to making sure that there is a
|
||
durable community around Proxy-Wasm. The ABI needs to be finalized, and turning it into a standard
|
||
will be done with broader feedback within the appropriate standards body. Completing upstreaming
|
||
support into the Envoy mainline is still in progress. We are also seeking an appropriate
|
||
community home for the tooling and the WebAssembly Hub</p>
|
||
<h2 id="learn-more">Learn more</h2>
|
||
<ul>
|
||
<li><p>WebAssembly SF talk (video): <a href="https://www.youtube.com/watch?v=OIUPf8m7CGA">Extensions for network proxies</a>, by John Plevyak</p></li>
|
||
<li><p><a href="https://www.solo.io/blog/an-extended-and-improved-webassembly-hub-to-helps-bring-the-power-of-webassembly-to-envoy-and-istio/">Solo blog</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/spec">Proxy-Wasm ABI specification</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">Proxy-Wasm C++ SDK</a> and
|
||
its <a href="https://github.com/proxy-wasm/proxy-wasm-cpp-sdk/blob/master/docs/wasm_filter.md">developer documentation</a></p></li>
|
||
<li><p><a href="https://github.com/proxy-wasm/proxy-wasm-rust-sdk">Proxy-Wasm Rust SDK</a></p></li>
|
||
<li><p><a href="https://github.com/solo-io/proxy-runtime">Proxy-Wasm AssemblyScript SDK</a></p></li>
|
||
<li><p><a href="https://docs.solo.io/web-assembly-hub/latest/tutorial_code/">Tutorials</a></p></li>
|
||
<li><p>Videos on the <a href="https://www.youtube.com/channel/UCuketWAG3WqYjjxtQ9Q8ApQ">Solo.io Youtube Channel</a></p></li>
|
||
</ul></description><pubDate>Thu, 05 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/wasm-announce/</link><author>Craig Box, Mandar Jog, John Plevyak, Louis Ryan, Piotr Sikora (Google), Yuval Kohavi, Scott Weiss (Solo.io)</author><guid isPermaLink="true">/v1.12/blog/2020/wasm-announce/</guid><category>wasm</category><category>extensibility</category><category>alpha</category><category>performance</category><category>operator</category></item><item><title>Istio in 2020 - Following the Trade Winds</title><description>
|
||
<p>Istio solves real problems that people encounter running microservices. Even
|
||
<a href="https://kubernetespodcast.com/episode/016-descartes-labs/">very early pre-release versions</a>
|
||
helped users debug the latency in their architecture, increase the reliability
|
||
of services, and transparently secure traffic behind the firewall.</p>
|
||
<p>Last year, the Istio project experienced major growth. After a 9-month gestation
|
||
before the 1.1 release in Q1, we set a goal of having a quarterly release
|
||
cadence. We knew it was important to deliver value consistently and predictably.
|
||
With three releases landing in the successive quarters as planned, we are proud
|
||
to have reached that goal.</p>
|
||
<p>During that time, we improved our build and test infrastructure, resulting in
|
||
higher quality and easier release cycles. We doubled down on user experience,
|
||
adding many commands to make operating and debugging the mesh easier. We also
|
||
saw tremendous growth in the number of developers and companies contributing to
|
||
the product - culminating in us being
|
||
<a href="https://octoverse.github.com/#fastest-growing-oss-projects-by-contributors">#4 on GitHub&rsquo;s top ten list of fastest growing projects</a>!</p>
|
||
<p>We have ambitious goals for Istio in 2020 and there are many major efforts
|
||
underway, but at the same time we strongly believe that good infrastructure
|
||
should be &ldquo;boring.&rdquo; Using Istio in production should be a seamless experience;
|
||
performance should not be a concern, upgrades should be a non-event and complex
|
||
tasks should be automated away. With our investment in a more powerful
|
||
extensibility story we think the pace of innovation in the service mesh space
|
||
can increase while Istio focuses on being gloriously dull.
|
||
More details on our major efforts in 2020 below.</p>
|
||
<h2 id="sleeker-smoother-and-faster">Sleeker, smoother and faster</h2>
|
||
<p>Istio provided for extensibility from day one, implemented by a component called
|
||
Mixer. Mixer is a platform that allows custom
|
||
<a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#adapters">adapters</a>
|
||
to act as an intermediary between the data plane and the backends you use for
|
||
policy or telemetry. Mixer necessarily added overhead to requests because it
|
||
required extensions to be out-of-process. So, we&rsquo;re moving to a model that
|
||
enables extension directly in the proxies instead.</p>
|
||
<p>Most of Mixer’s use cases for policy enforcement are already addressed with
|
||
Istio&rsquo;s <a href="/v1.12/docs/concepts/security/#authentication-policies">authentication</a>
|
||
and <a href="/v1.12/docs/concepts/security/#authorization">authorization</a> policies, which
|
||
allow you to control workload-to-workload and end-user-to-workload authorization
|
||
directly in the proxy. Common monitoring use cases have already moved into the
|
||
proxy too - we have
|
||
<a href="/v1.12/docs/reference/config/metrics">introduced in-proxy support</a>
|
||
for sending telemetry to Prometheus and Stackdriver.</p>
|
||
<p>Our benchmarking shows that the new telemetry model reduces our latency
|
||
dramatically and gives us industry-leading performance, with 50% reductions in
|
||
both latency and CPU consumption.</p>
|
||
<h2 id="a-new-model-for-istio-extensibility">A new model for Istio extensibility</h2>
|
||
<p>The model that replaces Mixer uses extensions in Envoy to provide even more
|
||
capability. The Istio community is leading the implementation of a
|
||
<a href="https://webassembly.org/">WebAssembly</a> (Wasm) runtime in Envoy, which lets us
|
||
implement extensions that are modular, sandboxed, and developed in one of
|
||
<a href="https://github.com/appcypher/awesome-wasm-langs">over 20 languages</a>. Extensions
|
||
can be dynamically loaded and reloaded while the proxy continues serving
|
||
traffic. Wasm extensions will also be able to extend the platform in ways that
|
||
Mixer simply couldn’t. They can act as custom protocol handlers and transform
|
||
payloads as they pass through Envoy — in short they can do the same things as
|
||
modules built into Envoy.</p>
|
||
<p>We&rsquo;re working with the Envoy community on ways to discover and distribute these
|
||
extensions. We want to make WebAssembly extensions as easy to install and run as
|
||
containers. Many of our partners have written Mixer adapters, and together we
|
||
are getting them ported to Wasm. We are also developing guides and codelabs on
|
||
how to write your own extensions for custom integrations.</p>
|
||
<p>By changing the extension model, we were also able to remove dozens of CRDs.
|
||
You no longer need a unique CRD for every piece of software you integrate with
|
||
Istio.</p>
|
||
<p>Installing Istio 1.5 with the &lsquo;preview&rsquo; configuration profile won&rsquo;t install
|
||
Mixer. If you upgrade from a previous release, or install the &lsquo;default&rsquo; profile,
|
||
we still keep Mixer around, to be safe. When using Prometheus or Stackdriver for
|
||
metrics, we recommend you try out the new mode and see how much your performance
|
||
improves.</p>
|
||
<p>You can keep Mixer installed and enabled if you need it. Eventually Mixer will
|
||
become a separately released add-on to Istio that is part of the
|
||
<a href="https://github.com/istio-ecosystem/">istio-ecosystem</a>.</p>
|
||
<h2 id="fewer-moving-parts">Fewer moving parts</h2>
|
||
<p>We are also simplifying the deployment of the rest of the control plane. To
|
||
that end, we combined several of the control plane components into a single
|
||
component: Istiod. This binary includes the features of Pilot, Citadel, Galley,
|
||
and the sidecar injector. This approach improves many aspects of installing and
|
||
managing Istio &ndash; reducing installation and configuration complexity,
|
||
maintenance effort, and issue diagnosis time while increasing responsiveness.
|
||
Read more about Istiod in
|
||
<a href="https://blog.christianposta.com/microservices/istio-as-an-example-of-when-not-to-do-microservices/">this post from Christian Posta</a>.</p>
|
||
<p>We are shipping Istiod as the default for all profiles in 1.5.</p>
|
||
<p>To reduce the per-node footprint, we are getting rid of the node-agent, used to
|
||
distribute certificates, and moving its functionality to the istio-agent, which
|
||
already runs in each Pod. For those of you who like pictures we are moving from
|
||
this &hellip;</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/tradewinds-2020/architecture-pre-istiod.svg" title="The Istio architecture today">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/tradewinds-2020/architecture-pre-istiod.svg" alt="Istio architecture with Pilot, Mixer, Citadel, Sidecar injector" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Istio architecture today</figcaption>
|
||
</figure>
|
||
<p>to this&hellip;</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/tradewinds-2020/architecture-post-istiod.svg" title="The Istio architecture in 2020">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/tradewinds-2020/architecture-post-istiod.svg" alt="Istio architecture with Istiod" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Istio architecture in 2020</figcaption>
|
||
</figure>
|
||
<p>In 2020, we will continue to invest in onboarding to achieve our goal of a
|
||
&ldquo;zero config&rdquo; default that doesn’t require you to change any of your
|
||
application&rsquo;s configuration to take advantage of most Istio features.</p>
|
||
<h2 id="improved-lifecycle-management">Improved lifecycle management</h2>
|
||
<p>To improve Istio’s life-cycle management, we moved to an
|
||
<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operator</a>-based
|
||
installation. We introduced the
|
||
<strong><a href="/v1.12/docs/setup/install/istioctl/">IstioOperator CRD and two installation modes</a></strong>:</p>
|
||
<ul>
|
||
<li>Human-triggered: use istioctl to apply the settings to the cluster.</li>
|
||
<li>Machine-triggered: use a controller that is continually watching for changes
|
||
in that CRD and affecting those in real time.</li>
|
||
</ul>
|
||
<p>In 2020 upgrades will getting easier too. We will add support for &ldquo;canarying&rdquo;
|
||
new versions of the Istio control plane, which allows you to run a new version
|
||
alongside the existing version and gradually switch your data plane over to use
|
||
the new one.</p>
|
||
<h2 id="secure-by-default">Secure By Default</h2>
|
||
<p>Istio already provides the fundamentals for strong service security: reliable
|
||
workload identity, robust access policies and comprehensive audit logging. We’re
|
||
stabilizing APIs for these features; many Alpha APIs are moving to Beta in 1.5,
|
||
and we expect them to all be v1 by the end of 2020. To learn more about the
|
||
status of our APIs, see our
|
||
<a href="/v1.12/docs/releases/feature-stages/#istio-features">features page</a>.</p>
|
||
<p>Network traffic is also becoming more secure by default. After many users
|
||
enabled it in preview,
|
||
<a href="/v1.12/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls">automated rollout of mutual TLS</a>
|
||
is becoming the recommended practice in Istio 1.5.</p>
|
||
<p>In addition we will make Istio require fewer privileges and simplify its
|
||
dependencies which in turn make it a more robust system. Historically, you had
|
||
to mount certificates into Envoy using Kubernetes Secrets, which were mounted as
|
||
files into each proxy. By leveraging the
|
||
<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret">Secret Discovery Service</a>
|
||
we can distribute these certificates securely without concern of them being
|
||
intercepted by other workloads on the machine. This mode will become the default
|
||
in 1.5.</p>
|
||
<p>Getting rid of the node-agent not only simplifies the deployment, but also
|
||
removes the requirement for a cluster-wide <code>PodSecurityPolicy</code>, further
|
||
improving the security posture of your cluster.</p>
|
||
<h2 id="other-features">Other features</h2>
|
||
<p>Here&rsquo;s a snapshot of some more exciting things you can expect from Istio in
|
||
2020:</p>
|
||
<ul>
|
||
<li>Integration with more hosted Kubernetes environments - service meshes
|
||
powered by Istio are currently available from 15 vendors, including Google, IBM,
|
||
Red Hat, VMware, Alibaba and Huawei</li>
|
||
<li>More investment in <code>istioctl</code> and its ability to help diagnose problems</li>
|
||
<li>Better integration of VM-based workloads into meshes</li>
|
||
<li>Continued work towards making multi-cluster and multi-network meshes easier to
|
||
configure, maintain, and run</li>
|
||
<li>Integration with more service discovery systems, including
|
||
Functions-as-a-Service</li>
|
||
<li>Implementation of the new
|
||
<a href="https://kubernetes-sigs.github.io/service-apis/">Kubernetes service APIs</a>,
|
||
which are currently in development</li>
|
||
<li>An <a href="https://github.com/istio/enhancements/">enhancement repository</a>,
|
||
to track feature development</li>
|
||
<li>Making it easier to run Istio without needing Kubernetes!</li>
|
||
</ul>
|
||
<p>From the seas to <a href="https://www.youtube.com/watch?v=YjZ4AZ7hRM0">the skies</a>,
|
||
we&rsquo;re excited to see where you take Istio next.</p></description><pubDate>Tue, 03 Mar 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/tradewinds-2020/</link><author>Istio Team</author><guid isPermaLink="true">/v1.12/blog/2020/tradewinds-2020/</guid><category>roadmap</category><category>security</category><category>performance</category><category>operator</category></item><item><title>Remove cross-pod unix domain sockets</title><description><p>In Istio versions before 1.5, during secret discovery service (SDS) execution,
|
||
the SDS client and the SDS server communicate through a cross-pod Unix domain
|
||
socket (UDS), which needs to be protected by Kubernetes pod security policies.</p>
|
||
<p>With Istio 1.5, Pilot Agent, Envoy, and Citadel Agent will be running in
|
||
the same container (the architecture is shown in the following diagram).
|
||
To defend against attackers eavesdropping on the cross-pod UDS between Envoy (SDS client)
|
||
and Citadel Agent (SDS server), Istio 1.5 merges Pilot Agent and Citadel Agent
|
||
into a single Istio Agent and makes the UDS between Envoy and Citadel Agent
|
||
private to the Istio Agent container.
|
||
The Istio Agent container is deployed as the sidecar of the application service container.</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:80.39622513132818%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/istio-agent/istio_agent.svg" title="The architecture of Istio Agent">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/istio-agent/istio_agent.svg" alt="The architecture of Istio Agent" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The architecture of Istio Agent</figcaption>
|
||
</figure></description><pubDate>Thu, 20 Feb 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/istio-agent/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.12/blog/2020/istio-agent/</guid><category>security</category><category>secret discovery service</category><category>unix domain socket</category></item><item><title>Multicluster Istio configuration and service discovery using Admiral</title><description>
|
||
<p>At Intuit, we read the blog post <a href="/v1.12/blog/2019/isolated-clusters/">Multi-Mesh Deployments for Isolation and Boundary Protection</a> and immediately related to some of the problems mentioned.
|
||
We realized that even though we wanted to configure a single multi-cluster mesh, instead of a federation of multiple meshes
|
||
as described in the blog post, the same non-uniform naming issues also applied in our environment.
|
||
This blog post explains how we solved these problems using <a href="https://github.com/istio-ecosystem/admiral">Admiral</a>, an open source project under <code>istio-ecosystem</code> in GitHub.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>Using Istio, we realized the configuration for multi-cluster was complex and challenging to maintain over time. As a result, we chose the model described in <a href="https://istio.io/v1.6/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster">Multi-Cluster Istio Service Mesh with replicated control planes</a> for scalability and other operational reasons. Following this model, we had to solve these key requirements before widely adopting an Istio service mesh:</p>
|
||
<ul>
|
||
<li>Creation of service DNS entries decoupled from the namespace, as described in <a href="/v1.12/blog/2019/isolated-clusters/#features-of-multi-mesh-deployments">Features of multi-mesh deployments</a>.</li>
|
||
<li>Service discovery across many clusters.</li>
|
||
<li>Supporting active-active &amp; HA/DR deployments. We also had to support these crucial resiliency patterns with services being deployed in globally unique namespaces across discrete clusters.</li>
|
||
</ul>
|
||
<p>We have over 160 Kubernetes clusters with a globally unique namespace name across all clusters. In this configuration, we can have the same service workload deployed in different regions running in namespaces with different names. As a result, following the routing strategy mentioned in <a href="/v1.12/blog/2019/multicluster-version-routing">Multicluster version routing</a>, the example name <code>foo.namespace.global</code> wouldn&rsquo;t work across clusters. We needed a globally unique and discoverable service DNS that resolves service instances in multiple clusters, each instance running/addressable with its own unique Kubernetes FQDN. For example, <code>foo.global</code> should resolve to both <code>foo.uswest2.svc.cluster.local</code> &amp; <code>foo.useast2.svc.cluster.local</code> if <code>foo</code> is running in two Kubernetes clusters with different names.
|
||
Also, our services need additional DNS names with different resolution and global routing properties. For example, <code>foo.global</code> should resolve locally first, then route to a remote instance using topology routing, while <code>foo-west.global</code> and <code>foo-east.global</code> (names used for testing) should always resolve to the respective regions.</p>
|
||
<h2 id="contextual-configuration">Contextual Configuration</h2>
|
||
<p>After further investigation, it was apparent that configuration needed to be contextual: each cluster needs a configuration specifically tailored for its view of the world.</p>
|
||
<p>For example, we have a payments service consumed by orders and reports. The payments service has a HA/DR deployment across <code>us-east</code> (cluster 3) and <code>us-west</code> (cluster 2). The payments service is deployed in namespaces with different names in each region. The orders service is deployed in a different cluster as payments in <code>us-west</code> (cluster 1). The reports service is deployed in the same cluster as payments in <code>us-west</code> (cluster 2).</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60.81558869142712%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example.svg" title="Cross cluster workload communication with Istio">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example.svg" alt="Example of calling a workload in Istio multicluster" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Cross cluster workload communication with Istio</figcaption>
|
||
</figure>
|
||
<p>Istio <code>ServiceEntry</code> yaml for payments service in Cluster 1 and Cluster 2 below illustrates the contextual configuration that other services need to use the payments service:</p>
|
||
<p>Cluster 1 Service Entry</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: payments.global-se
|
||
spec:
|
||
addresses:
|
||
- 240.0.0.10
|
||
endpoints:
|
||
- address: ef394f...us-east-2.elb.amazonaws.com
|
||
locality: us-east-2
|
||
ports:
|
||
http: 15443
|
||
- address: ad38bc...us-west-2.elb.amazonaws.com
|
||
locality: us-west-2
|
||
ports:
|
||
http: 15443
|
||
hosts:
|
||
- payments.global
|
||
location: MESH_INTERNAL
|
||
ports:
|
||
- name: http
|
||
number: 80
|
||
protocol: http
|
||
resolution: DNS
|
||
</code></pre>
|
||
<p>Cluster 2 Service Entry</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: payments.global-se
|
||
spec:
|
||
addresses:
|
||
- 240.0.0.10
|
||
endpoints:
|
||
- address: ef39xf...us-east-2.elb.amazonaws.com
|
||
locality: us-east-2
|
||
ports:
|
||
http: 15443
|
||
- address: payments.default.svc.cluster.local
|
||
locality: us-west-2
|
||
ports:
|
||
http: 80
|
||
hosts:
|
||
- payments.global
|
||
location: MESH_INTERNAL
|
||
ports:
|
||
- name: http
|
||
number: 80
|
||
protocol: http
|
||
resolution: DNS
|
||
</code></pre>
|
||
<p>The payments <code>ServiceEntry</code> (Istio CRD) from the point of view of the reports service in Cluster 2, would set the locality <code>us-west</code> pointing to the local Kubernetes FQDN and locality <code>us-east</code> pointing to the <code>istio-ingressgateway</code> (load balancer) for Cluster 3.
|
||
The payments <code>ServiceEntry</code> from the point of view of the orders service in Cluster 1, will set the locality <code>us-west</code> pointing to Cluster 2 <code>istio-ingressgateway</code> and locality <code>us-east</code> pointing to the <code>istio-ingressgateway</code> for Cluster 3.</p>
|
||
<p>But wait, there&rsquo;s even more complexity: What if the payment services want to move traffic to the <code>us-east</code> region for a planned maintenance in <code>us-west</code>? This would require the payments service to change the Istio configuration in all of their clients&rsquo; clusters. This would be nearly impossible to do without automation.</p>
|
||
<h2 id="admiral-to-the-rescue-admiral-is-that-automation">Admiral to the Rescue: Admiral is that Automation</h2>
|
||
<p><em>Admiral is a controller of Istio control planes.</em></p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:69.43866943866944%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example_with_admiral.svg" title="Cross cluster workload communication with Istio and Admiral">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2020/multi-cluster-mesh-automation/Istio_mesh_example_with_admiral.svg" alt="Example of calling a workload in Istio multicluster with Admiral" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Cross cluster workload communication with Istio and Admiral</figcaption>
|
||
</figure>
|
||
<p>Admiral provides automatic configuration for an Istio mesh spanning multiple clusters to work as a single mesh based on a unique service identifier that associates workloads running on multiple clusters to a service. It also provides automatic provisioning and syncing of Istio configuration across clusters. This removes the burden on developers and mesh operators, which helps scale beyond a few clusters.</p>
|
||
<h2 id="admiral-crds">Admiral CRDs</h2>
|
||
<h3 id="global-traffic-routing">Global Traffic Routing</h3>
|
||
<p>With Admiral’s global traffic policy CRD, the payments service can update regional traffic weights and Admiral updates the Istio configuration in all clusters that consume the payments service.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: admiral.io/v1alpha1
|
||
kind: GlobalTrafficPolicy
|
||
metadata:
|
||
name: payments-gtp
|
||
spec:
|
||
selector:
|
||
identity: payments
|
||
policy:
|
||
- dns: default.payments.global
|
||
lbType: 1
|
||
target:
|
||
- region: us-west-2/*
|
||
weight: 10
|
||
- region: us-east-2/*
|
||
weight: 90
|
||
</code></pre>
|
||
<p>In the example above, 90% of the payments service traffic is routed to the <code>us-east</code> region. This Global Traffic Configuration is automatically converted into Istio configuration and contextually mapped into Kubernetes clusters to enable multi-cluster global routing for the payments service for its clients within the Mesh.</p>
|
||
<p>This Global Traffic Routing feature relies on Istio&rsquo;s locality load-balancing per service available in Istio 1.5 or later.</p>
|
||
<h3 id="dependency">Dependency</h3>
|
||
<p>The Admiral <code>Dependency</code> CRD allows us to specify a service&rsquo;s dependencies based on a service identifier. This optimizes the delivery of Admiral generated configuration only to the required clusters where the dependent clients of a service are running (instead of writing it to all clusters). Admiral also configures and/or updates the Sidecar Istio CRD in the client&rsquo;s workload namespace to limit the Istio configuration to only its dependencies. We use service-to-service authorization information recorded elsewhere to generate this <code>dependency</code> records for Admiral to use.</p>
|
||
<p>An example <code>dependency</code> for the <code>orders</code> service:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: admiral.io/v1alpha1
|
||
kind: Dependency
|
||
metadata:
|
||
name: dependency
|
||
namespace: admiral
|
||
spec:
|
||
source: orders
|
||
identityLabel: identity
|
||
destinations:
|
||
- payments
|
||
</code></pre>
|
||
<p><code>Dependency</code> is optional and a missing dependency for a service will result in an Istio configuration for that service pushed to all clusters.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Admiral provides a new Global Traffic Routing and unique service naming functionality to address some challenges posed by the Istio model described in <a href="https://istio.io/v1.6/docs/setup/install/multicluster/gateways/#deploy-the-istio-control-plane-in-each-cluster">multi-cluster deployment with replicated control planes</a>. It removes the need for manual configuration synchronization between clusters and generates contextual configuration for each cluster. This makes it possible to operate a Service Mesh composed of many Kubernetes clusters.</p>
|
||
<p>We think Istio/Service Mesh community would benefit from this approach, so we <a href="https://github.com/istio-ecosystem/admiral">open sourced Admiral</a> and would love your feedback and support!</p></description><pubDate>Sun, 05 Jan 2020 00:00:00 +0000</pubDate><link>/v1.12/blog/2020/multi-cluster-mesh-automation/</link><author>Anil Attuluri (Intuit), Jason Webb (Intuit)</author><guid isPermaLink="true">/v1.12/blog/2020/multi-cluster-mesh-automation/</guid><category>traffic-management</category><category>automation</category><category>configuration</category><category>multicluster</category><category>multi-mesh</category><category>gateway</category><category>federated</category><category>globalidentifer</category></item><item><title>Secure Webhook Management</title><description><p>Istio has two webhooks: Galley and the sidecar injector.
|
||
Galley validates Kubernetes resources and the sidecar injector injects sidecar
|
||
containers into Istio.</p>
|
||
<p>By default, Galley and the sidecar injector manage their own webhook configurations.
|
||
This can pose a security risk if they are compromised, for example, through buffer overflow attacks.
|
||
Configuring a webhook is a highly privileged operation as a webhook may monitor and mutate all
|
||
Kubernetes resources.</p>
|
||
<p>In the following example, the attacker compromises
|
||
Galley and modifies the webhook configuration of Galley to eavesdrop on all Kubernetes secrets
|
||
(the <code>clientConfig</code> is modified by the attacker to direct the <code>secrets</code> resources to
|
||
a service owned by the attacker).</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:44.37367303609342%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/webhook/example_attack.png" title="An example attack">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/webhook/example_attack.png" alt="An example attack" />
|
||
</a>
|
||
</div>
|
||
<figcaption>An example attack</figcaption>
|
||
</figure>
|
||
<p>To protect against this kind of attack, Istio 1.4 introduces a new feature to securely manage
|
||
webhooks using <code>istioctl</code>:</p>
|
||
<ol>
|
||
<li><p><code>istioctl</code>, instead of Galley and the sidecar injector, manage the webhook configurations.
|
||
Galley and the sidecar injector are de-privileged so even if they are compromised, they
|
||
will not be able to alter the webhook configurations.</p></li>
|
||
<li><p>Before configuring a webhook, <code>istioctl</code> will verify the webhook server is up
|
||
and that the certificate chain used by the webhook server is valid. This reduces the errors
|
||
that can occur before a server is ready or if a server has invalid certificates.</p></li>
|
||
</ol>
|
||
<p>To try this new feature, refer to the <a href="https://archive.istio.io/v1.4/docs/tasks/security/webhook">Istio webhook management task</a>.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/webhook/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/webhook/</guid><category>security</category><category>kubernetes</category><category>webhook</category></item><item><title>Introducing the Istio v1beta1 Authorization Policy</title><description>
|
||
<p>Istio 1.4 introduces the
|
||
<a href="/v1.12/docs/reference/config/security/authorization-policy/"><code>v1beta1</code> authorization policy</a>,
|
||
which is a major update to the previous <code>v1alpha1</code> role-based access control
|
||
(RBAC) policy. The new policy provides these improvements:</p>
|
||
<ul>
|
||
<li>Aligns with Istio configuration model.</li>
|
||
<li>Improves the user experience by simplifying the API.</li>
|
||
<li>Supports more use cases (e.g. Ingress/Egress gateway support) without
|
||
added complexity.</li>
|
||
</ul>
|
||
<p>The <code>v1beta1</code> policy is not backward compatible and requires a one time
|
||
conversion. A tool is provided to automate this process. The previous
|
||
configuration resources <code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
|
||
<code>ServiceRoleBinding</code> will not be supported from Istio 1.6 onwards.</p>
|
||
<p>This post describes the new <code>v1beta1</code> authorization policy model, its
|
||
design goals and the migration from <code>v1alpha1</code> RBAC policies. See the
|
||
<a href="/v1.12/docs/concepts/security/#authorization">authorization concept page</a>
|
||
for a detailed in-depth explanation of the <code>v1beta1</code> authorization policy.</p>
|
||
<p>We welcome your feedback about the <code>v1beta1</code> authorization policy at
|
||
<a href="https://discuss.istio.io/c/security">discuss.istio.io</a>.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>To date, Istio provided RBAC policies to enforce access control on
|
||
<span class="term" data-title="Service" data-body="&lt;p&gt;A delineated group of related behaviors within a &lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;service mesh&lt;/a&gt;. Services are identified using a
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-name&#34;&gt;service name&lt;/a&gt;,
|
||
and Istio policies such as load balancing and routing are applied using these names.
|
||
A service is typically materialized by one or more &lt;a href=&#34;/docs/reference/glossary/#service-endpoint&#34;&gt;service endpoints&lt;/a&gt;, and may consist of multiple
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-version&#34;&gt;service versions&lt;/a&gt;.&lt;/p&gt;
|
||
">services</span> using three configuration
|
||
resources: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.
|
||
With this API, users have been able to enforce control access at mesh-level,
|
||
namespace-level and service-level. Like other RBAC policies, Istio RBAC uses
|
||
the same concept of role and binding for granting permissions to identities.</p>
|
||
<p>Although Istio RBAC has been working reliably, we&rsquo;ve found that many
|
||
improvements were possible.</p>
|
||
<p>For example, users have mistakenly assumed that access control enforcement
|
||
happens at service-level because <code>ServiceRole</code> uses service to specify where
|
||
to apply the policy, however, the policy is actually applied on
|
||
<span class="term" data-title="Workload" data-body="&lt;p&gt;A binary deployed by &lt;a href=&#34;/docs/reference/glossary/#operator&#34;&gt;operators&lt;/a&gt; to deliver some function of a service mesh application.
|
||
Workloads have names, namespaces, and unique ids. These properties are available in policy and telemetry configuration
|
||
using the following &lt;a href=&#34;/docs/reference/glossary/#attribute&#34;&gt;attributes&lt;/a&gt;:&lt;/p&gt;
|
||
&lt;ul&gt;
|
||
&lt;li&gt;&lt;code&gt;source.workload.name&lt;/code&gt;, &lt;code&gt;source.workload.namespace&lt;/code&gt;, &lt;code&gt;source.workload.uid&lt;/code&gt;&lt;/li&gt;
|
||
&lt;li&gt;&lt;code&gt;destination.workload.name&lt;/code&gt;, &lt;code&gt;destination.workload.namespace&lt;/code&gt;, &lt;code&gt;destination.workload.uid&lt;/code&gt;&lt;/li&gt;
|
||
&lt;/ul&gt;
|
||
&lt;p&gt;In Kubernetes, a workload typically corresponds to a Kubernetes deployment,
|
||
while a &lt;a href=&#34;/docs/reference/glossary/#workload-instance&#34;&gt;workload instance&lt;/a&gt; corresponds to an individual &lt;a href=&#34;/docs/reference/glossary/#pod&#34;&gt;pod&lt;/a&gt; managed
|
||
by the deployment.&lt;/p&gt;
|
||
">workloads</span>, the service is only used to
|
||
find the corresponding workload. This nuance is significant when multiple
|
||
services are referring to the same workload. A <code>ServiceRole</code> for service A
|
||
will also affect service B if the two services are referring to the same
|
||
workload, which can cause confusion and incorrect configuration.</p>
|
||
<p>An other example is that it&rsquo;s proven difficult for users to maintain and
|
||
manage the Istio RBAC configurations because of the need to deeply understand
|
||
three related resources.</p>
|
||
<h2 id="design-goals">Design goals</h2>
|
||
<p>The new <code>v1beta1</code> authorization policy had several design goals:</p>
|
||
<ul>
|
||
<li><p>Align with <a href="https://goo.gl/x3STjD">Istio Configuration Model</a> for better
|
||
clarity on the policy target. The configuration model provides a unified
|
||
configuration hierarchy, resolution and target selection.</p></li>
|
||
<li><p>Improve the user experience by simplifying the API. It&rsquo;s easier to manage
|
||
one custom resource definition (CRD) that includes all access control
|
||
specifications, instead of multiple CRDs.</p></li>
|
||
<li><p>Support more use cases without added complexity. For example, allow the
|
||
policy to be applied on Ingress/Egress gateway to enforce access control
|
||
for traffic entering/exiting the mesh.</p></li>
|
||
</ul>
|
||
<h2 id="authorizationpolicy"><code>AuthorizationPolicy</code></h2>
|
||
<p>An <a href="/v1.12/docs/reference/config/security/authorization-policy/"><code>AuthorizationPolicy</code> custom resource</a>
|
||
enables access control on workloads. This section gives an overview of the
|
||
changes in the <code>v1beta1</code> authorization policy.</p>
|
||
<p>An <code>AuthorizationPolicy</code> includes a <code>selector</code> and a list of <code>rule</code>.
|
||
The <code>selector</code> specifies on which workload to apply the policy and the
|
||
list of <code>rule</code> specifies the detailed access control rule for the workload.</p>
|
||
<p>The <code>rule</code> is additive, which means a request is allowed if any <code>rule</code>
|
||
allows the request. Each <code>rule</code> includes a list of <code>from</code>, <code>to</code> and
|
||
<code>when</code>, which specifies <strong>who</strong> is allowed to do <strong>what</strong> under which
|
||
<strong>conditions</strong>.</p>
|
||
<p>The <code>selector</code> replaces the functionality provided by <code>ClusterRbacConfig</code>
|
||
and the <code>services</code> field in <code>ServiceRole</code>. The <code>rule</code> replaces the other
|
||
fields in the <code>ServiceRole</code> and <code>ServiceRoleBinding</code>.</p>
|
||
<h3 id="example">Example</h3>
|
||
<p>The following authorization policy applies to workloads with <code>app: httpbin</code>
|
||
and <code>version: v1</code> label in the <code>foo</code> namespace:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
version: v1
|
||
rules:
|
||
- from:
|
||
- source:
|
||
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
|
||
to:
|
||
- operation:
|
||
methods: [&#34;GET&#34;]
|
||
when:
|
||
- key: request.headers[version]
|
||
values: [&#34;v1&#34;, &#34;v2&#34;]
|
||
</code></pre>
|
||
<p>The policy allows principal <code>cluster.local/ns/default/sa/sleep</code> to access the
|
||
workload using the <code>GET</code> method when the request includes a <code>version</code> header
|
||
of value <code>v1</code> or <code>v2</code>. Any requests not matched with the policy will be denied
|
||
by default.</p>
|
||
<p>Assuming the <code>httpbin</code> service is defined as:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
app: httpbin
|
||
version: v1
|
||
ports:
|
||
# omitted
|
||
</code></pre>
|
||
<p>You would need to configure three resources to achieve the same result in
|
||
<code>v1alpha1</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ClusterRbacConfig
|
||
metadata:
|
||
name: default
|
||
spec:
|
||
mode: &#39;ON_WITH_INCLUSION&#39;
|
||
inclusion:
|
||
services: [&#34;httpbin.foo.svc.cluster.local&#34;]
|
||
---
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRole
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
rules:
|
||
- services: [&#34;httpbin.foo.svc.cluster.local&#34;]
|
||
methods: [&#34;GET&#34;]
|
||
constraints:
|
||
- key: request.headers[version]
|
||
values: [&#34;v1&#34;, &#34;v2&#34;]
|
||
---
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
subjects:
|
||
- user: &#34;cluster.local/ns/default/sa/sleep&#34;
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;httpbin&#34;
|
||
</code></pre>
|
||
<h3 id="workload-selector">Workload selector</h3>
|
||
<p>A major change in the <code>v1beta1</code> authorization policy is that it now uses
|
||
workload selector to specify where to apply the policy. This is the same
|
||
workload selector used in the <code>Gateway</code>, <code>Sidecar</code> and <code>EnvoyFilter</code>
|
||
configurations.</p>
|
||
<p>The workload selector makes it clear that the policy is applied and enforced
|
||
on workloads instead of services. If a policy applies to a workload that is
|
||
used by multiple different services, the same policy will affect the traffic
|
||
to all the different services.</p>
|
||
<p>You can simply leave the <code>selector</code> empty to apply the policy to all
|
||
workloads in a namespace. The following policy applies to all workloads in
|
||
the namespace <code>bar</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: policy
|
||
namespace: bar
|
||
spec:
|
||
rules:
|
||
# omitted
|
||
</code></pre>
|
||
<h3 id="root-namespace">Root namespace</h3>
|
||
<p>A policy in the root namespace applies to all workloads in the mesh in every
|
||
namespaces. The root namespace is configurable in the
|
||
<a href="/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig"><code>MeshConfig</code></a>
|
||
and has the default value of <code>istio-system</code>.</p>
|
||
<p>For example, you installed Istio in <code>istio-system</code> namespace and deployed
|
||
workloads in <code>default</code> and <code>bookinfo</code> namespace. The root namespace is
|
||
changed to <code>istio-config</code> from the default value. The following policy will
|
||
apply to workloads in every namespace including <code>default</code>, <code>bookinfo</code> and
|
||
the <code>istio-system</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: policy
|
||
namespace: istio-config
|
||
spec:
|
||
rules:
|
||
# omitted
|
||
</code></pre>
|
||
<h3 id="ingress-egress-gateway-support">Ingress/Egress Gateway support</h3>
|
||
<p>The <code>v1beta1</code> authorization policy can also be applied on ingress/egress
|
||
gateway to enforce access control on traffic entering/leaving the mesh,
|
||
you only need to change the <code>selector</code> to make select the ingress/egress
|
||
workload.</p>
|
||
<p>The following policy applies to workloads with the
|
||
<code>app: istio-ingressgateway</code> label:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: ingress
|
||
namespace: istio-system
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: istio-ingressgateway
|
||
rules:
|
||
# omitted
|
||
</code></pre>
|
||
<p>Remember the authorization policy only applies to workloads in the same
|
||
namespace as the policy, unless the policy is applied in the root namespace:</p>
|
||
<ul>
|
||
<li><p>If you don&rsquo;t change the default root namespace value (i.e. <code>istio-system</code>),
|
||
the above policy will apply to workloads with the <code>app: istio-ingressgateway</code>
|
||
label in <strong>every</strong> namespace.</p></li>
|
||
<li><p>If you have changed the root namespace to a different value, the above
|
||
policy will only apply to workloads with the <code>app: istio-ingressgateway</code>
|
||
label <strong>only</strong> in the <code>istio-system</code> namespace.</p></li>
|
||
</ul>
|
||
<h3 id="comparison">Comparison</h3>
|
||
<p>The following table highlights the key differences between the old <code>v1alpha1</code>
|
||
RBAC policies and the new <code>v1beta1</code> authorization policy.</p>
|
||
<h4 id="feature">Feature</h4>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Feature</th>
|
||
<th><code>v1alpha1</code> RBAC policy</th>
|
||
<th><code>v1beta1</code> Authorization Policy</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>API stability</td>
|
||
<td><code>alpha</code>: <strong>No</strong> backward compatible</td>
|
||
<td><code>beta</code>: backward compatible <strong>guaranteed</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Number of CRDs</td>
|
||
<td>Three: <code>ClusterRbacConfig</code>, <code>ServiceRole</code> and <code>ServiceRoleBinding</code></td>
|
||
<td>Only One: <code>AuthorizationPolicy</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Policy target</td>
|
||
<td><strong>service</strong></td>
|
||
<td><strong>workload</strong></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Deny-by-default behavior</td>
|
||
<td>Enabled <strong>explicitly</strong> by configuring <code>ClusterRbacConfig</code></td>
|
||
<td>Enabled <strong>implicitly</strong> with <code>AuthorizationPolicy</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Ingress/Egress gateway support</td>
|
||
<td>Not supported</td>
|
||
<td>Supported</td>
|
||
</tr>
|
||
<tr>
|
||
<td>The <code>&quot;*&quot;</code> value in policy</td>
|
||
<td>Match all contents (empty and non-empty)</td>
|
||
<td>Match non-empty contents only</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>The following tables show the relationship between the <code>v1alpha1</code> and <code>v1beta1</code> API.</p>
|
||
<h4 id="clusterrbacconfig"><code>ClusterRbacConfig</code></h4>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th><code>ClusterRbacConfig.Mode</code></th>
|
||
<th><code>AuthorizationPolicy</code></th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><code>OFF</code></td>
|
||
<td>No policy applied</td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>ON</code></td>
|
||
<td>A deny-all policy applied in root namespace</td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>ON_WITH_INCLUSION</code></td>
|
||
<td>policies should be applied to namespaces or workloads included by <code>ClusterRbacConfig</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>ON_WITH_EXCLUSION</code></td>
|
||
<td>policies should be applied to namespaces or workloads excluded by <code>ClusterRbacConfig</code></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h4 id="servicerole"><code>ServiceRole</code></h4>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th><code>ServiceRole</code></th>
|
||
<th><code>AuthorizationPolicy</code></th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><code>services</code></td>
|
||
<td><code>selector</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>paths</code></td>
|
||
<td><code>paths</code> in <code>to</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>methods</code></td>
|
||
<td><code>methods</code> in <code>to</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>destination.ip</code> in constraint</td>
|
||
<td>Not supported</td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>destination.port</code> in constraint</td>
|
||
<td><code>ports</code> in <code>to</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>destination.labels</code> in constraint</td>
|
||
<td><code>selector</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>destination.namespace</code> in constraint</td>
|
||
<td>Replaced by the namespace of the policy, i.e. the <code>namespace</code> in metadata</td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>destination.user</code> in constraint</td>
|
||
<td>Not supported</td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>experimental.envoy.filters</code> in constraint</td>
|
||
<td><code>experimental.envoy.filters</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.headers</code> in constraint</td>
|
||
<td><code>request.headers</code> in <code>when</code></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h4 id="servicerolebinding"><code>ServiceRoleBinding</code></h4>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th><code>ServiceRoleBinding</code></th>
|
||
<th><code>AuthorizationPolicy</code></th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><code>user</code></td>
|
||
<td><code>principals</code> in <code>from</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>group</code></td>
|
||
<td><code>request.auth.claims[group]</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>source.ip</code> in property</td>
|
||
<td><code>ipBlocks</code> in <code>from</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>source.namespace</code> in property</td>
|
||
<td><code>namespaces</code> in <code>from</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>source.principal</code> in property</td>
|
||
<td><code>principals</code> in <code>from</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.headers</code> in property</td>
|
||
<td><code>request.headers</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.auth.principal</code> in property</td>
|
||
<td><code>requestPrincipals</code> in <code>from</code> or <code>request.auth.principal</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.auth.audiences</code> in property</td>
|
||
<td><code>request.auth.audiences</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.auth.presenter</code> in property</td>
|
||
<td><code>request.auth.presenter</code> in <code>when</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td><code>request.auth.claims</code> in property</td>
|
||
<td><code>request.auth.claims</code> in <code>when</code></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p>Beyond all the differences, the <code>v1beta1</code> policy is enforced by the same
|
||
engine in Envoy and supports the same authenticated identity (mutual TLS or
|
||
JWT), condition and other primitives (e.g. IP, port and etc.) as the
|
||
<code>v1alpha1</code> policy.</p>
|
||
<h2 id="future-of-the-v1alpha1-policy">Future of the <code>v1alpha1</code> policy</h2>
|
||
<p>The <code>v1alpha1</code> RBAC policy (<code>ClusterRbacConfig</code>, <code>ServiceRole</code>, and
|
||
<code>ServiceRoleBinding</code>) is deprecated by the <code>v1beta1</code> authorization policy.</p>
|
||
<p>Istio 1.4 continues to support the <code>v1alpha1</code> RBAC policy to give you
|
||
enough time to move away from the alpha policies.</p>
|
||
<h2 id="migration-from-the-v1alpha1-policy">Migration from the <code>v1alpha1</code> policy</h2>
|
||
<p>Istio only supports one of the two versions for a given workload:</p>
|
||
<ul>
|
||
<li>If there is only <code>v1beta1</code> policy for a workload, the <code>v1beta1</code> policy
|
||
will be used.</li>
|
||
<li>If there is only <code>v1alpha1</code> policy for a workload, the <code>v1alpha1</code> policy
|
||
will be used.</li>
|
||
<li>If there are both <code>v1beta1</code> and <code>v1alpha1</code> policies for a workload,
|
||
only the <code>v1beta1</code> policy will be used and the the <code>v1alpha1</code> policy
|
||
will be ignored.</li>
|
||
</ul>
|
||
<h3 id="general-guideline">General Guideline</h3>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">When migrating to use <code>v1beta1</code> policy for a given workload, make sure the
|
||
new <code>v1beta1</code> policy covers all the existing <code>v1alpha1</code> policies applied
|
||
for the workload, because the <code>v1alpha1</code> policies applied for the workload
|
||
will be ignored after you applied the <code>v1beta1</code> policies.</div>
|
||
</aside>
|
||
</div>
|
||
<p>The typical flow of migrating to <code>v1beta1</code> policy is to start by checking the
|
||
<code>ClusterRbacConfig</code> to decide which namespace or service is enabled with RBAC.</p>
|
||
<p>For each service enabled with RBAC:</p>
|
||
<ol>
|
||
<li>Get the workload selector from the service definition.</li>
|
||
<li>Create a <code>v1beta1</code> policy with the workload selector.</li>
|
||
<li>Update the <code>v1beta1</code> policy for each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
|
||
applied to the service.</li>
|
||
<li>Apply the <code>v1beta1</code> policy and monitor the traffic to make sure the
|
||
policy is working as expected.</li>
|
||
<li>Repeat the process for the next service enabled with RBAC.</li>
|
||
</ol>
|
||
<p>For each namespace enabled with RBAC:</p>
|
||
<ol>
|
||
<li>Apply a <code>v1beta1</code> policy that denies all traffic to the given namespace.</li>
|
||
</ol>
|
||
<h3 id="migration-example">Migration Example</h3>
|
||
<p>Assume you have the following <code>v1alpha1</code> policies for the <code>httpbin</code> service
|
||
in the <code>foo</code> namespace:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ClusterRbacConfig
|
||
metadata:
|
||
name: default
|
||
spec:
|
||
mode: &#39;ON_WITH_INCLUSION&#39;
|
||
inclusion:
|
||
namespaces: [&#34;foo&#34;]
|
||
---
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRole
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
rules:
|
||
- services: [&#34;httpbin.foo.svc.cluster.local&#34;]
|
||
methods: [&#34;GET&#34;]
|
||
---
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
subjects:
|
||
- user: &#34;cluster.local/ns/default/sa/sleep&#34;
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;httpbin&#34;
|
||
</code></pre>
|
||
<p>Migrate the above policies to <code>v1beta1</code> in the following ways:</p>
|
||
<ol>
|
||
<li><p>Assume the <code>httpbin</code> service has the following workload selector:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >selector:
|
||
app: httpbin
|
||
version: v1
|
||
</code></pre></li>
|
||
<li><p>Create a <code>v1beta1</code> policy with the workload selector:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
version: v1
|
||
</code></pre></li>
|
||
<li><p>Update the <code>v1beta1</code> policy with each <code>ServiceRole</code> and <code>ServiceRoleBinding</code>
|
||
applied to the service:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: httpbin
|
||
namespace: foo
|
||
spec:
|
||
selector:
|
||
matchLabels:
|
||
app: httpbin
|
||
version: v1
|
||
rules:
|
||
- from:
|
||
- source:
|
||
principals: [&#34;cluster.local/ns/default/sa/sleep&#34;]
|
||
to:
|
||
- operation:
|
||
methods: [&#34;GET&#34;]
|
||
</code></pre></li>
|
||
<li><p>Apply the <code>v1beta1</code> policy and monitor the traffic to make sure it works
|
||
as expected.</p></li>
|
||
<li><p>Apply the following <code>v1beta1</code> policy that denies all traffic to the
|
||
<code>foo</code> namespace because the <code>foo</code> namespace is enabled with RBAC:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: security.istio.io/v1beta1
|
||
kind: AuthorizationPolicy
|
||
metadata:
|
||
name: deny-all
|
||
namespace: foo
|
||
spec:
|
||
{}
|
||
</code></pre></li>
|
||
</ol>
|
||
<p>Make sure the <code>v1beta1</code> policy is working as expected and then you can delete
|
||
the <code>v1alpha1</code> policies from the cluster.</p>
|
||
<h3 id="automation-of-the-migration">Automation of the Migration</h3>
|
||
<p>To help ease the migration, the <code>istioctl experimental authz convert</code>
|
||
command is provided to automatically convert the <code>v1alpha1</code> policies to
|
||
the <code>v1beta1</code> policy.</p>
|
||
<p>You can evaluate the command but it is experimental in Istio 1.4 and doesn&rsquo;t
|
||
support the full <code>v1alpha1</code> semantics as of the date of this blog post.</p>
|
||
<p>The command to support the full <code>v1alpha1</code> semantics is expected in a patch
|
||
release following Istio 1.4.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/v1beta1-authorization-policy/</link><author>Yangmin Zhu (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/v1beta1-authorization-policy/</guid><category>security</category><category>RBAC</category><category>access control</category><category>authorization</category></item><item><title>Introducing the Istio Operator</title><description>
|
||
<p>Kubernetes <a href="https://kubernetes.io/docs/concepts/extend-kubernetes/operator/">operators</a> provide
|
||
a pattern for encoding human operational knowledge in software and are a popular way to simplify
|
||
the administration of software infrastructure components. Istio is a natural candidate for an automated
|
||
operator as it is challenging to administer.</p>
|
||
<p>Up until now, <a href="https://github.com/helm/helm">Helm</a> has been the primary tool to install and upgrade Istio.
|
||
Istio 1.4 introduces a new method of <a href="/v1.12/docs/setup/install/istioctl/">installation using istioctl</a>.
|
||
This new installation method builds on the strengths of Helm with the addition of the
|
||
following:</p>
|
||
<ul>
|
||
<li>Users only need to install one tool: <code>istioctl</code></li>
|
||
<li>All API fields are validated</li>
|
||
<li>Small customizations not in the API don&rsquo;t require chart or API changes</li>
|
||
<li>Version specific upgrade hooks can be easily and robustly implemented</li>
|
||
</ul>
|
||
<p>The <a href="https://archive.istio.io/1.4/docs/setup/install/helm/">Helm installation</a> method is in the process of deprecation. Upgrading from Istio
|
||
1.4 with a version not initially installed with Helm will also be replaced by a new
|
||
<a href="https://archive.istio.io/v1.4/docs/setup/upgrade/istioctl-upgrade/">istioctl upgrade feature</a>.</p>
|
||
<p>The new <code>istioctl</code> installation commands use a
|
||
<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/">custom resource</a>
|
||
to configure the installation. The custom resource is part of a new Istio operator
|
||
implementation intended to simplify the common administrative tasks of installation, upgrade,
|
||
and complex configuration changes for Istio. Validation and checking for installation and upgrade
|
||
is tightly integrated with the tools to prevent common errors and simplify troubleshooting.</p>
|
||
<h2 id="the-operator-api">The Operator API</h2>
|
||
<p>Every operator implementation requires a
|
||
<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">custom resource definition (CRD)</a>
|
||
to define its custom resource, that is, its API. Istio&rsquo;s operator API is defined by the
|
||
<a href="https://archive.istio.io/v1.4/docs/reference/config/istio.operator.v1alpha12.pb/"><code>IstioControlPlane</code> CRD</a>,
|
||
which is generated from an
|
||
<a href="https://github.com/istio/operator/blob/release-1.4/pkg/apis/istio/v1alpha2/istiocontrolplane_types.proto"><code>IstioControlPlane</code> proto</a>.
|
||
The API supports all of Istio&rsquo;s current <a href="/v1.12/docs/setup/additional-setup/config-profiles/">configuration profiles</a>
|
||
using a single field to select the profile. For example, the following <code>IstioControlPlane</code> resource
|
||
configures Istio using the <code>demo</code> profile:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha2
|
||
kind: IstioControlPlane
|
||
metadata:
|
||
namespace: istio-operator
|
||
name: example-istiocontrolplane
|
||
spec:
|
||
profile: demo
|
||
</code></pre>
|
||
<p>You can then customize the configuration with additional settings. For example, to disable telemetry:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: install.istio.io/v1alpha2
|
||
kind: IstioControlPlane
|
||
metadata:
|
||
namespace: istio-operator
|
||
name: example-istiocontrolplane
|
||
spec:
|
||
profile: demo
|
||
telemetry:
|
||
enabled: false
|
||
</code></pre>
|
||
<h2 id="installing-with-hahahugoshortcode-s4-hbhb">Installing with istioctl</h2>
|
||
<p>The recommended way to use the Istio operator API is through a new set of <code>istioctl</code> commands.
|
||
For example, to install Istio into a cluster:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply -f &lt;your-istiocontrolplane-customresource&gt;
|
||
</code></pre>
|
||
<p>Make changes to the installation configuration by editing the configuration file and executing
|
||
<code>istioctl manifest apply</code> again.</p>
|
||
<p>To upgrade to a new version of Istio:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl x upgrade -f &lt;your-istiocontrolplane-config-changes&gt;
|
||
</code></pre>
|
||
<p>In addition to specifying the complete configuration in an <code>IstioControlPlane</code> resource,
|
||
the <code>istioctl</code> commands can also be passed individual settings using a <code>--set</code> flag:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest apply --set telemetry.enabled=false
|
||
</code></pre>
|
||
<p>There are also a number of other <code>istioctl</code> commands that, for example, help you list, display,
|
||
and compare configuration profiles and manifests.</p>
|
||
<p>Refer to the Istio <a href="/v1.12/docs/setup/install/istioctl">install instructions</a> for more details.</p>
|
||
<h2 id="istio-controller-alpha">Istio Controller (alpha)</h2>
|
||
<p>Operator implementations use a Kubernetes controller to continuously monitor their custom resource
|
||
and apply the corresponding configuration changes. The Istio controller monitors an <code>IstioControlPlane</code>
|
||
resource and reacts to changes by updating the Istio installation configuration in the corresponding cluster.</p>
|
||
<p>In the 1.4 release, the Istio controller is in the alpha phase of development and not fully
|
||
integrated with <code>istioctl</code>. It is, however,
|
||
<a href="/v1.12/docs/setup/install/operator/">available for experimentation</a> using <code>kubectl</code> commands.
|
||
For example, to install the controller and a default version of Istio into your cluster,
|
||
run the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f https://&lt;repo URL&gt;/operator.yaml
|
||
$ kubectl apply -f https://&lt;repo URL&gt;/default-cr.yaml
|
||
</code></pre>
|
||
<p>You can then make changes to the Istio installation configuration:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl edit istiocontrolplane example-istiocontrolplane -n istio-system
|
||
</code></pre>
|
||
<p>As soon as the resource is updated, the controller will detect the changes and respond by updating
|
||
the Istio installation correspondingly.</p>
|
||
<p>Both the operator controller and <code>istioctl</code> commands share the same implementation. The significant
|
||
difference is the execution context. In the <code>istioctl</code> case, the operation runs in the admin user’s
|
||
command execution and security context. In the controller case, a pod in the cluster runs the code
|
||
in its security context. In both cases, configuration is validated against a schema and the same correctness
|
||
checks are performed.</p>
|
||
<h2 id="migration-from-helm">Migration from Helm</h2>
|
||
<p>To help ease the transition from previous configurations using Helm,
|
||
<code>istioctl</code> and the controller support pass-through access for the full Helm installation API.</p>
|
||
<p>You can pass Helm configuration options using <code>istioctl --set</code> by prepending the string <code>values.</code> to the option name.
|
||
For example, instead of this Helm command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template ... --set global.mtls.enabled=true
|
||
</code></pre>
|
||
<p>You can use this <code>istioctl</code> command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl manifest generate ... --set values.global.mtls.enabled=true
|
||
</code></pre>
|
||
<p>You can also set Helm configuration values in an <code>IstioControlPlane</code> custom resource.
|
||
See <a href="/v1.12/docs/setup/install/istioctl/#customize-istio-settings-using-the-helm-api">Customize Istio settings using Helm</a>
|
||
for details.</p>
|
||
<p>Another feature to help with the transition from Helm is the alpha
|
||
<a href="/v1.12/docs/reference/commands/istioctl/#istioctl-manifest-migrate">istioctl manifest migrate</a> command.
|
||
This command can be used to automatically convert a Helm <code>values.yaml</code> file to a corresponding
|
||
<code>IstioControlPlane</code> configuration.</p>
|
||
<h2 id="implementation">Implementation</h2>
|
||
<p>Several frameworks have been created to help implement operators by generating stubs for some or all of
|
||
the components. The Istio operator was created with the help of a combination of
|
||
<a href="https://github.com/kubernetes-sigs/kubebuilder">kubebuilder</a> and
|
||
<a href="https://github.com/operator-framework">operator framework</a>. Istio&rsquo;s installation now uses a proto to
|
||
describe the API such that runtime validation can be executed against a schema.</p>
|
||
<p>More information about the implementation can be found in the README and ARCHITECTURE documents
|
||
in the <a href="https://github.com/istio/operator">Istio operator repository</a>.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Starting in Istio 1.4, Helm installation is being replaced by new <code>istioctl</code> commands using
|
||
a new operator custom resource definition, <code>IstioControlPlane</code>, for the configuration API.
|
||
An alpha controller is also available for early experimentation with the operator.</p>
|
||
<p>The new <code>istioctl</code> commands and operator controller both validate configuration schemas and perform a range of
|
||
checks for installation change or upgrade. These checks are tightly integrated with the tools to prevent
|
||
common errors and simplify troubleshooting.</p>
|
||
<p>The Istio maintainers expect that this new approach will improve the user experience during Istio
|
||
installation and upgrade, better stabilize the installation API, and help users better manage and
|
||
monitor their Istio installations.</p>
|
||
<p>We welcome your feedback about the new installation approach at <a href="https://discuss.istio.io/">discuss.istio.io</a>.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/introducing-istio-operator/</link><author>Martin Ostrowski (Google), Frank Budinsky (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/introducing-istio-operator/</guid><category>install</category><category>configuration</category><category>istioctl</category><category>operator</category></item><item><title>Introducing istioctl analyze</title><description>
|
||
<p>Istio 1.4 introduces an experimental new tool to help you analyze and debug your clusters running Istio.</p>
|
||
<p><a href="/v1.12/docs/reference/commands/istioctl/#istioctl-experimental-analyze"><code>istioctl analyze</code></a> is a diagnostic tool that detects potential issues with your
|
||
Istio configuration, as well as gives general insights to improve your configuration.
|
||
It can run against a live cluster or a set of local configuration files.
|
||
It can also run against a combination of the two, allowing you to catch problems before you
|
||
apply changes to a cluster.</p>
|
||
<p>To get started with it in just minutes, head over to the <a href="/v1.12/docs/ops/diagnostic-tools/istioctl-analyze/">documentation</a>.</p>
|
||
<h2 id="designed-to-be-approachable-for-novice-users">Designed to be approachable for novice users</h2>
|
||
<p>One of the key design goals that we followed for this feature is to make it extremely approachable.
|
||
This is achieved by making the command useful without having to pass any required complex parameters.</p>
|
||
<p>In practice, here are some of the scenarios that it goes after:</p>
|
||
<ul>
|
||
<li><em>&ldquo;There is some problem with my cluster, but I have no idea where to start&rdquo;</em></li>
|
||
<li><em>&ldquo;Things are generally working, but I&rsquo;m wondering if there is anything I could improve&rdquo;</em></li>
|
||
</ul>
|
||
<p>In that sense, it is very different from some of the more advanced diagnostic tools, which go
|
||
after scenarios along the lines of (taking <code>istioctl proxy-config</code> as an example):</p>
|
||
<ul>
|
||
<li><em>&ldquo;Show me the Envoy configuration for this specific pod so I can see if anything looks wrong&rdquo;</em></li>
|
||
</ul>
|
||
<p>This can be very useful for advanced debugging, but it requires a lot of expertize before you
|
||
can figure out that you need to run this specific command, and which pod to run it on.</p>
|
||
<p>So really, the one-line pitch for <code>analyze</code> is: just run it! It&rsquo;s completely safe, it takes no thinking,
|
||
it might help you, and at worst, you&rsquo;ll have wasted a minute!</p>
|
||
<h2 id="improving-this-tool-over-time">Improving this tool over time</h2>
|
||
<p>In Istio 1.4, <code>analyze</code> comes with a nice set of analyzers that can detect a number of common issues.
|
||
But this is just the beginning, and we are planning to keep growing and fine tuning the analyzers with
|
||
each release.</p>
|
||
<p>In fact, we would welcome suggestions from Istio users. Specifically, if you encounter a situation
|
||
where you think an issue could be detected via configuration analysis, but is not currently flagged
|
||
by <code>analyze</code>, please do let us know. The best way to do this is to <a href="https://github.com/istio/istio/issues">open an issue on GitHub</a>.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/introducing-istioctl-analyze/</link><author>David Ebbo (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/introducing-istioctl-analyze/</guid><category>debugging</category><category>istioctl</category><category>configuration</category></item><item><title>DNS Certificate Management</title><description><p>By default, Citadel manages the DNS certificates of the Istio control plane.
|
||
Citadel is a large component that maintains its own private signing key, and acts as a Certificate Authority (CA).</p>
|
||
<p>New in Istio 1.4, we introduce a feature to securely provision and manage DNS certificates
|
||
signed by the Kubernetes CA, which has the following advantages.</p>
|
||
<ul>
|
||
<li><p>Lighter weight DNS certificate management with no dependency on Citadel.</p></li>
|
||
<li><p>Unlike Citadel, this feature doesn&rsquo;t maintain a private signing key, which enhances security.</p></li>
|
||
<li><p>Simplified root certificate distribution to TLS clients.
|
||
Clients no longer need to wait for Citadel to generate and distribute its CA certificate.</p></li>
|
||
</ul>
|
||
<p>The following diagram shows the architecture of provisioning and managing DNS certificates in Istio.
|
||
Chiron is the component provisioning and managing DNS certificates in Istio.</p>
|
||
<figure style="width:50%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:82.13367609254499%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/dns-cert/architecture.png" title="The architecture of provisioning and managing DNS certificates in Istio">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/dns-cert/architecture.png" alt="The architecture of provisioning and managing DNS certificates in Istio" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The architecture of provisioning and managing DNS certificates in Istio</figcaption>
|
||
</figure>
|
||
<p>To try this new feature, refer to the <a href="/v1.12/docs/tasks/security/cert-management/dns-cert">DNS certificate management task</a>.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/dns-cert/</link><author>Lei Tang (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/dns-cert/</guid><category>security</category><category>kubernetes</category><category>certificates</category><category>DNS</category></item><item><title>Announcing Istio client-go</title><description>
|
||
<p>We are pleased to announce the initial release of the Istio
|
||
<a href="https://github.com/istio/client-go">client go</a> repository which enables developers
|
||
to gain programmatic access to Istio APIs in a Kubernetes environment. The
|
||
generated Kubernetes informers and client set in this repository makes it easy
|
||
for developers to create controllers and perform Create, Read, Update and Delete
|
||
(CRUD) operations for all Istio Custom Resource Definitions (CRDs).</p>
|
||
<p>This was a highly requested functionality by many Istio users, as is evident
|
||
from the feature requests on the clients generated by <a href="https://github.com/aspenmesh/istio-client-go">Aspen Mesh</a>
|
||
and the <a href="https://github.com/knative/pkg">Knative project</a>.
|
||
If you&rsquo;re currently using one of the above mentioned clients, you can easily
|
||
switch to using <a href="https://github.com/istio/client-go">Istio client go</a> like
|
||
this:</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >import (
|
||
...
|
||
- versionedclient &#34;github.com/aspenmesh/istio-client-go/pkg/client/clientset/versioned&#34;
|
||
+ versionedclient &#34;istio.io/client-go/pkg/clientset/versioned&#34;
|
||
)
|
||
</code></pre>
|
||
<p>As the generated client sets are functionally equivalent, switching the imported
|
||
client libraries should be sufficient in order to consume the newly
|
||
generated library.</p>
|
||
<h2 id="how-to-use-client-go">How to use client-go</h2>
|
||
<p>The Istio <a href="https://github.com/istio/client-go">client go</a> repository follows the
|
||
same branching strategy as the <a href="https://github.com/istio/api">Istio API</a>
|
||
repository, as the client repository depends on the API definitions. If you want
|
||
to use a stable client set, you can use the release branches or tagged versions
|
||
in the <a href="https://github.com/istio/client-go">client go</a> repository.
|
||
Using the client set is very similar to using the <a href="https://github.com/kubernetes/client-go">Kubernetes client
|
||
go</a>, here&rsquo;s a quick example of using
|
||
the client to list all <a href="/v1.12/docs/reference/config/networking/virtual-service">Istio
|
||
virtual services</a>
|
||
in the passed namespace:</p>
|
||
<pre><code class='language-go' data-expandlinks='true' data-repo='istio' >package main
|
||
import (
|
||
&#34;log&#34;
|
||
&#34;os&#34;
|
||
metav1 &#34;k8s.io/apimachinery/pkg/apis/meta/v1&#34;
|
||
&#34;k8s.io/client-go/tools/clientcmd&#34;
|
||
versionedclient &#34;istio.io/client-go/pkg/clientset/versioned&#34;
|
||
)
|
||
func main() {
|
||
kubeconfig := os.Getenv(&#34;KUBECONFIG&#34;)
|
||
namespace := os.Getenv(&#34;NAMESPACE&#34;)
|
||
if len(kubeconfig) == 0 || len(namespace) == 0 {
|
||
log.Fatalf(&#34;Environment variables KUBECONFIG and NAMESPACE need to be set&#34;)
|
||
}
|
||
restConfig, err := clientcmd.BuildConfigFromFlags(&#34;&#34;, kubeconfig)
|
||
if err != nil {
|
||
log.Fatalf(&#34;Failed to create k8s rest client: %s&#34;, err)
|
||
}
|
||
ic, err := versionedclient.NewForConfig(restConfig)
|
||
if err != nil {
|
||
log.Fatalf(&#34;Failed to create istio client: %s&#34;, err)
|
||
}
|
||
// Print all VirtualServices
|
||
vsList, err := ic.NetworkingV1alpha3().VirtualServices(namespace).List(metav1.ListOptions{})
|
||
if err != nil {
|
||
log.Fatalf(&#34;Failed to get VirtualService in %s namespace: %s&#34;, namespace, err)
|
||
}
|
||
for i := range vsList.Items {
|
||
vs := vsList.Items[i]
|
||
log.Printf(&#34;Index: %d VirtualService Hosts: %+v\n&#34;, i, vs.Spec.GetHosts())
|
||
}
|
||
}
|
||
</code></pre>
|
||
<p>You can find a more in-depth example <a href="https://github.com/istio/client-go/blob/release-1.12/cmd/example/client.go">here</a>.</p>
|
||
<h2 id="useful-tools-created-for-generating-istio-client-go">Useful tools created for generating Istio client-go</h2>
|
||
<p>If you&rsquo;re wondering why it took so long or why was it difficult to generate
|
||
this client set, this section is for you. In Istio, we use
|
||
<a href="https://developers.google.com/protocol-buffers">protobuf</a> specifications to
|
||
write APIs which are then converted to Go definitions
|
||
using the protobuf tool chain. There are three major challenges which you might
|
||
face if you&rsquo;re trying to generate Kubernetes client set from a protobuf-generated API:</p>
|
||
<ul>
|
||
<li><p><strong>Creating Kubernetes Wrapper Types</strong> - Kubernetes <a href="https://github.com/kubernetes/code-generator/tree/master/cmd/client-gen">client generation</a>
|
||
library only works for Go objects which follow the Kubernetes object
|
||
specification for e.g. <a href="https://github.com/istio/client-go/blob/release-1.12/pkg/apis/authentication/v1alpha1/types.gen.go">Authentication Policy Kubernetes Wrappers</a>.
|
||
This means for every API which needs programmatic access, you need to create
|
||
these wrappers. Additionally, there is a fair amount of boilerplate needed for
|
||
every <code>CRD</code> group, version and kind that needs client code generation.
|
||
To automate this process, we created a <a href="https://github.com/istio/tools/tree/master/cmd/kubetype-gen">Kubernetes type
|
||
generator</a> tool
|
||
which can automatically create the Kubernetes types based on annotations.
|
||
The annotations parsed by this tool and the various available options
|
||
are explained in the <a href="https://github.com/istio/tools/blob/master/cmd/kubetype-gen/README.md">README</a>.
|
||
Note that if you&rsquo;re using protobuf tools to generate Go types, you would need to
|
||
add these annotations as comments in the proto files, so that the comments are
|
||
present in the generated Go files which are then used by this tool.</p></li>
|
||
<li><p><strong>Generating deep copy methods</strong> - In Kubernetes client machinery, if you want to
|
||
mutate any object returned from the client set, you are required to make a copy
|
||
of the object to prevent modifying the object in-place in the cache store. The
|
||
canonical way to do this is to create a <code>deepcopy</code> method on all nested types.
|
||
We created a tool <a href="https://github.com/istio/tools/tree/master/cmd/protoc-gen-deepcopy">protoc deep copy
|
||
generator</a>
|
||
which is a <code>protoc</code> plugin and can automatically create <code>deepcopy</code> method
|
||
based on annotations using the Proto library utility <a href="https://godoc.org/github.com/golang/protobuf/proto#Clone">Proto
|
||
Clone</a>. Here&rsquo;s an
|
||
<a href="https://github.com/istio/api/blob/release-1.12/authentication/v1alpha1/policy_deepcopy.gen.go">example</a>
|
||
of the generated <code>deepcopy</code> method.</p></li>
|
||
<li><p><strong>Marshaling and Unmarshaling types to/from JSON</strong> - For the types generated
|
||
from proto definitions, it is often problematic to use the default Go JSON
|
||
encoder/decoder as there are various fields like protobuf&rsquo;s <code>oneof</code> which requires
|
||
special handling. Additionally, any Proto fields with underscores in their
|
||
name might serialize/deserialize to different field names depending on the
|
||
encoder/decoder as the Go struct tag are <a href="https://github.com/istio/istio/issues/17600">generated
|
||
differently</a>.
|
||
It is always recommended to use protobuf primitives for
|
||
serializing/deserializing to JSON instead of relying on default Go
|
||
library. We created a tool <a href="https://github.com/istio/tools/tree/master/cmd/protoc-gen-jsonshim">protoc JSON
|
||
shim</a> which
|
||
is a <code>protoc</code> plugin and can automatically create Marshalers/Unmarshalers for
|
||
all Go type generated from Proto definitions. Here&rsquo;s an
|
||
<a href="https://github.com/istio/api/blob/release-1.12/authentication/v1alpha1/policy_json.gen.go">example</a>
|
||
of the code generated by this tool.</p></li>
|
||
</ul>
|
||
<p>I&rsquo;m hoping that the newly released client library enables users to create more
|
||
integrations and controllers for the Istio APIs, and the tools mentioned above
|
||
can be used by developers to generate Kubernetes client set from Proto APIs.</p></description><pubDate>Thu, 14 Nov 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/announcing-istio-client-go/</link><author>Neeraj Poddar (Aspen Mesh)</author><guid isPermaLink="true">/v1.12/blog/2019/announcing-istio-client-go/</guid><category>client-go</category><category>tools</category><category>crd</category></item><item><title>Istio as a Proxy for External Services</title><description>
|
||
<p>The <a href="/v1.12/docs/tasks/traffic-management/ingress/ingress-control/">Control Ingress Traffic</a> and the
|
||
<a href="/v1.12/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/">Ingress Gateway without TLS Termination</a> tasks describe
|
||
how to configure an ingress gateway to expose services inside the mesh to external traffic. The services can be HTTP or
|
||
HTTPS. In the case of HTTPS, the gateway passes the traffic through, without terminating TLS.</p>
|
||
<p>This blog post describes how to use the same ingress gateway mechanism of Istio to enable access to external services and
|
||
not to applications inside the mesh. This way Istio as a whole can serve just as a proxy server, with the added value of
|
||
observability, traffic management and policy enforcement.</p>
|
||
<p>The blog post shows configuring access to an HTTP and an HTTPS external service, namely <code>httpbin.org</code> and
|
||
<code>edition.cnn.com</code>.</p>
|
||
<h2 id="configure-an-ingress-gateway">Configure an ingress gateway</h2>
|
||
<ol>
|
||
<li><p>Define an ingress gateway with a <code>servers:</code> section configuring the <code>80</code> and <code>443</code> ports.
|
||
Ensure <code>mode:</code> is set to <code>PASSTHROUGH</code> for <code>tls:</code> in the port <code>443</code>, which instructs the gateway to pass the
|
||
ingress traffic AS IS, without terminating TLS.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: proxy
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway # use istio default ingress gateway
|
||
servers:
|
||
- port:
|
||
number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
hosts:
|
||
- httpbin.org
|
||
- port:
|
||
number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
tls:
|
||
mode: PASSTHROUGH
|
||
hosts:
|
||
- edition.cnn.com
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create service entries for the <code>httpbin.org</code> and <code>edition.cnn.com</code> services to make them accessible from the ingress
|
||
gateway:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: httpbin-ext
|
||
spec:
|
||
hosts:
|
||
- httpbin.org
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
resolution: DNS
|
||
location: MESH_EXTERNAL
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: cnn
|
||
spec:
|
||
hosts:
|
||
- edition.cnn.com
|
||
ports:
|
||
- number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
resolution: DNS
|
||
location: MESH_EXTERNAL
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create a service entry and configure a destination rule for the <code>localhost</code> service.
|
||
You need this service entry in the next step as a destination for traffic to the external services from
|
||
applications inside the mesh to block traffic from inside the mesh. In this example you use Istio as a proxy between
|
||
external applications and external services.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: localhost
|
||
spec:
|
||
hosts:
|
||
- localhost.local
|
||
location: MESH_EXTERNAL
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
- number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
resolution: STATIC
|
||
endpoints:
|
||
- address: 127.0.0.1
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: localhost
|
||
spec:
|
||
host: localhost.local
|
||
trafficPolicy:
|
||
tls:
|
||
mode: DISABLE
|
||
sni: localhost.local
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create a virtual service for each external service to configure routing to it. Both virtual services include the
|
||
<code>proxy</code> gateway in the <code>gateways:</code> section and in the <code>match:</code> section for HTTP and HTTPS traffic accordingly.</p>
|
||
<p>Notice the <code>route:</code> section for the <code>mesh</code> gateway, the gateway that represents the applications inside
|
||
the mesh. The <code>route:</code> for the <code>mesh</code> gateway shows how the traffic is directed to the <code>localhost.local</code> service,
|
||
effectively blocking the traffic.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: httpbin
|
||
spec:
|
||
hosts:
|
||
- httpbin.org
|
||
gateways:
|
||
- proxy
|
||
- mesh
|
||
http:
|
||
- match:
|
||
- gateways:
|
||
- proxy
|
||
port: 80
|
||
uri:
|
||
prefix: /status
|
||
route:
|
||
- destination:
|
||
host: httpbin.org
|
||
port:
|
||
number: 80
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: 80
|
||
route:
|
||
- destination:
|
||
host: localhost.local
|
||
port:
|
||
number: 80
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: cnn
|
||
spec:
|
||
hosts:
|
||
- edition.cnn.com
|
||
gateways:
|
||
- proxy
|
||
- mesh
|
||
tls:
|
||
- match:
|
||
- gateways:
|
||
- proxy
|
||
port: 443
|
||
sni_hosts:
|
||
- edition.cnn.com
|
||
route:
|
||
- destination:
|
||
host: edition.cnn.com
|
||
port:
|
||
number: 443
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: 443
|
||
sni_hosts:
|
||
- edition.cnn.com
|
||
route:
|
||
- destination:
|
||
host: localhost.local
|
||
port:
|
||
number: 443
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p><a href="/v1.12/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoy&rsquo;s access logging</a>.</p></li>
|
||
<li><p>Follow the instructions in
|
||
<a href="/v1.12/docs/tasks/traffic-management/ingress/ingress-control/#determining-the-ingress-ip-and-ports">Determining the ingress IP and ports</a>
|
||
to define the <code>SECURE_INGRESS_PORT</code> and <code>INGRESS_HOST</code> environment variables.</p></li>
|
||
<li><p>Access the <code>httbin.org</code> service through your ingress IP and port which you stored in the
|
||
<code>$INGRESS_HOST</code> and <code>$INGRESS_PORT</code> environment variables, respectively, during the previous step.
|
||
Access the <code>/status/418</code> path of the <code>httpbin.org</code> service that returns the HTTP status
|
||
<a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/418">418 I&rsquo;m a teapot</a>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl $INGRESS_HOST:$INGRESS_PORT/status/418 -Hhost:httpbin.org
|
||
-=[ teapot ]=-
|
||
_...._
|
||
.&#39; _ _ `.
|
||
| .&#34;` ^ `&#34;. _,
|
||
\_;`&#34;---&#34;`|//
|
||
| ;/
|
||
\_ _/
|
||
`&#34;&#34;&#34;`
|
||
</code></pre></li>
|
||
<li><p>If the Istio ingress gateway is deployed in the <code>istio-system</code> namespace, print the gateway&rsquo;s log with the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=ingressgateway -c istio-proxy -n istio-system | grep &#39;httpbin.org&#39;
|
||
</code></pre></li>
|
||
<li><p>Search the log for an entry similar to:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-31T14:40:18.645Z] &#34;GET /status/418 HTTP/1.1&#34; 418 - 0 135 187 186 &#34;10.127.220.75&#34; &#34;curl/7.54.0&#34; &#34;28255618-6ca5-9d91-9634-c562694a3625&#34; &#34;httpbin.org&#34; &#34;34.232.181.106:80&#34; outbound|80||httpbin.org - 172.30.230.33:80 10.127.220.75:52077 -
|
||
</code></pre></li>
|
||
<li><p>Access the <code>edition.cnn.com</code> service through your ingress gateway:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s --resolve edition.cnn.com:$SECURE_INGRESS_PORT:$INGRESS_HOST https://edition.cnn.com:$SECURE_INGRESS_PORT | grep -o &#34;&lt;title&gt;.*&lt;/title&gt;&#34;
|
||
&lt;title&gt;CNN International - Breaking News, US News, World News and Video&lt;/title&gt;
|
||
</code></pre></li>
|
||
<li><p>If the Istio ingress gateway is deployed in the <code>istio-system</code> namespace, print the gateway&rsquo;s log with the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=ingressgateway -c istio-proxy -n istio-system | grep &#39;edition.cnn.com&#39;
|
||
</code></pre></li>
|
||
<li><p>Search the log for an entry similar to:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-31T13:40:11.076Z] &#34;- - -&#34; 0 - 589 17798 1644 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;172.217.31.132:443&#34; outbound|443||edition.cnn.com 172.30.230.33:54508 172.30.230.33:443 10.127.220.75:49467 edition.cnn.com
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<p>Remove the gateway, the virtual services and the service entries:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete gateway proxy
|
||
$ kubectl delete virtualservice cnn httpbin
|
||
$ kubectl delete serviceentry cnn httpbin-ext localhost
|
||
$ kubectl delete destinationrule localhost
|
||
</code></pre></description><pubDate>Tue, 15 Oct 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/proxy/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/proxy/</guid><category>traffic-management</category><category>ingress</category><category>https</category><category>http</category></item><item><title>Multi-Mesh Deployments for Isolation and Boundary Protection</title><description>
|
||
<p>Various compliance standards require protection of sensitive data environments. Some of the important standards and the
|
||
types of sensitive data they protect appear in the following table:</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Standard</th>
|
||
<th>Sensitive data</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><a href="https://www.pcisecuritystandards.org/pci_security">PCI DSS</a></td>
|
||
<td>payment card data</td>
|
||
</tr>
|
||
<tr>
|
||
<td><a href="https://www.fedramp.gov">FedRAMP</a></td>
|
||
<td>federal information, data and metadata</td>
|
||
</tr>
|
||
<tr>
|
||
<td><a href="http://www.gpo.gov/fdsys/search/pagedetails.action?granuleId=CRPT-104hrpt736&amp;packageId=CRPT-104hrpt736">HIPAA</a></td>
|
||
<td>personal health data</td>
|
||
</tr>
|
||
<tr>
|
||
<td><a href="https://gdpr-info.eu">GDPR</a></td>
|
||
<td>personal data</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<p><a href="https://www.pcisecuritystandards.org/pci_security">PCI DSS</a>, for example, recommends putting cardholder data
|
||
environment on a network, separate from the rest of the system. It also requires using a <a href="https://en.wikipedia.org/wiki/DMZ_(computing)">DMZ</a>,
|
||
and setting firewalls between the public Internet and the DMZ, and between the DMZ and the internal network.</p>
|
||
<p>Isolation of sensitive data environments from other information systems can reduce the scope of the compliance checks
|
||
and improve the security of the sensitive data. Reducing the scope reduces the risks of failing a compliance check and
|
||
reduces the costs of compliance since there are less components to check and secure, according to compliance
|
||
requirements.</p>
|
||
<p>You can achieve isolation of sensitive data by separating the parts of the application that process that data
|
||
into a separate service mesh, preferably on a separate network, and then connect the meshes with different
|
||
compliance requirements together in a <span class="term" data-title="Multi-Mesh" data-body="&lt;p&gt;Multi-mesh is a deployment model that consists of two or more &lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;service meshes&lt;/a&gt;.
|
||
Each mesh has independent administration for naming and identities but you can
|
||
expose services between meshes through &lt;a href=&#34;/docs/reference/glossary/#mesh-federation&#34;&gt;mesh federation&lt;/a&gt;.
|
||
The resulting deployment is a multi-mesh deployment.&lt;/p&gt;
|
||
">multi-mesh</span> deployment.
|
||
The process of connecting inter-mesh
|
||
applications is called <span class="term" data-title="Mesh Federation" data-body="&lt;p&gt;Mesh federation is the act of exposing services between meshes and enabling
|
||
communication across mesh boundaries. Each mesh may expose a subset of its
|
||
services to enable one or more other meshes to consume the exposed services. You
|
||
can use mesh federation to enable communication between meshes in a
|
||
&lt;a href=&#34;/docs/ops/deployment/deployment-models/#multiple-meshes&#34;&gt;multi-mesh deployment&lt;/a&gt;.&lt;/p&gt;
|
||
">mesh federation</span>.</p>
|
||
<p>Note that using mesh federation to create a multi-mesh deployment is very different than creating a
|
||
<span class="term" data-title="Multicluster" data-body="&lt;p&gt;Multicluster is a deployment model that consists of a
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;mesh&lt;/a&gt; with multiple
|
||
&lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;clusters&lt;/a&gt;.&lt;/p&gt;
|
||
">multicluster</span> deployment, which defines a single service mesh composed from services spanning more than one cluster. Unlike multi-mesh, a multicluster deployment is not suitable for
|
||
applications that require isolation and boundary protection.</p>
|
||
<p>In this blog post I describe the requirements for isolation and boundary protection, and outline the principles of
|
||
multi-mesh deployments. Finally, I touch on the current state of mesh-federation support and automation work under way for
|
||
Istio.</p>
|
||
<h2 id="isolation-and-boundary-protection">Isolation and boundary protection</h2>
|
||
<p>Isolation and boundary protection mechanisms are explained in the
|
||
<a href="http://dx.doi.org/10.6028/NIST.SP.800-53r4">NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations</a>,
|
||
<em>Appendix F, Security Control Catalog, SC-7 Boundary Protection</em>.</p>
|
||
<p>In particular, the <em>Boundary protection, isolation of information system components</em> control enhancement:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">Organizations can isolate information system components performing different missions and/or business functions.
|
||
Such isolation limits unauthorized information flows among system components and also provides the opportunity to deploy
|
||
greater levels of protection for selected components. Separating system components with boundary protection mechanisms
|
||
provides the capability for increased protection of individual components and to more effectively control information
|
||
flows between those components. This type of enhanced protection limits the potential harm from cyber attacks and
|
||
errors. The degree of separation provided varies depending upon the mechanisms chosen. Boundary protection mechanisms
|
||
include, for example, routers, gateways, and firewalls separating system components into physically separate networks or
|
||
subnetworks, cross-domain devices separating subnetworks, virtualization techniques, and encrypting information flows
|
||
among system components using distinct encryption keys.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Various compliance standards recommend isolating environments that process sensitive data from the rest of the
|
||
organization.
|
||
The <a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card Industry (PCI) Data Security Standard</a>
|
||
recommends implementing network isolation for <em>cardholder data</em> environment and requires isolating this environment from
|
||
the <a href="https://en.wikipedia.org/wiki/DMZ_(computing)">DMZ</a>.
|
||
<a href="https://www.fedramp.gov/assets/resources/documents/CSP_A_FedRAMP_Authorization_Boundary_Guidance.pdf">FedRAMP Authorization Boundary Guidance</a>
|
||
describes <em>authorization boundary</em> for federal information and data, while
|
||
<a href="https://doi.org/10.6028/NIST.SP.800-37r2">NIST Special Publication 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy</a>
|
||
recommends protecting of such a boundary in <em>Appendix G, Authorization Boundary Considerations</em>:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">Dividing a system into subsystems (i.e., divide and conquer) facilitates a targeted application of controls to achieve
|
||
adequate security, protection of individual privacy, and a cost-effective risk management process. Dividing complex
|
||
systems into subsystems also supports the important security concepts of domain separation and network segmentation,
|
||
which can be significant when dealing with high value assets. When systems are divided into subsystems, organizations
|
||
may choose to develop individual subsystem security and privacy plans or address the system and subsystems in the same
|
||
security and privacy plans.
|
||
Information security and privacy architectures play a key part in the process of dividing complex systems into
|
||
subsystems. This includes monitoring and controlling communications at internal boundaries among subsystems and
|
||
selecting, allocating, and implementing controls that meet or exceed the security and privacy requirements of the
|
||
constituent subsystems.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Boundary protection, in particular, means:</p>
|
||
<ul>
|
||
<li>put an access control mechanism at the boundary (firewall, gateway, etc.)</li>
|
||
<li>monitor the incoming/outgoing traffic at the boundary</li>
|
||
<li>all the access control mechanisms must be <em>deny-all</em> by default</li>
|
||
<li>do not expose private IP addresses from the boundary</li>
|
||
<li>do not let components from outside the boundary to impact security inside the boundary</li>
|
||
</ul>
|
||
<p>Multi-mesh deployments facilitate division of a system into subsystems with different
|
||
security and compliance requirements, and facilitate the boundary protection.
|
||
You put each subsystem into a separate service mesh, preferably on a separate network.
|
||
You connect the Istio meshes using gateways. The gateways monitor and control cross-mesh traffic at the boundary of
|
||
each mesh.</p>
|
||
<h2 id="features-of-multi-mesh-deployments">Features of multi-mesh deployments</h2>
|
||
<ul>
|
||
<li><strong>non-uniform naming</strong>. The <code>withdraw</code> service in the <code>accounts</code> namespace in one mesh might have
|
||
different functionality and API than the <code>withdraw</code> services in the <code>accounts</code> namespace in other meshes.
|
||
Such situation could happen in an organization where there is no uniform policy on naming of namespaces and services, or
|
||
when the meshes belong to different organizations.</li>
|
||
<li><strong>expose-nothing by default</strong>. None of the services in a mesh are exposed by default, the mesh owners must
|
||
explicitly specify which services are exposed.</li>
|
||
<li><strong>boundary protection</strong>. The access control of the traffic must be enforced at the ingress gateway, which stops
|
||
forbidden traffic from entering the mesh. This requirement implements
|
||
<a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense-in-depth principle</a> and is part of some compliance
|
||
standards, such as the
|
||
<a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card Industry (PCI) Data Security Standard</a>.</li>
|
||
<li><strong>common trust may not exist</strong>. The Istio sidecars in one mesh may not trust the Citadel certificates in other
|
||
meshes, due to some security requirement or due to the fact that the mesh owners did not initially plan to federate
|
||
the meshes.</li>
|
||
</ul>
|
||
<p>While <strong>expose-nothing by default</strong> and <strong>boundary protection</strong> are required to facilitate compliance and improve
|
||
security, <strong>non-uniform naming</strong> and <strong>common trust may not exist</strong> are required when connecting
|
||
meshes of different organizations, or of an organization that cannot enforce uniform naming or cannot or may not
|
||
establish common trust between the meshes.</p>
|
||
<p>An optional feature that you may want to use is <strong>service location transparency</strong>: consuming services send requests
|
||
to the exposed services in remote meshes using local service names. The consuming services are oblivious to the fact
|
||
that some of the destinations are in remote meshes and some are local services. The access is uniform, using the local
|
||
service names, for example, in Kubernetes, <code>reviews.default.svc.cluster.local</code>.
|
||
<strong>Service location transparency</strong> is useful in the cases when you want to be able to change the location of the
|
||
consumed services, for example when some service is migrated from private cloud to public cloud, without changing the
|
||
code of your applications.</p>
|
||
<h2 id="the-current-mesh-federation-work">The current mesh-federation work</h2>
|
||
<p>While you can perform mesh federation using standard Istio configurations already today,
|
||
it requires writing a lot of boilerplate YAML files and is error-prone. There is an effort under way to automate
|
||
the mesh federation process. In the meantime, you can look at these
|
||
<a href="https://github.com/istio-ecosystem/multi-mesh-examples">multi-mesh deployment examples</a>
|
||
to get an idea of what a generated federation might include.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In this blog post I described the requirements for isolation and boundary protection of sensitive data environments by
|
||
using Istio multi-mesh deployments. I outlined the principles of Istio
|
||
multi-mesh deployments and reported the current work on
|
||
mesh federation in Istio.</p>
|
||
<p>I will be happy to hear your opinion about <span class="term" data-title="Multi-Mesh" data-body="&lt;p&gt;Multi-mesh is a deployment model that consists of two or more &lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;service meshes&lt;/a&gt;.
|
||
Each mesh has independent administration for naming and identities but you can
|
||
expose services between meshes through &lt;a href=&#34;/docs/reference/glossary/#mesh-federation&#34;&gt;mesh federation&lt;/a&gt;.
|
||
The resulting deployment is a multi-mesh deployment.&lt;/p&gt;
|
||
">multi-mesh</span> and
|
||
<span class="term" data-title="Multicluster" data-body="&lt;p&gt;Multicluster is a deployment model that consists of a
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;mesh&lt;/a&gt; with multiple
|
||
&lt;a href=&#34;/docs/reference/glossary/#cluster&#34;&gt;clusters&lt;/a&gt;.&lt;/p&gt;
|
||
">multicluster</span> at <a href="https://discuss.istio.io">discuss.istio.io</a>.</p></description><pubDate>Wed, 02 Oct 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/isolated-clusters/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/isolated-clusters/</guid><category>traffic-management</category><category>multicluster</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Monitoring Blocked and Passthrough External Service Traffic</title><description>
|
||
<p>Understanding, controlling and securing your external service access is one
|
||
of the key benefits that you get from a service mesh like Istio. From a security
|
||
and operations point of view, it is critical to monitor what external service traffic
|
||
is getting blocked as they might surface possible misconfigurations or a
|
||
security vulnerability if an application is attempting to communicate with a
|
||
service that it should not be allowed to. Similarly, if you currently have a
|
||
policy of allowing any external service access, it is beneficial to monitor
|
||
the traffic so you can incrementally add explicit Istio configuration to allow
|
||
access and better secure your cluster. In either case, having visibility into this
|
||
traffic via telemetry is quite helpful as it enables you to create alerts and
|
||
dashboards, and better reason about your security posture. This was a highly
|
||
requested feature by production users of Istio and we are excited that the
|
||
support for this was added in release 1.3.</p>
|
||
<p>To implement this, the Istio <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/metrics">default
|
||
metrics</a> are augmented with
|
||
explicit labels to capture blocked and passthrough external service traffic.
|
||
This blog will cover how you can use these augmented metrics to monitor all
|
||
external service traffic.</p>
|
||
<p>The Istio control plane configures the sidecar proxy with
|
||
predefined clusters called BlackHoleCluster and Passthrough which block or
|
||
allow all traffic respectively. To understand these clusters, let&rsquo;s start with
|
||
what external and internal services mean in the context of Istio service mesh.</p>
|
||
<h2 id="external-and-internal-services">External and internal services</h2>
|
||
<p>Internal services are defined as services which are part of your platform
|
||
and are considered to be in the mesh. For internal services, Istio control
|
||
plane provides all the required configuration to the sidecars by default.
|
||
For example, in Kubernetes clusters, Istio configures the sidecars for all
|
||
Kubernetes services to preserve the default Kubernetes behavior of all
|
||
services being able to communicate with other.</p>
|
||
<p>External services are services which are not part of your platform i.e. services
|
||
which are outside of the mesh. For external services, Istio provides two
|
||
options, first to block all external service access (enabled by setting
|
||
<code>global.outboundTrafficPolicy.mode</code> to <code>REGISTRY_ONLY</code>) and
|
||
second to allow all access to external service (enabled by setting
|
||
<code>global.outboundTrafficPolicy.mode</code> to <code>ALLOW_ANY</code>). The default option for this
|
||
setting (as of Istio 1.3) is to allow all external service access. This
|
||
option can be configured via <a href="/v1.12/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-OutboundTrafficPolicy-Mode">mesh configuration</a>.</p>
|
||
<p>This is where the BlackHole and Passthrough clusters are used.</p>
|
||
<h2 id="what-are-blackhole-and-passthrough-clusters">What are BlackHole and Passthrough clusters?</h2>
|
||
<ul>
|
||
<li><strong>BlackHoleCluster</strong> - The BlackHoleCluster is a virtual cluster created
|
||
in the Envoy configuration when <code>global.outboundTrafficPolicy.mode</code> is set to
|
||
<code>REGISTRY_ONLY</code>. In this mode, all traffic to external service is blocked unless
|
||
<a href="/v1.12/docs/reference/config/networking/service-entry">service entries</a>
|
||
are explicitly added for each service. To implement this, the default virtual
|
||
outbound listener at <code>0.0.0.0:15001</code> which uses
|
||
<a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination">original destination</a>
|
||
is setup as a TCP Proxy with the BlackHoleCluster as the static cluster.
|
||
The configuration for the BlackHoleCluster looks like this:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;name&#34;: &#34;BlackHoleCluster&#34;,
|
||
&#34;type&#34;: &#34;STATIC&#34;,
|
||
&#34;connectTimeout&#34;: &#34;10s&#34;
|
||
}
|
||
</code></pre>
|
||
<p>As you can see, this cluster is static with no endpoints so all the traffic
|
||
will be dropped. Additionally, Istio creates unique listeners for every
|
||
port/protocol combination of platform services which gets hit instead of the
|
||
virtual listener if the request is made to an external service on the same port.
|
||
In that case, the route configuration of every virtual route in Envoy is augmented to
|
||
add the BlackHoleCluster like this:</p>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;name&#34;: &#34;block_all&#34;,
|
||
&#34;domains&#34;: [
|
||
&#34;*&#34;
|
||
],
|
||
&#34;routes&#34;: [
|
||
{
|
||
&#34;match&#34;: {
|
||
&#34;prefix&#34;: &#34;/&#34;
|
||
},
|
||
&#34;directResponse&#34;: {
|
||
&#34;status&#34;: 502
|
||
}
|
||
}
|
||
]
|
||
}
|
||
</code></pre>
|
||
<p>The route is setup as <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route_components.proto#envoy-api-field-route-route-direct-response">direct response</a>
|
||
with <code>502</code> response code which means if no other routes match the Envoy proxy
|
||
will directly return a <code>502</code> HTTP status code.</p>
|
||
<ul>
|
||
<li><strong>PassthroughCluster</strong> - The PassthroughCluster is a virtual cluster created
|
||
in the Envoy configuration when <code>global.outboundTrafficPolicy.mode</code> is set to
|
||
<code>ALLOW_ANY</code>. In this mode, all traffic to any external service external is allowed.
|
||
To implement this, the default virtual outbound listener at <code>0.0.0.0:15001</code>
|
||
which uses <code>SO_ORIGINAL_DST</code>, is setup as a TCP Proxy with the PassthroughCluster
|
||
as the static cluster.
|
||
The configuration for the PassthroughCluster looks like this:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;name&#34;: &#34;PassthroughCluster&#34;,
|
||
&#34;type&#34;: &#34;ORIGINAL_DST&#34;,
|
||
&#34;connectTimeout&#34;: &#34;10s&#34;,
|
||
&#34;lbPolicy&#34;: &#34;ORIGINAL_DST_LB&#34;,
|
||
&#34;circuitBreakers&#34;: {
|
||
&#34;thresholds&#34;: [
|
||
{
|
||
&#34;maxConnections&#34;: 102400,
|
||
&#34;maxRetries&#34;: 1024
|
||
}
|
||
]
|
||
}
|
||
}
|
||
</code></pre>
|
||
<p>This cluster uses the <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/service_discovery#original-destination">original destination load balancing</a>
|
||
policy which configures Envoy to send the traffic to the
|
||
original destination i.e. passthrough.</p>
|
||
<p>Similar to the BlackHoleCluster, for every port/protocol based listener the
|
||
virtual route configuration is augmented to add the PassthroughCluster as the
|
||
default route:</p>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;name&#34;: &#34;allow_any&#34;,
|
||
&#34;domains&#34;: [
|
||
&#34;*&#34;
|
||
],
|
||
&#34;routes&#34;: [
|
||
{
|
||
&#34;match&#34;: {
|
||
&#34;prefix&#34;: &#34;/&#34;
|
||
},
|
||
&#34;route&#34;: {
|
||
&#34;cluster&#34;: &#34;PassthroughCluster&#34;
|
||
}
|
||
}
|
||
]
|
||
}
|
||
</code></pre>
|
||
<p>Prior to Istio 1.3, there were no metrics reported or if metrics were reported
|
||
there were no explicit labels set when traffic hit these clusters, resulting in
|
||
lack of visibility in traffic flowing through the mesh.</p>
|
||
<p>The next section covers how to take advantage of this enhancement as the metrics
|
||
and labels emitted are conditional on whether the virtual outbound or explicit port/protocol
|
||
listener is being hit.</p>
|
||
<h2 id="using-the-augmented-metrics">Using the augmented metrics</h2>
|
||
<p>To capture all external service traffic in either of the cases (BlackHole or
|
||
Passthrough), you will need to monitor <code>istio_requests_total</code> and
|
||
<code>istio_tcp_connections_closed_total</code> metrics. Depending upon the Envoy listener
|
||
type i.e. TCP proxy or HTTP proxy that gets invoked, one of these metrics
|
||
will be incremented.</p>
|
||
<p>Additionally, in case of a TCP proxy listener in order to see the IP address of
|
||
the external service that is blocked or allowed via BlackHole or Passthrough
|
||
cluster, you will need to add the <code>destination_ip</code> label to the
|
||
<code>istio_tcp_connections_closed_total</code> metric. In this scenario, the host name of
|
||
the external service is not captured. This label is not added by default and can
|
||
be easily added by augmenting the Istio configuration for attribute generation
|
||
and Prometheus handler. You should be careful about cardinality explosion in
|
||
time series if you have many services with non-stable IP addresses.</p>
|
||
<h3 id="passthroughcluster-metrics">PassthroughCluster metrics</h3>
|
||
<p>This section explains the metrics and the labels emitted based on the listener
|
||
type invoked in Envoy.</p>
|
||
<ul>
|
||
<li>HTTP proxy listener: This happens when the port of the external service is
|
||
same as one of the service ports defined in the cluster. In this scenario,
|
||
when the PassthroughCluster is hit, <code>istio_requests_total</code> will get increased
|
||
like this:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;metric&#34;: {
|
||
&#34;__name__&#34;: &#34;istio_requests_total&#34;,
|
||
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
|
||
&#34;destination_app&#34;: &#34;unknown&#34;,
|
||
&#34;destination_principal&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service&#34;: &#34;httpbin.org&#34;,
|
||
&#34;destination_service_name&#34;: &#34;PassthroughCluster&#34;,
|
||
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;destination_version&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
|
||
&#34;job&#34;: &#34;istio-mesh&#34;,
|
||
&#34;permissive_response_code&#34;: &#34;none&#34;,
|
||
&#34;permissive_response_policyid&#34;: &#34;none&#34;,
|
||
&#34;reporter&#34;: &#34;source&#34;,
|
||
&#34;request_protocol&#34;: &#34;http&#34;,
|
||
&#34;response_code&#34;: &#34;200&#34;,
|
||
&#34;response_flags&#34;: &#34;-&#34;,
|
||
&#34;source_app&#34;: &#34;sleep&#34;,
|
||
&#34;source_principal&#34;: &#34;unknown&#34;,
|
||
&#34;source_version&#34;: &#34;unknown&#34;,
|
||
&#34;source_workload&#34;: &#34;sleep&#34;,
|
||
&#34;source_workload_namespace&#34;: &#34;default&#34;
|
||
},
|
||
&#34;value&#34;: [
|
||
1567033080.282,
|
||
&#34;1&#34;
|
||
]
|
||
}
|
||
</code></pre>
|
||
<p>Note that the <code>destination_service_name</code> label is set to PassthroughCluster to
|
||
indicate that this cluster was hit and the <code>destination_service</code> is set to the
|
||
host of the external service.</p>
|
||
<ul>
|
||
<li>TCP proxy virtual listener - If the external service port doesn&rsquo;t map to any
|
||
HTTP based service ports within the cluster, this listener is invoked and
|
||
<code>istio_tcp_connections_closed_total</code> is the metric that will be increased:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;status&#34;: &#34;success&#34;,
|
||
&#34;data&#34;: {
|
||
&#34;resultType&#34;: &#34;vector&#34;,
|
||
&#34;result&#34;: [
|
||
{
|
||
&#34;metric&#34;: {
|
||
&#34;__name__&#34;: &#34;istio_tcp_connections_closed_total&#34;,
|
||
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
|
||
&#34;destination_app&#34;: &#34;unknown&#34;,
|
||
&#34;destination_ip&#34;: &#34;52.22.188.80&#34;,
|
||
&#34;destination_principal&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service_name&#34;: &#34;PassthroughCluster&#34;,
|
||
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;destination_version&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
|
||
&#34;job&#34;: &#34;istio-mesh&#34;,
|
||
&#34;reporter&#34;: &#34;source&#34;,
|
||
&#34;response_flags&#34;: &#34;-&#34;,
|
||
&#34;source_app&#34;: &#34;sleep&#34;,
|
||
&#34;source_principal&#34;: &#34;unknown&#34;,
|
||
&#34;source_version&#34;: &#34;unknown&#34;,
|
||
&#34;source_workload&#34;: &#34;sleep&#34;,
|
||
&#34;source_workload_namespace&#34;: &#34;default&#34;
|
||
},
|
||
&#34;value&#34;: [
|
||
1567033761.879,
|
||
&#34;1&#34;
|
||
]
|
||
}
|
||
]
|
||
}
|
||
}
|
||
</code></pre>
|
||
<p>In this case, <code>destination_service_name</code> is set to PassthroughCluster and
|
||
the <code>destination_ip</code> is set to the IP address of the external service.
|
||
The <code>destination_ip</code> label can be used to do a reverse DNS lookup and
|
||
get the host name of the external service. As this cluster is passthrough,
|
||
other TCP related metrics like <code>istio_tcp_connections_opened_total</code>,
|
||
<code>istio_tcp_received_bytes_total</code> and <code>istio_tcp_sent_bytes_total</code> are also
|
||
updated.</p>
|
||
<h3 id="blackholecluster-metrics">BlackHoleCluster metrics</h3>
|
||
<p>Similar to the PassthroughCluster, this section explains the metrics and the
|
||
labels emitted based on the listener type invoked in Envoy.</p>
|
||
<ul>
|
||
<li>HTTP proxy listener: This happens when the port of the external service is same
|
||
as one of the service ports defined in the cluster.
|
||
In this scenario, when the BlackHoleCluster is hit,
|
||
<code>istio_requests_total</code> will get increased like this:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;metric&#34;: {
|
||
&#34;__name__&#34;: &#34;istio_requests_total&#34;,
|
||
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
|
||
&#34;destination_app&#34;: &#34;unknown&#34;,
|
||
&#34;destination_principal&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service&#34;: &#34;httpbin.org&#34;,
|
||
&#34;destination_service_name&#34;: &#34;BlackHoleCluster&#34;,
|
||
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;destination_version&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
|
||
&#34;job&#34;: &#34;istio-mesh&#34;,
|
||
&#34;permissive_response_code&#34;: &#34;none&#34;,
|
||
&#34;permissive_response_policyid&#34;: &#34;none&#34;,
|
||
&#34;reporter&#34;: &#34;source&#34;,
|
||
&#34;request_protocol&#34;: &#34;http&#34;,
|
||
&#34;response_code&#34;: &#34;502&#34;,
|
||
&#34;response_flags&#34;: &#34;-&#34;,
|
||
&#34;source_app&#34;: &#34;sleep&#34;,
|
||
&#34;source_principal&#34;: &#34;unknown&#34;,
|
||
&#34;source_version&#34;: &#34;unknown&#34;,
|
||
&#34;source_workload&#34;: &#34;sleep&#34;,
|
||
&#34;source_workload_namespace&#34;: &#34;default&#34;
|
||
},
|
||
&#34;value&#34;: [
|
||
1567034251.717,
|
||
&#34;1&#34;
|
||
]
|
||
}
|
||
</code></pre>
|
||
<p>Note the <code>destination_service_name</code> label is set to BlackHoleCluster and the
|
||
<code>destination_service</code> to the host name of the external service. The response
|
||
code should always be <code>502</code> in this case.</p>
|
||
<ul>
|
||
<li>TCP proxy virtual listener - If the external service port doesn&rsquo;t map to any
|
||
HTTP based service ports within the cluster, this listener is invoked and
|
||
<code>istio_tcp_connections_closed_total</code> is the metric that will be increased:</li>
|
||
</ul>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;metric&#34;: {
|
||
&#34;__name__&#34;: &#34;istio_tcp_connections_closed_total&#34;,
|
||
&#34;connection_security_policy&#34;: &#34;unknown&#34;,
|
||
&#34;destination_app&#34;: &#34;unknown&#34;,
|
||
&#34;destination_ip&#34;: &#34;52.22.188.80&#34;,
|
||
&#34;destination_principal&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service&#34;: &#34;unknown&#34;,
|
||
&#34;destination_service_name&#34;: &#34;BlackHoleCluster&#34;,
|
||
&#34;destination_service_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;destination_version&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload&#34;: &#34;unknown&#34;,
|
||
&#34;destination_workload_namespace&#34;: &#34;unknown&#34;,
|
||
&#34;instance&#34;: &#34;100.96.2.183:42422&#34;,
|
||
&#34;job&#34;: &#34;istio-mesh&#34;,
|
||
&#34;reporter&#34;: &#34;source&#34;,
|
||
&#34;response_flags&#34;: &#34;-&#34;,
|
||
&#34;source_app&#34;: &#34;sleep&#34;,
|
||
&#34;source_principal&#34;: &#34;unknown&#34;,
|
||
&#34;source_version&#34;: &#34;unknown&#34;,
|
||
&#34;source_workload&#34;: &#34;sleep&#34;,
|
||
&#34;source_workload_namespace&#34;: &#34;default&#34;
|
||
},
|
||
&#34;value&#34;: [
|
||
1567034481.03,
|
||
&#34;1&#34;
|
||
]
|
||
}
|
||
</code></pre>
|
||
<p>Note the <code>destination_ip</code> label represents the IP address of the external
|
||
service and the <code>destination_service_name</code> is set to BlackHoleCluster
|
||
to indicate that this traffic was blocked by the mesh. Is is interesting to
|
||
note that for the BlackHole cluster case, other TCP related metrics like
|
||
<code>istio_tcp_connections_opened_total</code> are not increased as there&rsquo;s no
|
||
connection that is ever established.</p>
|
||
<p>Monitoring these metrics can help operators easily understand all the external
|
||
services consumed by the applications in their cluster.</p></description><pubDate>Sat, 28 Sep 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/monitoring-external-service-traffic/</link><author>Neeraj Poddar (Aspen Mesh)</author><guid isPermaLink="true">/v1.12/blog/2019/monitoring-external-service-traffic/</guid><category>monitoring</category><category>blackhole</category><category>passthrough</category></item><item><title>Mixer Adapter for Knative</title><description>
|
||
<p>This post demonstrates how you can use Mixer to push application logic
|
||
into Istio. It describes a Mixer adapter which implements the <a href="https://knative.dev/">Knative</a> scale-from-zero logic
|
||
with simple code and similar performance to the original implementation.</p>
|
||
<h2 id="knative-serving">Knative serving</h2>
|
||
<p><a href="https://knative.dev/docs/serving/">Knative Serving</a> builds on <a href="https://kubernetes.io/">Kubernetes</a> to support deploying
|
||
and serving of serverless applications. A core capability of serverless platforms is scale-to-zero
|
||
functionality which reduces resource usage and cost of inactive workloads.
|
||
A new mechanism is required to scale from zero when an idle application receives a new request.</p>
|
||
<p>The following diagram represents the current Knative architecture for scale-from-zero.</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.29350893697084%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/knative-activator-adapter/knative-activator.png" title="Knative scale-from-zero">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/knative-activator-adapter/knative-activator.png" alt="Knative scale-from-zero" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Knative scale-from-zero</figcaption>
|
||
</figure>
|
||
<p>The traffic for an idle application is redirected to <strong>Activator</strong> component by programming Istio with <code>VirtualServices</code>
|
||
and <code>DestinationRules</code>. When <strong>Activator</strong> receives a new request, it:</p>
|
||
<ol>
|
||
<li>buffers incoming requests</li>
|
||
<li>triggers the <strong>Autoscaler</strong></li>
|
||
<li>redirects requests to the application after it has been scaled up, including retries and load-balancing (if needed)</li>
|
||
</ol>
|
||
<p>Once the application is up and running again, Knative restores the routing from <strong>Activator</strong> to the running application.</p>
|
||
<h2 id="mixer-adapter">Mixer adapter</h2>
|
||
<p>Mixer provides a rich intermediation layer between the Istio components and infrastructure backends.
|
||
It is designed as a stand-alone component, separate from <a href="https://www.envoyproxy.io/">Envoy</a>, and has a simple extensibility model
|
||
to enable Istio to interoperate with a wide breadth of backends. Mixer is inherently easier to extend
|
||
than Envoy is.</p>
|
||
<p>Mixer is an attribute processing engine that uses operator-supplied configuration to map request attributes from the Istio proxy into calls
|
||
to the infrastructure backends systems via a pluggable set of adapters. Adapters enable <strong>Mixer</strong> to expose a single consistent API, independent of the
|
||
infrastructure backends in use. The exact set of adapters used at runtime is determined through operator configuration and can easily
|
||
be extended to target new or custom infrastructure backends.</p>
|
||
<p>In order to achieve Knative scale-from-zero, we use a Mixer <a href="https://github.com/istio/istio/wiki/Mixer-Out-Of-Process-Adapter-Dev-Guide">out-of-process adapter</a>
|
||
to call the Autoscaler. Out-of-process adapters for Mixer allow developers to use any
|
||
programming language and to build and maintain your extension as a stand-alone program
|
||
without the need to build the Istio proxy.</p>
|
||
<p>The following diagram represents the Knative design using the <strong>Mixer</strong> adapter.</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.29350893697084%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/knative-activator-adapter/knative-mixer-adapter.png" title="Knative scale-from-zero">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/knative-activator-adapter/knative-mixer-adapter.png" alt="Knative scale-from-zero" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Knative scale-from-zero</figcaption>
|
||
</figure>
|
||
<p>In this design, there is no need to change the routing from/to <strong>Activator</strong> for an idle application as in the original Knative setup.
|
||
When the Istio proxy represented by the ingress gateway component receives a new request for an idle application, it informs <strong>Mixer</strong>, including all the
|
||
relevant metadata information.
|
||
<strong>Mixer</strong> then calls your adapter which triggers the Knative <strong>Autoscaler</strong> using the original Knative protocol.</p>
|
||
<div>
|
||
<aside class="callout idea">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-idea"/></svg>
|
||
</div>
|
||
<div class="content">By using this design you do not need to deal with buffering, retries and load-balancing because it is already handled by the Istio proxy.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Istio&rsquo;s use of Mixer adapters makes it possible to replace otherwise complex networking-based application logic with a more
|
||
straightforward implementation, as demonstrated in the <a href="https://github.com/zachidan/istio-kactivator">Knative adapter</a>.</p>
|
||
<p>When the adapter receives a message from <strong>Mixer</strong>, it sends a <code>StatMessage</code> directly to <strong>Autoscaler</strong>
|
||
component using the Knative protocol.
|
||
The metadata information (<code>namespace</code> and <code>service name</code>) required by <strong>Autoscaler</strong> are transferred by Istio proxy to
|
||
<strong>Mixer</strong> and from there to the adapter.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>I compared the cold-start time of the original Knative reference architecture to the new Istio Mixer adapter reference architecture.
|
||
The results show similar cold-start times.
|
||
The implementation using the Mixer adapter has greater simplicity. It is not necessary to handle low-level network-based mechanisms as these are handled by Envoy.</p>
|
||
<p>The next step is converting this Mixer adapter into an Envoy-specific filter running inside an ingress gateway.
|
||
This will allow to further improve the latency overhead (no more calls to <strong>Mixer</strong> and the adapter) and
|
||
to remove the dependency on the Istio Mixer.</p></description><pubDate>Wed, 18 Sep 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/knative-activator-adapter/</link><author>Idan Zach (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/knative-activator-adapter/</guid><category>mixer</category><category>adapter</category><category>knative</category><category>scale-from-zero</category></item><item><title>App Identity and Access Adapter</title><description>
|
||
<p>If you are running your containerized applications on Kubernetes, you can benefit from using the App Identity and Access Adapter for an abstracted level of security with zero code changes or redeploys.</p>
|
||
<p>Whether your computing environment is based on a single cloud provider, a combination of multiple cloud providers, or following a hybrid cloud approach, having a centralized identity management can help you to preserve existing infrastructure and avoid vendor lock-in.</p>
|
||
<p>With the <a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">App Identity and Access Adapter</a>, you can use any OAuth2/OIDC provider: IBM Cloud App ID, Auth0, Okta, Ping Identity, AWS Cognito, Azure AD B2C and more. Authentication and authorization policies can be applied in a streamlined way in all environments — including frontend and backend applications — all without code changes or redeploys.</p>
|
||
<h2 id="understanding-istio-and-the-adapter">Understanding Istio and the adapter</h2>
|
||
<p><a href="/v1.12/about/service-mesh/">Istio</a> is an open source service mesh that
|
||
transparently layers onto distributed applications and seamlessly integrates
|
||
with Kubernetes. To reduce the complexity of deployments Istio provides
|
||
behavioral insights and operational control over the service mesh as a whole.
|
||
See the <a href="/v1.12/docs/ops/deployment/architecture/">Istio Architecture</a> for more details.</p>
|
||
<p>Istio uses <a href="/v1.12/blog/2019/data-plane-setup/">Envoy proxy sidecars</a> to mediate inbound and outbound traffic for all pods in the service mesh. Istio extracts telemetry from the Envoy sidecars and sends it to Mixer, the Istio component responsible for collecting telemetry and enforcing policy.</p>
|
||
<p>The App Identity and Access adapter extends the Mixer functionality by analyzing the telemetry (attributes) against various access control policies across the service mesh. The access control policies can be linked to a particular Kubernetes services and can be finely tuned to specific service endpoints. For more information about policies and telemetry, see the Istio documentation.</p>
|
||
<p>When <a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">App Identity and Access Adapter</a> is combined with Istio, it provides a scalable, integrated identity and access solution for multicloud architectures that does not require any custom application code changes.</p>
|
||
<h2 id="installation">Installation</h2>
|
||
<p>App Identity and Access adapter can be installed using Helm directly from the <code>github.com</code> repository</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm repo add appidentityandaccessadapter https://raw.githubusercontent.com/ibm-cloud-security/app-identity-and-access-adapter/master/helm/appidentityandaccessadapter
|
||
$ helm install --name appidentityandaccessadapter appidentityandaccessadapter/appidentityandaccessadapter
|
||
</code></pre>
|
||
<p>Alternatively, you can clone the repository and install the Helm chart locally</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ git clone git@github.com:ibm-cloud-security/app-identity-and-access-adapter.git
|
||
$ helm install ./helm/appidentityandaccessadapter --name appidentityandaccessadapter.
|
||
</code></pre>
|
||
<h2 id="protecting-web-applications">Protecting web applications</h2>
|
||
<p>Web applications are most commonly protected by the OpenID Connect (OIDC) workflow called <code>authorization_code</code>. When an unauthenticated/unauthorized user is detected, they are automatically redirected to the identity service of your choice and presented with the authentication page. When authentication completes, the browser is redirected back to an implicit <code>/oidc/callback</code> endpoint intercepted by the adapter. At this point, the adapter obtains access and identity tokens from the identity service and then redirects users back to their originally requested URL in the web app.</p>
|
||
<p>Authentication state and tokens are maintained by the adapter. Each request processed by the adapter will include the Authorization header bearing both access and identity tokens in the following format <code>Authorization: Bearer &lt;access_token&gt; &lt;id_token&gt;</code></p>
|
||
<p>Developers can read leverage the tokens for application experience adjustments, e.g. displaying user name, adjusting UI based on user role etc.</p>
|
||
<p>In order to terminate the authenticated session and wipe tokens, aka user logout, simply redirect browser to the <code>/oidc/logout</code> endpoint under the protected service, e.g. if you&rsquo;re serving your app from <code>https://example.com/myapp</code>, redirect users to <code>https://example.com/myapp/oidc/logout</code></p>
|
||
<p>Whenever access token expires, a refresh token is used to automatically acquire new access and identity tokens without your user&rsquo;s needing to re-authenticate. If the configured identity provider returns a refresh token, it is persisted by the adapter and used to retrieve new access and identity tokens when the old ones expire.</p>
|
||
<h3 id="applying-web-application-protection">Applying web application protection</h3>
|
||
<p>Protecting web applications requires creating two types of resources - use <code>OidcConfig</code> resources to define various OIDC providers, and <code>Policy</code> resources to define the web app protection policies.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;security.cloud.ibm.com/v1&#34;
|
||
kind: OidcConfig
|
||
metadata:
|
||
name: my-oidc-provider-config
|
||
namespace: sample-namespace
|
||
spec:
|
||
discoveryUrl: &lt;discovery-url-from-oidc-provider&gt;
|
||
clientId: &lt;client-id-from-oidc-provider&gt;
|
||
clientSecretRef:
|
||
name: &lt;kubernetes-secret-name&gt;
|
||
key: &lt;kubernetes-secret-key&gt;
|
||
</code></pre>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;security.cloud.ibm.com/v1&#34;
|
||
kind: Policy
|
||
metadata:
|
||
name: my-sample-web-policy
|
||
namespace: sample-namespace
|
||
spec:
|
||
targets:
|
||
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
|
||
paths:
|
||
- prefix: /webapp
|
||
method: ALL
|
||
policies:
|
||
- policyType: oidc
|
||
config: my-oidc-provider-config
|
||
rules: // optional
|
||
- claim: iss
|
||
match: ALL
|
||
source: access_token
|
||
values:
|
||
- &lt;expected-issuer-id&gt;
|
||
- claim: scope
|
||
match: ALL
|
||
source: access_token
|
||
values:
|
||
- openid
|
||
</code></pre>
|
||
<p><a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">Read more about protecting web applications</a></p>
|
||
<h2 id="protecting-backend-application-and-apis">Protecting backend application and APIs</h2>
|
||
<p>Backend applications and APIs are protected using the Bearer Token flow, where an incoming token is validated against a particular policy. The Bearer Token authorization flow expects a request to contain the <code>Authorization</code> header with a valid access token in JWT format. The expected header structure is <code>Authorization: Bearer {access_token}</code>. In case token is successfully validated request will be forwarded to the requested service. In case token validation fails the HTTP 401 will be returned back to the client with a list of scopes that are required to access the API.</p>
|
||
<h3 id="applying-backend-application-and-apis-protection">Applying backend application and APIs protection</h3>
|
||
<p>Protecting backend applications and APIs requires creating two types of resources - use <code>JwtConfig</code> resources to define various JWT providers, and <code>Policy</code> resources to define the backend app protection policies.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;security.cloud.ibm.com/v1&#34;
|
||
kind: JwtConfig
|
||
metadata:
|
||
name: my-jwt-config
|
||
namespace: sample-namespace
|
||
spec:
|
||
jwksUrl: &lt;the-jwks-url&gt;
|
||
</code></pre>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;security.cloud.ibm.com/v1&#34;
|
||
kind: Policy
|
||
metadata:
|
||
name: my-sample-backend-policy
|
||
namespace: sample-namespace
|
||
spec:
|
||
targets:
|
||
- serviceName: &lt;kubernetes-service-name-to-protect&gt;
|
||
paths:
|
||
- prefix: /api/files
|
||
method: ALL
|
||
policies:
|
||
- policyType: jwt
|
||
config: my-oidc-provider-config
|
||
rules: // optional
|
||
- claim: iss
|
||
match: ALL
|
||
source: access_token
|
||
values:
|
||
- &lt;expected-issuer-id&gt;
|
||
- claim: scope
|
||
match: ALL
|
||
source: access_token
|
||
values:
|
||
- files.read
|
||
- files.write
|
||
</code></pre>
|
||
<p><a href="https://github.com/ibm-cloud-security/app-identity-and-access-adapter">Read more about protecting backend applications</a></p>
|
||
<h2 id="known-limitations">Known limitations</h2>
|
||
<p>At the time of writing this blog there are two known limitations of the App Identity and Access adapter:</p>
|
||
<ul>
|
||
<li><p>If you use the App Identity and Access adapter for Web Applications you should not create more than a single replica of the adapter. Due to the way Envoy Proxy was handling HTTP headers it was impossible to return multiple <code>Set-Cookie</code> headers from Mixer back to Envoy. Therefore we couldn&rsquo;t set all the cookies required for handling Web Application scenarios. The issue was recently addressed in Envoy and Mixer and we&rsquo;re planning to address this in future versions of our adapter. <strong>Note that this only affects Web Applications, and doesn&rsquo;t affect Backend Apps and APIs in any way</strong>.</p></li>
|
||
<li><p>As a general best practice you should always consider using mutual-tls for any in-cluster communications. At the moment the communications channel between Mixer and App Identity and Access adapter currently does not use mutual-tls. In future we plan to address this by implementing an approach described in the <a href="https://github.com/istio/istio/wiki/Mixer-Out-of-Process-Adapter-Walkthrough#step-7-encrypt-connection-between-mixer-and-grpc-adapter">Mixer Adapter developer guide</a>.</p></li>
|
||
</ul>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>When a multicloud strategy is in place, security can become complicated as the environment grows and diversifies. While cloud providers supply protocols and tools to ensure their offerings are safe, the development teams are still responsible for the application-level security, such as API access control with OAuth2, defending against man-in-the-middle attacks with traffic encryption, and providing mutual TLS for service access control. However, this becomes complex in a multicloud environment since you might need to define those security details for each service separately. With proper security protocols in place, those external and internal threats can be mitigated.</p>
|
||
<p>Development teams have spent time making their services portable to different cloud providers, and in the same regard, the security in place should be flexible and not infrastructure-dependent.</p>
|
||
<p>Istio and App Identity and Access Adapter allow you to secure your Kubernetes apps with absolutely zero code changes or redeployments regardless of which programming language and which frameworks you use. Following this approach ensures maximum portability of your apps, and ability to easily enforce same security policies across multiple environments.</p>
|
||
<p>You can read more about the App Identity and Access Adapter in the <a href="https://www.ibm.com/cloud/blog/using-istio-to-secure-your-multicloud-kubernetes-applications-with-zero-code-change">release blog</a>.</p></description><pubDate>Wed, 18 Sep 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/app-identity-and-access-adapter/</link><author>Anton Aleksandrov (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/app-identity-and-access-adapter/</guid><category>security</category><category>oidc</category><category>jwt</category><category>policies</category></item><item><title>Change in Secret Discovery Service in Istio 1.3</title><description><p>In Istio 1.3, we are taking advantage of improvements in Kubernetes to issue certificates for workload instances more securely.</p>
|
||
<p>When a Citadel Agent sends a certificate signing request to Citadel to get a certificate for a workload instance,
|
||
it includes the JWT that the Kubernetes API server issued representing the service account of the workload instance.
|
||
If Citadel can authenticate the JWT, it extracts the service account name needed to issue the certificate for the workload instance.</p>
|
||
<p>Before Kubernetes 1.12, the Kubernetes API server issues JWTs with the following issues:</p>
|
||
<ol>
|
||
<li>The tokens don&rsquo;t have important fields to limit their scope of usage, such as <code>aud</code> or <code>exp</code>. See <a href="https://github.com/kubernetes/community/blob/master/contributors/design-proposals/auth/bound-service-account-tokens.md">Bound Service Tokens</a> for more info.</li>
|
||
<li>The tokens are mounted onto all the pods without a way to opt-out. See <a href="https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/svcacct-token-volume-source.md">Service Account Token Volumes</a> for motivation.</li>
|
||
</ol>
|
||
<p>Kubernetes 1.12 introduces <code>trustworthy</code> JWTs to solve these issues.
|
||
However, support for the <code>aud</code> field to have a different value than the API server audience didn&rsquo;t become available until <a href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.13.md">Kubernetes 1.13</a>.
|
||
To better secure the mesh, Istio 1.3 only supports <code>trustworthy</code> JWTs and requires the value of the <code>aud</code> field to be <code>istio-ca</code> when you enable SDS.
|
||
Before upgrading your Istio deployment to 1.3 with SDS enabled, verify that you use Kubernetes 1.13 or later.</p>
|
||
<p>Make the following considerations based on your platform of choice:</p>
|
||
<ul>
|
||
<li><strong>GKE:</strong> Upgrade your cluster version to at least 1.13.</li>
|
||
<li><strong>On-prem Kubernetes</strong> and <strong>GKE on-prem:</strong> Add <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection">extra configurations</a> to your Kubernetes. You may
|
||
also want to refer to the <a href="https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/">api-server page</a> for the most up-to-date flag names.</li>
|
||
<li>For other platforms, check with your provider. If your vendor does not support trustworthy JWTs, you will need to fall back to the file-mount approach to propagate the workload keys and certificates in Istio 1.3.</li>
|
||
</ul></description><pubDate>Tue, 10 Sep 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/trustworthy-jwt-sds/</link><author>Phillip Quy Le (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/trustworthy-jwt-sds/</guid><category>security</category><category>PKI</category><category>certificate</category><category>nodeagent</category><category>sds</category></item><item><title>The Evolution of Istio's APIs</title><description>
|
||
<p>One of Istio’s main goals has always been, and continues to be, enabling teams to develop abstractions that work best for their specific organization and workloads. Istio provides robust and powerful building blocks for service-to-service networking. Since <a href="/v1.12/news/releases/0.x/announcing-0.1">Istio 0.1</a>, the Istio team has been learning from production users about how they map their own architectures, workloads, and constraints to Istio’s capabilities, and we’ve been evolving Istio’s APIs to make them work better for you.</p>
|
||
<h2 id="evolving-istio-s-apis">Evolving Istio’s APIs</h2>
|
||
<p>The next step in Istio’s evolution is to sharpen our focus and align with the roles of Istio’s users. A security admin should be able to interact with an API that logically groups and simplifies security operations within an Istio mesh; the same goes for service operators and traffic management operations.</p>
|
||
<p>Taking it a step further, there’s an opportunity to provide improved experiences for beginning, intermediate, and advanced use cases for each role. There are many common use cases that can be addressed with obvious default settings and a better defined initial experience that requires little to no configuration. For intermediate use cases, the Istio team wants to leverage contextual cues from the environment and provide you with a simpler configuration experience. Finally, for advanced scenarios, our goal is to make <a href="https://www.quora.com/What-is-the-origin-of-the-phrase-make-the-easy-things-easy-and-the-hard-things-possible">easy things easy and hard things possible</a>.</p>
|
||
<p>To provide these sorts of role-centric abstractions, however, the APIs underneath them must be able to describe all of Istio’s power and capabilities. Historically, Istio’s approach to API design followed paths similar to those of other infrastructure APIs. Istio follows these design principles:</p>
|
||
<ol>
|
||
<li>The Istio APIs should seek to:
|
||
<ul>
|
||
<li>Properly represent the underlying resources to which they are mapped</li>
|
||
<li>Shouldn’t hide any of the underlying resource’s useful capabilities</li>
|
||
</ul></li>
|
||
<li>The Istio APIs should also be <a href="https://en.wikipedia.org/wiki/Composability">composable</a>, so end users can combine infrastructure APIs in a way that makes sense for their own needs.</li>
|
||
<li>The Istio APIs should be flexible: Within an organization, it should be possible to have different representations of the underlying resources and surface the ones that make sense for each individual team.</li>
|
||
</ol>
|
||
<p>Over the course of the next several releases we will share our progress as we strengthen the alignment between Istio’s APIs and the roles of Istio users.</p>
|
||
<h2 id="composability-and-abstractions">Composability and abstractions</h2>
|
||
<p>Istio and Kubernetes often go together, but Istio is much more than an add-on to Kubernetes – it is as much a <em>platform</em> as Kubernetes is. Istio aims to provide infrastructure, and surface the capabilities you need in a powerful service mesh. For example, there are platform-as-a-service offerings that use Kubernetes as their foundation, and build on Kubernetes’ composability to provide a subset of APIs to application developers.</p>
|
||
<p>The number of objects that must be configured to deploy applications is a concrete example of Kubernetes’ composability. By our count, at least 10 objects need to be configured: <code>Namespace</code>, <code>Service</code>, <code>Ingress</code>, <code>Deployment</code>, <code>HorizontalPodAutoscaler</code>, <code>Secret</code>, <code>ConfigMap</code>, <code>RBAC</code>, <code>PodDisruptionBudget</code>, and <code>NetworkPolicy</code>.</p>
|
||
<p>It sounds complicated, but not everyone needs to interact with those concepts. Some are the responsibility of different teams like the cluster, network, or security admin teams, and many provide sensible defaults. A great benefit of cloud native platforms and deployment tools is that they can hide that complexity by taking in a small amount of information and configuring those objects for you.</p>
|
||
<p>Another example of composability in the networking space can be found in the <a href="https://cloud.google.com/load-balancing/docs/https/">Google Cloud HTTP(S) Load Balancer</a> (GCLB). To correctly use an instance of the GCLB, six different infrastructure objects need to be created and configured. This design is the result of our 20 years of experience in operating distributed systems and <a href="https://www.youtube.com/watch?v=J5HJ1y6PeyE">there is a reason why each one is separate from the others</a>. But the steps are simplified when you’re creating an instance via the Google Cloud console. We provide the more common end-user/role-specific configurations, and you can configure less common settings later. Ultimately, the goals of infrastructure APIs are to offer the most flexibility without sacrificing functionality.</p>
|
||
<p><a href="http://knative.dev">Knative</a> is a platform for building, running, and operating serverless workloads that provides a great real-world example of role-centric,
|
||
higher-level APIs. <a href="https://knative.dev/docs/serving/">Knative Serving</a>, a component of Knative that builds on Kubernetes and Istio to support deploying and
|
||
serving serverless applications and functions, provides an opinionated workflow for application developers to manage routes and revisions of their services.
|
||
Thanks to that opinionated approach, Knative Serving exposes a subset of Istio’s networking APIs that are most relevant to application developers via a simplified
|
||
<a href="https://github.com/knative/docs/blob/master/docs/serving/spec/knative-api-specification-1.0.md#route">Routes</a> object that supports revisions and traffic routing,
|
||
abstracting Istio’s <a href="/v1.12/docs/reference/config/networking/virtual-service/"><code>VirtualService</code></a> and <a href="/v1.12/docs/reference/config/networking/destination-rule/"><code>DestinationRule</code></a>
|
||
resources.</p>
|
||
<p>As Istio has matured, we’ve also seen production users develop workload- and organization-specific abstractions on top of Istio’s infrastructure APIs.</p>
|
||
<p>AutoTrader UK has one of our favorite examples of a custom platform built on Istio. In <a href="https://kubernetespodcast.com/episode/052-autotrader/">an interview with the Kubernetes Podcast from Google</a>, Russel Warman and Karl Stoney describe their Kubernetes-based delivery platform, with <a href="https://karlstoney.com/2018/07/07/managing-your-costs-on-kubernetes/">cost dashboards using Prometheus and Grafana</a>. With minimal effort, they added configuration options to determine what their developers want configured on the network, and it now manages the Istio objects required to make that happen. There are countless other platforms being built in enterprise and cloud-native companies: some designed to replace a web of company-specific custom scripts, and some aimed to be a general-purpose public tool. As more companies start to talk about their tooling publicly, we&rsquo;ll bring their stories to this blog.</p>
|
||
<h2 id="what-s-coming-next">What’s coming next</h2>
|
||
<p>Some areas of improvement that we’re working on for upcoming releases include:</p>
|
||
<ul>
|
||
<li>Installation profiles to setup standard patterns for ingress and egress, with the Istio operator</li>
|
||
<li>Automatic inference of container ports and protocols for telemetry</li>
|
||
<li>Support for routing all traffic by default to constrain routing incrementally</li>
|
||
<li>Add a single global flag to enable mutual TLS and encrypt all inter-pod traffic</li>
|
||
</ul>
|
||
<p>Oh, and if for some reason you judge a toolbox by the list of CRDs it installs, in Istio 1.2 we cut the number from 54 down to 23. Why? It turns out that if you have a bunch of features, you need to have a way to configure them all. With the improvements we’ve made to our installer, you can now install Istio using a <a href="/v1.12/docs/setup/additional-setup/config-profiles/">configuration</a> that works with your adapters.</p>
|
||
<p>All service meshes and, by extension, Istio seeks to automate complex infrastructure operations, like networking and security. That means there will always be complexity in its APIs, but Istio will always aim to solve the needs of operators, while continuing to evolve the API to provide robust building blocks and prioritize flexibility through role-centric abstractions.</p>
|
||
<p>We can&rsquo;t wait for you to join our <a href="/v1.12/get-involved/">community</a> to see what you build with Istio next!</p></description><pubDate>Mon, 05 Aug 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/evolving-istios-apis/</link><author>Louis Ryan (Google), Sandeep Parikh (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/evolving-istios-apis/</guid><category>apis</category><category>composability</category><category>evolution</category></item><item><title>Secure Control of Egress Traffic in Istio, part 3</title><description>
|
||
<p>Welcome to part 3 in our series about secure control of egress traffic in Istio.
|
||
In <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-1/">the first part in the series</a>, I presented the attacks involving
|
||
egress traffic and the requirements we collected for a secure control system for egress traffic.
|
||
In <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/">the second part in the series</a>, I presented the Istio way of
|
||
securing egress traffic and showed how you can prevent the attacks using Istio.</p>
|
||
<p>In this installment, I compare secure control of egress traffic in Istio with alternative solutions such as using Kubernetes
|
||
network policies and legacy egress proxies and firewalls. Finally, I describe the performance considerations regarding the
|
||
secure control of egress traffic in Istio.</p>
|
||
<h2 id="alternative-solutions-for-egress-traffic-control">Alternative solutions for egress traffic control</h2>
|
||
<p>First, let&rsquo;s remember the <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-1/#requirements-for-egress-traffic-control">requirements for egress traffic control</a> we previously collected:</p>
|
||
<ol>
|
||
<li>Support of <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</a> with
|
||
<a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> or of <a href="/v1.12/docs/reference/glossary/#tls-origination">TLS origination</a>.</li>
|
||
<li><strong>Monitor</strong> SNI and the source workload of every egress access.</li>
|
||
<li>Define and enforce <strong>policies per cluster</strong>.</li>
|
||
<li>Define and enforce <strong>policies per source</strong>, <em>Kubernetes-aware</em>.</li>
|
||
<li><strong>Prevent tampering</strong>.</li>
|
||
<li>Traffic control is <strong>transparent</strong> to the applications.</li>
|
||
</ol>
|
||
<p>Next, I&rsquo;m going to cover two alternative solutions for egress traffic control: the Kubernetes network policies and
|
||
egress proxies and firewalls. I show the requirements they satisfy, and, more importantly, the requirements they can&rsquo;t satisfy.</p>
|
||
<p>Kubernetes provides a native solution for traffic control, and in particular, for control of egress traffic, through the <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">network policies</a>.
|
||
Using these network policies, cluster operators can configure which pods can access specific external services.
|
||
Cluster operators can identify pods by pod labels, namespace labels, or by IP ranges. To specify the external services, cluster operators can use IP ranges, but cannot use domain names like <code>cnn.com</code>. This is because <strong>Kubernetes network policies are not DNS-aware</strong>.
|
||
Network policies satisfy the first requirement since they can control any TCP traffic.
|
||
Network policies only partially satisfy the third and the fourth requirements because cluster operators can specify policies
|
||
per cluster or per pod but operators can&rsquo;t identify external services by domain names.
|
||
Network policies only satisfy the fifth requirement if the attackers are not able to break from a malicious container into the Kubernetes
|
||
node and interfere with the implementation of the policies inside said node.
|
||
Lastly, network policies do satisfy the sixth requirement: Operators don&rsquo;t need to change the code or the
|
||
container environment. In summary, we can say that Kubernetes Network Policies provide transparent, Kubernetes-aware egress traffic
|
||
control, which is not DNS-aware.</p>
|
||
<p>The second alternative predates the Kubernetes network policies. Using a <strong>DNS-aware egress proxy or firewall</strong> lets you
|
||
configure applications to direct the traffic to the proxy and use some proxy protocol, for example,
|
||
<a href="https://en.wikipedia.org/wiki/SOCKS">SOCKS</a>.
|
||
Since operators must configure the applications, this solution is not transparent. Moreover, operators can&rsquo;t use
|
||
pod labels or pod service accounts to configure the proxies because the egress proxies don&rsquo;t know about them. Therefore, <strong>the egress proxies are not Kubernetes-aware</strong> and can&rsquo;t fulfill the fourth requirement because
|
||
egress proxies cannot enforce policies by source if a Kubernetes artifact specifies the source.
|
||
In summary, egress proxies can fulfill the first, second, third and fifth requirements, but can&rsquo;t satisfy the fourth and
|
||
the six requirements because they are not transparent and not Kubernetes-aware.</p>
|
||
<h2 id="advantages-of-istio-egress-traffic-control">Advantages of Istio egress traffic control</h2>
|
||
<p>Istio egress traffic control is <strong>DNS-aware</strong>: you can define policies based on URLs or on wildcard domains like
|
||
<code>*.ibm.com</code>. In this sense, it is better than Kubernetes network policies which are not DNS-aware.</p>
|
||
<p>Istio egress traffic control is <strong>transparent</strong> with regard to TLS traffic, since Istio is transparent:
|
||
you don&rsquo;t need to change the applications or configure their containers.
|
||
For HTTP traffic with TLS origination, you must configure the applications in the mesh to use HTTP instead of HTTPS.</p>
|
||
<p>Istio egress traffic control is <strong>Kubernetes-aware</strong>: the identity of the source of egress traffic is based on
|
||
Kubernetes service accounts. Istio egress traffic control is better than the legacy DNS-aware proxies or firewalls which
|
||
are not transparent and not Kubernetes-aware.</p>
|
||
<p>Istio egress traffic control is <strong>secure</strong>: it is based on the strong identity of Istio and, when you
|
||
apply
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security measures</a>,
|
||
Istio&rsquo;s traffic control is resilient to tampering.</p>
|
||
<p>Additionally, Istio&rsquo;s egress traffic control provides the following advantages:</p>
|
||
<ul>
|
||
<li>Define access policies in the same language for ingress, egress, and in-cluster traffic. You
|
||
need to learn a single policy and configuration language for all types of traffic.</li>
|
||
<li>Out-of-the-Box integration of Istio&rsquo;s egress traffic control with Istio&rsquo;s policy and observability adapters.</li>
|
||
<li>Write the adapters to use external monitoring or access control systems with Istio only once and
|
||
apply them for all types of traffic: ingress, egress, and in-cluster.</li>
|
||
<li>Use Istio&rsquo;s <a href="/v1.12/docs/concepts/traffic-management/">traffic management features</a> for egress traffic:
|
||
load balancing, passive and active health checking, circuit breaker, timeouts, retries, fault injection, and others.</li>
|
||
</ul>
|
||
<p>We refer to a system with the advantages above as <strong>Istio-aware</strong>.</p>
|
||
<p>The following table summarizes the egress traffic control features that Istio and the alternative solutions provide:</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th></th>
|
||
<th>Istio Egress Traffic Control</th>
|
||
<th>Kubernetes Network Policies</th>
|
||
<th>Legacy Egress Proxy or Firewall</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>DNS-aware</td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#cancel"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Kubernetes-aware</td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#cancel"/></svg></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Transparent</td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#cancel"/></svg></td>
|
||
</tr>
|
||
<tr>
|
||
<td>Istio-aware</td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#checkmark"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#cancel"/></svg></td>
|
||
<td><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#cancel"/></svg></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h2 id="performance-considerations">Performance considerations</h2>
|
||
<p>Controlling egress traffic using Istio has a price: increased latency of calls to external services and
|
||
increased CPU usage by the cluster&rsquo;s pods.
|
||
Traffic passes through two proxies:</p>
|
||
<ul>
|
||
<li>The application&rsquo;s sidecar proxy</li>
|
||
<li>The egress gateway&rsquo;s proxy</li>
|
||
</ul>
|
||
<p>If you use <a href="/v1.12/docs/tasks/traffic-management/egress/wildcard-egress-hosts/">TLS egress traffic to wildcard domains</a>,
|
||
you must add
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains">an additional proxy</a>
|
||
between the application and the external service. Since the traffic between the egress gateway&rsquo;s proxy and
|
||
the proxy needed for the configuration of arbitrary domains using wildcards is on the pod&rsquo;s local
|
||
network, that traffic shouldn&rsquo;t have a significant impact on latency.</p>
|
||
<p>See a <a href="/v1.12/blog/2019/egress-performance/">performance evaluation</a> of different Istio configurations set to control egress
|
||
traffic. I would encourage you to carefully measure different configurations with your own applications and your own
|
||
external services, before you decide whether you can afford the performance overhead for your use cases. You should weigh the
|
||
required level of security versus your performance requirements and compare the performance overhead of all
|
||
alternative solutions.</p>
|
||
<p>Let me share my thoughts on the performance overhead that controlling egress traffic using Istio adds:
|
||
Accessing external services already could have high latency and the overhead added
|
||
because of two or three proxies inside the cluster could likely not be very significant by comparison.
|
||
After all, applications with a microservice architecture can have chains of dozens of calls between microservices.
|
||
Therefore, an additional hop with one or two proxies in the egress gateway should not have a large impact.</p>
|
||
<p>Moreover, we continue to work towards reducing Istio&rsquo;s performance overhead.
|
||
Possible optimizations include:</p>
|
||
<ul>
|
||
<li>Extending Envoy to handle wildcard domains: This would eliminate the need for a third proxy between
|
||
the application and the external services for that use case.</li>
|
||
<li>Using mutual TLS for authentication only without encrypting the TLS traffic, since the traffic is already
|
||
encrypted.</li>
|
||
</ul>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>I hope that after reading this series you are convinced that controlling egress traffic is very important for the
|
||
security of your cluster.
|
||
Hopefully, I also managed to convince you that Istio is an effective tool to control egress traffic
|
||
securely, and that Istio has multiple advantages over the alternative solutions.
|
||
Istio is the only solution I&rsquo;m aware of that lets you:</p>
|
||
<ul>
|
||
<li>Control egress traffic in a secure and transparent way</li>
|
||
<li>Specify external services as domain names</li>
|
||
<li>Use Kubernetes artifacts to specify the traffic source</li>
|
||
</ul>
|
||
<p>In my opinion, secure control of egress traffic is a great choice if you are looking for your first Istio use case.
|
||
In this case, Istio already provides you some benefits even before you start using all other Istio features:
|
||
<a href="/v1.12/docs/tasks/traffic-management/">traffic management</a>, <a href="/v1.12/docs/tasks/security/">security</a>,
|
||
<a href="https://istio.io/v1.6/docs/tasks/policy-enforcement/">policies</a> and <a href="/v1.12/docs/tasks/observability/">observability</a>, applied to traffic between
|
||
microservices inside the cluster.</p>
|
||
<p>So, if you haven&rsquo;t had the chance to work with Istio yet, <a href="/v1.12/docs/setup/install/">install Istio</a> on your cluster
|
||
and check our <a href="/v1.12/docs/tasks/traffic-management/egress/">egress traffic control tasks</a> and the tasks for the other
|
||
<a href="/v1.12/docs/tasks/">Istio features</a>. We also want to hear from you, please join us at <a href="https://discuss.istio.io">discuss.istio.io</a>.</p></description><pubDate>Mon, 22 Jul 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/egress-traffic-control-in-istio-part-3/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/egress-traffic-control-in-istio-part-3/</guid><category>traffic-management</category><category>egress</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Secure Control of Egress Traffic in Istio, part 2</title><description>
|
||
<p>Welcome to part 2 in our new series about secure control of egress traffic in Istio.
|
||
In <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-1/">the first part in the series</a>, I presented the attacks involving
|
||
egress traffic and the requirements we collected for a secure control system for egress traffic.
|
||
In this installment, I describe the Istio way to securely control the egress traffic, and show how Istio can help you
|
||
prevent the attacks.</p>
|
||
<h2 id="secure-control-of-egress-traffic-in-istio">Secure control of egress traffic in Istio</h2>
|
||
<p>To implement secure control of egress traffic in Istio, you must
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-https-traffic">direct TLS traffic to external services through an egress gateway</a>.
|
||
Alternatively, you
|
||
can <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#egress-gateway-for-http-traffic">direct HTTP traffic through an egress gateway</a>
|
||
and <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway">let the egress gateway perform TLS origination</a>.</p>
|
||
<p>Both alternatives have their pros and cons, you should choose between them according to your circumstances.
|
||
The choice mainly depends on whether your application can send unencrypted HTTP requests and whether your
|
||
organization&rsquo;s security policies allow sending unencrypted HTTP requests.
|
||
For example, if your application uses some client library that encrypts the traffic without a possibility to cancel the
|
||
encryption, you cannot use the option of sending unencrypted HTTP traffic.
|
||
The same in the case your organization&rsquo;s security policies do not allow sending unencrypted HTTP requests
|
||
<strong>inside the pod</strong> (outside the pod the traffic is encrypted by Istio).</p>
|
||
<p>If the application sends HTTP requests and the egress gateway performs TLS origination, you can monitor HTTP
|
||
information like HTTP methods, headers, and URL paths. You can also
|
||
<a href="/v1.12/blog/2018/egress-monitoring-access-control">define policies</a> based on said HTTP information. If the application
|
||
performs TLS origination, you can
|
||
<a href="https://istio.io/v1.6/docs/tasks/traffic-management/egress/egress_sni_monitoring_and_policies/">monitor SNI and the service account</a> of the
|
||
source pod&rsquo;s TLS traffic, and define policies based on SNI and service accounts.</p>
|
||
<p>You must ensure that traffic from your cluster to the outside cannot bypass the egress gateway. Istio cannot enforce it
|
||
for you, so you must apply some
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security mechanisms</a>,
|
||
for example,
|
||
the <a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes network policies</a> or an L3
|
||
firewall. See an example of the
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#apply-kubernetes-network-policies">Kubernetes network policies configuration</a>.
|
||
According to the <a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth</a> concept, the more
|
||
security mechanisms you apply for the same goal, the better.</p>
|
||
<p>You must also ensure that Istio control plane and the egress gateway cannot be compromised. While you may have hundreds
|
||
or thousands of application pods in your cluster, there are only a dozen of Istio control plane pods and the gateways.
|
||
You can and should focus on protecting the control plane pods and the gateways, since it is easy (there is a small
|
||
number of pods to protect) and it is most crucial for the security of your cluster.
|
||
If attackers compromise the control plane or the egress gateway, they could violate any policy.</p>
|
||
<p>You might have multiple tools to protect the control plane pods, depending on your environment.
|
||
The reasonable security measures are:</p>
|
||
<ul>
|
||
<li>Run the control plane pods on nodes separate from the application nodes.</li>
|
||
<li>Run the control plane pods in their own separate namespace.</li>
|
||
<li>Apply the Kubernetes RBAC and network policies to protect the control plane pods.</li>
|
||
<li>Monitor the control plane pods more closely than you do the application pods.</li>
|
||
</ul>
|
||
<p>Once you direct egress traffic through an egress gateway and apply the additional security mechanisms,
|
||
you can securely monitor and enforce security policies for the traffic.</p>
|
||
<p>The following diagram shows Istio&rsquo;s security architecture, augmented with an L3 firewall which is part of the
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">additional security mechanisms</a>
|
||
that should be provided outside of Istio.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.89557965057057%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/SecurityArchitectureWithL3Firewalls.svg" title="Istio Security Architecture with Egress Gateway and L3 Firewall">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/SecurityArchitectureWithL3Firewalls.svg" alt="Istio Security Architecture with Egress Gateway and L3 Firewall" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Security Architecture with Egress Gateway and L3 Firewall</figcaption>
|
||
</figure>
|
||
<p>You can configure the L3 firewall trivially to only allow incoming traffic through the Istio ingress gateway and
|
||
only allow outgoing traffic through the Istio egress gateway. The Istio proxies of the gateways enforce
|
||
policies and report telemetry just as all other proxies in the mesh do.</p>
|
||
<p>Now let&rsquo;s examine possible attacks and let me show you how the secure control of egress traffic in Istio prevents them.</p>
|
||
<h2 id="preventing-possible-attacks">Preventing possible attacks</h2>
|
||
<p>Consider the following security policies for egress traffic:</p>
|
||
<ul>
|
||
<li>Application <strong>A</strong> is allowed to access <code>*.ibm.com</code>, which includes all the external services with URLs matching
|
||
<code>*.ibm.com</code>.</li>
|
||
<li>Application <strong>B</strong> is allowed to access <code>mongo1.composedb.com</code>.</li>
|
||
<li>All egress traffic is monitored.</li>
|
||
</ul>
|
||
<p>Suppose the attackers have the following goals:</p>
|
||
<ul>
|
||
<li>Access <code>*.ibm.com</code> from your cluster.</li>
|
||
<li>Access <code>*.ibm.com</code> from your cluster, unmonitored. The attackers want their traffic to be unmonitored to prevent a
|
||
possibility that you will detect the forbidden access.</li>
|
||
<li>Access <code>mongo1.composedb.com</code> from your cluster.</li>
|
||
</ul>
|
||
<p>Now suppose that the attackers manage to break into one of the pods of application <strong>A</strong>, and try to use the compromised
|
||
pod to perform the forbidden access. The attackers may try their luck and access the external services in a
|
||
straightforward way. You will react to the straightforward attempts as follows:</p>
|
||
<ul>
|
||
<li>Initially, there is no way to prevent a compromised application <strong>A</strong> to access <code>*.ibm.com</code>, because the compromised
|
||
pod is indistinguishable from the original pod.</li>
|
||
<li>Fortunately, you can monitor all access to external services, detect suspicious traffic, and thwart attackers from
|
||
gaining unmonitored access to <code>*.ibm.com</code>. For example, you could apply anomaly detection tools on the
|
||
egress traffic logs.</li>
|
||
<li>To stop attackers from accessing <code>mongo1.composedb.com</code> from your cluster, Istio will correctly detect the source of
|
||
the traffic, application <strong>A</strong> in this case, and verify that it is not allowed to access <code>mongo1.composedb.com</code>
|
||
according to the security policies mentioned above.</li>
|
||
</ul>
|
||
<p>Having failed to achieve their goals in a straightforward way, the malicious actors may resort to advanced attacks:</p>
|
||
<ul>
|
||
<li><strong>Bypass the container&rsquo;s sidecar proxy</strong> to be able to access any external service directly, without the sidecar&rsquo;s
|
||
policy enforcement and reporting. This attack is prevented by a Kubernetes Network Policy or by an L3 firewall that
|
||
allow egress traffic to exit the mesh only from the egress gateway.</li>
|
||
<li><strong>Compromise the egress gateway</strong> to be able to force it to send fake information to the monitoring system or to
|
||
disable enforcement of the security policies. This attack is prevented by applying the special security measures to
|
||
the egress gateway pods.</li>
|
||
<li><strong>Impersonate as application B</strong> since application <strong>B</strong> is allowed to access <code>mongo1.composedb.com</code>. This attack,
|
||
fortunately, is prevented by Istio&rsquo;s <a href="/v1.12/docs/concepts/security/#istio-identity">strong identity support</a>.</li>
|
||
</ul>
|
||
<p>As far as we can see, all the forbidden access is prevented, or at least is monitored and can be prevented later.
|
||
If you see other attacks that involve egress traffic or security holes in the current design, we would be happy
|
||
<a href="https://discuss.istio.io">to hear about it</a>.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Hopefully, I managed to convince you that Istio is an effective tool to prevent attacks involving egress
|
||
traffic. In <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-3/">the next part of this series</a>, I compare secure control of egress traffic in Istio with alternative
|
||
solutions such as
|
||
<a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes Network Policies</a> and legacy
|
||
egress proxies/firewalls.</p></description><pubDate>Wed, 10 Jul 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/</guid><category>traffic-management</category><category>egress</category><category>security</category><category>gateway</category><category>tls</category></item><item><title>Best Practices: Benchmarking Service Mesh Performance</title><description>
|
||
<p>Service meshes add a lot of functionality to application deployments, including <a href="/v1.12/docs/concepts/traffic-management">traffic policies</a>, <a href="/v1.12/docs/concepts/observability">observability</a>, and <a href="/v1.12/docs/concepts/security">secure communication</a>. But adding a service mesh to your environment comes at a cost, whether that&rsquo;s time (added latency) or resources (CPU cycles). To make an informed decision on whether a service mesh is right for your use case, it&rsquo;s important to evaluate how your application performs when deployed with a service mesh.</p>
|
||
<p>Earlier this year, we published a <a href="/v1.12/blog/2019/istio1.1_perf/">blog post</a> on Istio&rsquo;s performance improvements in version 1.1. Following the release of <a href="/v1.12/news/releases/1.2.x/announcing-1.2/">Istio 1.2</a>, we want to provide guidance and tools to help you benchmark Istio&rsquo;s data plane performance in a production-ready Kubernetes environment.</p>
|
||
<p>Overall, we found that Istio&rsquo;s <a href="/v1.12/docs/ops/deployment/architecture/#envoy">sidecar proxy</a> latency scales with the number of concurrent connections. At 1000 requests per second (RPS), across 16 connections, Istio adds <strong>3 milliseconds</strong> per request in the 50th percentile, and <strong>10 milliseconds</strong> in the 99th percentile.</p>
|
||
<p>In the <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark">Istio Tools repository</a>, you’ll find scripts and instructions for measuring Istio&rsquo;s data plane performance, with additional instructions on how to run the scripts with <a href="https://linkerd.io">Linkerd</a>, another service mesh implementation. <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#setup">Follow along</a> as we detail some best practices for each step of the performance test framework.</p>
|
||
<h2 id="1-use-a-production-ready-istio-installation">1. Use a production-ready Istio installation</h2>
|
||
<p>To accurately measure the performance of a service mesh at scale, it&rsquo;s important to use an <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/istio-install#istio-setup">adequately-sized</a> Kubernetes cluster. We test using three worker nodes, each with at least 4 vCPUs and 15 GB of memory.</p>
|
||
<p>Then, it&rsquo;s important to use a production-ready Istio <strong>installation profile</strong> on that cluster. This lets us achieve performance-oriented settings such as control plane pod autoscaling, and ensures that resource limits are appropriate for heavy traffic load. The <a href="https://archive.istio.io/1.4/docs/setup/install/helm/#installation-steps">default</a> Istio installation is suitable for most benchmarking use cases. For extensive performance benchmarking, with thousands of proxy-injected services, we also provide <a href="https://github.com/istio/tools/blob/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/istio-install/values.yaml">a tuned Istio install</a> that allocates extra memory and CPU to the Istio control plane.</p>
|
||
<p><svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#exclamation-mark"/></svg> Istio&rsquo;s <a href="/v1.12/docs/setup/getting-started/">demo installation</a> is not suitable for performance testing, because it is designed to be deployed on a small trial cluster, and has full tracing and access logs enabled to showcase Istio&rsquo;s features.</p>
|
||
<h2 id="2-focus-on-the-data-plane">2. Focus on the data plane</h2>
|
||
<p>Our benchmarking scripts focus on evaluating the Istio data plane: the <span class="term" data-title="Envoy" data-body="&lt;p&gt;The high-performance proxy that Istio uses to mediate inbound and outbound traffic for all &lt;a href=&#34;/docs/reference/glossary/#service&#34;&gt;services&lt;/a&gt; in the
|
||
&lt;a href=&#34;/docs/reference/glossary/#service-mesh&#34;&gt;service mesh&lt;/a&gt;. &lt;a href=&#34;https://envoyproxy.github.io/envoy/&#34;&gt;Learn more about Envoy&lt;/a&gt;.&lt;/p&gt;
|
||
">Envoy</span> proxies that mediate traffic between application containers. Why focus on the data plane? Because at scale, with lots of application containers, the data plane’s <strong>memory</strong> and <strong>CPU</strong> usage quickly eclipses that of the Istio control plane. Let&rsquo;s look at an example of how this happens:</p>
|
||
<p>Say you run 2,000 Envoy-injected pods, each handling 1,000 requests per second. Each proxy is using 50 MB of memory, and to configure all these proxies, Pilot is using 1 vCPU and 1.5 GB of memory. All together, the Istio data plane (the sum of all the Envoy proxies) is using 100 GB of memory, compared to Pilot&rsquo;s 1.5 GB.</p>
|
||
<p>It is also important to focus on data plane performance for <strong>latency</strong> reasons. This is because most application requests move through the Istio data plane, not the control plane. There are two exceptions:</p>
|
||
<ol>
|
||
<li><strong>Telemetry reporting:</strong> Each proxy sends raw telemetry data to Mixer, which Mixer processes into metrics, traces, and other telemetry. The raw telemetry data is similar to access logs, and therefore comes at a cost. Access log processing consumes CPU and keeps a worker thread from picking up the next unit of work. At higher throughput, it is more likely that the next unit of work is waiting in the queue to be picked up by the worker. This can lead to long-tail (99th percentile) latency for Envoy.</li>
|
||
<li><strong>Custom policy checks:</strong> When using <a href="/v1.12/docs/concepts/observability/">custom Istio policy adapters</a>, policy checks are on the request path. This means that request headers and metadata on the data path will be sent to the control plane (Mixer), resulting in higher request latency. <strong>Note:</strong> These policy checks are <a href="https://archive.istio.io/v1.4/docs/reference/config/installation-options/">disabled by default</a>, as the most common policy use case (<a href="https://archive.istio.io/v1.4/docs/reference/config/security/istio.rbac.v1alpha1">RBAC</a>) is performed entirely by the Envoy proxies.</li>
|
||
</ol>
|
||
<p>Both of these exceptions will go away in a future Istio release, when <a href="https://docs.google.com/document/d/1QKmtem5jU_2F3Lh5SqLp0IuPb80_70J7aJEYu4_gS-s">Mixer V2</a> moves all policy and telemetry features directly into the proxies.</p>
|
||
<p>Next, when testing Istio&rsquo;s data plane performance at scale, it&rsquo;s important to test not only at increasing requests per second, but also against an increasing number of <strong>concurrent</strong> connections. This is because real-world, high-throughput traffic comes from multiple clients. The <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#run-performance-tests">provided scripts</a> allow you to perform the same load test with any number of concurrent connections, at increasing RPS.</p>
|
||
<p>Lastly, our test environment measures requests between two pods, not many. The client pod is <a href="http://fortio.org/">Fortio</a>, which sends traffic to the server pod.</p>
|
||
<p>Why test with only two pods? Because scaling up throughput (RPS) and connections (threads) has a greater effect on Envoy&rsquo;s performance than increasing the total size of the service registry — or, the total number of pods and services in the Kubernetes cluster. When the size of the service registry grows, Envoy does have to keep track of more endpoints, and lookup time per request does increase, but by a tiny constant. If you have many services, and this constant becomes a latency concern, Istio provides a <a href="/v1.12/docs/reference/config/networking/sidecar/">Sidecar resource</a>, which allows you to limit which services each Envoy knows about.</p>
|
||
<h2 id="3-measure-with-and-without-proxies">3. Measure with and without proxies</h2>
|
||
<p>While many Istio features, such as <a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication</a>, rely on an Envoy proxy next to an application pod, you can <a href="https://archive.istio.io/1.4/docs/setup/additional-setup/sidecar-injection/#disabling-or-updating-the-webhook">selectively disable</a> sidecar proxy injection for some of your mesh services. As you scale up Istio for production, you may want to incrementally add the sidecar proxy to your workloads.</p>
|
||
<p>To that end, the test scripts provide <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark#run-performance-tests">three different modes</a>. These modes analyze Istio&rsquo;s performance when a request goes through both the client and server proxies (<code>both</code>), just the server proxy (<code>serveronly</code>), and neither proxy (<code>baseline</code>).</p>
|
||
<p>You can also disable <a href="/v1.12/docs/concepts/observability/">Mixer</a> to stop Istio&rsquo;s telemetry during the performance tests, which provides results in line with the performance we expect when the Mixer V2 work is completed. Istio also supports <a href="https://github.com/istio/istio/wiki/Envoy-native-telemetry">Envoy native telemetry</a>, which performs similarly to having Istio&rsquo;s telemetry disabled.</p>
|
||
<h2 id="istio-1-2-performance">Istio 1.2 Performance</h2>
|
||
<p>Let&rsquo;s see how to use this test environment to analyze the data plane performance of Istio 1.2. We also provide instructions to run the <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark/linkerd">same performance tests for the Linkerd data plane</a>. Currently, only latency benchmarking is supported for Linkerd.</p>
|
||
<p>For measuring Istio&rsquo;s sidecar proxy latency, we look at the 50th, 90th, and 99th percentiles for an increasing number of concurrent connections,keeping request throughput (RPS) constant.</p>
|
||
<p>We found that with 16 concurrent connections and 1000 RPS, Istio adds <strong>3ms</strong> over the baseline (P50) when a request travels through both a client and server proxy. (Subtract the pink line, <code>base</code>, from the green line, <code>both</code>.) At 64 concurrent connections, Istio adds <strong>12ms</strong> over the baseline, but with Mixer disabled (<code>nomixer_both</code>), Istio only adds <strong>7ms</strong>.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/performance-best-practices/latency_p50.png" title="Istio sidecar proxy, 50th percentile latency">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/performance-best-practices/latency_p50.png" alt="Istio sidecar proxy, 50th percentile latency" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>In the 90th percentile, with 16 concurrent connections, Istio adds <strong>6ms</strong>; with 64 connections, Istio adds <strong>20ms</strong>.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/performance-best-practices/latency_p90.png" title="Istio sidecar proxy, 90th percentile latency">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/performance-best-practices/latency_p90.png" alt="Istio sidecar proxy, 90th percentile latency" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>Finally, in the 99th percentile, with 16 connections, Istio adds <strong>10ms</strong> over the baseline. At 64 connections, Istio adds <strong>25ms</strong> with Mixer, or <strong>10ms</strong> without Mixer.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/performance-best-practices/latency_p99.png" title="Istio sidecar proxy, 99th percentile latency">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/performance-best-practices/latency_p99.png" alt="Istio sidecar proxy, 99th percentile latency" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<p>For CPU usage, we measured with an increasing request throughput (RPS), and a constant number of concurrent connections. We found that Envoy&rsquo;s maximum CPU usage at 3000 RPS, with Mixer enabled, was <strong>1.2 vCPUs</strong>. At 1000 RPS, one Envoy uses approximately half of a CPU.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/performance-best-practices/cpu_max.png" title="Istio sidecar proxy, max CPU usage">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/performance-best-practices/cpu_max.png" alt="Istio sidecar proxy, max CPU usage" />
|
||
</a>
|
||
</div>
|
||
<figcaption></figcaption>
|
||
</figure>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In the process of benchmarking Istio&rsquo;s performance, we learned several key lessons:</p>
|
||
<ul>
|
||
<li>Use an environment that mimics production.</li>
|
||
<li>Focus on data plane traffic.</li>
|
||
<li>Measure against a baseline.</li>
|
||
<li>Increase concurrent connections as well as total throughput.</li>
|
||
</ul>
|
||
<p>For a mesh with 1000 RPS across 16 connections, Istio 1.2 adds just <strong>3 milliseconds</strong> of latency over the baseline, in the 50th percentile.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Istio&rsquo;s performance depends on your specific setup and traffic load. Because of this variance, make sure your test setup accurately reflects your production workloads. To try out the benchmarking scripts, head over <a href="https://github.com/istio/tools/tree/3ac7ab40db8a0d595b71f47b8ba246763ecd6213/perf/benchmark">to the Istio Tools repository</a>.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Also check out the <a href="/v1.12/docs/ops/deployment/performance-and-scalability">Istio Performance and Scalability guide</a> for the most up-to-date performance data.</p>
|
||
<p>Thank you for reading, and happy benchmarking!</p></description><pubDate>Tue, 09 Jul 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/performance-best-practices/</link><author>Megan O'Keefe (Google), John Howard (Google), Mandar Jog (Google)</author><guid isPermaLink="true">/v1.12/blog/2019/performance-best-practices/</guid><category>performance</category><category>scalability</category><category>scale</category><category>benchmarks</category></item><item><title>Extending Istio Self-Signed Root Certificate Lifetime</title><description><p>Istio self-signed certificates have historically had a 1 year default lifetime.
|
||
If you are using Istio self-signed certificates,
|
||
you need to schedule regular root transitions before they expire.
|
||
An expiration of a root certificate may lead to an unexpected cluster-wide outage.
|
||
The issue affects new clusters created with versions up to 1.0.7 and 1.1.7.</p>
|
||
<p>See <a href="https://istio.io/v1.7/docs/ops/configuration/security/root-transition/">Extending Self-Signed Certificate Lifetime</a> for
|
||
information on how to gauge the age of your certificates and how to perform rotation.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">We strongly recommend you rotate root keys and root certificates annually as a security best practice.
|
||
We will send out instructions for root key/cert rotation soon.</div>
|
||
</aside>
|
||
</div></description><pubDate>Fri, 07 Jun 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/root-transition/</link><author>Oliver Liu</author><guid isPermaLink="true">/v1.12/blog/2019/root-transition/</guid><category>security</category><category>PKI</category><category>certificate</category><category>Citadel</category></item><item><title>Secure Control of Egress Traffic in Istio, part 1</title><description>
|
||
<p>This is part 1 in a new series about secure control of egress traffic in Istio that I am going to publish.
|
||
In this installment, I explain why you should apply egress traffic control to your cluster, the attacks
|
||
involving egress traffic you want to prevent, and the requirements for a system for egress traffic control
|
||
to do so.
|
||
Once you agree that you should control the egress traffic coming from your cluster, the following questions arise:
|
||
What is required from a system for secure control of egress traffic? Which is the best solution to fulfill
|
||
these requirements? (spoiler: Istio in my opinion)
|
||
Future installments will describe
|
||
<a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/">the implementation of the secure control of egress traffic in Istio</a>
|
||
and compare it with other solutions.</p>
|
||
<p>The most important security aspect for a service mesh is probably ingress traffic. You definitely must prevent attackers
|
||
from penetrating the cluster through ingress APIs. Having said that, securing
|
||
the traffic leaving the mesh is also very important. Once your cluster is compromised, and you must be
|
||
prepared for that scenario, you want to reduce the damage as much as possible and prevent the attackers from using the
|
||
cluster for further attacks on external services and legacy systems outside of the cluster. To achieve that goal,
|
||
you need secure control of egress traffic.</p>
|
||
<p>Compliance requirements are another reason to implement secure control of egress traffic. For example, the <a href="https://www.pcisecuritystandards.org/pci_security/">Payment Card
|
||
Industry (PCI) Data Security Standard</a> requires that inbound
|
||
and outbound traffic must be restricted to that which is necessary:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content"><em>1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.</em></div>
|
||
</aside>
|
||
</div>
|
||
<p>And specifically regarding outbound traffic:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content"><em>1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet&hellip; All traffic outbound from the cardholder data environment should be evaluated to ensure that it follows established, authorized rules. Connections should be inspected to restrict traffic to only authorized communications (for example by restricting source/destination addresses/ports, and/or blocking of content).</em></div>
|
||
</aside>
|
||
</div>
|
||
<p>Let&rsquo;s start with the attacks that involve egress traffic.</p>
|
||
<h2 id="the-attacks">The attacks</h2>
|
||
<p>An IT organization must assume it will be attacked if it hasn&rsquo;t been attacked already, and that
|
||
part of its infrastructure could already be compromised or become compromised in the future.
|
||
Once attackers are able to penetrate an application in a cluster, they can proceed to attack external services:
|
||
legacy systems, external web services and databases. The attackers may want to steal the data of the application and to
|
||
transfer it to their external servers. Attackers&rsquo; malware may require access to attackers&rsquo; servers to download
|
||
updates. The attackers may use pods in the cluster to perform DDOS attacks or to break into external systems.
|
||
Even though you <a href="https://en.wikipedia.org/wiki/There_are_known_knowns">cannot know</a> all the possible types of
|
||
attacks, you want to reduce possibilities for any attacks, both for known and unknown ones.</p>
|
||
<p>The external attackers gain access to the application’s container from outside the mesh through a
|
||
bug in the application but attackers can also be internal, for example, malicious DevOps people inside the
|
||
organization.</p>
|
||
<p>To prevent the attacks described above, some form of egress traffic control must be applied. Let me present egress
|
||
traffic control in the following section.</p>
|
||
<h2 id="the-solution-secure-control-of-egress-traffic">The solution: secure control of egress traffic</h2>
|
||
<p>Secure control of egress traffic means monitoring the egress traffic and enforcing all the security policies regarding
|
||
the egress traffic.
|
||
Monitoring the egress traffic, enables you to analyze it, possibly offline, and detect the attacks even if
|
||
you were unable to prevent them in real time.
|
||
Another good practice to reduce possibilities of attacks is to specify policies that limit access following the
|
||
<a href="https://en.wikipedia.org/wiki/Need_to_know#In_computer_technology]">Need to know</a> principle: only the applications that
|
||
need external services should be allowed to access the external services they need.</p>
|
||
<p>Let me now turn to the requirements for egress traffic control we collected.</p>
|
||
<h2 id="requirements-for-egress-traffic-control">Requirements for egress traffic control</h2>
|
||
<p>My colleagues at IBM and I collected requirements for secure control of egress traffic from several customers, and
|
||
combined them with the
|
||
<a href="https://docs.google.com/document/d/1-Cq_Y-yuyNklvdnaZF9Qngl3xe0NnArT7Xt_Wno9beg">egress traffic control requirements from Kubernetes Network Special Interest Group</a>.</p>
|
||
<p>Istio 1.1 satisfies all gathered requirements:</p>
|
||
<ol>
|
||
<li><p>Support for <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">TLS</a> with
|
||
<a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> or for <a href="/v1.12/docs/reference/glossary/#tls-origination">TLS origination</a> by Istio.</p></li>
|
||
<li><p><strong>Monitor</strong> SNI and the source workload of every egress access.</p></li>
|
||
<li><p>Define and enforce <strong>policies per cluster</strong>, e.g.:</p>
|
||
<ul>
|
||
<li><p>all applications in the cluster may access <code>service1.foo.com</code> (a specific host)</p></li>
|
||
<li><p>all applications in the cluster may access any host of the form <code>*.bar.com</code> (a wildcarded domain)</p></li>
|
||
</ul>
|
||
<p>All unspecified access must be blocked.</p></li>
|
||
<li><p>Define and enforce <strong>policies per source</strong>, <em>Kubernetes-aware</em>:</p>
|
||
<ul>
|
||
<li><p>application <code>A</code> may access <code>*.foo.com</code>.</p></li>
|
||
<li><p>application <code>B</code> may access <code>*.bar.com</code>.</p></li>
|
||
</ul>
|
||
<p>All other access must be blocked, in particular access of application <code>A</code> to <code>service1.bar.com</code>.</p></li>
|
||
<li><p><strong>Prevent tampering</strong>. In case an application pod is compromised, prevent the compromised pod from escaping
|
||
monitoring, from sending fake information to the monitoring system, and from breaking the egress policies.</p></li>
|
||
<li><p>Nice to have: traffic control is <strong>transparent</strong> to the applications.</p></li>
|
||
</ol>
|
||
<p>Let me explain each requirement in more detail. The first requirement states that only TLS traffic to the external
|
||
services must be supported.
|
||
The requirement emerged upon observation that all the traffic that leaves the cluster must be encrypted.
|
||
This means that either the applications perform TLS origination or Istio must perform TLS origination
|
||
for them.
|
||
Note that in the case an application performs TLS origination, the Istio proxies cannot see the original traffic,
|
||
only the encrypted one, so the proxies see the TLS protocol only. For the proxies it does not matter if the original
|
||
protocol is HTTP or MongoDB, all the Istio proxies can see is TLS traffic.</p>
|
||
<p>The second requirement states that SNI and the source of the traffic must be monitored. Monitoring is the first step to
|
||
prevent attacks. Even if attackers would be able to access external services from the cluster, if the access is
|
||
monitored, there is a chance to discover the suspicious traffic and take a corrective action.</p>
|
||
<p>Note that in the case of TLS originated by an application, the Istio sidecar proxies can only see TCP traffic and a
|
||
TLS handshake that includes SNI.
|
||
A label of the source pod could identify the source of the traffic but a service account of the pod or some
|
||
other source identifier could be used. We call this property of an egress control system as <em>being Kubernetes-aware</em>:
|
||
the system must understand Kubernetes artifacts like pods and service accounts. If the system is not Kubernetes-aware,
|
||
it can only monitor the IP address as the identifier of the source.</p>
|
||
<p>The third requirement states that Istio operators must be able to define policies for egress traffic for the entire
|
||
cluster.
|
||
The policies state which external services may be accessed by any pod in the cluster. The external services can be
|
||
identified either by a <a href="https://en.wikipedia.org/wiki/Fully_qualified_domain_name">Fully qualified domain name</a> of the
|
||
service, e.g. <code>www.ibm.com</code> or by a wildcarded domain, e.g. <code>*.ibm.com</code>. Only the specified external services may be
|
||
accessed, all other egress traffic is blocked.</p>
|
||
<p>This requirement originates from the need to prevent
|
||
attackers from accessing malicious sites, for example for downloading updates/instructions for their malware. You also
|
||
want to limit the number of external sites that the attackers can access and attack.
|
||
You want to allow access only to the external services that the applications in the cluster need to
|
||
access and to block access to all the other services, this way you reduce the
|
||
<a href="https://en.wikipedia.org/wiki/Attack_surface">attack surface</a>. While the external services
|
||
can have their own security mechanisms, you want to exercise <a href="https://en.wikipedia.org/wiki/Defense_in_depth_(computing)">Defense in depth</a> and to have multiple security layers: a security layer in your cluster in addition to
|
||
the security layers in the external systems.</p>
|
||
<p>This requirement means that the external services must be identifiable by domain names. We call this property
|
||
of an egress control system as <em>being DNS-aware</em>.
|
||
If the system is not DNS-aware, the external services must be specified by IP addresses.
|
||
Using IP addresses is not convenient and often is not feasible, since the IP addresses of a service can change. Sometimes
|
||
all the IP addresses of a service are not even known, for example in the case of
|
||
<a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDNs</a>.</p>
|
||
<p>The fourth requirement states that the source of the egress traffic must be added to the policies effectively extending
|
||
the third requirement.
|
||
Policies can specify which source can access which external service and the source must be identified just as in the
|
||
second requirement, for example, by a label of the source pod or by service account of the pod.
|
||
It means that policy enforcement must also be <em>Kubernetes-aware</em>.
|
||
If policy enforcement is not Kubernetes-aware, the policies must identify the source of traffic by
|
||
the IP of the pod, which is not convenient, especially since the pods can come and go so their IPs are not static.</p>
|
||
<p>The fifth requirement states that even if the cluster is compromised and the attackers control some of the pods, they
|
||
must not be able to cheat the monitoring or to violate policies of the egress control system. We say that such a
|
||
system provides <em>secure</em> control of egress traffic.</p>
|
||
<p>The sixth requirement states that the traffic control should be provided without changing the application containers, in
|
||
particular without changing the code of the applications and without changing the environment of the containers.
|
||
We call such a control of egress traffic <em>transparent</em>.</p>
|
||
<p>In the next posts I will show that Istio can function as an example of an egress traffic control system that satisfies
|
||
all of these requirements, in particular it is transparent, DNS-aware, and Kubernetes-aware.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>I hope that you are convinced that controlling egress traffic is important for the security of your cluster. In <a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-2/">the
|
||
part 2 of this series</a> I describe the Istio way to perform secure
|
||
control of egress traffic. In
|
||
<a href="/v1.12/blog/2019/egress-traffic-control-in-istio-part-3/">the
|
||
part 3 of this series</a> I compare it with alternative solutions such as
|
||
<a href="https://kubernetes.io/docs/concepts/services-networking/network-policies/">Kubernetes Network Policies</a> and legacy
|
||
egress proxies/firewalls.</p></description><pubDate>Wed, 22 May 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/egress-traffic-control-in-istio-part-1/</link><author>Vadim Eisenberg (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/egress-traffic-control-in-istio-part-1/</guid><category>traffic-management</category><category>egress</category><category>security</category></item><item><title>Architecting Istio 1.1 for Performance</title><description>
|
||
<p>Hyper-scale, microservice-based cloud environments have been exciting to build but challenging to manage. Along came Kubernetes (container orchestration) in 2014, followed by Istio (container service management) in 2017. Both open-source projects enable developers to scale container-based applications without spending too much time on administration tasks.</p>
|
||
<p>Now, new enhancements in Istio 1.1 deliver scale-up with improved application performance and service management efficiency.
|
||
Simulations using our sample commercial airline reservation application show the following improvements, compared to Istio 1.0.</p>
|
||
<p>We&rsquo;ve seen substantial application performance gains:</p>
|
||
<ul>
|
||
<li>up to 30% reduction in application average latency</li>
|
||
<li>up to 40% faster service startup times in a large mesh</li>
|
||
</ul>
|
||
<p>As well as impressive improvements in service management efficiency:</p>
|
||
<ul>
|
||
<li>up to 90% reduction in Pilot CPU usage in a large mesh</li>
|
||
<li>up to 50% reduction in Pilot memory usage in a large mesh</li>
|
||
</ul>
|
||
<p>With Istio 1.1, organizations can be more confident in their ability to scale applications with consistency and control &ndash; even in hyper-scale cloud environments.</p>
|
||
<p>Congratulations to the Istio experts around the world who contributed to this release. We could not be more pleased with these results.</p>
|
||
<h2 id="istio-1-1-performance-enhancements">Istio 1.1 performance enhancements</h2>
|
||
<p>As members of the Istio Performance and Scalability workgroup, we have done extensive performance evaluations. We introduced many performance design features for Istio 1.1, in collaboration with other Istio contributors.
|
||
Some of the most visible performance enhancements in 1.1 include:</p>
|
||
<ul>
|
||
<li>Significant reduction in default collection of Envoy-generated statistics</li>
|
||
<li>Added load-shedding functionality to Mixer workloads</li>
|
||
<li>Improved the protocol between Envoy and Mixer</li>
|
||
<li>Namespace isolation, to reduce operational overhead</li>
|
||
<li>Configurable concurrent worker threads, which can improve overall throughput</li>
|
||
<li>Configurable filters that limit telemetry data</li>
|
||
<li>Removal of synchronization bottlenecks</li>
|
||
</ul>
|
||
<h2 id="continuous-code-quality-and-performance-verification">Continuous code quality and performance verification</h2>
|
||
<p>Regression Patrol drives continuous improvement in Istio performance and quality. Behind the scenes, the Regression Patrol helps Istio developers to identify and fix code issues. Daily builds are checked using a customer-centric benchmark, <a href="https://github.com/blueperf/">BluePerf</a>. The results are published to the <a href="https://ibmcloud-perf.istio.io/regpatrol/">Istio community web portal</a>. Various application configurations are evaluated to help provide insights on Istio component performance.</p>
|
||
<p>Another tool that is used to evaluate the performance of Istio’s builds is <a href="https://fortio.org/">Fortio</a>, which provides a synthetic end to end load testing benchmark.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Istio 1.1 was designed for performance and scalability. The Istio Performance and Scalability workgroup measured significant performance improvements over 1.0.
|
||
Istio 1.1 introduces new features and optimizations to help harden the service mesh for enterprise microservice workloads. The Istio 1.1 Performance and Tuning Guide documents performance simulations, provides sizing and capacity planning guidance, and includes best practices for tuning custom use cases.</p>
|
||
<h2 id="useful-links">Useful links</h2>
|
||
<ul>
|
||
<li><a href="https://www.youtube.com/watch?time_continue=349&amp;v=G4F5aRFEXnU">Istio Service Mesh Performance (34:30)</a>, by Surya Duggirala, Laurent Demailly and Fawad Khaliq at KubeCon Europe 2018</li>
|
||
<li><a href="https://discuss.istio.io/c/performance-and-scalability">Istio Performance and Scalability discussion forum</a></li>
|
||
</ul>
|
||
<h2 id="disclaimer">Disclaimer</h2>
|
||
<p>The performance data contained herein was obtained in a controlled, isolated environment. Actual results that may be obtained in other operating environments may vary significantly. There is no guarantee that the same or similar results will be obtained elsewhere.</p></description><pubDate>Tue, 19 Mar 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/istio1.1_perf/</link><author>Surya V Duggirala (IBM), Mandar Jog (Google), Jose Nativio (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/istio1.1_perf/</guid><category>performance</category><category>scalability</category><category>scale</category><category>benchmarks</category></item><item><title>Version Routing in a Multicluster Service Mesh</title><description>
|
||
<p>If you&rsquo;ve spent any time looking at Istio, you&rsquo;ve probably noticed that it includes a lot of features that
|
||
can be demonstrated with simple <a href="/v1.12/docs/tasks/">tasks</a> and <a href="/v1.12/docs/examples/">examples</a>
|
||
running on a single Kubernetes cluster.
|
||
Because most, if not all, real-world cloud and microservices-based applications are not that simple
|
||
and will need to have the services distributed and running in more than one location, you may be
|
||
wondering if all these things will be just as simple in your real production environment.</p>
|
||
<p>Fortunately, Istio provides several ways to configure a service mesh so that applications
|
||
can, more-or-less transparently, be part of a mesh where the services are running
|
||
in more than one cluster, i.e., in a
|
||
<a href="/v1.12/docs/ops/deployment/deployment-models/#multiple-clusters">multicluster deployment</a>.
|
||
The simplest way to set up a multicluster mesh, because it has no special networking requirements,
|
||
is using a replicated
|
||
<a href="/v1.12/docs/ops/deployment/deployment-models/#control-plane-models">control plane model</a>.
|
||
In this configuration, each Kubernetes cluster contributing to the mesh has its own control plane,
|
||
but each control plane is synchronized and running under a single administrative control.</p>
|
||
<p>In this article we&rsquo;ll look at how one of the features of Istio,
|
||
<a href="/v1.12/docs/concepts/traffic-management/">traffic management</a>, works in a multicluster mesh with
|
||
a dedicated control plane topology.
|
||
We&rsquo;ll show how to configure Istio route rules to call remote services in a multicluster service mesh
|
||
by deploying the <a href="https://github.com/istio/istio/tree/release-1.12/samples/bookinfo">Bookinfo sample</a> with version <code>v1</code> of the <code>reviews</code> service
|
||
running in one cluster, versions <code>v2</code> and <code>v3</code> running in a second cluster.</p>
|
||
<h2 id="set-up-clusters">Set up clusters</h2>
|
||
<p>To start, you&rsquo;ll need two Kubernetes clusters, both running a slightly customized configuration of Istio.</p>
|
||
<ul>
|
||
<li><p>Set up a multicluster environment with two Istio clusters by following the
|
||
<a href="/v1.12/docs/setup/install/multicluster">replicated control planes</a> instructions.</p></li>
|
||
<li><p>The <code>kubectl</code> command is used to access both clusters with the <code>--context</code> flag.
|
||
Use the following command to list your contexts:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl config get-contexts
|
||
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
|
||
* cluster1 cluster1 user@foo.com default
|
||
cluster2 cluster2 user@foo.com default
|
||
</code></pre></li>
|
||
<li><p>Export the following environment variables with the context names of your configuration:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export CTX_CLUSTER1=&lt;cluster1 context name&gt;
|
||
$ export CTX_CLUSTER2=&lt;cluster2 context name&gt;
|
||
</code></pre></li>
|
||
</ul>
|
||
<h2 id="deploy-version-v1-of-the-bookinfo-application-in-cluster1">Deploy version v1 of the <code>bookinfo</code> application in <code>cluster1</code></h2>
|
||
<p>Run the <code>productpage</code> and <code>details</code> services and version <code>v1</code> of the <code>reviews</code> service in <code>cluster1</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label --context=$CTX_CLUSTER1 namespace default istio-injection=enabled
|
||
$ kubectl apply --context=$CTX_CLUSTER1 -f - &lt;&lt;EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: productpage
|
||
labels:
|
||
app: productpage
|
||
spec:
|
||
ports:
|
||
- port: 9080
|
||
name: http
|
||
selector:
|
||
app: productpage
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: productpage-v1
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: productpage
|
||
version: v1
|
||
spec:
|
||
containers:
|
||
- name: productpage
|
||
image: istio/examples-bookinfo-productpage-v1:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
---
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: details
|
||
labels:
|
||
app: details
|
||
spec:
|
||
ports:
|
||
- port: 9080
|
||
name: http
|
||
selector:
|
||
app: details
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: details-v1
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: details
|
||
version: v1
|
||
spec:
|
||
containers:
|
||
- name: details
|
||
image: istio/examples-bookinfo-details-v1:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
---
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: reviews
|
||
labels:
|
||
app: reviews
|
||
spec:
|
||
ports:
|
||
- port: 9080
|
||
name: http
|
||
selector:
|
||
app: reviews
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: reviews-v1
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: reviews
|
||
version: v1
|
||
spec:
|
||
containers:
|
||
- name: reviews
|
||
image: istio/examples-bookinfo-reviews-v1:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
EOF
|
||
</code></pre>
|
||
<h2 id="deploy-bookinfo-v2-and-v3-services-in-cluster2">Deploy <code>bookinfo</code> v2 and v3 services in <code>cluster2</code></h2>
|
||
<p>Run the <code>ratings</code> service and version <code>v2</code> and <code>v3</code> of the <code>reviews</code> service in <code>cluster2</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl label --context=$CTX_CLUSTER2 namespace default istio-injection=enabled
|
||
$ kubectl apply --context=$CTX_CLUSTER2 -f - &lt;&lt;EOF
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: ratings
|
||
labels:
|
||
app: ratings
|
||
spec:
|
||
ports:
|
||
- port: 9080
|
||
name: http
|
||
selector:
|
||
app: ratings
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: ratings-v1
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: ratings
|
||
version: v1
|
||
spec:
|
||
containers:
|
||
- name: ratings
|
||
image: istio/examples-bookinfo-ratings-v1:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
---
|
||
apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: reviews
|
||
labels:
|
||
app: reviews
|
||
spec:
|
||
ports:
|
||
- port: 9080
|
||
name: http
|
||
selector:
|
||
app: reviews
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: reviews-v2
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: reviews
|
||
version: v2
|
||
spec:
|
||
containers:
|
||
- name: reviews
|
||
image: istio/examples-bookinfo-reviews-v2:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
---
|
||
apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: reviews-v3
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: reviews
|
||
version: v3
|
||
spec:
|
||
containers:
|
||
- name: reviews
|
||
image: istio/examples-bookinfo-reviews-v3:1.10.0
|
||
imagePullPolicy: IfNotPresent
|
||
ports:
|
||
- containerPort: 9080
|
||
EOF
|
||
</code></pre>
|
||
<h2 id="access-the-bookinfo-application">Access the <code>bookinfo</code> application</h2>
|
||
<p>Just like any application, we&rsquo;ll use an Istio gateway to access the <code>bookinfo</code> application.</p>
|
||
<ul>
|
||
<li><p>Create the <code>bookinfo</code> gateway in <code>cluster1</code>:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/bookinfo-gateway.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f @samples/bookinfo/networking/bookinfo-gateway.yaml@
|
||
</code></pre></div></li>
|
||
<li><p>Follow the <a href="/v1.12/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">Bookinfo sample instructions</a>
|
||
to determine the ingress IP and port and then point your browser to <code>http://$GATEWAY_URL/productpage</code>.</p></li>
|
||
</ul>
|
||
<p>You should see the <code>productpage</code> with reviews, but without ratings, because only <code>v1</code> of the <code>reviews</code> service
|
||
is running on <code>cluster1</code> and we have not yet configured access to <code>cluster2</code>.</p>
|
||
<h2 id="create-a-service-entry-and-destination-rule-on-cluster1-for-the-remote-reviews-service">Create a service entry and destination rule on <code>cluster1</code> for the remote reviews service</h2>
|
||
<p>As described in the <a href="https://istio.io/v1.6/docs/docs/setup/install/multicluster/gateways/#setup-dns">setup instructions</a>,
|
||
remote services are accessed with a <code>.global</code> DNS name. In our case, it&rsquo;s <code>reviews.default.global</code>,
|
||
so we need to create a service entry and destination rule for that host.
|
||
The service entry will use the <code>cluster2</code> gateway as the endpoint address to access the service.
|
||
You can use the gateway&rsquo;s DNS name, if it has one, or its public IP, like this:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export CLUSTER2_GW_ADDR=$(kubectl get --context=$CTX_CLUSTER2 svc --selector=app=istio-ingressgateway \
|
||
-n istio-system -o jsonpath=&#34;{.items[0].status.loadBalancer.ingress[0].ip}&#34;)
|
||
</code></pre>
|
||
<p>Now create the service entry and destination rule using the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: reviews-default
|
||
spec:
|
||
hosts:
|
||
- reviews.default.global
|
||
location: MESH_INTERNAL
|
||
ports:
|
||
- name: http1
|
||
number: 9080
|
||
protocol: http
|
||
resolution: DNS
|
||
addresses:
|
||
- 240.0.0.3
|
||
endpoints:
|
||
- address: ${CLUSTER2_GW_ADDR}
|
||
labels:
|
||
cluster: cluster2
|
||
ports:
|
||
http1: 15443 # Do not change this port value
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: reviews-global
|
||
spec:
|
||
host: reviews.default.global
|
||
trafficPolicy:
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
subsets:
|
||
- name: v2
|
||
labels:
|
||
cluster: cluster2
|
||
- name: v3
|
||
labels:
|
||
cluster: cluster2
|
||
EOF
|
||
</code></pre>
|
||
<p>The address <code>240.0.0.3</code> of the service entry can be any arbitrary unallocated IP.
|
||
Using an IP from the class E addresses range 240.0.0.0/4 is a good choice.
|
||
Check out the
|
||
<a href="/v1.12/docs/setup/install/multicluster">gateway-connected multicluster example</a>
|
||
for more details.</p>
|
||
<p>Note that the labels of the subsets in the destination rule map to the service entry
|
||
endpoint label (<code>cluster: cluster2</code>) corresponding to the <code>cluster2</code> gateway.
|
||
Once the request reaches the destination cluster, a local destination rule will be used
|
||
to identify the actual pod labels (<code>version: v1</code> or <code>version: v2</code>) corresponding to the
|
||
requested subset.</p>
|
||
<h2 id="create-a-destination-rule-on-both-clusters-for-the-local-reviews-service">Create a destination rule on both clusters for the local reviews service</h2>
|
||
<p>Technically, we only need to define the subsets of the local service that are being used
|
||
in each cluster (i.e., <code>v1</code> in <code>cluster1</code>, <code>v2</code> and <code>v3</code> in <code>cluster2</code>), but for simplicity we&rsquo;ll
|
||
just define all three subsets in both clusters, since there&rsquo;s nothing wrong with defining subsets
|
||
for versions that are not actually deployed.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
host: reviews.default.svc.cluster.local
|
||
trafficPolicy:
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
- name: v3
|
||
labels:
|
||
version: v3
|
||
EOF
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER2 -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
host: reviews.default.svc.cluster.local
|
||
trafficPolicy:
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
- name: v3
|
||
labels:
|
||
version: v3
|
||
EOF
|
||
</code></pre>
|
||
<h2 id="create-a-virtual-service-to-route-reviews-service-traffic">Create a virtual service to route reviews service traffic</h2>
|
||
<p>At this point, all calls to the <code>reviews</code> service will go to the local <code>reviews</code> pods (<code>v1</code>) because
|
||
if you look at the source code you will see that the <code>productpage</code> implementation is simply making
|
||
requests to <code>http://reviews:9080</code> (which expands to host <code>reviews.default.svc.cluster.local</code>), the
|
||
local version of the service.
|
||
The corresponding remote service is named <code>reviews.default.global</code>, so route rules are needed to
|
||
redirect requests to the global host.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Note that if all of the versions of the <code>reviews</code> service were remote, so there is no local <code>reviews</code>
|
||
service defined, the DNS would resolve <code>reviews</code> directly to <code>reviews.default.global</code>. In that case
|
||
we could call the remote <code>reviews</code> service without any route rules.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Apply the following virtual service to direct traffic for user <code>jason</code> to <code>reviews</code> versions <code>v2</code> and <code>v3</code> (<sup>50</sup>&frasl;<sub>50</sub>)
|
||
which are running on <code>cluster2</code>. Traffic for any other user will go to <code>reviews</code> version <code>v1</code>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply --context=$CTX_CLUSTER1 -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
hosts:
|
||
- reviews.default.svc.cluster.local
|
||
http:
|
||
- match:
|
||
- headers:
|
||
end-user:
|
||
exact: jason
|
||
route:
|
||
- destination:
|
||
host: reviews.default.global
|
||
subset: v2
|
||
weight: 50
|
||
- destination:
|
||
host: reviews.default.global
|
||
subset: v3
|
||
weight: 50
|
||
- route:
|
||
- destination:
|
||
host: reviews.default.svc.cluster.local
|
||
subset: v1
|
||
EOF
|
||
</code></pre>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This <sup>50</sup>&frasl;<sub>50</sub> rule isn&rsquo;t a particularly realistic example. It&rsquo;s just a convenient way to demonstrate
|
||
accessing multiple subsets of a remote service.</div>
|
||
</aside>
|
||
</div>
|
||
<p>Return to your browser and login as user <code>jason</code>. If you refresh the page several times, you should see
|
||
the display alternating between black and red ratings stars (<code>v2</code> and <code>v3</code>). If you logout, you will
|
||
only see reviews without ratings (<code>v1</code>).</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In this article, we&rsquo;ve seen how to use Istio route rules to distribute the versions of a service
|
||
across clusters in a multicluster service mesh with a replicated control plane model.
|
||
In this example, we manually configured the <code>.global</code> service entry and destination rules needed to provide
|
||
connectivity to one remote service, <code>reviews</code>. In general, however, if we wanted to enable any service
|
||
to run either locally or remotely, we would need to create <code>.global</code> resources for every service.
|
||
Fortunately, this process could be automated and likely will be in a future Istio release.</p></description><pubDate>Thu, 07 Feb 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/multicluster-version-routing/</link><author>Frank Budinsky (IBM)</author><guid isPermaLink="true">/v1.12/blog/2019/multicluster-version-routing/</guid><category>traffic-management</category><category>multicluster</category></item><item><title>Sail the Blog!</title><description><p>Welcome to the Istio blog!</p>
|
||
<p>To make it easier to publish your content on our website, we
|
||
<a href="/v1.12/docs/releases/contribute/add-content/#content-types">updated the content types guide</a>.</p>
|
||
<p>The goal of the updated guide is to make sharing and finding content easier.</p>
|
||
<p>We want to make sharing timely information on Istio easy and the <a href="/v1.12/blog">Istio blog</a>
|
||
is a good place to start.</p>
|
||
<p>We welcome your posts to the blog if you think your content falls in one of the
|
||
following four categories:</p>
|
||
<ul>
|
||
<li>Your post details your experience using and configuring Istio. Ideally, your
|
||
post shares a novel experience or perspective.</li>
|
||
<li>Your post highlights Istio features.</li>
|
||
<li>Your post details how to accomplish a task or fulfill a specific use case
|
||
using Istio.</li>
|
||
</ul>
|
||
<p>Posting your blog is only <a href="/v1.12/docs/releases/contribute/github/">one PR away</a>
|
||
and, if you wish, you can <a href="/v1.12/docs/releases/contribute/review">request a review</a>.</p>
|
||
<p>We look forward to reading about your Istio experience on the blog soon!</p></description><pubDate>Tue, 05 Feb 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/sail-the-blog/</link><author>Rigs Caballero, Google</author><guid isPermaLink="true">/v1.12/blog/2019/sail-the-blog/</guid><category>community</category><category>blog</category><category>contribution</category><category>guide</category><category>guideline</category><category>event</category></item><item><title>Egress Gateway Performance Investigation</title><description>
|
||
<p>The main objective of this investigation was to determine the impact on performance and resource utilization when an egress gateway is added in the service mesh to access an external service (MongoDB, in this case). The steps to configure an egress gateway for an external MongoDB are described in the blog <a href="/v1.12/blog/2018/egress-mongo/">Consuming External MongoDB Services</a>.</p>
|
||
<p>The application used for this investigation was the Java version of Acmeair, which simulates an airline reservation system. This application is used in the Performance Regression Patrol of Istio daily builds, but on that setup the microservices have been accessing the external MongoDB directly via their sidecars, without an egress gateway.</p>
|
||
<p>The diagram below illustrates how regression patrol currently runs with Acmeair and Istio:</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:62.69230769230769%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/acmeair_regpatrol3.png" title="Acmeair benchmark in the Istio performance regression patrol environment">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/acmeair_regpatrol3.png" alt="Acmeair benchmark in the Istio performance regression patrol environment" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Acmeair benchmark in the Istio performance regression patrol environment</figcaption>
|
||
</figure>
|
||
<p>Another difference is that the application communicates with the external DB with plain MongoDB protocol. The first change made for this study was to establish a TLS communication between the MongoDB and its clients running within the application, as this is a more realistic scenario.</p>
|
||
<p>Several cases for accessing the external database from the mesh were tested and described next.</p>
|
||
<h2 id="egress-traffic-cases">Egress traffic cases</h2>
|
||
<h3 id="case-1-bypassing-the-sidecar">Case 1: Bypassing the sidecar</h3>
|
||
<p>In this case, the sidecar does not intercept the communication between the application and the external DB. This is accomplished by setting the init container argument -x with the CIDR of the MongoDB, which makes the sidecar ignore messages to/from this IP address. For example:</p>
|
||
<pre><code> - -x
|
||
- &#34;169.47.232.211/32&#34;</code></pre>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:76.45536869340232%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/case1_sidecar_bypass3.png" title="Traffic to external MongoDB by-passing the sidecar">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/case1_sidecar_bypass3.png" alt="Traffic to external MongoDB by-passing the sidecar" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Traffic to external MongoDB by-passing the sidecar</figcaption>
|
||
</figure>
|
||
<h3 id="case-2-through-the-sidecar-with-service-entry">Case 2: Through the sidecar, with service entry</h3>
|
||
<p>This is the default configuration when the sidecar is injected into the application pod. All messages are intercepted by the sidecar and routed to the destination according to the configured rules, including the communication with external services. The MongoDB was defined as a <code>ServiceEntry</code>.</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:74.41253263707573%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/case2_sidecar_passthru3.png" title="Sidecar intercepting traffic to external MongoDB">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/case2_sidecar_passthru3.png" alt="Sidecar intercepting traffic to external MongoDB" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Sidecar intercepting traffic to external MongoDB</figcaption>
|
||
</figure>
|
||
<h3 id="case-3-egress-gateway">Case 3: Egress gateway</h3>
|
||
<p>The egress gateway and corresponding destination rule and virtual service resources are defined for accessing MongoDB. All traffic to and from the external DB goes through the egress gateway (envoy).</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:62.309368191721134%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/case3_egressgw3.png" title="Introduction of the egress gateway to access MongoDB">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/case3_egressgw3.png" alt="Introduction of the egress gateway to access MongoDB" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Introduction of the egress gateway to access MongoDB</figcaption>
|
||
</figure>
|
||
<h3 id="case-4-mutual-tls-between-sidecars-and-the-egress-gateway">Case 4: Mutual TLS between sidecars and the egress gateway</h3>
|
||
<p>In this case, there is an extra layer of security between the sidecars and the gateway, so some impact in performance is expected.</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:63.968957871396896%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/case4_egressgw_mtls3.png" title="Enabling mutual TLS between sidecars and the egress gateway">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/case4_egressgw_mtls3.png" alt="Enabling mutual TLS between sidecars and the egress gateway" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Enabling mutual TLS between sidecars and the egress gateway</figcaption>
|
||
</figure>
|
||
<h3 id="case-5-egress-gateway-with-sni-proxy">Case 5: Egress gateway with SNI proxy</h3>
|
||
<p>This scenario is used to evaluate the case where another proxy is required to access wildcarded domains. This may be required due current limitations of envoy. An nginx proxy was created as sidecar in the egress gateway pod.</p>
|
||
<figure style="width:70%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.2762119503946%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/case5_egressgw_sni_proxy3.png" title="Egress gateway with additional SNI Proxy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/case5_egressgw_sni_proxy3.png" alt="Egress gateway with additional SNI Proxy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Egress gateway with additional SNI Proxy</figcaption>
|
||
</figure>
|
||
<h2 id="environment">Environment</h2>
|
||
<ul>
|
||
<li>Istio version: 1.0.2</li>
|
||
<li><code>K8s</code> version: <code>1.10.5_1517</code></li>
|
||
<li>Acmeair App: 4 services (1 replica of each), inter-services transactions, external Mongo DB, avg payload: 620 bytes.</li>
|
||
</ul>
|
||
<h2 id="results">Results</h2>
|
||
<p><code>Jmeter</code> was used to generate the workload which consisted in a sequence of 5-minute runs, each one using a growing number of clients making http requests. The number of clients used were 1, 5, 10, 20, 30, 40, 50 and 60.</p>
|
||
<h3 id="throughput">Throughput</h3>
|
||
<p>The chart below shows the throughput obtained for the different cases:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.29638854296388%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/throughput3.png" title="Throughput obtained for the different cases">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/throughput3.png" alt="Throughput obtained for the different cases" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Throughput obtained for the different cases</figcaption>
|
||
</figure>
|
||
<p>As you can see, there is no major impact in having sidecars and the egress gateway between the application and the external MongoDB, but enabling mutual TLS and then adding the SNI proxy caused a degradation in the throughput of about 10% and 24%, respectively.</p>
|
||
<h3 id="response-time">Response time</h3>
|
||
<p>The average response times for the different requests were collected when traffic was being driven with 20 clients. The chart below shows the average, median, 90%, 95% and 99% average values for each case:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:48.76783398184176%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/response_times3.png" title="Response times obtained for the different configurations">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/response_times3.png" alt="Response times obtained for the different configurations" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Response times obtained for the different configurations</figcaption>
|
||
</figure>
|
||
<p>Likewise, not much difference in the response times for the 3 first cases, but mutual TLS and the extra proxy adds noticeable latency.</p>
|
||
<h3 id="cpu-utilization">CPU utilization</h3>
|
||
<p>The CPU usage was collected for all Istio components as well as for the sidecars during the runs. For a fair comparison, CPU used by Istio was normalized by the throughput obtained for a given run. The results are shown in the following graph:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:53.96174863387978%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/egress-performance/cpu_usage3.png" title="CPU usage normalized by TPS">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/egress-performance/cpu_usage3.png" alt="CPU usage normalized by TPS" />
|
||
</a>
|
||
</div>
|
||
<figcaption>CPU usage normalized by TPS</figcaption>
|
||
</figure>
|
||
<p>In terms of CPU consumption per transaction, Istio has used significantly more CPU only in the egress gateway + SNI proxy case.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>In this investigation, we tried different options to access an external TLS-enabled MongoDB to compare their performance. The introduction of the Egress Gateway did not have a significant impact on the performance nor meaningful additional CPU consumption. Only when enabling mutual TLS between sidecars and egress gateway or using an additional SNI proxy for wildcarded domains we could observe some degradation.</p></description><pubDate>Thu, 31 Jan 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/egress-performance/</link><author>Jose Nativio, IBM</author><guid isPermaLink="true">/v1.12/blog/2019/egress-performance/</guid><category>performance</category><category>traffic-management</category><category>egress</category><category>mongo</category></item><item><title>Demystifying Istio's Sidecar Injection Model</title><description>
|
||
<p>A simple overview of an Istio service-mesh architecture always starts with describing the control-plane and data-plane.</p>
|
||
<p><a href="/v1.12/docs/ops/deployment/architecture/">From Istio’s documentation</a>:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content"><p>An Istio service mesh is logically split into a data plane and a control plane.</p>
|
||
<p>The data plane is composed of a set of intelligent proxies (Envoy) deployed as sidecars. These proxies mediate and control all network communication between microservices along with Mixer, a general-purpose policy and telemetry hub.</p>
|
||
<p>The control plane manages and configures the proxies to route traffic. Additionally, the control plane configures Mixers to enforce policies and collect telemetry.</p>
|
||
</div>
|
||
</aside>
|
||
</div>
|
||
<figure style="width:40%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:80%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2019/data-plane-setup/arch-2.svg" title="Istio Architecture">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2019/data-plane-setup/arch-2.svg" alt="The overall architecture of an Istio-based application." />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Architecture</figcaption>
|
||
</figure>
|
||
<p>It is important to understand that the sidecar injection into the application pods happens automatically, though manual injection is also possible. Traffic is directed from the application services to and from these sidecars without developers needing to worry about it. Once the applications are connected to the Istio service mesh, developers can start using and reaping the benefits of all that the service mesh has to offer. However, how does the data plane plumbing happen and what is really required to make it work seamlessly? In this post, we will deep-dive into the specifics of the sidecar injection models to gain a very clear understanding of how sidecar injection works.</p>
|
||
<h2 id="sidecar-injection">Sidecar injection</h2>
|
||
<p>In simple terms, sidecar injection is adding the configuration of additional containers to the pod template. The added containers needed for the Istio service mesh are:</p>
|
||
<p><code>istio-init</code>
|
||
This <a href="https://kubernetes.io/docs/concepts/workloads/pods/init-containers/">init container</a> is used to setup the <code>iptables</code> rules so that inbound/outbound traffic will go through the sidecar proxy. An init container is different than an app container in following ways:</p>
|
||
<ul>
|
||
<li>It runs before an app container is started and it always runs to completion.</li>
|
||
<li>If there are many init containers, each should complete with success before the next container is started.</li>
|
||
</ul>
|
||
<p>So, you can see how this type of container is perfect for a set-up or initialization job which does not need to be a part of the actual application container. In this case, <code>istio-init</code> does just that and sets up the <code>iptables</code> rules.</p>
|
||
<p><code>istio-proxy</code>
|
||
This is the actual sidecar proxy (based on Envoy).</p>
|
||
<h3 id="manual-injection">Manual injection</h3>
|
||
<p>In the manual injection method, you can use <a href="/v1.12/docs/reference/commands/istioctl"><code>istioctl</code></a> to modify the pod template and add the configuration of the two containers previously mentioned. For both manual as well as automatic injection, Istio takes the configuration from the <code>istio-sidecar-injector</code> configuration map (configmap) and the mesh&rsquo;s <code>istio</code> configmap.</p>
|
||
<p>Let’s look at the configuration of the <code>istio-sidecar-injector</code> configmap, to get an idea of what actually is going on.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39;
|
||
SNIPPET from the output:
|
||
policy: enabled
|
||
template: |-
|
||
initContainers:
|
||
- name: istio-init
|
||
image: docker.io/istio/proxy_init:1.0.2
|
||
args:
|
||
- &#34;-p&#34;
|
||
- [[ .MeshConfig.ProxyListenPort ]]
|
||
- &#34;-u&#34;
|
||
- 1337
|
||
.....
|
||
imagePullPolicy: IfNotPresent
|
||
securityContext:
|
||
capabilities:
|
||
add:
|
||
- NET_ADMIN
|
||
restartPolicy: Always
|
||
containers:
|
||
- name: istio-proxy
|
||
image: [[ if (isset .ObjectMeta.Annotations &#34;sidecar.istio.io/proxyImage&#34;) -]]
|
||
&#34;[[ index .ObjectMeta.Annotations &#34;sidecar.istio.io/proxyImage&#34; ]]&#34;
|
||
[[ else -]]
|
||
docker.io/istio/proxyv2:1.0.2
|
||
[[ end -]]
|
||
args:
|
||
- proxy
|
||
- sidecar
|
||
.....
|
||
env:
|
||
.....
|
||
- name: ISTIO_META_INTERCEPTION_MODE
|
||
value: [[ or (index .ObjectMeta.Annotations &#34;sidecar.istio.io/interceptionMode&#34;) .ProxyConfig.InterceptionMode.String ]]
|
||
imagePullPolicy: IfNotPresent
|
||
securityContext:
|
||
readOnlyRootFilesystem: true
|
||
[[ if eq (or (index .ObjectMeta.Annotations &#34;sidecar.istio.io/interceptionMode&#34;) .ProxyConfig.InterceptionMode.String) &#34;TPROXY&#34; -]]
|
||
capabilities:
|
||
add:
|
||
- NET_ADMIN
|
||
restartPolicy: Always
|
||
.....
|
||
</code></pre>
|
||
<p>As you can see, the configmap contains the configuration for both, the <code>istio-init</code> init container and the <code>istio-proxy</code> proxy container. The configuration includes the name of the container image and arguments like interception mode, capabilities, etc.</p>
|
||
<p>From a security point of view, it is important to note that <code>istio-init</code> requires <code>NET_ADMIN</code> capabilities to modify <code>iptables</code> within the pod&rsquo;s namespace and so does <code>istio-proxy</code> if configured in <code>TPROXY</code> mode. As this is restricted to a pod&rsquo;s namespace, there should be no problem. However, I have noticed that recent open-shift versions may have some issues with it and a workaround is needed. One such option is mentioned at the end of this post.</p>
|
||
<p>To modify the current pod template for sidecar injection, you can:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl kube-inject -f demo-red.yaml | kubectl apply -f -
|
||
</code></pre>
|
||
<p>OR</p>
|
||
<p>To use modified configmaps or local configmaps:</p>
|
||
<ul>
|
||
<li><p>Create <code>inject-config.yaml</code> and <code>mesh-config.yaml</code> from the configmaps</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39; &gt; inject-config.yaml
|
||
$ kubectl -n istio-system get configmap istio -o=jsonpath=&#39;{.data.mesh}&#39; &gt; mesh-config.yaml
|
||
</code></pre></li>
|
||
<li><p>Modify the existing pod template, in my case, <code>demo-red.yaml</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ istioctl kube-inject --injectConfigFile inject-config.yaml --meshConfigFile mesh-config.yaml --filename demo-red.yaml --output demo-red-injected.yaml
|
||
</code></pre></li>
|
||
<li><p>Apply the <code>demo-red-injected.yaml</code></p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f demo-red-injected.yaml
|
||
</code></pre></li>
|
||
</ul>
|
||
<p>As seen above, we create a new template using the <code>sidecar-injector</code> and the mesh configuration to then apply that new template using <code>kubectl</code>. If we look at the injected YAML file, it has the configuration of the Istio-specific containers, as we discussed above. Once we apply the injected YAML file, we see two containers running. One of them is the actual application container, and the other is the <code>istio-proxy</code> sidecar.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep demo-red
|
||
demo-red-pod-8b5df99cc-pgnl7 2/2 Running 0 3d
|
||
</code></pre>
|
||
<p>The count is not 3 because the <code>istio-init</code> container is an init type container that exits after doing what it supposed to do, which is setting up the <code>iptable</code> rules within the pod. To confirm the init container exit, let’s look at the output of <code>kubectl describe</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl describe pod demo-red-pod-8b5df99cc-pgnl7
|
||
SNIPPET from the output:
|
||
Name: demo-red-pod-8b5df99cc-pgnl7
|
||
Namespace: default
|
||
.....
|
||
Labels: app=demo-red
|
||
pod-template-hash=8b5df99cc
|
||
version=version-red
|
||
Annotations: sidecar.istio.io/status={&#34;version&#34;:&#34;3c0b8d11844e85232bc77ad85365487638ee3134c91edda28def191c086dc23e&#34;,&#34;initContainers&#34;:[&#34;istio-init&#34;],&#34;containers&#34;:[&#34;istio-proxy&#34;],&#34;volumes&#34;:[&#34;istio-envoy&#34;,&#34;istio-certs...
|
||
Status: Running
|
||
IP: 10.32.0.6
|
||
Controlled By: ReplicaSet/demo-red-pod-8b5df99cc
|
||
Init Containers:
|
||
istio-init:
|
||
Container ID: docker://bef731eae1eb3b6c9d926cacb497bb39a7d9796db49cd14a63014fc1a177d95b
|
||
Image: docker.io/istio/proxy_init:1.0.2
|
||
Image ID: docker-pullable://docker.io/istio/proxy_init@sha256:e16a0746f46cd45a9f63c27b9e09daff5432e33a2d80c8cc0956d7d63e2f9185
|
||
.....
|
||
State: Terminated
|
||
Reason: Completed
|
||
.....
|
||
Ready: True
|
||
Containers:
|
||
demo-red:
|
||
Container ID: docker://8cd9957955ff7e534376eb6f28b56462099af6dfb8b9bc37aaf06e516175495e
|
||
Image: chugtum/blue-green-image:v3
|
||
Image ID: docker-pullable://docker.io/chugtum/blue-green-image@sha256:274756dbc215a6b2bd089c10de24fcece296f4c940067ac1a9b4aea67cf815db
|
||
State: Running
|
||
Started: Sun, 09 Dec 2018 18:12:31 -0800
|
||
Ready: True
|
||
istio-proxy:
|
||
Container ID: docker://ca5d690be8cd6557419cc19ec4e76163c14aed2336eaad7ebf17dd46ca188b4a
|
||
Image: docker.io/istio/proxyv2:1.0.2
|
||
Image ID: docker-pullable://docker.io/istio/proxyv2@sha256:54e206530ba6ca9b3820254454e01b7592e9f986d27a5640b6c03704b3b68332
|
||
Args:
|
||
proxy
|
||
sidecar
|
||
.....
|
||
State: Running
|
||
Started: Sun, 09 Dec 2018 18:12:31 -0800
|
||
Ready: True
|
||
.....
|
||
</code></pre>
|
||
<p>As seen in the output, the <code>State</code> of the <code>istio-init</code> container is <code>Terminated</code> with the <code>Reason</code> being <code>Completed</code>. The only two containers running are the main application <code>demo-red</code> container and the <code>istio-proxy</code> container.</p>
|
||
<h3 id="automatic-injection">Automatic injection</h3>
|
||
<p>Most of the times, you don’t want to manually inject a sidecar every time you deploy an application, using the <a href="/v1.12/docs/reference/commands/istioctl"><code>istioctl</code></a> command, but would prefer that Istio automatically inject the sidecar to your pod. This is the recommended approach and for it to work, all you need to do is to label the namespace where you are deploying the app with <code>istio-injection=enabled</code>.</p>
|
||
<p>Once labeled, Istio injects the sidecar automatically for any pod you deploy in that namespace. In the following example, the sidecar gets automatically injected in the deployed pods in the <code>istio-dev</code> namespace.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get namespaces --show-labels
|
||
NAME STATUS AGE LABELS
|
||
default Active 40d &lt;none&gt;
|
||
istio-dev Active 19d istio-injection=enabled
|
||
istio-system Active 24d &lt;none&gt;
|
||
kube-public Active 40d &lt;none&gt;
|
||
kube-system Active 40d &lt;none&gt;
|
||
</code></pre>
|
||
<p>But how does this work? To get to the bottom of this, we need to understand Kubernetes admission controllers.</p>
|
||
<p><a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/">From Kubernetes documentation:</a></p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. You can define two types of admission webhooks, validating admission Webhook and mutating admission webhook. With validating admission Webhooks, you may reject requests to enforce custom admission policies. With mutating admission Webhooks, you may change requests to enforce custom defaults.</div>
|
||
</aside>
|
||
</div>
|
||
<p>For automatic sidecar injection, Istio relies on <code>Mutating Admission Webhook</code>. Let’s look at the details of the <code>istio-sidecar-injector</code> mutating webhook configuration.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl get mutatingwebhookconfiguration istio-sidecar-injector -o yaml
|
||
SNIPPET from the output:
|
||
apiVersion: admissionregistration.k8s.io/v1beta1
|
||
kind: MutatingWebhookConfiguration
|
||
metadata:
|
||
annotations:
|
||
kubectl.kubernetes.io/last-applied-configuration: |
|
||
{&#34;apiVersion&#34;:&#34;admissionregistration.k8s.io/v1beta1&#34;,&#34;kind&#34;:&#34;MutatingWebhookConfiguration&#34;,&#34;metadata&#34;:{&#34;annotations&#34;:{},&#34;labels&#34;:{&#34;app&#34;:&#34;istio-sidecar-injector&#34;,&#34;chart&#34;:&#34;sidecarInjectorWebhook-1.0.1&#34;,&#34;heritage&#34;:&#34;Tiller&#34;,&#34;release&#34;:&#34;istio-remote&#34;},&#34;name&#34;:&#34;istio-sidecar-injector&#34;,&#34;namespace&#34;:&#34;&#34;},&#34;webhooks&#34;:[{&#34;clientConfig&#34;:{&#34;caBundle&#34;:&#34;&#34;,&#34;service&#34;:{&#34;name&#34;:&#34;istio-sidecar-injector&#34;,&#34;namespace&#34;:&#34;istio-system&#34;,&#34;path&#34;:&#34;/inject&#34;}},&#34;failurePolicy&#34;:&#34;Fail&#34;,&#34;name&#34;:&#34;sidecar-injector.istio.io&#34;,&#34;namespaceSelector&#34;:{&#34;matchLabels&#34;:{&#34;istio-injection&#34;:&#34;enabled&#34;}},&#34;rules&#34;:[{&#34;apiGroups&#34;:[&#34;&#34;],&#34;apiVersions&#34;:[&#34;v1&#34;],&#34;operations&#34;:[&#34;CREATE&#34;],&#34;resources&#34;:[&#34;pods&#34;]}]}]}
|
||
creationTimestamp: 2018-12-10T08:40:15Z
|
||
generation: 2
|
||
labels:
|
||
app: istio-sidecar-injector
|
||
chart: sidecarInjectorWebhook-1.0.1
|
||
heritage: Tiller
|
||
release: istio-remote
|
||
name: istio-sidecar-injector
|
||
.....
|
||
webhooks:
|
||
- clientConfig:
|
||
service:
|
||
name: istio-sidecar-injector
|
||
namespace: istio-system
|
||
path: /inject
|
||
name: sidecar-injector.istio.io
|
||
namespaceSelector:
|
||
matchLabels:
|
||
istio-injection: enabled
|
||
rules:
|
||
- apiGroups:
|
||
- &#34;&#34;
|
||
apiVersions:
|
||
- v1
|
||
operations:
|
||
- CREATE
|
||
resources:
|
||
- pods
|
||
</code></pre>
|
||
<p>This is where you can see the webhook <code>namespaceSelector</code> label that is matched for sidecar injection with the label <code>istio-injection: enabled</code>. In this case, you also see the operations and resources for which this is done when the pods are created. When an <code>apiserver</code> receives a request that matches one of the rules, the <code>apiserver</code> sends an admission review request to the webhook service as specified in the <code>clientConfig:</code>configuration with the <code>name: istio-sidecar-injector</code> key-value pair. We should be able to see that this service is running in the <code>istio-system</code> namespace.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get svc --namespace=istio-system | grep sidecar-injector
|
||
istio-sidecar-injector ClusterIP 10.102.70.184 &lt;none&gt; 443/TCP 24d
|
||
</code></pre>
|
||
<p>This configuration ultimately does pretty much the same as we saw in manual injection. Just that it is done automatically during pod creation, so you won’t see the change in the deployment. You need to use <code>kubectl describe</code> to see the sidecar proxy and the init proxy.</p>
|
||
<p>The automatic sidecar injection not only depends on the <code>namespaceSelector</code> mechanism of the webhook, but also on the default injection policy and the per-pod override annotation.</p>
|
||
<p>If you look at the <code>istio-sidecar-injector</code> ConfigMap again, it has the default injection policy defined. In our case, it is enabled by default.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-outputis='yaml' data-repo='istio' >$ kubectl -n istio-system get configmap istio-sidecar-injector -o=jsonpath=&#39;{.data.config}&#39;
|
||
SNIPPET from the output:
|
||
policy: enabled
|
||
template: |-
|
||
initContainers:
|
||
- name: istio-init
|
||
image: &#34;gcr.io/istio-release/proxy_init:1.0.2&#34;
|
||
args:
|
||
- &#34;-p&#34;
|
||
- [[ .MeshConfig.ProxyListenPort ]]
|
||
</code></pre>
|
||
<p>You can also use the annotation <code>sidecar.istio.io/inject</code> in the pod template to override the default policy. The following example disables the automatic injection of the sidecar for the pods in a <code>Deployment</code>.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: ignored
|
||
spec:
|
||
template:
|
||
metadata:
|
||
annotations:
|
||
sidecar.istio.io/inject: &#34;false&#34;
|
||
spec:
|
||
containers:
|
||
- name: ignored
|
||
image: tutum/curl
|
||
command: [&#34;/bin/sleep&#34;,&#34;infinity&#34;]
|
||
</code></pre>
|
||
<p>This example shows there are many variables, based on whether the automatic sidecar injection is controlled in your namespace, ConfigMap, or pod and they are:</p>
|
||
<ul>
|
||
<li>webhooks <code>namespaceSelector</code> (<code>istio-injection: enabled</code>)</li>
|
||
<li>default policy (Configured in the ConfigMap <code>istio-sidecar-injector</code>)</li>
|
||
<li>per-pod override annotation (<code>sidecar.istio.io/inject</code>)</li>
|
||
</ul>
|
||
<p>The <a href="/v1.12/docs/ops/common-problems/injection/">injection status table</a> shows a clear picture of the final injection status based on the value of the above variables.</p>
|
||
<h2 id="traffic-flow-from-application-container-to-sidecar-proxy">Traffic flow from application container to sidecar proxy</h2>
|
||
<p>Now that we are clear about how a sidecar container and an init container are injected into an application manifest, how does the sidecar proxy grab the inbound and outbound traffic to and from the container? We did briefly mention that it is done by setting up the <code>iptable</code> rules within the pod namespace, which in turn is done by the <code>istio-init</code> container. Now, it is time to verify what actually gets updated within the namespace.</p>
|
||
<p>Let’s get into the application pod namespace we deployed in the previous section and look at the configured iptables. I am going to show an example using <code>nsenter</code>. Alternatively, you can enter the container in a privileged mode to see the same information. For folks without access to the nodes, using <code>exec</code> to get into the sidecar and running <code>iptables</code> is more practical.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ docker inspect b8de099d3510 --format &#39;{{ .State.Pid }}&#39;
|
||
4125
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ nsenter -t 4215 -n iptables -t nat -S
|
||
-P PREROUTING ACCEPT
|
||
-P INPUT ACCEPT
|
||
-P OUTPUT ACCEPT
|
||
-P POSTROUTING ACCEPT
|
||
-N ISTIO_INBOUND
|
||
-N ISTIO_IN_REDIRECT
|
||
-N ISTIO_OUTPUT
|
||
-N ISTIO_REDIRECT
|
||
-A PREROUTING -p tcp -j ISTIO_INBOUND
|
||
-A OUTPUT -p tcp -j ISTIO_OUTPUT
|
||
-A ISTIO_INBOUND -p tcp -m tcp --dport 80 -j ISTIO_IN_REDIRECT
|
||
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15001
|
||
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -j ISTIO_REDIRECT
|
||
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
|
||
-A ISTIO_OUTPUT -m owner --gid-owner 1337 -j RETURN
|
||
-A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
|
||
-A ISTIO_OUTPUT -j ISTIO_REDIRECT
|
||
-A ISTIO_REDIRECT -p tcp -j REDIRECT --to-ports 15001
|
||
</code></pre>
|
||
<p>The output above clearly shows that all the incoming traffic to port 80, which is the port our <code>red-demo</code> application is listening, is now <code>REDIRECTED</code> to port <code>15001</code>, which is the port that the <code>istio-proxy</code>, an Envoy proxy, is listening. The same holds true for the outgoing traffic.</p>
|
||
<p>This brings us to the end of this post. I hope it helped to de-mystify how Istio manages to inject the sidecar proxies into an existing deployment and how Istio routes the traffic to the proxy.</p>
|
||
<div>
|
||
<aside class="callout idea">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-idea"/></svg>
|
||
</div>
|
||
<div class="content">Update: In place of <code>istio-init</code>, there now seems to be an option of using the new CNI, which removes the need for the init container and associated privileges. This <a href="https://github.com/istio/cni"><code>istio-cni</code></a> plugin sets up the pods&rsquo; networking to fulfill this requirement in place of the current Istio injected pod <code>istio-init</code> approach.</div>
|
||
</aside>
|
||
</div></description><pubDate>Thu, 31 Jan 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/data-plane-setup/</link><author>Manish Chugtu</author><guid isPermaLink="true">/v1.12/blog/2019/data-plane-setup/</guid><category>kubernetes</category><category>sidecar-injection</category><category>traffic-management</category></item><item><title>Sidestepping Dependency Ordering with AppSwitch</title><description>
|
||
<p>We are going through an interesting cycle of application decomposition and recomposition. While the microservice paradigm is driving monolithic applications to be broken into separate individual services, the service mesh approach is helping them to be connected back together into well-structured applications. As such, microservices are logically separate but not independent. They are usually closely interdependent and taking them apart introduces many new concerns such as need for mutual authentication between services. Istio directly addresses most of those issues.</p>
|
||
<h2 id="dependency-ordering-problem">Dependency ordering problem</h2>
|
||
<p>An issue that arises due to application decomposition and one that Istio doesn’t address is dependency ordering &ndash; bringing up individual services of an application in an order that guarantees that the application as a whole comes up quickly and correctly. In a monolithic application, with all its components built-in, dependency ordering between the components is enforced by internal locking mechanisms. But with individual services potentially scattered across the cluster in a service mesh, starting a service first requires checking that the services it depends on are up and available.</p>
|
||
<p>Dependency ordering is deceptively nuanced with a host of interrelated problems. Ordering individual services requires having the dependency graph of the services so that they can be brought up starting from leaf nodes back to the root nodes. It is not easy to construct such a graph and keep it updated over time as interdependencies evolve with the behavior of the application. Even if the dependency graph is somehow provided, enforcing the ordering itself is not easy. Simply starting the services in the specified order obviously won’t do. A service may have started but not be ready to accept connections yet. This is the problem with docker-compose&rsquo;s <code>depends-on</code> tag, for example.</p>
|
||
<p>Apart from introducing sufficiently long sleeps between service startups, a common pattern that is often used is to check for readiness of dependencies before starting a service. In Kubernetes, this could be done with a wait script as part of the init container of the pod. However that means that the entire application would be held up until all its dependencies come alive. Sometimes applications spend several minutes initializing themselves on startup before making their first outbound connection. Not allowing a service to start at all adds substantial overhead to overall startup time of the application. Also, the strategy of waiting on the init container won&rsquo;t work for the case of multiple interdependent services within the same pod.</p>
|
||
<h3 id="example-scenario-ibm-websphere-nd">Example scenario: IBM WebSphere ND</h3>
|
||
<p>Let us consider IBM WebSphere ND &ndash; a widely deployed application middleware &ndash; to grok these problems more closely. It is a fairly complex framework in itself and consists of a central component called deployment manager (<code>dmgr</code>) that manages a set of node instances. It uses UDP to negotiate cluster membership among the nodes and requires that deployment manager is up and operational before any of the node instances can come up and join the cluster.</p>
|
||
<p>Why are we talking about a traditional application in the modern cloud-native context? It turns out that there are significant gains to be had by enabling them to run on the Kubernetes and Istio platforms. Essentially it&rsquo;s a part of the modernization journey that allows running traditional apps alongside green-field apps on the same modern platform to facilitate interoperation between the two. In fact, WebSphere ND is a demanding application. It expects a consistent network environment with specific network interface attributes etc. AppSwitch is equipped to take care of those requirements. For the purpose of this blog however, I&rsquo;ll focus on the dependency ordering requirement and how AppSwitch addresses it.</p>
|
||
<p>Simply deploying <code>dmgr</code> and node instances as pods on a Kubernetes cluster does not work. <code>dmgr</code> and the node instances happen to have a lengthy initialization process that can take several minutes. If they are all co-scheduled, the application typically ends up in a funny state. When a node instance comes up and finds that <code>dmgr</code> is missing, it would take an alternate startup path. Instead, if it had exited immediately, Kubernetes crash-loop would have taken over and perhaps the application would have come up. But even in that case, it turns out that a timely startup is not guaranteed.</p>
|
||
<p>One <code>dmgr</code> along with its node instances is a basic deployment configuration for WebSphere ND. Applications like IBM Business Process Manager that are built on top of WebSphere ND running in production environments include several other services. In those configurations, there could be a chain of interdependencies. Depending on the applications hosted by the node instances, there may be an ordering requirement among them as well. With long service initialization times and crash-loop restarts, there is little chance for the application to start in any reasonable length of time.</p>
|
||
<h3 id="sidecar-dependency-in-istio">Sidecar dependency in Istio</h3>
|
||
<p>Istio itself is affected by a version of the dependency ordering problem. Since connections into and out of a service running under Istio are redirected through its sidecar proxy, an implicit dependency is created between the application service and its sidecar. Unless the sidecar is fully operational, all requests from and to the service get dropped.</p>
|
||
<h2 id="dependency-ordering-with-appswitch">Dependency ordering with AppSwitch</h2>
|
||
<p>So how do we go about addressing these issues? One way is to defer it to the applications and say that they are supposed to be &ldquo;well behaved&rdquo; and implement appropriate logic to make themselves immune to startup order issues. However, many applications (especially traditional ones) either timeout or deadlock if misordered. Even for new applications, implementing one off logic for each service is substantial additional burden that is best avoided. Service mesh needs to provide adequate support around these problems. After all, factoring out common patterns into an underlying framework is really the point of service mesh.</p>
|
||
<p><a href="http://appswitch.io">AppSwitch</a> explicitly addresses dependency ordering. It sits on the control path of the application’s network interactions between clients and services in a cluster and knows precisely when a service becomes a client by making the <code>connect</code> call and when a particular service becomes ready to accept connections by making the <code>listen</code> call. It&rsquo;s <em>service router</em> component disseminates information about these events across the cluster and arbitrates interactions among clients and servers. That is how AppSwitch implements functionality such as load balancing and isolation in a simple and efficient manner. Leveraging the same strategic location of the application&rsquo;s network control path, it is conceivable that the <code>connect</code> and <code>listen</code> calls made by those services can be lined up at a finer granularity rather than coarsely sequencing entire services as per a dependency graph. That would effectively solve the multilevel dependency problem and speedup application startup.</p>
|
||
<p>But that still requires a dependency graph. A number of products and tools exist to help with discovering service dependencies. But they are typically based on passive monitoring of network traffic and cannot provide the information beforehand for any arbitrary application. Network level obfuscation due to encryption and tunneling also makes them unreliable. The burden of discovering and specifying the dependencies ultimately falls to the developer or the operator of the application. As it is, even consistency checking a dependency specification is itself quite complex and any way to avoid requiring a dependency graph would be most desirable.</p>
|
||
<p>The point of a dependency graph is to know which clients depend on a particular service so that those clients can then be made to wait for the respective service to become live. But does it really matter which specific clients? Ultimately one tautology that always holds is that all clients of a service have an implicit dependency on the service. That’s what AppSwitch leverages to get around the requirement. In fact, that sidesteps dependency ordering altogether. All services of the application can be co-scheduled without regard to any startup order. Interdependencies among them automatically work themselves out at the granularity of individual requests and responses, resulting in quick and correct application startups.</p>
|
||
<h3 id="appswitch-model-and-constructs">AppSwitch model and constructs</h3>
|
||
<p>Now that we have a conceptual understanding of AppSwitch’s high-level approach, let’s look at the constructs involved. But first a quick summary of the usage model is in order. Even though it is written for a different context, reviewing my earlier <a href="/v1.12/blog/2018/delayering-istio/">blog</a> on this topic would be useful as well. For completeness, let me also note AppSwitch doesn’t bother with non-network dependencies. For example it may be possible for two services to interact using IPC mechanisms or through the shared file system. Processes with deep ties like that are typically part of the same service anyway and don’t require framework’s intervention for ordering.</p>
|
||
<p>At its core, AppSwitch is built on a mechanism that allows instrumenting the BSD socket API and other related calls like <code>fcntl</code> and <code>ioctl</code> that deal with sockets. As interesting as the details of its implementation are, it’s going to distract us from the main topic, so I’d just summarize the key properties that distinguish it from other implementations. (1) It’s fast. It uses a combination of <code>seccomp</code> filtering and binary instrumentation to aggressively limit intervening with application’s normal execution. AppSwitch is particularly suited for service mesh and application networking use cases given that it implements those features without ever having to actually touch the data. In contrast, network level approaches incur per-packet cost. Take a look at this <a href="/v1.12/blog/2018/delayering-istio/">blog</a> for some of the performance measurements. (2) It doesn’t require any kernel support, kernel module or a patch and works on standard distro kernels (3) It can run as regular user (no root). In fact, the mechanism can even make it possible to run <a href="https://linuxpiter.com/en/materials/2478">Docker daemon without root</a> by removing root requirement to network containers (4) It doesn’t require any changes to the applications whatsoever and works for any type of application &ndash; from WebSphere ND and SAP to custom C apps to statically linked Go apps. Only requirement at this point is Linux/x86.</p>
|
||
<h3 id="decoupling-services-from-their-references">Decoupling services from their references</h3>
|
||
<p>AppSwitch is built on the fundamental premise that applications should be decoupled from their references. The identity of applications is traditionally derived from the identity of the host on which they run. However, applications and hosts are very different objects that need to be referenced independently. Detailed discussion around this topic along with a conceptual foundation of AppSwitch is presented in this <a href="https://arxiv.org/abs/1711.02294">research paper</a>.</p>
|
||
<p>The central AppSwitch construct that achieves the decoupling between services objects and their identities is <em>service reference</em> (<em>reference</em>, for short). AppSwitch implements service references based on the API instrumentation mechanism outlined above. A service reference consists of an IP:port pair (and optionally a DNS name) and a label-selector that selects the service represented by the reference and the clients to which this reference applies. A reference supports a few key properties. (1) It can be named independently of the name of the object it refers to. That is, a service may be listening on an IP and port but a reference allows that service to be reached on any other IP and port chosen by the user. This is what allows AppSwitch to run traditional applications captured from their source environments with static IP configurations to run on Kubernetes by providing them with necessary IP addresses and ports regardless of the target network environment. (2) It remains unchanged even if the location of the target service changes. A reference automatically redirects itself as its label-selector now resolves to the new instance of the service (3) Most important for this discussion, a reference remains valid even as the target service is coming up.</p>
|
||
<p>To facilitate discovering services that can be accessed through service references, AppSwitch provides an <em>auto-curated service registry</em>. The registry is automatically kept up to date as services come and go across the cluster based on the network API that AppSwitch tracks. Each entry in the registry consists of the IP and port where the respective service is bound. Along with that, it includes a set of labels indicating the application to which this service belongs, the IP and port that the application passed through the socket API when creating the service, the IP and port where AppSwitch actually bound the service on the underlying host on behalf of the application etc. In addition, applications created under AppSwitch carry a set of labels passed by the user that describe the application together with a few default system labels indicating the user that created the application and the host where the application is running etc. These labels are all available to be expressed in the label-selector carried by a service reference. A service in the registry can be made accessible to clients by creating a service reference. A client would then be able to reach the service at the reference’s name (IP:port). Now let’s look at how AppSwitch guarantees that the reference remains valid even when the target service has not yet come up.</p>
|
||
<h3 id="non-blocking-requests">Non-blocking requests</h3>
|
||
<p>AppSwitch leverages the semantics of the BSD socket API to ensure that service references appear valid from the perspective of clients as corresponding services come up. When a client makes a blocking connect call to another service that has not yet come up, AppSwitch blocks the call for a certain time waiting for the target service to become live. Since it is known that the target service is a part of the application and is expected to come up shortly, making the client block rather than returning an error such as <code>ECONNREFUSED</code> prevents the application from failing to start. If the service doesn’t come up within time, an error is returned to the application so that framework-level mechanisms like Kubernetes crash-loop can kick in.</p>
|
||
<p>If the client request is marked as non-blocking, AppSwitch handles that by returning <code>EAGAIN</code> to inform the application to retry rather than give up. Once again, that is in-line with the semantics of socket API and prevents failures due to startup races. AppSwitch essentially enables the retry logic already built into applications in support of the BSD socket API to be transparently repurposed for dependency ordering.</p>
|
||
<h3 id="application-timeouts">Application timeouts</h3>
|
||
<p>What if the application times out based on its own internal timer? Truth be told, AppSwitch can also fake application’s perception of time if wanted but that would be overstepping and actually unnecessary. Application decides and knows best how long it should wait and it’s not appropriate for AppSwitch to mess with that. Application timeouts are conservatively long and if the target service still hasn’t come up in time, it is unlikely to be a dependency ordering issue. There must be something else going on that should not be masked.</p>
|
||
<h3 id="wildcard-service-references-for-sidecar-dependency">Wildcard service references for sidecar dependency</h3>
|
||
<p>Service references can be used to address the Istio sidecar dependency issue mentioned earlier. AppSwitch allows the IP:port specified as part of a service reference to be a wildcard. That is, the service reference IP address can be a netmask indicating the IP address range to be captured. If the label selector of the service reference points to the sidecar service, then all outgoing connections of any application for which this service reference is applied, will be transparently redirected to the sidecar. And of course, the service reference remains valid while sidecar is still coming up and the race is removed.</p>
|
||
<p>Using service references for sidecar dependency ordering also implicitly redirects application’s connections to the sidecar without requiring iptables and attendant privilege issues. Essentially it works as if the application is directly making connections to the sidecar rather than the target destination, leaving the sidecar in charge of what to do. AppSwitch would interject metadata about the original destination etc. into the data stream of the connection using the proxy protocol that the sidecar could decode before passing the connection through to the application. Some of these details were discussed <a href="/v1.12/blog/2018/delayering-istio/">here</a>. That takes care of outbound connections but what about incoming connections? With all services and their sidecars running under AppSwitch, any incoming connections that would have come from remote nodes would be redirected to their respective remote sidecars. So nothing special to do about incoming connections.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Dependency ordering is a pesky problem. This is mostly due to lack of access to fine-grain application-level events around inter-service interactions. Addressing this problem would have normally required applications to implement their own internal logic. But AppSwitch makes those internal application events to be instrumented without requiring application changes. AppSwitch then leverages the ubiquitous support for the BSD socket API to sidestep the requirement of ordering dependencies.</p>
|
||
<h2 id="acknowledgements">Acknowledgements</h2>
|
||
<p>Thanks to Eric Herness and team for their insights and support with IBM WebSphere and BPM products as we modernized them onto the Kubernetes platform and to Mandar Jog, Martin Taillefer and Shriram Rajagopalan for reviewing early drafts of this blog.</p></description><pubDate>Mon, 14 Jan 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/appswitch/</link><author>Dinesh Subhraveti (AppOrbit and Columbia University)</author><guid isPermaLink="true">/v1.12/blog/2019/appswitch/</guid><category>appswitch</category><category>performance</category></item><item><title>Deploy a Custom Ingress Gateway Using Cert-Manager</title><description>
|
||
<p>This post provides instructions to manually create a custom ingress <a href="/v1.12/docs/reference/config/networking/gateway/">gateway</a> with automatic provisioning of certificates based on cert-manager.</p>
|
||
<p>The creation of custom ingress gateway could be used in order to have different <code>loadbalancer</code> in order to isolate traffic.</p>
|
||
<h2 id="before-you-begin">Before you begin</h2>
|
||
<ul>
|
||
<li>Set up Istio by following the instructions in the
|
||
<a href="/v1.12/docs/setup/">Installation guide</a>.</li>
|
||
<li>Set up <code>cert-manager</code> with helm <a href="https://github.com/helm/charts/tree/master/stable/cert-manager#installing-the-chart">chart</a></li>
|
||
<li>We will use <code>demo.mydemo.com</code> for our example,
|
||
it must be resolved with your DNS</li>
|
||
</ul>
|
||
<h2 id="configuring-the-custom-ingress-gateway">Configuring the custom ingress gateway</h2>
|
||
<ol>
|
||
<li><p>Check if <a href="https://github.com/helm/charts/tree/master/stable/cert-manager">cert-manager</a> was installed using Helm with the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm ls
|
||
</code></pre>
|
||
<p>The output should be similar to the example below and show cert-manager with a <code>STATUS</code> of <code>DEPLOYED</code>:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >NAME REVISION UPDATED STATUS CHART APP VERSION NAMESPACE
|
||
istio 1 Thu Oct 11 13:34:24 2018 DEPLOYED istio-1.0.X 1.0.X istio-system
|
||
cert 1 Wed Oct 24 14:08:36 2018 DEPLOYED cert-manager-v0.6.0-dev.2 v0.6.0-dev.2 istio-system
|
||
</code></pre></li>
|
||
<li><p>To create the cluster&rsquo;s issuer, apply the following configuration:</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">Change the cluster&rsquo;s <a href="https://cert-manager.readthedocs.io/en/latest/reference/issuers.html">issuer</a> provider with your own configuration values. The example uses the values under <code>route53</code>.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: certmanager.k8s.io/v1alpha1
|
||
kind: ClusterIssuer
|
||
metadata:
|
||
name: letsencrypt-demo
|
||
namespace: kube-system
|
||
spec:
|
||
acme:
|
||
# The ACME server URL
|
||
server: https://acme-v02.api.letsencrypt.org/directory
|
||
# Email address used for ACME registration
|
||
email: &lt;REDACTED&gt;
|
||
# Name of a secret used to store the ACME account private key
|
||
privateKeySecretRef:
|
||
name: letsencrypt-demo
|
||
dns01:
|
||
# Here we define a list of DNS-01 providers that can solve DNS challenges
|
||
providers:
|
||
- name: your-dns
|
||
route53:
|
||
accessKeyID: &lt;REDACTED&gt;
|
||
region: eu-central-1
|
||
secretAccessKeySecretRef:
|
||
name: prod-route53-credentials-secret
|
||
key: secret-access-key
|
||
</code></pre></li>
|
||
<li><p>If you use the <code>route53</code> <a href="https://cert-manager.readthedocs.io/en/latest/tasks/acme/configuring-dns01/route53.html">provider</a>, you must provide a secret to perform DNS ACME Validation. To create the secret, apply the following configuration file:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Secret
|
||
metadata:
|
||
name: prod-route53-credentials-secret
|
||
type: Opaque
|
||
data:
|
||
secret-access-key: &lt;REDACTED BASE64&gt;
|
||
</code></pre></li>
|
||
<li><p>Create your own certificate:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: certmanager.k8s.io/v1alpha1
|
||
kind: Certificate
|
||
metadata:
|
||
name: demo-certificate
|
||
namespace: istio-system
|
||
spec:
|
||
acme:
|
||
config:
|
||
- dns01:
|
||
provider: your-dns
|
||
domains:
|
||
- &#39;*.mydemo.com&#39;
|
||
commonName: &#39;*.mydemo.com&#39;
|
||
dnsNames:
|
||
- &#39;*.mydemo.com&#39;
|
||
issuerRef:
|
||
kind: ClusterIssuer
|
||
name: letsencrypt-demo
|
||
secretName: istio-customingressgateway-certs
|
||
</code></pre>
|
||
<p>Make a note of the value of <code>secretName</code> since a future step requires it.</p></li>
|
||
<li><p>To scale automatically, declare a new horizontal pod autoscaler with the following configuration:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: autoscaling/v1
|
||
kind: HorizontalPodAutoscaler
|
||
metadata:
|
||
name: my-ingressgateway
|
||
namespace: istio-system
|
||
spec:
|
||
maxReplicas: 5
|
||
minReplicas: 1
|
||
scaleTargetRef:
|
||
apiVersion: apps/v1beta1
|
||
kind: Deployment
|
||
name: my-ingressgateway
|
||
targetCPUUtilizationPercentage: 80
|
||
status:
|
||
currentCPUUtilizationPercentage: 0
|
||
currentReplicas: 1
|
||
desiredReplicas: 1
|
||
</code></pre></li>
|
||
<li><p>Apply your deployment with declaration provided in the <a href="/v1.12/blog/2019/custom-ingress-gateway/deployment-custom-ingress.yaml">yaml definition</a></p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">The annotations used, for example <code>aws-load-balancer-type</code>, only apply for AWS.</div>
|
||
</aside>
|
||
</div>
|
||
</li>
|
||
<li><p>Create your service:</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content">The <code>NodePort</code> used needs to be an available port.</div>
|
||
</aside>
|
||
</div>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: my-ingressgateway
|
||
annotations:
|
||
service.beta.kubernetes.io/aws-load-balancer-type: nlb
|
||
labels:
|
||
app: my-ingressgateway
|
||
istio: my-ingressgateway
|
||
spec:
|
||
type: LoadBalancer
|
||
selector:
|
||
app: my-ingressgateway
|
||
istio: my-ingressgateway
|
||
ports:
|
||
-
|
||
name: http2
|
||
nodePort: 32380
|
||
port: 80
|
||
targetPort: 80
|
||
-
|
||
name: https
|
||
nodePort: 32390
|
||
port: 443
|
||
-
|
||
name: tcp
|
||
nodePort: 32400
|
||
port: 31400
|
||
</code></pre></li>
|
||
<li><p>Create your Istio custom gateway configuration object:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
annotations:
|
||
name: istio-custom-gateway
|
||
namespace: default
|
||
spec:
|
||
selector:
|
||
istio: my-ingressgateway
|
||
servers:
|
||
- hosts:
|
||
- &#39;*.mydemo.com&#39;
|
||
port:
|
||
name: http
|
||
number: 80
|
||
protocol: HTTP
|
||
tls:
|
||
httpsRedirect: true
|
||
- hosts:
|
||
- &#39;*.mydemo.com&#39;
|
||
port:
|
||
name: https
|
||
number: 443
|
||
protocol: HTTPS
|
||
tls:
|
||
mode: SIMPLE
|
||
privateKey: /etc/istio/ingressgateway-certs/tls.key
|
||
serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
|
||
</code></pre></li>
|
||
<li><p>Link your <code>istio-custom-gateway</code> with your <code>VirtualService</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: my-virtualservice
|
||
spec:
|
||
hosts:
|
||
- &#34;demo.mydemo.com&#34;
|
||
gateways:
|
||
- istio-custom-gateway
|
||
http:
|
||
- route:
|
||
- destination:
|
||
host: my-demoapp
|
||
</code></pre></li>
|
||
<li><p>Correct certificate is returned by the server and it is successfully verified (<em>SSL certificate verify ok</em> is printed):</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -v `https://demo.mydemo.com`
|
||
Server certificate:
|
||
SSL certificate verify ok.
|
||
</code></pre></li>
|
||
</ol>
|
||
<p><strong>Congratulations!</strong> You can now use your custom <code>istio-custom-gateway</code> <a href="/v1.12/docs/reference/config/networking/gateway/">gateway</a> configuration object.</p></description><pubDate>Thu, 10 Jan 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/custom-ingress-gateway/</link><author>Julien Senon</author><guid isPermaLink="true">/v1.12/blog/2019/custom-ingress-gateway/</guid><category>ingress</category><category>traffic-management</category></item><item><title>Announcing discuss.istio.io</title><description><p>We in the Istio community have been working to find the right medium for users to engage with other members of the community &ndash; to ask questions,
|
||
to get help from other users, and to engage with developers working on the project.</p>
|
||
<p>We’ve tried several different avenues, but each has had some downsides. RocketChat was our most recent endeavor, but the lack of certain
|
||
features (for example, threading) meant it wasn’t ideal for any longer discussions around a single issue. It also led to a dilemma for
|
||
some users &ndash; when should I email istio-users@googlegroups.com and when should I use RocketChat?</p>
|
||
<p>We think we’ve found the right balance of features in a single platform, and we’re happy to announce
|
||
<a href="https://discuss.istio.io">discuss.istio.io</a>. It’s a full-featured forum where we will have discussions about Istio from here on out.
|
||
It will allow you to ask a question and get threaded replies! As a real bonus, you can use your GitHub identity.</p>
|
||
<p>If you prefer emails, you can configure it to send emails just like Google groups did.</p>
|
||
<p>We will be marking our Google groups &ldquo;read only&rdquo; so that the content remains, but we ask you to send further questions over to
|
||
<a href="https://discuss.istio.io">discuss.istio.io</a>. If you have any outstanding questions or discussions in the groups, please move the conversation over.</p>
|
||
<p>Happy meshing!</p></description><pubDate>Thu, 10 Jan 2019 00:00:00 +0000</pubDate><link>/v1.12/blog/2019/announcing-discuss.istio.io/</link><author/><guid isPermaLink="true">/v1.12/blog/2019/announcing-discuss.istio.io/</guid></item><item><title>Incremental Istio Part 1, Traffic Management</title><description>
|
||
<p>Traffic management is one of the critical benefits provided by Istio. At the heart of Istio’s traffic management is the ability to decouple traffic flow and infrastructure scaling. This lets you control your traffic in ways that aren’t possible without a service mesh like Istio.</p>
|
||
<p>For example, let’s say you want to execute a <a href="https://martinfowler.com/bliki/CanaryRelease.html">canary deployment</a>. With Istio, you can specify that <strong>v1</strong> of a service receives 90% of incoming traffic, while <strong>v2</strong> of that service only receives 10%. With standard Kubernetes deployments, the only way to achieve this is to manually control the number of available Pods for each version, for example 9 Pods running v1 and 1 Pod running v2. This type of manual control is hard to implement, and over time may have trouble scaling. For more information, check out <a href="/v1.12/blog/2017/0.1-canary/">Canary Deployments using Istio</a>.</p>
|
||
<p>The same issue exists when deploying updates to existing services. While you can update deployments with Kubernetes, it requires replacing v1 Pods with v2 Pods. Using Istio, you can deploy v2 of your service and use built-in traffic management mechanisms to shift traffic to your updated services at a network level, then remove the v1 Pods.</p>
|
||
<p>In addition to canary deployments and general traffic shifting, Istio also gives you the ability to implement dynamic request routing (based on HTTP headers), failure recovery, retries, circuit breakers, and fault injection. For more information, check out the <a href="/v1.12/docs/concepts/traffic-management/">Traffic Management documentation</a>.</p>
|
||
<p>This post walks through a technique that highlights a particularly useful way that you can implement Istio incrementally &ndash; in this case, only the traffic management features &ndash; without having to individually update each of your Pods.</p>
|
||
<h2 id="setup-why-implement-istio-traffic-management-features">Setup: why implement Istio traffic management features?</h2>
|
||
<p>Of course, the first question is: Why would you want to do this?</p>
|
||
<p>If you’re part of one of the many organizations out there that have a large cluster with lots of teams deploying, the answer is pretty clear. Let’s say Team A is getting started with Istio and wants to start some canary deployments on Service A, but Team B hasn’t started using Istio, so they don’t have sidecars deployed.</p>
|
||
<p>With Istio, Team A can still implement their canaries by having Service B call Service A through Istio’s ingress gateway.</p>
|
||
<h2 id="background-traffic-routing-in-an-istio-mesh">Background: traffic routing in an Istio mesh</h2>
|
||
<p>But how can you use Istio’s traffic management capabilities without updating each of your applications’ Pods to include the Istio sidecar? Before answering that question, let’s take a quick high-level look at how traffic enters an Istio mesh and how it’s routed.</p>
|
||
<p>Pods that are part of the Istio mesh contain a sidecar proxy that is responsible for mediating all inbound and outbound traffic to the Pod. Within an Istio mesh, Pilot is responsible for converting high-level routing rules into configurations and propagating them to the sidecar proxies. That means when services communicate with one another, their routing decisions are determined from the client side.</p>
|
||
<p>Let’s say you have two services that are part of the Istio mesh, Service A and Service B. When A wants to communicate with B, the sidecar proxy of Pod A is responsible for directing traffic to Service B. For example, if you wanted to split traffic <sup>50</sup>&frasl;<sub>50</sub> across Service B v1 and v2, the traffic would flow as follows:</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.66666666666667%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/incremental-traffic-management/fifty-fifty.png" title="50/50 Traffic Split">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/incremental-traffic-management/fifty-fifty.png" alt="50/50 Traffic Split" />
|
||
</a>
|
||
</div>
|
||
<figcaption>50/50 Traffic Split</figcaption>
|
||
</figure>
|
||
<p>If Services A and B are not part of the Istio mesh, there is no sidecar proxy that knows how to route traffic to different versions of Service B. In that case you need to use another approach to get traffic from Service A to Service B, following the <sup>50</sup>&frasl;<sub>50</sub> rules you’ve setup.</p>
|
||
<p>Fortunately, a standard Istio deployment already includes a <a href="/v1.12/docs/concepts/traffic-management/#gateways">Gateway</a> that specifically deals with ingress traffic outside of the Istio mesh. This Gateway is used to allow ingress traffic from outside the cluster via an external load balancer, or to allow ingress traffic from within the Kubernetes cluster but outside the service mesh. It can be configured to proxy incoming ingress traffic to the appropriate Pods, even if they don’t have a sidecar proxy. While this approach allows you to leverage Istio’s traffic management features, it does mean that traffic going through the ingress gateway will incur an extra hop.</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.83870967741935%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/incremental-traffic-management/fifty-fifty-ingress-gateway.png" title="50/50 Traffic Split using Ingress Gateway">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/incremental-traffic-management/fifty-fifty-ingress-gateway.png" alt="50/50 Traffic Split using Ingress Gateway" />
|
||
</a>
|
||
</div>
|
||
<figcaption>50/50 Traffic Split using Ingress Gateway</figcaption>
|
||
</figure>
|
||
<h2 id="in-action-traffic-routing-with-istio">In action: traffic routing with Istio</h2>
|
||
<p>A simple way to see this type of approach in action is to first setup your Kubernetes environment using the <a href="/v1.12/docs/setup/platform-setup/">Platform Setup</a> instructions, and then install the <strong>minimal</strong> Istio profile using <a href="https://archive.istio.io/1.4/docs/setup/install/helm/">Helm</a>, including only the traffic management components (ingress gateway, egress gateway, Pilot). The following example uses <a href="https://cloud.google.com/gke">Google Kubernetes Engine</a>.</p>
|
||
<p>First, setup and configure <a href="/v1.12/docs/setup/platform-setup/gke/">GKE</a>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ gcloud container clusters create istio-inc --zone us-central1-f
|
||
$ gcloud container clusters get-credentials istio-inc
|
||
$ kubectl create clusterrolebinding cluster-admin-binding \
|
||
--clusterrole=cluster-admin \
|
||
--user=$(gcloud config get-value core/account)
|
||
</code></pre>
|
||
<p>Next, <a href="https://helm.sh/docs/intro/install/">install Helm</a> and <a href="https://archive.istio.io/1.4/docs/setup/install/helm/">generate a minimal Istio install</a> &ndash; only traffic management components:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio \
|
||
--name istio \
|
||
--namespace istio-system \
|
||
--set security.enabled=false \
|
||
--set galley.enabled=false \
|
||
--set sidecarInjectorWebhook.enabled=false \
|
||
--set mixer.enabled=false \
|
||
--set prometheus.enabled=false \
|
||
--set pilot.sidecar=false &gt; istio-minimal.yaml
|
||
</code></pre>
|
||
<p>Then create the <code>istio-system</code> namespace and deploy Istio:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create namespace istio-system
|
||
$ kubectl apply -f istio-minimal.yaml
|
||
</code></pre>
|
||
<p>Next, deploy the Bookinfo sample without the Istio sidecar containers:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@
|
||
</code></pre></div>
|
||
<p>Now, configure a new Gateway that allows access to the reviews service from outside the Istio mesh, a new <code>VirtualService</code> that splits traffic evenly between v1 and v2 of the reviews service, and a set of new <code>DestinationRule</code> resources that match destination subsets to service versions:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: reviews-gateway
|
||
spec:
|
||
selector:
|
||
istio: ingressgateway # use istio default controller
|
||
servers:
|
||
- port:
|
||
number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
hosts:
|
||
- &#34;*&#34;
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
hosts:
|
||
- &#34;*&#34;
|
||
gateways:
|
||
- reviews-gateway
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /reviews
|
||
route:
|
||
- destination:
|
||
host: reviews
|
||
subset: v1
|
||
weight: 50
|
||
- destination:
|
||
host: reviews
|
||
subset: v2
|
||
weight: 50
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
host: reviews
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
- name: v3
|
||
labels:
|
||
version: v3
|
||
EOF
|
||
</code></pre>
|
||
<p>Finally, deploy a pod that you can use for testing with <code>curl</code> (and without the Istio sidecar container):</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/sleep/sleep.yaml@
|
||
</code></pre></div>
|
||
<h2 id="testing-your-deployment">Testing your deployment</h2>
|
||
<p>Now, you can test different behaviors using the <code>curl</code> commands via the sleep Pod.</p>
|
||
<p>The first example is to issue requests to the reviews service using standard Kubernetes service DNS behavior (<strong>note</strong>: <a href="https://stedolan.github.io/jq/"><code>jq</code></a> is used in the examples below to filter the output from <code>curl</code>):</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export SLEEP_POD=$(kubectl get pod -l app=sleep \
|
||
-o jsonpath={.items..metadata.name})
|
||
$ for i in `seq 3`; do \
|
||
kubectl exec -it $SLEEP_POD curl http://reviews:9080/reviews/0 | \
|
||
jq &#39;.reviews|.[]|.rating?&#39;; \
|
||
done
|
||
</code></pre>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;stars&#34;: 5,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
{
|
||
&#34;stars&#34;: 4,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
null
|
||
null
|
||
{
|
||
&#34;stars&#34;: 5,
|
||
&#34;color&#34;: &#34;red&#34;
|
||
}
|
||
{
|
||
&#34;stars&#34;: 4,
|
||
&#34;color&#34;: &#34;red&#34;
|
||
}
|
||
</code></pre>
|
||
<p>Notice how we’re getting responses from all three versions of the reviews service (<code>null</code> is from reviews v1 which doesn’t have ratings) and not getting the even split across v1 and v2. This is expected behavior because the <code>curl</code> command is using Kubernetes service load balancing across all three versions of the reviews service. In order to access the reviews <sup>50</sup>&frasl;<sub>50</sub> split we need to access the service via the ingress Gateway:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ for i in `seq 4`; do \
|
||
kubectl exec -it $SLEEP_POD curl http://istio-ingressgateway.istio-system/reviews/0 | \
|
||
jq &#39;.reviews|.[]|.rating?&#39;; \
|
||
done
|
||
</code></pre>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;stars&#34;: 5,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
{
|
||
&#34;stars&#34;: 4,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
null
|
||
null
|
||
{
|
||
&#34;stars&#34;: 5,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
{
|
||
&#34;stars&#34;: 4,
|
||
&#34;color&#34;: &#34;black&#34;
|
||
}
|
||
null
|
||
null
|
||
</code></pre>
|
||
<p>Mission accomplished! This post showed how to deploy a minimal installation of Istio that only contains the traffic management components (Pilot, ingress Gateway), and then use those components to direct traffic to specific versions of the reviews service. And it wasn&rsquo;t necessary to deploy the Istio sidecar proxy to gain these capabilities, so there was little to no interruption of existing workloads or applications.</p>
|
||
<p>Using the built-in ingress gateway (along with some <code>VirtualService</code> and <code>DestinationRule</code> resources) this post showed how you can easily leverage Istio’s traffic management for cluster-external ingress traffic and cluster-internal service-to-service traffic. This technique is a great example of an incremental approach to adopting Istio, and can be especially useful in real-world cases where Pods are owned by different teams or deployed to different namespaces.</p></description><pubDate>Wed, 21 Nov 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/incremental-traffic-management/</link><author>Sandeep Parikh</author><guid isPermaLink="true">/v1.12/blog/2018/incremental-traffic-management/</guid><category>traffic-management</category><category>gateway</category></item><item><title>Consuming External MongoDB Services</title><description>
|
||
<p>In the <a href="/v1.12/blog/2018/egress-tcp/">Consuming External TCP Services</a> blog post, I described how external services
|
||
can be consumed by in-mesh Istio applications via TCP. In this post, I demonstrate consuming external MongoDB services.
|
||
You use the <a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo sample application</a>, the version in which the book
|
||
ratings data is persisted in a MongoDB database. You deploy this database outside the cluster and configure the
|
||
<em>ratings</em> microservice to use it. You will learn multiple options of controlling traffic to external MongoDB services and their
|
||
pros and cons.</p>
|
||
<h2 id="bookinfo-with-external-ratings-database">Bookinfo with external ratings database</h2>
|
||
<p>First, you set up a MongoDB database instance to hold book ratings data outside of your Kubernetes cluster. Then you
|
||
modify the <a href="/v1.12/docs/examples/bookinfo/">Bookinfo sample application</a> to use your database.</p>
|
||
<h3 id="setting-up-the-ratings-database">Setting up the ratings database</h3>
|
||
<p>For this task you set up an instance of <a href="https://www.mongodb.com">MongoDB</a>. You can use any MongoDB instance; I used
|
||
<a href="https://www.ibm.com/cloud/compose/mongodb">Compose for MongoDB</a>.</p>
|
||
<ol>
|
||
<li><p>Set an environment variable for the password of your <code>admin</code> user. To prevent the password from being preserved in
|
||
the Bash history, remove the command from the history immediately after running the command, using
|
||
<a href="https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins">history -d</a>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MONGO_ADMIN_PASSWORD=&lt;your MongoDB admin password&gt;
|
||
</code></pre></li>
|
||
<li><p>Set an environment variable for the password of the new user you will create, namely <code>bookinfo</code>.
|
||
Remove the command from the history using
|
||
<a href="https://www.gnu.org/software/bash/manual/html_node/Bash-History-Builtins.html#Bash-History-Builtins">history -d</a>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export BOOKINFO_PASSWORD=&lt;password&gt;
|
||
</code></pre></li>
|
||
<li><p>Set environment variables for your MongoDB service, <code>MONGODB_HOST</code> and <code>MONGODB_PORT</code>.</p></li>
|
||
<li><p>Create the <code>bookinfo</code> user:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
|
||
use test
|
||
db.createUser(
|
||
{
|
||
user: &#34;bookinfo&#34;,
|
||
pwd: &#34;$BOOKINFO_PASSWORD&#34;,
|
||
roles: [ &#34;read&#34;]
|
||
}
|
||
);
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create a <em>collection</em> to hold ratings. The following command sets both ratings to be equal <code>1</code> to provide a visual
|
||
clue when your database is used by the Bookinfo <em>ratings</em> service (the default Bookinfo <em>ratings</em> are <code>4</code> and <code>5</code>).</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
|
||
use test
|
||
db.createCollection(&#34;ratings&#34;);
|
||
db.ratings.insert(
|
||
[{rating: 1},
|
||
{rating: 1}]
|
||
);
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Check that <code>bookinfo</code> user can get ratings:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u bookinfo -p $BOOKINFO_PASSWORD --authenticationDatabase test
|
||
use test
|
||
db.ratings.find({});
|
||
EOF
|
||
</code></pre>
|
||
<p>The output should be similar to:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >MongoDB server version: 3.4.10
|
||
switched to db test
|
||
{ &#34;_id&#34; : ObjectId(&#34;5b7c29efd7596e65b6ed2572&#34;), &#34;rating&#34; : 1 }
|
||
{ &#34;_id&#34; : ObjectId(&#34;5b7c29efd7596e65b6ed2573&#34;), &#34;rating&#34; : 1 }
|
||
bye
|
||
</code></pre></li>
|
||
</ol>
|
||
<h3 id="initial-setting-of-bookinfo-application">Initial setting of Bookinfo application</h3>
|
||
<p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with <a href="/v1.12/docs/setup/getting-started/">Istio installed</a>. Then you deploy the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo sample application</a>, <a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">apply the default destination rules</a>, and
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy</a>.</p>
|
||
<p>This application uses the <code>ratings</code> microservice to fetch book ratings, a number between 1 and 5. The ratings are
|
||
displayed as stars for each review. There are several versions of the <code>ratings</code> microservice. You will deploy the
|
||
version that uses <a href="https://www.mongodb.com">MongoDB</a> as the ratings database in the next subsection.</p>
|
||
<p>The example commands in this blog post work with Istio 1.0.</p>
|
||
<p>As a reminder, here is the end-to-end architecture of the application from the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Bookinfo sample application</a>.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
|
||
<a data-skipendnotes="true" href="/v1.12/docs/examples/bookinfo/withistio.svg" title="The original Bookinfo application">
|
||
<img class="element-to-stretch" src="/v1.12/docs/examples/bookinfo/withistio.svg" alt="The original Bookinfo application" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The original Bookinfo application</figcaption>
|
||
</figure>
|
||
<h3 id="use-the-external-database-in-bookinfo-application">Use the external database in Bookinfo application</h3>
|
||
<ol>
|
||
<li><p>Deploy the spec of the <em>ratings</em> microservice that uses a MongoDB database (<em>ratings v2</em>):</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
|
||
serviceaccount &#34;bookinfo-ratings-v2&#34; created
|
||
deployment &#34;ratings-v2&#34; created
|
||
</code></pre></div></li>
|
||
<li><p>Update the <code>MONGO_DB_URL</code> environment variable to the value of your MongoDB:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl set env deployment/ratings-v2 &#34;MONGO_DB_URL=mongodb://bookinfo:$BOOKINFO_PASSWORD@$MONGODB_HOST:$MONGODB_PORT/test?authSource=test&amp;ssl=true&#34;
|
||
deployment.extensions/ratings-v2 env updated
|
||
</code></pre></li>
|
||
<li><p>Route all the traffic destined to the <em>reviews</em> service to its <em>v3</em> version. You do this to ensure that the
|
||
<em>reviews</em> service always calls the <em>ratings</em> service. In addition, route all the traffic destined to the <em>ratings</em>
|
||
service to <em>ratings v2</em> that uses your database.</p>
|
||
<p>Specify the routing for both services above by adding two
|
||
<a href="/v1.12/docs/reference/config/networking/virtual-service/">virtual services</a>. These virtual services are
|
||
specified in <code>samples/bookinfo/networking/virtual-service-ratings-mongodb.yaml</code> of an Istio release archive.
|
||
<strong><em>Important:</em></strong> make sure you
|
||
<a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">applied the default destination rules</a> before running the
|
||
following command.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-ratings-db.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
|
||
</code></pre></div></li>
|
||
</ol>
|
||
<p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
|
||
to the virtual services we added. According to the virtual services, the traffic is sent to <em>reviews v3</em> and
|
||
<em>ratings v2</em>.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.314858206480224%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg" title="The Bookinfo application with ratings v2 and an external MongoDB database">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-mongo/bookinfo-ratings-v2-mongodb-external.svg" alt="The Bookinfo application with ratings v2 and an external MongoDB database" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Bookinfo application with ratings v2 and an external MongoDB database</figcaption>
|
||
</figure>
|
||
<p>Note that the MongoDB database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
|
||
boundary of the service mesh is marked by a dashed line.</p>
|
||
<h3 id="access-the-webpage">Access the webpage</h3>
|
||
<p>Access the webpage of the application, after
|
||
<a href="/v1.12/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port</a>.</p>
|
||
<p>Since you did not configure the egress traffic control yet, the access to the MongoDB service is blocked by Istio.
|
||
This is why instead of the rating stars, the message <em>&ldquo;Ratings service is currently unavailable&rdquo;</em> is currently
|
||
displayed below each review:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18705035971223%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-mongo/errorFetchingBookRating.png" title="The Ratings service error messages">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-mongo/errorFetchingBookRating.png" alt="The Ratings service error messages" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Ratings service error messages</figcaption>
|
||
</figure>
|
||
<p>In the following sections you will configure egress access to the external MongoDB service, using different options for
|
||
egress control in Istio.</p>
|
||
<h2 id="egress-control-for-tcp">Egress control for TCP</h2>
|
||
<p>Since <a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol</a> runs on top of TCP, you
|
||
can control the egress traffic to your MongoDB as traffic to any other <a href="/v1.12/blog/2018/egress-tcp/">external TCP service</a>. To
|
||
control TCP traffic, a block of IPs in the <a href="https://tools.ietf.org/html/rfc2317">CIDR</a> notation that includes the IP
|
||
address of your MongoDB host must be specified. The caveat here is that sometimes the IP of the MongoDB host is not
|
||
stable or known in advance.</p>
|
||
<p>In the cases when the IP of the MongoDB host is not stable, the egress traffic can either be
|
||
<a href="#egress-control-for-tls">controlled as TLS traffic</a>, or the traffic can be routed
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services">directly</a>, bypassing the Istio sidecar
|
||
proxies.</p>
|
||
<p>Get the IP address of your MongoDB database instance. As an option, you can use the
|
||
<a href="https://linux.die.net/man/1/host">host</a> command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MONGODB_IP=$(host $MONGODB_HOST | grep &#34; has address &#34; | cut -d&#34; &#34; -f4)
|
||
</code></pre>
|
||
<h3 id="control-tcp-egress-traffic-without-a-gateway">Control TCP egress traffic without a gateway</h3>
|
||
<p>In case you do not need to direct the traffic through an
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway</a>, for example if you do not have a
|
||
requirement that all the traffic that exists your mesh must exit through the gateway, follow the
|
||
instructions in this section. Alternatively, if you do want to direct your traffic through an egress gateway, proceed to
|
||
<a href="#direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP egress traffic through an egress gateway</a>.</p>
|
||
<ol>
|
||
<li><p>Define a TCP mesh-external service entry:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
hosts:
|
||
- my-mongo.tcp.svc
|
||
addresses:
|
||
- $MONGODB_IP/32
|
||
ports:
|
||
- number: $MONGODB_PORT
|
||
name: tcp
|
||
protocol: TCP
|
||
location: MESH_EXTERNAL
|
||
resolution: STATIC
|
||
endpoints:
|
||
- address: $MONGODB_IP
|
||
EOF
|
||
</code></pre>
|
||
<p>Note that the protocol <code>TCP</code> is specified instead of <code>MONGO</code> due to the fact that the traffic can be encrypted in
|
||
case <a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/">the MongoDB protocol runs on top of TLS</a>.
|
||
If the traffic is encrypted, the encrypted MongoDB protocol cannot be parsed by the Istio proxy.</p>
|
||
<p>If you know that the plain MongoDB protocol is used, without encryption, you can specify the protocol as <code>MONGO</code> and
|
||
let the Istio proxy produce
|
||
<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/mongo_proxy_filter#statistics">MongoDB related statistics</a>.
|
||
Also note that when the protocol <code>TCP</code> is specified, the configuration is not specific for MongoDB, but is the same
|
||
for any other database with the protocol on top of TCP.</p>
|
||
<p>Note that the host of your MongoDB is not used in TCP routing, so you can use any host, for example <code>my-mongo.tcp.svc</code>. Notice the <code>STATIC</code> resolution and the endpoint with the IP of your MongoDB service. Once you define such an endpoint, you can access MongoDB services that do not have a domain name.</p></li>
|
||
<li><p>Refresh the web page of the application. Now the application should display the ratings without error:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.69064748201439%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-mongo/externalDBRatings.png" title="Book Ratings Displayed Correctly">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-mongo/externalDBRatings.png" alt="Book Ratings Displayed Correctly" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Book Ratings Displayed Correctly</figcaption>
|
||
</figure>
|
||
<p>Note that you see a one-star rating for both displayed reviews, as expected. You set the ratings to be one star to
|
||
provide yourself with a visual clue that your external database is indeed being used.</p></li>
|
||
<li><p>If you want to direct the traffic through an egress gateway, proceed to the next section. Otherwise, perform
|
||
<a href="#cleanup-of-tcp-egress-traffic-control">cleanup</a>.</p></li>
|
||
</ol>
|
||
<h3 id="direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP Egress traffic through an egress gateway</h3>
|
||
<p>In this section you handle the case when you need to direct the traffic through an
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway</a>. The sidecar proxy routes TCP
|
||
connections from the MongoDB client to the egress gateway, by matching the IP of the MongoDB host (a CIDR block of
|
||
length 32). The egress gateway forwards the traffic to the MongoDB host, by its hostname.</p>
|
||
<ol>
|
||
<li><p><a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway">Deploy Istio egress gateway</a>.</p></li>
|
||
<li><p>If you did not perform the steps in <a href="#control-tcp-egress-traffic-without-a-gateway">the previous section</a>, perform them now.</p></li>
|
||
<li><p>You may want to enable <span class="term" data-title="Mutual TLS Authentication" data-body="&lt;p&gt;Mutual TLS provides strong service-to-service authentication with built-in identity and credential management.
|
||
&lt;a href=&#34;/docs/concepts/security/#mutual-tls-authentication&#34;&gt;Learn more about mutual TLS authentication&lt;/a&gt;.&lt;/p&gt;
|
||
">mutual TLS Authentication</span> between the sidecar proxies of
|
||
your MongoDB clients and the egress gateway to let the egress gateway monitor the identity of the source pods and to
|
||
enable Mixer policy enforcement based on that identity. By enabling mutual TLS you also encrypt the traffic.
|
||
If you do not want to enable mutual TLS, proceed to the <a href="/v1.12/blog/2018/egress-mongo/#mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway">Mutual TLS between the sidecar proxies and the egress gateway</a> section.
|
||
Otherwise, proceed to the following section.</p></li>
|
||
</ol>
|
||
<h4 id="configure-tcp-traffic-from-sidecars-to-the-egress-gateway">Configure TCP traffic from sidecars to the egress gateway</h4>
|
||
<ol>
|
||
<li><p>Define the <code>EGRESS_GATEWAY_MONGODB_PORT</code> environment variable to hold some port for directing traffic through
|
||
the egress gateway, e.g. <code>7777</code>. You must select a port that is not used for any other service in the mesh.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export EGRESS_GATEWAY_MONGODB_PORT=7777
|
||
</code></pre></li>
|
||
<li><p>Add the selected port to the <code>istio-egressgateway</code> service. You should use the same values you used for installing
|
||
Istio, in particular you have to specify all the ports of the <code>istio-egressgateway</code> service that you previously
|
||
configured.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio/ --name istio-egressgateway --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml --set gateways.istio-ingressgateway.enabled=false --set gateways.istio-egressgateway.enabled=true --set gateways.istio-egressgateway.ports[0].port=80 --set gateways.istio-egressgateway.ports[0].name=http --set gateways.istio-egressgateway.ports[1].port=443 --set gateways.istio-egressgateway.ports[1].name=https --set gateways.istio-egressgateway.ports[2].port=$EGRESS_GATEWAY_MONGODB_PORT --set gateways.istio-egressgateway.ports[2].name=mongo | kubectl apply -f -
|
||
</code></pre></li>
|
||
<li><p>Check that the <code>istio-egressgateway</code> service indeed has the selected port:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get svc istio-egressgateway -n istio-system
|
||
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
|
||
istio-egressgateway ClusterIP 172.21.202.204 &lt;none&gt; 80/TCP,443/TCP,7777/TCP 34d
|
||
</code></pre></li>
|
||
<li><p>Disable mutual TLS authentication for the <code>istio-egressgateway</code> service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: authentication.istio.io/v1alpha1
|
||
kind: Policy
|
||
metadata:
|
||
name: istio-egressgateway
|
||
namespace: istio-system
|
||
spec:
|
||
targets:
|
||
- name: istio-egressgateway
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and a virtual service to direct the
|
||
traffic through the egress gateway and from the egress gateway to the external service.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: istio-egressgateway
|
||
spec:
|
||
selector:
|
||
istio: egressgateway
|
||
servers:
|
||
- port:
|
||
number: $EGRESS_GATEWAY_MONGODB_PORT
|
||
name: tcp
|
||
protocol: TCP
|
||
hosts:
|
||
- my-mongo.tcp.svc
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: egressgateway-for-mongo
|
||
spec:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subsets:
|
||
- name: mongo
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
host: my-mongo.tcp.svc
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-mongo-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- my-mongo.tcp.svc
|
||
gateways:
|
||
- mesh
|
||
- istio-egressgateway
|
||
tcp:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
destinationSubnets:
|
||
- $MONGODB_IP/32
|
||
port: $MONGODB_PORT
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: mongo
|
||
port:
|
||
number: $EGRESS_GATEWAY_MONGODB_PORT
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: $EGRESS_GATEWAY_MONGODB_PORT
|
||
route:
|
||
- destination:
|
||
host: my-mongo.tcp.svc
|
||
port:
|
||
number: $MONGODB_PORT
|
||
weight: 100
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p><a href="#verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that egress traffic is directed through the egress gateway</a>.</p></li>
|
||
</ol>
|
||
<h4 id="mutual-tls-between-the-sidecar-proxies-and-the-egress-gateway">Mutual TLS between the sidecar proxies and the egress gateway</h4>
|
||
<ol>
|
||
<li><p>Delete the previous configuration:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
|
||
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
|
||
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
|
||
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
|
||
</code></pre></li>
|
||
<li><p>Enforce mutual TLS authentication for the <code>istio-egressgateway</code> service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: authentication.istio.io/v1alpha1
|
||
kind: Policy
|
||
metadata:
|
||
name: istio-egressgateway
|
||
namespace: istio-system
|
||
spec:
|
||
targets:
|
||
- name: istio-egressgateway
|
||
peers:
|
||
- mtls: {}
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and a virtual service
|
||
to direct the traffic through the egress gateway and from the egress gateway to the external service.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: istio-egressgateway
|
||
spec:
|
||
selector:
|
||
istio: egressgateway
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
hosts:
|
||
- my-mongo.tcp.svc
|
||
tls:
|
||
mode: MUTUAL
|
||
serverCertificate: /etc/certs/cert-chain.pem
|
||
privateKey: /etc/certs/key.pem
|
||
caCertificates: /etc/certs/root-cert.pem
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: egressgateway-for-mongo
|
||
spec:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subsets:
|
||
- name: mongo
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
portLevelSettings:
|
||
- port:
|
||
number: 443
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
sni: my-mongo.tcp.svc
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
host: my-mongo.tcp.svc
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-mongo-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- my-mongo.tcp.svc
|
||
gateways:
|
||
- mesh
|
||
- istio-egressgateway
|
||
tcp:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
destinationSubnets:
|
||
- $MONGODB_IP/32
|
||
port: $MONGODB_PORT
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: mongo
|
||
port:
|
||
number: 443
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: 443
|
||
route:
|
||
- destination:
|
||
host: my-mongo.tcp.svc
|
||
port:
|
||
number: $MONGODB_PORT
|
||
weight: 100
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Proceed to the next section.</p></li>
|
||
</ol>
|
||
<h4 id="verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that egress traffic is directed through the egress gateway</h4>
|
||
<ol>
|
||
<li><p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.</p></li>
|
||
<li><p><a href="/v1.12/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoy’s access logging</a></p></li>
|
||
<li><p>Check the log of the egress gateway&rsquo;s Envoy and see a line that corresponds to your
|
||
requests to the MongoDB service. If Istio is deployed in the <code>istio-system</code> namespace, the command to print the
|
||
log is:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway -n istio-system
|
||
[2019-04-14T06:12:07.636Z] &#34;- - -&#34; 0 - &#34;-&#34; 1591 4393 94 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;&lt;Your MongoDB IP&gt;:&lt;your MongoDB port&gt;&#34; outbound|&lt;your MongoDB port&gt;||my-mongo.tcp.svc 172.30.146.119:59924 172.30.146.119:443 172.30.230.1:59206 -
|
||
</code></pre></li>
|
||
</ol>
|
||
<h3 id="cleanup-of-tcp-egress-traffic-control">Cleanup of TCP egress traffic control</h3>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
|
||
$ kubectl delete gateway istio-egressgateway --ignore-not-found=true
|
||
$ kubectl delete virtualservice direct-mongo-through-egress-gateway --ignore-not-found=true
|
||
$ kubectl delete destinationrule egressgateway-for-mongo mongo --ignore-not-found=true
|
||
$ kubectl delete policy istio-egressgateway -n istio-system --ignore-not-found=true
|
||
</code></pre>
|
||
<h2 id="egress-control-for-tls">Egress control for TLS</h2>
|
||
<p>In the real life, most of the communication to the external services must be encrypted and
|
||
<a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/">the MongoDB protocol runs on top of TLS</a>.
|
||
Also, the TLS clients usually send
|
||
<a href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication</a>, SNI, as part of their handshake. If your
|
||
MongoDB server runs TLS and your MongoDB client sends SNI as part of the handshake, you can control your MongoDB egress
|
||
traffic as any other TLS-with-SNI traffic. With TLS and SNI, you do not need to specify the IP addresses of your MongoDB
|
||
servers. You specify their host names instead, which is more convenient since you do not have to rely on the stability of
|
||
the IP addresses. You can also specify wildcards as a prefix of the host names, for example allowing access to any
|
||
server from the <code>*.com</code> domain.</p>
|
||
<p>To check if your MongoDB server supports TLS, run:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ openssl s_client -connect $MONGODB_HOST:$MONGODB_PORT -servername $MONGODB_HOST
|
||
</code></pre>
|
||
<p>If the command above prints a certificate returned by the server, the server supports TLS. If not, you have to control
|
||
your MongoDB egress traffic on the TCP level, as described in the previous sections.</p>
|
||
<h3 id="control-tls-egress-traffic-without-a-gateway">Control TLS egress traffic without a gateway</h3>
|
||
<p>In case you <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#use-case">do not need an egress gateway</a>, follow the
|
||
instructions in this section. If you want to direct your traffic through an egress gateway, proceed to
|
||
<a href="#direct-tcp-egress-traffic-through-an-egress-gateway">Direct TCP Egress traffic through an egress gateway</a>.</p>
|
||
<ol>
|
||
<li><p>Create a <code>ServiceEntry</code> for the MongoDB service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
ports:
|
||
- number: $MONGODB_PORT
|
||
name: tls
|
||
protocol: TLS
|
||
resolution: DNS
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Refresh the web page of the application. The application should display the ratings without error.</p></li>
|
||
</ol>
|
||
<h4 id="cleanup-of-the-egress-configuration-for-tls">Cleanup of the egress configuration for TLS</h4>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
|
||
</code></pre>
|
||
<h3 id="direct-tls-egress-traffic-through-an-egress-gateway">Direct TLS Egress traffic through an egress gateway</h3>
|
||
<p>In this section you handle the case when you need to direct the traffic through an
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#use-case">egress gateway</a>. The sidecar proxy routes TLS
|
||
connections from the MongoDB client to the egress gateway, by matching the SNI of the MongoDB host.
|
||
The egress gateway forwards the traffic to the MongoDB host. Note that the sidecar proxy rewrites the destination port
|
||
to be 443. The egress gateway accepts the MongoDB traffic on the port 443, matches the MongoDB host by SNI, and rewrites
|
||
the port again to be the port of the MongoDB server.</p>
|
||
<ol>
|
||
<li><p><a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway">Deploy Istio egress gateway</a>.</p></li>
|
||
<li><p>Create a <code>ServiceEntry</code> for the MongoDB service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
ports:
|
||
- number: $MONGODB_PORT
|
||
name: tls
|
||
protocol: TLS
|
||
- number: 443
|
||
name: tls-port-for-egress-gateway
|
||
protocol: TLS
|
||
resolution: DNS
|
||
location: MESH_EXTERNAL
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Refresh the web page of the application and verify that the ratings are displayed correctly.</p></li>
|
||
<li><p>Create an egress <code>Gateway</code> for your MongoDB service, and destination rules and virtual services
|
||
to direct the traffic through the egress gateway and from the egress gateway to the external service.</p>
|
||
<p>If you want to enable <a href="/v1.12/docs/tasks/security/authentication/authn-policy/">mutual TLS Authentication</a> between the sidecar proxies of
|
||
your application pods and the egress gateway, use the following command. (You may want to enable mutual TLS to let
|
||
the egress gateway monitor the identity of the source pods and to enable Mixer policy enforcement based on that
|
||
identity.)</p>
|
||
<div id="tabset-blog-2018-egress-mongo-1" role="tablist" class="tabset ">
|
||
<div class="tab-strip" data-category-name="mtls" ><button aria-selected="true" data-category-value="enabled"
|
||
aria-controls="tabset-blog-2018-egress-mongo-1-0-panel" id="tabset-blog-2018-egress-mongo-1-0-tab" role="tab"><span>mutual TLS enabled</span>
|
||
</button><button tabindex="-1" data-category-value="disabled"
|
||
aria-controls="tabset-blog-2018-egress-mongo-1-1-panel" id="tabset-blog-2018-egress-mongo-1-1-tab" role="tab"><span>mutual TLS disabled</span>
|
||
</button></div>
|
||
<div class="tab-content"><div id="tabset-blog-2018-egress-mongo-1-0-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2018-egress-mongo-1-0-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: istio-egressgateway
|
||
spec:
|
||
selector:
|
||
istio: egressgateway
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
tls:
|
||
mode: MUTUAL
|
||
serverCertificate: /etc/certs/cert-chain.pem
|
||
privateKey: /etc/certs/key.pem
|
||
caCertificates: /etc/certs/root-cert.pem
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: egressgateway-for-mongo
|
||
spec:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subsets:
|
||
- name: mongo
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
portLevelSettings:
|
||
- port:
|
||
number: 443
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
sni: $MONGODB_HOST
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-mongo-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
gateways:
|
||
- mesh
|
||
- istio-egressgateway
|
||
tls:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: $MONGODB_PORT
|
||
sni_hosts:
|
||
- $MONGODB_HOST
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: mongo
|
||
port:
|
||
number: 443
|
||
tcp:
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: 443
|
||
route:
|
||
- destination:
|
||
host: $MONGODB_HOST
|
||
port:
|
||
number: $MONGODB_PORT
|
||
weight: 100
|
||
EOF
|
||
</code></pre>
|
||
</div><div hidden id="tabset-blog-2018-egress-mongo-1-1-panel" role="tabpanel" tabindex="0" aria-labelledby="tabset-blog-2018-egress-mongo-1-1-tab">
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: istio-egressgateway
|
||
spec:
|
||
selector:
|
||
istio: egressgateway
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
tls:
|
||
mode: PASSTHROUGH
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: egressgateway-for-mongo
|
||
spec:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subsets:
|
||
- name: mongo
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-mongo-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- $MONGODB_HOST
|
||
gateways:
|
||
- mesh
|
||
- istio-egressgateway
|
||
tls:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: $MONGODB_PORT
|
||
sni_hosts:
|
||
- $MONGODB_HOST
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: mongo
|
||
port:
|
||
number: 443
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: 443
|
||
sni_hosts:
|
||
- $MONGODB_HOST
|
||
route:
|
||
- destination:
|
||
host: $MONGODB_HOST
|
||
port:
|
||
number: $MONGODB_PORT
|
||
weight: 100
|
||
EOF
|
||
</code></pre>
|
||
</div></div>
|
||
</div>
|
||
</li>
|
||
<li><p><a href="#verify-that-egress-traffic-is-directed-through-the-egress-gateway">Verify that the traffic is directed though the egress gateway</a></p></li>
|
||
</ol>
|
||
<h4 id="cleanup-directing-tls-egress-traffic-through-an-egress-gateway">Cleanup directing TLS egress traffic through an egress gateway</h4>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
|
||
$ kubectl delete gateway istio-egressgateway
|
||
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
|
||
$ kubectl delete destinationrule egressgateway-for-mongo
|
||
</code></pre>
|
||
<h3 id="enable-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains">Enable MongoDB TLS egress traffic to arbitrary wildcarded domains</h3>
|
||
<p>Sometimes you want to configure egress traffic to multiple hostnames from the same domain, for example traffic to all
|
||
MongoDB services from <code>*.&lt;your company domain&gt;.com</code>. You do not want to create multiple configuration items, one for
|
||
each and every MongoDB service in your company. To configure access to all the external services from the same domain by
|
||
a single configuration, you use <em>wildcarded</em> hosts.</p>
|
||
<p>In this section you configure egress traffic for a wildcarded domain. I used a MongoDB instance at <code>composedb.com</code>
|
||
domain, so configuring egress traffic for <code>*.com</code> worked for me (I could have used <code>*.composedb.com</code> as well).
|
||
You can pick a wildcarded domain according to your MongoDB host.</p>
|
||
<p>To configure egress gateway traffic for a wildcarded domain, you will first need to deploy a custom egress
|
||
gateway with
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/wildcard-egress-hosts/#wildcard-configuration-for-arbitrary-domains">an additional SNI proxy</a>.
|
||
This is needed due to current limitations of Envoy, the proxy used by the standard Istio egress gateway.</p>
|
||
<h4 id="prepare-a-new-egress-gateway-with-an-sni-proxy">Prepare a new egress gateway with an SNI proxy</h4>
|
||
<p>In this subsection you deploy an egress gateway with an SNI proxy, in addition to the standard Istio Envoy proxy. You
|
||
can use any SNI proxy that is capable of routing traffic according to arbitrary, not-preconfigured SNI values; we used
|
||
<a href="http://nginx.org">Nginx</a> to achieve this functionality.</p>
|
||
<ol>
|
||
<li><p>Create a configuration file for the Nginx SNI proxy. You may want to edit the file to specify additional Nginx
|
||
settings, if required.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF &gt; ./sni-proxy.conf
|
||
user www-data;
|
||
events {
|
||
}
|
||
stream {
|
||
log_format log_stream &#39;\$remote_addr [\$time_local] \$protocol [\$ssl_preread_server_name]&#39;
|
||
&#39;\$status \$bytes_sent \$bytes_received \$session_time&#39;;
|
||
access_log /var/log/nginx/access.log log_stream;
|
||
error_log /var/log/nginx/error.log;
|
||
# tcp forward proxy by SNI
|
||
server {
|
||
resolver 8.8.8.8 ipv6=off;
|
||
listen 127.0.0.1:$MONGODB_PORT;
|
||
proxy_pass \$ssl_preread_server_name:$MONGODB_PORT;
|
||
ssl_preread on;
|
||
}
|
||
}
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create a Kubernetes <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/">ConfigMap</a>
|
||
to hold the configuration of the Nginx SNI proxy:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl create configmap egress-sni-proxy-configmap -n istio-system --from-file=nginx.conf=./sni-proxy.conf
|
||
</code></pre></li>
|
||
<li><p>The following command will generate <code>istio-egressgateway-with-sni-proxy.yaml</code> to edit and deploy.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | helm template install/kubernetes/helm/istio/ --name istio-egressgateway-with-sni-proxy --namespace istio-system -x charts/gateways/templates/deployment.yaml -x charts/gateways/templates/service.yaml -x charts/gateways/templates/serviceaccount.yaml -x charts/gateways/templates/autoscale.yaml -x charts/gateways/templates/role.yaml -x charts/gateways/templates/rolebindings.yaml --set global.mtls.enabled=true --set global.istioNamespace=istio-system -f - &gt; ./istio-egressgateway-with-sni-proxy.yaml
|
||
gateways:
|
||
enabled: true
|
||
istio-ingressgateway:
|
||
enabled: false
|
||
istio-egressgateway:
|
||
enabled: false
|
||
istio-egressgateway-with-sni-proxy:
|
||
enabled: true
|
||
labels:
|
||
app: istio-egressgateway-with-sni-proxy
|
||
istio: egressgateway-with-sni-proxy
|
||
replicaCount: 1
|
||
autoscaleMin: 1
|
||
autoscaleMax: 5
|
||
cpu:
|
||
targetAverageUtilization: 80
|
||
serviceAnnotations: {}
|
||
type: ClusterIP
|
||
ports:
|
||
- port: 443
|
||
name: https
|
||
secretVolumes:
|
||
- name: egressgateway-certs
|
||
secretName: istio-egressgateway-certs
|
||
mountPath: /etc/istio/egressgateway-certs
|
||
- name: egressgateway-ca-certs
|
||
secretName: istio-egressgateway-ca-certs
|
||
mountPath: /etc/istio/egressgateway-ca-certs
|
||
configVolumes:
|
||
- name: sni-proxy-config
|
||
configMapName: egress-sni-proxy-configmap
|
||
additionalContainers:
|
||
- name: sni-proxy
|
||
image: nginx
|
||
volumeMounts:
|
||
- name: sni-proxy-config
|
||
mountPath: /etc/nginx
|
||
readOnly: true
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Deploy the new egress gateway:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f ./istio-egressgateway-with-sni-proxy.yaml
|
||
serviceaccount &#34;istio-egressgateway-with-sni-proxy-service-account&#34; created
|
||
role &#34;istio-egressgateway-with-sni-proxy-istio-system&#34; created
|
||
rolebinding &#34;istio-egressgateway-with-sni-proxy-istio-system&#34; created
|
||
service &#34;istio-egressgateway-with-sni-proxy&#34; created
|
||
deployment &#34;istio-egressgateway-with-sni-proxy&#34; created
|
||
horizontalpodautoscaler &#34;istio-egressgateway-with-sni-proxy&#34; created
|
||
</code></pre></li>
|
||
<li><p>Verify that the new egress gateway is running. Note that the pod has two containers (one is the Envoy proxy and the
|
||
second one is the SNI proxy).</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pod -l istio=egressgateway-with-sni-proxy -n istio-system
|
||
NAME READY STATUS RESTARTS AGE
|
||
istio-egressgateway-with-sni-proxy-79f6744569-pf9t2 2/2 Running 0 17s
|
||
</code></pre></li>
|
||
<li><p>Create a service entry with a static address equal to 127.0.0.1 (<code>localhost</code>), and disable mutual TLS on the traffic directed to the new
|
||
service entry:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: sni-proxy
|
||
spec:
|
||
hosts:
|
||
- sni-proxy.local
|
||
location: MESH_EXTERNAL
|
||
ports:
|
||
- number: $MONGODB_PORT
|
||
name: tcp
|
||
protocol: TCP
|
||
resolution: STATIC
|
||
endpoints:
|
||
- address: 127.0.0.1
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: disable-mtls-for-sni-proxy
|
||
spec:
|
||
host: sni-proxy.local
|
||
trafficPolicy:
|
||
tls:
|
||
mode: DISABLE
|
||
EOF
|
||
</code></pre></li>
|
||
</ol>
|
||
<h4 id="configure-access-to-com-using-the-new-egress-gateway">Configure access to <code>*.com</code> using the new egress gateway</h4>
|
||
<ol>
|
||
<li><p>Define a <code>ServiceEntry</code> for <code>*.com</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl create -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: mongo
|
||
spec:
|
||
hosts:
|
||
- &#34;*.com&#34;
|
||
ports:
|
||
- number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
- number: $MONGODB_PORT
|
||
name: tls-mongodb
|
||
protocol: TLS
|
||
location: MESH_EXTERNAL
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Create an egress <code>Gateway</code> for <em>*.com</em>, port 443, protocol TLS, a destination rule to set the
|
||
<a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> for the gateway, and Envoy filters to prevent tampering
|
||
with SNI by a malicious application (the filters verify that the SNI issued by the application is the SNI reported
|
||
to Mixer).</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: istio-egressgateway-with-sni-proxy
|
||
spec:
|
||
selector:
|
||
istio: egressgateway-with-sni-proxy
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: tls
|
||
protocol: TLS
|
||
hosts:
|
||
- &#34;*.com&#34;
|
||
tls:
|
||
mode: MUTUAL
|
||
serverCertificate: /etc/certs/cert-chain.pem
|
||
privateKey: /etc/certs/key.pem
|
||
caCertificates: /etc/certs/root-cert.pem
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: mtls-for-egress-gateway
|
||
spec:
|
||
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
|
||
subsets:
|
||
- name: mongo
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
portLevelSettings:
|
||
- port:
|
||
number: 443
|
||
tls:
|
||
mode: ISTIO_MUTUAL
|
||
---
|
||
# The following filter is used to forward the original SNI (sent by the application) as the SNI of the mutual TLS
|
||
# connection.
|
||
# The forwarded SNI will be reported to Mixer so that policies will be enforced based on the original SNI value.
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: EnvoyFilter
|
||
metadata:
|
||
name: forward-downstream-sni
|
||
spec:
|
||
filters:
|
||
- listenerMatch:
|
||
portNumber: $MONGODB_PORT
|
||
listenerType: SIDECAR_OUTBOUND
|
||
filterName: forward_downstream_sni
|
||
filterType: NETWORK
|
||
filterConfig: {}
|
||
---
|
||
# The following filter verifies that the SNI of the mutual TLS connection (the SNI reported to Mixer) is
|
||
# identical to the original SNI issued by the application (the SNI used for routing by the SNI proxy).
|
||
# The filter prevents Mixer from being deceived by a malicious application: routing to one SNI while
|
||
# reporting some other value of SNI. If the original SNI does not match the SNI of the mutual TLS connection, the
|
||
# filter will block the connection to the external service.
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: EnvoyFilter
|
||
metadata:
|
||
name: egress-gateway-sni-verifier
|
||
spec:
|
||
workloadLabels:
|
||
app: istio-egressgateway-with-sni-proxy
|
||
filters:
|
||
- listenerMatch:
|
||
portNumber: 443
|
||
listenerType: GATEWAY
|
||
filterName: sni_verifier
|
||
filterType: NETWORK
|
||
filterConfig: {}
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Route the traffic destined for <em>*.com</em> to the egress gateway and from the egress gateway to the SNI proxy.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-mongo-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- &#34;*.com&#34;
|
||
gateways:
|
||
- mesh
|
||
- istio-egressgateway-with-sni-proxy
|
||
tls:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: $MONGODB_PORT
|
||
sni_hosts:
|
||
- &#34;*.com&#34;
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway-with-sni-proxy.istio-system.svc.cluster.local
|
||
subset: mongo
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
tcp:
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway-with-sni-proxy
|
||
port: 443
|
||
route:
|
||
- destination:
|
||
host: sni-proxy.local
|
||
port:
|
||
number: $MONGODB_PORT
|
||
weight: 100
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Refresh the web page of the application again and verify that the ratings are still displayed correctly.</p></li>
|
||
<li><p><a href="/v1.12/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoy’s access logging</a></p></li>
|
||
<li><p>Check the log of the egress gateway&rsquo;s Envoy proxy. If Istio is deployed in the <code>istio-system</code> namespace, the command
|
||
to print the log is:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway-with-sni-proxy -c istio-proxy -n istio-system
|
||
</code></pre>
|
||
<p>You should see lines similar to the following:</p>
|
||
<pre><code class='language-plain' data-expandlinks='true' data-repo='istio' >[2019-01-02T17:22:04.602Z] &#34;- - -&#34; 0 - 768 1863 88 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;127.0.0.1:28543&#34; outbound|28543||sni-proxy.local 127.0.0.1:49976 172.30.146.115:443 172.30.146.118:58510 &lt;your MongoDB host&gt;
|
||
[2019-01-02T17:22:04.713Z] &#34;- - -&#34; 0 - 1534 2590 85 - &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;-&#34; &#34;127.0.0.1:28543&#34; outbound|28543||sni-proxy.local 127.0.0.1:49988 172.30.146.115:443 172.30.146.118:58522 &lt;your MongoDB host&gt;
|
||
</code></pre></li>
|
||
<li><p>Check the logs of the SNI proxy. If Istio is deployed in the <code>istio-system</code> namespace, the command to print the
|
||
log is:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs -l istio=egressgateway-with-sni-proxy -n istio-system -c sni-proxy
|
||
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&lt;your MongoDB host&gt;]200 1863 482 0.089
|
||
127.0.0.1 [23/Aug/2018:03:28:18 +0000] TCP [&lt;your MongoDB host&gt;]200 2590 1248 0.095
|
||
</code></pre></li>
|
||
</ol>
|
||
<h4 id="understanding-what-happened">Understanding what happened</h4>
|
||
<p>In this section you configured egress traffic to your MongoDB host using a wildcarded domain. While for a single MongoDB
|
||
host there is no gain in using wildcarded domains (an exact hostname can be specified), it could be beneficial for
|
||
cases when the applications in the cluster access multiple MongoDB hosts that match some wildcarded domain. For example,
|
||
if the applications access <code>mongodb1.composedb.com</code>, <code>mongodb2.composedb.com</code> and <code>mongodb3.composedb.com</code>, the egress
|
||
traffic can be configured by a single configuration for the wildcarded domain <code>*.composedb.com</code>.</p>
|
||
<p>I will leave it as an exercise for the reader to verify that no additional Istio configuration is required when you
|
||
configure an app to use another instance of MongoDB with a hostname that matches the wildcarded domain used in this
|
||
section.</p>
|
||
<h4 id="cleanup-of-configuration-for-mongodb-tls-egress-traffic-to-arbitrary-wildcarded-domains">Cleanup of configuration for MongoDB TLS egress traffic to arbitrary wildcarded domains</h4>
|
||
<ol>
|
||
<li><p>Delete the configuration items for <em>*.com</em>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mongo
|
||
$ kubectl delete gateway istio-egressgateway-with-sni-proxy
|
||
$ kubectl delete virtualservice direct-mongo-through-egress-gateway
|
||
$ kubectl delete destinationrule mtls-for-egress-gateway
|
||
$ kubectl delete envoyfilter forward-downstream-sni egress-gateway-sni-verifier
|
||
</code></pre></li>
|
||
<li><p>Delete the configuration items for the <code>egressgateway-with-sni-proxy</code> deployment:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry sni-proxy
|
||
$ kubectl delete destinationrule disable-mtls-for-sni-proxy
|
||
$ kubectl delete -f ./istio-egressgateway-with-sni-proxy.yaml
|
||
$ kubectl delete configmap egress-sni-proxy-configmap -n istio-system
|
||
</code></pre></li>
|
||
<li><p>Remove the configuration files you created:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ rm ./istio-egressgateway-with-sni-proxy.yaml
|
||
$ rm ./nginx-sni-proxy.conf
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<ol>
|
||
<li><p>Drop the <code>bookinfo</code> user:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
|
||
use test
|
||
db.dropUser(&#34;bookinfo&#34;);
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Drop the <em>ratings</em> collection:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | mongo --ssl --sslAllowInvalidCertificates $MONGODB_HOST:$MONGODB_PORT -u admin -p $MONGO_ADMIN_PASSWORD --authenticationDatabase admin
|
||
use test
|
||
db.ratings.drop();
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Unset the environment variables you used:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ unset MONGO_ADMIN_PASSWORD BOOKINFO_PASSWORD MONGODB_HOST MONGODB_PORT MONGODB_IP
|
||
</code></pre></li>
|
||
<li><p>Remove the virtual services:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-ratings-db.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
|
||
Deleted config: virtual-service/default/reviews
|
||
Deleted config: virtual-service/default/ratings
|
||
</code></pre></div></li>
|
||
<li><p>Undeploy <em>ratings v2-mongodb</em>:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
|
||
deployment &#34;ratings-v2&#34; deleted
|
||
</code></pre></div></li>
|
||
</ol>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>In this blog post I demonstrated various options for MongoDB egress traffic control. You can control the MongoDB egress
|
||
traffic on a TCP or TLS level where applicable. In both TCP and TLS cases, you can direct the traffic from the sidecar
|
||
proxies directly to the external MongoDB host, or direct the traffic through an egress gateway, according to your
|
||
organization&rsquo;s security requirements. In the latter case, you can also decide to apply or disable mutual TLS
|
||
authentication between the sidecar proxies and the egress gateway. If you want to control MongoDB egress traffic on the
|
||
TLS level by specifying wildcarded domains like <code>*.com</code> and you need to direct the traffic through the egress gateway,
|
||
you must deploy a custom egress gateway with an SNI proxy.</p>
|
||
<p>Note that the configuration and considerations described in this blog post for MongoDB are rather the same for other
|
||
non-HTTP protocols on top of TCP/TLS.</p></description><pubDate>Fri, 16 Nov 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/egress-mongo/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.12/blog/2018/egress-mongo/</guid><category>traffic-management</category><category>egress</category><category>tcp</category><category>mongo</category></item><item><title>All Day Istio Twitch Stream</title><description>
|
||
<p>To celebrate the 1.0 release and to promote the software to a wider audience, the Istio community is hosting an all day live stream on Twitch on August 17th.</p>
|
||
<h2 id="what-is-twitch">What is Twitch?</h2>
|
||
<p><a href="https://twitch.tv/">Twitch</a> is a popular video gaming live streaming platform and recently has seen a lot of coding content showing up. The IBM Advocates have been doing live coding and presentations there and it&rsquo;s been fun. While mostly used for gaming content, there is a <a href="https://www.twitch.tv/communities/programming">growing community</a> sharing and watching programming content on the site.</p>
|
||
<h2 id="what-does-this-have-to-do-with-istio">What does this have to do with Istio?</h2>
|
||
<p>The stream is going to be a full day of Istio content. Hopefully we&rsquo;ll have a good mix of deep technical content, beginner content and line-of-business content for our audience. We&rsquo;ll have developers, users, and evangelists on throughout the day to share their demos and stories. Expect live coding, q and a, and some surprises. We have stellar guests lined up from IBM, Google, Datadog, Pivotal, and more!</p>
|
||
<h2 id="recordings">Recordings</h2>
|
||
<p>Recordings are available <a href="https://www.youtube.com/playlist?list=PLzpeuWUENMK0V3dwpx5gPJun-SLG0USqU">here</a>.</p>
|
||
<h2 id="schedule">Schedule</h2>
|
||
<p>All times are <code>PDT</code>.</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>Time</th>
|
||
<th>Speaker</th>
|
||
<th>Affiliation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>10:00 - 10:30</td>
|
||
<td><code>Spencer Krum + Lisa-Marie Namphy</code></td>
|
||
<td><code>IBM / Portworx</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>10:30 - 11:00</td>
|
||
<td><code>Lin Sun / Spencer Krum / Sven Mawson</code></td>
|
||
<td><code>IBM / Google</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>11:00 - 11:10</td>
|
||
<td><code>Lin Sun / Spencer Krum</code></td>
|
||
<td><code>IBM</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>11:10 - 11:30</td>
|
||
<td><code>Jason Yee / Ilan Rabinovich</code></td>
|
||
<td><code>Datadog</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>11:30 - 11:50</td>
|
||
<td><code>April Nassl</code></td>
|
||
<td><code>Google</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>11:50 - 12:10</td>
|
||
<td><code>Spike Curtis</code></td>
|
||
<td><code>Tigera</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>12:10 - 12:30</td>
|
||
<td><code>Shannon Coen</code></td>
|
||
<td><code>Pivotal</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>12:30 - 1:00</td>
|
||
<td><code>Matt Klein</code></td>
|
||
<td><code>Lyft</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>1:00 - 1:20</td>
|
||
<td><code>Zach Jory</code></td>
|
||
<td><code>F5/Aspen Mesh</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>1:20 - 1:40</td>
|
||
<td><code>Dan Ciruli</code></td>
|
||
<td><code>Google</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>1:40 - 2:00</td>
|
||
<td><code>Isaiah Snell-Feikema</code> / <code>Greg Hanson</code></td>
|
||
<td><code>IBM</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>2:00 - 2:20</td>
|
||
<td><code>Zach Butcher</code></td>
|
||
<td><code>Tetrate</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>2:20 - 2:40</td>
|
||
<td><code>Ray Hudaihed</code></td>
|
||
<td><code>American Airlines</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>2:40 - 3:00</td>
|
||
<td><code>Christian Posta</code></td>
|
||
<td><code>Red Hat</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>3:00 - 3:20</td>
|
||
<td><code>Google/IBM China</code></td>
|
||
<td><code>Google / IBM</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>3:20 - 3:40</td>
|
||
<td><code>Colby Dyess</code></td>
|
||
<td><code>Tuffin</code></td>
|
||
</tr>
|
||
<tr>
|
||
<td>3:40 - 4:00</td>
|
||
<td><code>Rohit Agarwalla</code></td>
|
||
<td><code>Cisco</code></td>
|
||
</tr>
|
||
</tbody>
|
||
</table></description><pubDate>Fri, 03 Aug 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/istio-twitch-stream/</link><author>Spencer Krum, IBM</author><guid isPermaLink="true">/v1.12/blog/2018/istio-twitch-stream/</guid></item><item><title>Istio a Game Changer for HP's FitStation Platform</title><description><p>The FitStation team at HP strongly believes in the future of Kubernetes, BPF and service-mesh as the next standards in cloud infrastructure. We are also very happy to see Istio coming to its official Istio 1.0 release &ndash; thanks to the joint collaboration that started at Google, IBM and Lyft beginning in May 2017.</p>
|
||
<p>Throughout the development of FitStation’s large scale and progressive cloud platform, Istio, Cilium and Kubernetes technologies have delivered a multitude of opportunities to make our systems more robust and scalable. Istio was a game changer in creating reliable and dynamic network communication.</p>
|
||
<p><a href="http://www.fitstation.com">FitStation powered by HP</a> is a technology platform that captures 3D biometric data to design personalized footwear to perfectly fit individual foot size and shape as well as gait profile. It uses 3D scanning, pressure sensing, 3D printing and variable density injection molding to create unique footwear. Footwear brands such as Brooks, Steitz Secura or Superfeet are connecting to FitStation to build their next generation of high performance sports, professional and medical shoes.</p>
|
||
<p>FitStation is built on the promise of ultimate security and privacy for users&rsquo; biometric data. ISTIO is the cornerstone to make that possible for data-at-flight within our cloud. By managing these aspects at the infrastructure level, we focused on solving business problems instead of spending time on individual implementations of secure service communication. Using Istio allowed us to dramatically reduce the complexity of maintaining a multitude of libraries and services to provide secure service communication.</p>
|
||
<p>As a bonus benefit of Istio 1.0, we gained network visibility, metrics and tracing out of the box. This radically improved decision-making and response quality for our development
|
||
and devops teams. The team got in-depth insight in the network communication across the entire platform, both for new as well as legacy applications. The integration of Cilium
|
||
with Envoy delivered a remarkable performance benefit on Istio service mesh communication, combined with a fine-grained kernel driven L7 network security layer. This was due to the powers of BPF brought to Istio by Cilium. We believe this will drive the future of Linux kernel security.</p>
|
||
<p>It has been very exciting to follow Istio’s growth. We have been able to see clear improvements of performance and stability over the different development versions. The improvements between version 0.7 and 0.8 made our teams feel comfortable with version 1.0, we can state that Istio is now ready for real production usage.</p>
|
||
<p>We are looking forward to the promising roadmaps of Istio, Envoy, Cilium and CNCF.</p></description><pubDate>Tue, 31 Jul 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/hp/</link><author>Steven Ceuppens, Chief Software Architect @ HP FitStation, Open Source Advocate & Contributor</author><guid isPermaLink="true">/v1.12/blog/2018/hp/</guid></item><item><title>Delayering Istio with AppSwitch</title><description>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">All problems in computer science can be solved with another layer, except of course the problem of too many layers. &ndash; David Wheeler</div>
|
||
</aside>
|
||
</div>
|
||
<p>The sidecar proxy approach enables a lot of awesomeness. Squarely in the datapath between microservices, the sidecar can precisely tell what the application is trying to do. It can monitor and instrument protocol traffic, not in the bowels of the networking layers but at the application level, to enable deep visibility, access controls and traffic management.</p>
|
||
<p>If we look closely however, there are many intermediate layers that the data has to pass through before the high-value analysis of application-traffic can be performed. Most of those layers are part of the base plumbing infrastructure that are there just to push the data along. In doing so, they add latency to communication and complexity to the overall system.</p>
|
||
<p>Over the years, there has been much collective effort in implementing aggressive fine-grained optimizations within the layers of the network datapath. Each iteration may shave another few microseconds. But then the true necessity of those layers itself has not been questioned.</p>
|
||
<h2 id="don-t-optimize-layers-remove-them">Don’t optimize layers, remove them</h2>
|
||
<p>In my belief, optimizing something is a poor fallback to removing its requirement altogether. That was the goal of my initial work (broken link: <code>https://apporbit.com/a-brief-history-of-containers-from-reality-to-hype/</code>) on OS-level virtualization that led to Linux containers which effectively <a href="https://www.oreilly.com/ideas/the-unwelcome-guest-why-vms-arent-the-solution-for-next-gen-applications">removed virtual machines</a> by running applications directly on the host operating system without requiring an intermediate guest. For a long time the industry was fighting the wrong battle distracted by optimizing VMs rather than removing the additional layer altogether.</p>
|
||
<p>I see the same pattern repeat itself with the connectivity of microservices, and networking in general. The network has been going through the changes that physical servers have gone through a decade earlier. New set of layers and constructs are being introduced. They are being baked deep into the protocol stack and even silicon without adequately considering low-touch alternatives. Perhaps there is a way to remove those additional layers altogether.</p>
|
||
<p>I have been thinking about these problems for some time and believe that an approach similar in concept to containers can be applied to the network stack that would fundamentally simplify how application endpoints are connected across the complexity of many intermediate layers. I have reapplied the same principles from the original work on containers to create <a href="http://appswitch.io">AppSwitch</a>. Similar to the way containers provide an interface that applications can directly consume, AppSwitch plugs directly into well-defined and ubiquitous network API that applications currently use and directly connects application clients to appropriate servers, skipping all intermediate layers. In the end, that&rsquo;s what networking is all about.</p>
|
||
<p>Before going into the details of how AppSwitch promises to remove unnecessary layers from the Istio stack, let me give a very brief introduction to its architecture. Further details are available at the <a href="https://appswitch.readthedocs.io/en/latest/">documentation</a> page.</p>
|
||
<h2 id="appswitch">AppSwitch</h2>
|
||
<p>Not unlike the container runtime, AppSwitch consists of a client and a daemon that speak over HTTP via a REST API. Both the client and the daemon are built as one self-contained binary, <code>ax</code>. The client transparently plugs into the application and tracks its system calls related to network connectivity and notifies the daemon about their occurrences. As an example, let’s say an application makes the <code>connect(2)</code> system call to the service IP of a Kubernetes service. The AppSwitch client intercepts the connect call, nullifies it and notifies the daemon about its occurrence along with some context that includes the system call arguments. The daemon would then handle the system call, potentially by directly connecting to the Pod IP of the upstream server on behalf of the application.</p>
|
||
<p>It is important to note that no data is forwarded between AppSwitch client and daemon. They are designed to exchange file descriptors (FDs) over a Unix domain socket to avoid having to copy data. Note also that client is not a separate process. Rather it directly runs in the context of the application itself. There is no data copy between the application and AppSwitch client either.</p>
|
||
<h2 id="delayering-the-stack">Delayering the stack</h2>
|
||
<p>Now that we have an idea about what AppSwitch does, let’s look at the layers that it optimizes away from a standard service mesh.</p>
|
||
<h3 id="network-devirtualization">Network devirtualization</h3>
|
||
<p>Kubernetes offers simple and well-defined network constructs to the microservice applications it runs. In order to support them however, it imposes specific <a href="https://kubernetes.io/docs/concepts/cluster-administration/networking/">requirements</a> on the underlying network. Meeting those requirements is often not easy. The go-to solution of adding another layer is typically adopted to satisfy the requirements. In most cases the additional layer consists of a network overlay that sits between Kubernetes and underlying network. Traffic produced by the applications is encapsulated at the source and decapsulated at the target, which not only costs network resources but also takes up compute cores.</p>
|
||
<p>Because AppSwitch arbitrates what the application sees through its touchpoints with the platform, it projects a consistent virtual view of the underlying network to the application similar to an overlay but without introducing an additional layer of processing along the datapath. Just to draw a parallel to containers, the inside of a container looks and feels like a VM. However the underlying implementation does not intervene along the high-incidence control paths of low-level interrupts etc.</p>
|
||
<p>AppSwitch can be injected into a standard Kubernetes manifest (similar to Istio injection) such that the application’s network is directly handled by AppSwitch bypassing any network overlay underneath. More details to follow in just a bit.</p>
|
||
<h3 id="artifacts-of-container-networking">Artifacts of container networking</h3>
|
||
<p>Extending network connectivity from host into the container has been a <a href="https://kubernetes.io/blog/2016/01/why-kubernetes-doesnt-use-libnetwork/">major challenge</a>. New layers of network plumbing were invented explicitly for that purpose. As such, an application running in a container is simply a process on the host. However due to a <a href="http://appswitch.io/blog/kubernetes_istio_and_network_function_devirtualization_with_appswitch/">fundamental misalignment</a> between the network abstraction expected by the application and the abstraction exposed by container network namespace, the process cannot directly access the host network. Applications think of networking in terms of sockets or sessions whereas network namespaces expose a device abstraction. Once placed in a network namespace, the process suddenly loses all connectivity. The notion of veth-pair and corresponding tooling were invented just to close that gap. The data would now have to go from a host interface into a virtual switch and then through a veth-pair to the virtual network interface of the container network namespace.</p>
|
||
<p>AppSwitch can effectively remove both the virtual switch and veth-pair layers on both ends of the connection. Since the connections are established by the daemon running on the host using the network that’s already available on the host, there is no need for additional plumbing to bridge host network into the container. The socket FDs created on the host are passed to the application running within the pod’s network namespace. By the time the application receives the FD, all control path work (security checks, connection establishment) is already done and the FD is ready for actual IO.</p>
|
||
<h3 id="skip-tcp-ip-for-colocated-endpoints">Skip TCP/IP for colocated endpoints</h3>
|
||
<p>TCP/IP is the universal protocol medium over which pretty much all communication occurs. But if application endpoints happen to be on the same host, is TCP/IP really required? After all, it does do quite a bit of work and it is quite complex. Unix sockets are explicitly designed for intrahost communication and AppSwitch can transparently switch the communication to occur over a Unix socket for colocated endpoints.</p>
|
||
<p>For each listening socket of an application, AppSwitch maintains two listening sockets, one each for TCP and Unix. When a client tries to connect to a server that happens to be colocated, AppSwitch daemon would choose to connect to the Unix listening socket of the server. The resulting Unix sockets on each end are passed into respective applications. Once a fully connected FD is returned, the application would simply treat it as a bit pipe. The protocol doesn’t really matter. The application may occasionally make protocol specific calls such as <code>getsockname(2)</code> and AppSwitch would handle them in kind. It would present consistent responses such that the application would continue to run on.</p>
|
||
<h3 id="data-pushing-proxy">Data pushing proxy</h3>
|
||
<p>As we continue to look for layers to remove, let us also reconsider the requirement of the proxy layer itself. There are times when the role of the proxy may degenerate into a plain data pusher:</p>
|
||
<ul>
|
||
<li>There may not be a need for any protocol decoding</li>
|
||
<li>The protocol may not be recognized by the proxy</li>
|
||
<li>The communication may be encrypted and the proxy cannot access relevant headers</li>
|
||
<li>The application (redis, memcached etc.) may be too latency-sensitive and cannot afford the cost of an intermediate proxy</li>
|
||
</ul>
|
||
<p>In all these cases, the proxy is not different from any low-level plumbing layer. In fact, the latency introduced can be far higher because the same level of optimizations won’t be available to a proxy.</p>
|
||
<p>To illustrate this with an example, consider the application shown below. It consists of a Python app and a set of memcached servers behind it. An upstream memcached server is selected based on connection time routing. Speed is the primary concern here.</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:38.63965267727931%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/delayering-istio/memcached.png" title="Latency-sensitive application scenario">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/delayering-istio/memcached.png" alt="Proxyless datapath" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Latency-sensitive application scenario</figcaption>
|
||
</figure>
|
||
<p>If we look at the data flow in this setup, the Python app makes a connection to the service IP of memcached. It is redirected to the client-side sidecar. The sidecar routes the connection to one of the memcached servers and copies the data between the two sockets &ndash; one connected to the app and another connected to memcached. And the same also occurs on the server side between the server-side sidecar and memcached. The role of proxy at that point is just boring shoveling of bits between the two sockets. However, it ends up adding substantial latency to the end-to-end connection.</p>
|
||
<p>Now let us imagine that the app is somehow made to connect directly to memcached, then the two intermediate proxies could be skipped. The data would flow directly between the app and memcached without any intermediate hops. AppSwitch can arrange for that by transparently tweaking the target address passed by the Python app when it makes the <code>connect(2)</code> system call.</p>
|
||
<h3 id="proxyless-protocol-decoding">Proxyless protocol decoding</h3>
|
||
<p>Things are going to get a bit strange here. We have seen that the proxy can be bypassed for cases that don’t involve looking into application traffic. But is there anything we can do even for those other cases? It turns out, yes.</p>
|
||
<p>In a typical communication between microservices, much of the interesting information is exchanged in the initial headers. Headers are followed by body or payload which typically represents bulk of the communication. And once again the proxy degenerates into a data pusher for this part of communication. AppSwitch provides a nifty mechanism to skip proxy for these cases.</p>
|
||
<p>Even though AppSwitch is not a proxy, it <em>does</em> arbitrate connections between application endpoints and it <em>does</em> have access to corresponding socket FDs. Normally, AppSwitch simply passes those FDs to the application. But it can also peek into the initial message received on the connection using the <code>MSG_PEEK</code> option of the <code>recvfrom(2)</code> system call on the socket. It allows AppSwitch to examine application traffic without actually removing it from the socket buffers. When AppSwitch returns the FD to the application and steps out of the datapath, the application would do an actual read on the connection. AppSwitch uses this technique to perform deeper analysis of application-level traffic and implement sophisticated network functions as discussed in the next section, all without getting into the datapath.</p>
|
||
<h3 id="zero-cost-load-balancer-firewall-and-network-analyzer">Zero-cost load balancer, firewall and network analyzer</h3>
|
||
<p>Typical implementations of network functions such as load balancers and firewalls require an intermediate layer that needs to tap into data/packet stream. Kubernetes&rsquo; implementation of load balancer (<code>kube-proxy</code>) for example introduces a probe into the packet stream through iptables and Istio implements the same at the proxy layer. But if all that is required is to redirect or drop connections based on policy, it is not really necessary to stay in the datapath during the entire course of the connection. AppSwitch can take care of that much more efficiently by simply manipulating the control path at the API level. Given its intimate proximity to the application, AppSwitch also has easy access to various pieces of application level metrics such as dynamics of stack and heap usage, precisely when a service comes alive, attributes of active connections etc., all of which could potentially form a rich signal for monitoring and analytics.</p>
|
||
<p>To go a step further, AppSwitch can also perform L7 load balancing and firewall functions based on the protocol data that it obtains from the socket buffers. It can synthesize the protocol data and various other signals with the policy information acquired from Pilot to implement a highly efficient form of routing and access control enforcement. It can essentially &ldquo;influence&rdquo; the application to connect to the right backend server without requiring any changes to the application or its configuration. It is as if the application itself is infused with policy and traffic-management intelligence. Except in this case, the application can&rsquo;t escape the influence.</p>
|
||
<p>There is some more black-magic possible that would actually allow modifying the application data stream without getting into the datapath but I am going to save that for a later post. Current implementation of AppSwitch uses a proxy if the use case requires application protocol traffic to be modified. For those cases, AppSwitch provides a highly optimal mechanism to attract traffic to the proxy as discussed in the next section.</p>
|
||
<h3 id="traffic-redirection">Traffic redirection</h3>
|
||
<p>Before the sidecar proxy can look into application protocol traffic, it needs to first receive the connections. Redirection of connections coming into and going out of the application is currently done by a layer of packet filtering that rewrites packets such that they go to respective sidecars. Creating potentially large number of rules required to represent the redirection policy is tedious. And the process of applying the rules and updating them, as the target subnets to be captured by the sidecar change, is expensive.</p>
|
||
<p>While some of the performance concerns are being addressed by the Linux community, there is another concern related to privilege: iptables rules need to be updated whenever the policy changes. Given the current architecture, all privileged operations are performed in an init container that runs just once at the very beginning before privileges are dropped for the actual application. Since updating iptables rules requires root privileges, there is no way to do that without restarting the application.</p>
|
||
<p>AppSwitch provides a way to redirect application connections without root privilege. As such, an unprivileged application is already able to connect to any host (modulo firewall rules etc.) and the owner of the application should be allowed to change the host address passed by its application via <code>connect(2)</code> without requiring additional privilege.</p>
|
||
<h4 id="socket-delegation">Socket delegation</h4>
|
||
<p>Let&rsquo;s see how AppSwitch could help redirect connections without using iptables. Imagine that the application somehow voluntarily passes the socket FDs that it uses for its communication to the sidecar, then there would be no need for iptables. AppSwitch provides a feature called <em>socket delegation</em> that does exactly that. It allows the sidecar to transparently gain access to copies of socket FDs that the application uses for its communication without any changes to the application itself.</p>
|
||
<p>Here are the sequence of steps that would achieve this in the context of the Python application example.</p>
|
||
<ol>
|
||
<li>The application initiates a connection request to the service IP of memcached service.</li>
|
||
<li>The connection request from client is forwarded to the daemon.</li>
|
||
<li>The daemon creates a pair of pre-connected Unix sockets (using <code>socketpair(2)</code> system call).</li>
|
||
<li>It passes one end of the socket pair into the application such that the application would use that socket FD for read/write. It also ensures that the application consistently sees it as a legitimate TCP socket as it expects by interposing all calls that query connection properties.</li>
|
||
<li>The other end is passed to sidecar over a different Unix socket where the daemon exposes its API. Information such as the original destination that the application was connecting to is also conveyed over the same interface.</li>
|
||
</ol>
|
||
<figure style="width:50%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:22.442748091603054%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/delayering-istio/socket-delegation.png" title="Socket delegation based connection redirection">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/delayering-istio/socket-delegation.png" alt="Socket delegation protocol" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Socket delegation based connection redirection</figcaption>
|
||
</figure>
|
||
<p>Once the application and sidecar are connected, the rest happens as usual. Sidecar would initiate a connection to upstream server and proxy data between the socket received from the daemon and the socket connected to upstream server. The main difference here is that sidecar would get the connection, not through the <code>accept(2)</code> system call as it is in the normal case, but from the daemon over the Unix socket. In addition to listening for connections from applications through the normal <code>accept(2)</code> channel, the sidecar proxy would connect to the AppSwitch daemon’s REST endpoint and receive sockets that way.</p>
|
||
<p>For completeness, here are the sequence of steps that would occur on the server side:</p>
|
||
<ol>
|
||
<li>The application receives a connection</li>
|
||
<li>AppSwitch daemon accepts the connection on behalf of the application</li>
|
||
<li>It creates a pair of pre-connected Unix sockets using <code>socketpair(2)</code> system call</li>
|
||
<li>One end of the socket pair is returned to the application through the <code>accept(2)</code> system call</li>
|
||
<li>The other end of the socket pair along with the socket originally accepted by the daemon on behalf of the application is sent to sidecar</li>
|
||
<li>Sidecar would extract the two socket FDs &ndash; a Unix socket FD connected to the application and a TCP socket FD connected to the remote client</li>
|
||
<li>Sidecar would read the metadata supplied by the daemon about the remote client and perform its usual operations</li>
|
||
</ol>
|
||
<h4 id="sidecar-aware-applications">&ldquo;Sidecar-aware&rdquo; applications</h4>
|
||
<p>Socket delegation feature can be very useful for applications that are explicitly aware of the sidecar and wish to take advantage of its features. They can voluntarily delegate their network interactions by passing their sockets to the sidecar using the same feature. In a way, AppSwitch transparently turns every application into a sidecar-aware application.</p>
|
||
<h2 id="how-does-it-all-come-together">How does it all come together?</h2>
|
||
<p>Just to step back, Istio offloads common connectivity concerns from applications to a sidecar proxy that performs those functions on behalf of the application. And AppSwitch simplifies and optimizes the service mesh by sidestepping intermediate layers and invoking the proxy only for cases where it is truly necessary.</p>
|
||
<p>In the rest of this section, I outline how AppSwitch may be integrated with Istio based on a very cursory initial implementation. This is not intended to be anything like a design doc &ndash; not every possible way of integration is explored and not every detail is worked out. The intent is to discuss high-level aspects of the implementation to present a rough idea of how the two systems may come together. The key is that AppSwitch would act as a cushion between Istio and a real proxy. It would serve as the &ldquo;fast-path&rdquo; for cases that can be performed more efficiently without invoking the sidecar proxy. And for the cases where the proxy is used, it would shorten the datapath by cutting through unnecessary layers. Look at this <a href="http://appswitch.io/blog/kubernetes_istio_and_network_function_devirtualization_with_appswitch/">blog</a> for a more detailed walk through of the integration.</p>
|
||
<h3 id="appswitch-client-injection">AppSwitch client injection</h3>
|
||
<p>Similar to Istio sidecar-injector, a simple tool called <code>ax-injector</code> injects AppSwitch client into a standard Kubernetes manifest. Injected client transparently monitors the application and intimates AppSwitch daemon of the control path network API events that the application produces.</p>
|
||
<p>It is possible to not require the injection and work with standard Kubernetes manifests if AppSwitch CNI plugin is used. In that case, the CNI plugin would perform necessary injection when it gets the initialization callback. Using injector does have some advantages, however: (1) It works in tightly-controlled environments like GKE (2) It can be easily extended to support other frameworks such as Mesos (3) Same cluster would be able to run standard applications alongside &ldquo;AppSwitch-enabled&rdquo; applications.</p>
|
||
<h3 id="appswitch-daemonset">AppSwitch <code>DaemonSet</code></h3>
|
||
<p>AppSwitch daemon can be configured to run as a <code>DaemonSet</code> or as an extension to the application that is directly injected into application manifest. In either case it handles network events coming in from the applications that it supports.</p>
|
||
<h3 id="agent-for-policy-acquisition">Agent for policy acquisition</h3>
|
||
<p>This is the component that conveys policy and configuration dictated by Istio to AppSwitch. It implements xDS API to listen from Pilot and calls appropriate AppSwitch APIs to program the daemon. For example, it allows the load balancing strategy, as specified by <code>istioctl</code>, to be translated into equivalent AppSwitch capability.</p>
|
||
<h3 id="platform-adapter-for-appswitch-auto-curated-service-registry">Platform adapter for AppSwitch &ldquo;Auto-Curated&rdquo; service registry</h3>
|
||
<p>Given that AppSwitch is in the control path of applications’ network APIs, it has ready access to the topology of services across the cluster. AppSwitch exposes that information in the form of a service registry that is automatically and (almost) synchronously updated as applications and their services come and go. A new platform adapter for AppSwitch alongside Kubernetes, Eureka etc. would provide the details of upstream services to Istio. This is not strictly necessary but it does make it easier to correlate service endpoints received from Pilot by AppSwitch agent above.</p>
|
||
<h3 id="proxy-integration-and-chaining">Proxy integration and chaining</h3>
|
||
<p>Connections that do require deep scanning and mutation of application traffic are handed off to an external proxy through the socket delegation mechanism discussed earlier. It uses an extended version of <a href="https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">proxy protocol</a>. In addition to the simple parameters supported by the proxy protocol, a variety of other metadata (including the initial protocol headers obtained from the socket buffers) and live socket FDs (representing application connections) are forwarded to the proxy.</p>
|
||
<p>The proxy can look at the metadata and decide how to proceed. It could respond by accepting the connection to do the proxying or by directing AppSwitch to allow the connection and use the fast-path or to just drop the connection.</p>
|
||
<p>One of the interesting aspects of the mechanism is that, when the proxy accepts a socket from AppSwitch, it can in turn delegate the socket to another proxy. In fact that is how AppSwitch currently works. It uses a simple built-in proxy to examine the metadata and decide whether to handle the connection internally or to hand it off to an external proxy (Envoy). The same mechanism can be potentially extended to allow for a chain of plugins, each looking for a specific signature, with the last one in the chain doing the real proxy work.</p>
|
||
<h2 id="it-s-not-just-about-performance">It&rsquo;s not just about performance</h2>
|
||
<p>Removing intermediate layers along the datapath is not just about improving performance. Performance is a great side effect, but it <em>is</em> a side effect. There are a number of important advantages to an API level approach.</p>
|
||
<h3 id="automatic-application-onboarding-and-policy-authoring">Automatic application onboarding and policy authoring</h3>
|
||
<p>Before microservices and service mesh, traffic management was done by load balancers and access controls were enforced by firewalls. Applications were identified by IP addresses and DNS names which were relatively static. In fact, that&rsquo;s still the status quo in most environments. Such environments stand to benefit immensely from service mesh. However a practical and scalable bridge to the new world needs to be provided. The difficulty in transformation is not as much due to lack of features and functionality but the investment required to rethink and reimplement the entire application infrastructure. Currently most of the policy and configuration exists in the form of load balancer and firewall rules. Somehow that existing context needs to be leveraged in providing a scalable path to adopting the service mesh model.</p>
|
||
<p>AppSwitch can substantially ease the onboarding process. It can project the same network environment to the application at the target as its current source environment. Not having any assistance here is typically a non-starter in case of traditional applications which have complex configuration files with static IP addresses or specific DNS names hard-coded in them. AppSwitch could help capture those applications along with their existing configuration and connect them over a service mesh without requiring any changes.</p>
|
||
<h3 id="broader-application-and-protocol-support">Broader application and protocol support</h3>
|
||
<p>HTTP clearly dominates the modern application landscapes but once we talk about traditional applications and environments, we&rsquo;d encounter all kinds of protocols and transports. Particularly, support for UDP becomes unavoidable. Traditional application servers such as IBM WebSphere rely extensively on UDP. Most multimedia applications use UDP media streams. Of course DNS is probably the most widely used UDP &ldquo;application&rdquo;. AppSwitch supports UDP at the API level much the same way as TCP and when it detects a UDP connection, it can transparently handle it in its &ldquo;fast-path&rdquo; rather than delegating it to the proxy.</p>
|
||
<h3 id="client-ip-preservation-and-end-to-end-principle">Client IP preservation and end-to-end principle</h3>
|
||
<p>The same mechanism that preserves the source network environment can also preserve client IP addresses as seen by the servers. With a sidecar proxy in place, connection requests come from the proxy rather than the client. As a result, the peer address (IP:port) of the connection as seen by the server would be that of the proxy rather than the client. AppSwitch ensures that the server sees correct address of the client, logs it correctly and any decisions made based on the client address remain valid. More generally, AppSwitch preserves the <a href="https://en.wikipedia.org/wiki/End-to-end_principle">end-to-end principle</a> which is otherwise broken by intermediate layers that obfuscate the true underlying context.</p>
|
||
<h3 id="enhanced-application-signal-with-access-to-encrypted-headers">Enhanced application signal with access to encrypted headers</h3>
|
||
<p>Encrypted traffic completely undermines the ability of the service mesh to analyze application traffic. API level interposition could potentially offer a way around it. Current implementation of AppSwitch gains access to application&rsquo;s network API at the system call level. However it is possible in principle to influence the application at an API boundary, higher in the stack where application data is not yet encrypted or already decrypted. Ultimately the data is always produced in the clear by the application and then encrypted at some point before it goes out. Since AppSwitch directly runs within the memory context of the application, it is possible to tap into the data higher on the stack where it is still held in clear. Only requirement for this to work is that the API used for encryption should be well-defined and amenable for interposition. Particularly, it requires access to the symbol table of the application binaries. Just to be clear, AppSwitch doesn&rsquo;t implement this today.</p>
|
||
<h2 id="so-what-s-the-net">So what’s the net?</h2>
|
||
<p>AppSwitch removes a number of layers and processing from the standard service mesh stack. What does all that translate to in terms of performance?</p>
|
||
<p>We ran some initial experiments to characterize the extent of the opportunity for optimization based on the initial integration of AppSwitch discussed earlier. The experiments were run on GKE using <code>fortio-0.11.0</code>, <code>istio-0.8.0</code> and <code>appswitch-0.4.0-2</code>. In case of the proxyless test, AppSwitch daemon was run as a <code>DaemonSet</code> on the Kubernetes cluster and the Fortio pod spec was modified to inject AppSwitch client. These were the only two changes made to the setup. The test was configured to measure the latency of GRPC requests across 100 concurrent connections.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:54.66034755134282%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/delayering-istio/perf.png" title="Latency with and without AppSwitch">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/delayering-istio/perf.png" alt="Performance comparison" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Latency with and without AppSwitch</figcaption>
|
||
</figure>
|
||
<p>Initial results indicate a difference of over 18x in p50 latency with and without AppSwitch (3.99ms vs 72.96ms). The difference was around 8x when mixer and access logs were disabled. Clearly the difference was due to sidestepping all those intermediate layers along the datapath. Unix socket optimization wasn&rsquo;t triggered in case of AppSwitch because client and server pods were scheduled to separate hosts. End-to-end latency of AppSwitch case would have been even lower if the client and server happened to be colocated. Essentially the client and server running in their respective pods of the Kubernetes cluster are directly connected over a TCP socket going over the GKE network &ndash; no tunneling, bridge or proxies.</p>
|
||
<h2 id="net-net">Net Net</h2>
|
||
<p>I started out with David Wheeler&rsquo;s seemingly reasonable quote that says adding another layer is not a solution for the problem of too many layers. And I argued through most of the blog that current network stack already has too many layers and that they should be removed. But isn&rsquo;t AppSwitch itself a layer?</p>
|
||
<p>Yes, AppSwitch is clearly another layer. However it is one that can remove multiple other layers. In doing so, it seamlessly glues the new service mesh layer with existing layers of traditional network environments. It offsets the cost of sidecar proxy and as Istio graduates to 1.0, it provides a bridge for existing applications and their network environments to transition to the new world of service mesh.</p>
|
||
<p>Perhaps Wheeler’s quote should read:</p>
|
||
<div>
|
||
<aside class="callout quote">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-quote"/></svg>
|
||
</div>
|
||
<div class="content">All problems in computer science can be solved with another layer, <strong>even</strong> the problem of too many layers!</div>
|
||
</aside>
|
||
</div>
|
||
<h2 id="acknowledgements">Acknowledgements</h2>
|
||
<p>Thanks to Mandar Jog (Google) for several discussions about the value of AppSwitch for Istio and to the following individuals (in alphabetical order) for their review of early drafts of this blog.</p>
|
||
<ul>
|
||
<li>Frank Budinsky (IBM)</li>
|
||
<li>Lin Sun (IBM)</li>
|
||
<li>Shriram Rajagopalan (VMware)</li>
|
||
</ul></description><pubDate>Mon, 30 Jul 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/delayering-istio/</link><author>Dinesh Subhraveti (AppOrbit and Columbia University)</author><guid isPermaLink="true">/v1.12/blog/2018/delayering-istio/</guid><category>appswitch</category><category>performance</category></item><item><title>Micro-Segmentation with Istio Authorization</title><description>
|
||
<p>Micro-segmentation is a security technique that creates secure zones in cloud deployments and allows organizations to
|
||
isolate workloads from one another and secure them individually.
|
||
<a href="/v1.12/docs/concepts/security/#authorization">Istio&rsquo;s authorization feature</a>, also known as Istio Role Based Access Control,
|
||
provides micro-segmentation for services in an Istio mesh. It features:</p>
|
||
<ul>
|
||
<li>Authorization at different levels of granularity, including namespace level, service level, and method level.</li>
|
||
<li>Service-to-service and end-user-to-service authorization.</li>
|
||
<li>High performance, as it is enforced natively on Envoy.</li>
|
||
<li>Role-based semantics, which makes it easy to use.</li>
|
||
<li>High flexibility as it allows users to define conditions using
|
||
<a href="/v1.12/docs/reference/config/security/conditions/">combinations of attributes</a>.</li>
|
||
</ul>
|
||
<p>In this blog post, you&rsquo;ll learn about the main authorization features and how to use them in different situations.</p>
|
||
<h2 id="characteristics">Characteristics</h2>
|
||
<h3 id="rpc-level-authorization">RPC level authorization</h3>
|
||
<p>Authorization is performed at the level of individual RPCs. Specifically, it controls &ldquo;who can access my <code>bookstore</code> service”,
|
||
or &ldquo;who can access method <code>getBook</code> in my <code>bookstore</code> service”. It is not designed to control access to application-specific
|
||
resource instances, like access to &ldquo;storage bucket X” or access to &ldquo;3rd book on 2nd shelf”. Today this kind of application
|
||
specific access control logic needs to be handled by the application itself.</p>
|
||
<h3 id="role-based-access-control-with-conditions">Role-based access control with conditions</h3>
|
||
<p>Authorization is a <a href="https://en.wikipedia.org/wiki/Role-based_access_control">role-based access control (RBAC)</a> system,
|
||
contrast this to an <a href="https://en.wikipedia.org/wiki/Attribute-based_access_control">attribute-based access control (ABAC)</a>
|
||
system. Compared to ABAC, RBAC has the following advantages:</p>
|
||
<ul>
|
||
<li><p><strong>Roles allow grouping of attributes.</strong> Roles are groups of permissions, which specifies the actions you are allowed
|
||
to perform on a system. Users are grouped based on the roles within an organization. You can define the roles and reuse
|
||
them for different cases.</p></li>
|
||
<li><p><strong>It is easier to understand and reason about who has access.</strong> The RBAC concepts map naturally to business concepts.
|
||
For example, a DB admin may have all access to DB backend services, while a web client may only be able to view the
|
||
frontend service.</p></li>
|
||
<li><p><strong>It reduces unintentional errors.</strong> RBAC policies make otherwise complex security changes easier. You won&rsquo;t have
|
||
duplicate configurations in multiple places and later forget to update some of them when you need to make changes.</p></li>
|
||
</ul>
|
||
<p>On the other hand, Istio&rsquo;s authorization system is not a traditional RBAC system. It also allows users to define <strong>conditions</strong> using
|
||
<a href="/v1.12/docs/reference/config/security/conditions/">combinations of attributes</a>. This gives Istio
|
||
flexibility to express complex access control policies. In fact, <strong>the &ldquo;RBAC + conditions” model
|
||
that Istio authorization adopts, has all the benefits an RBAC system has, and supports the level of flexibility that
|
||
normally an ABAC system provides.</strong> You&rsquo;ll see some <a href="#examples">examples</a> below.</p>
|
||
<h3 id="high-performance">High performance</h3>
|
||
<p>Because of its simple semantics, Istio authorization is enforced on Envoy as a native authorization support. At runtime, the
|
||
authorization decision is completely done locally inside an Envoy filter, without dependency to any external module.
|
||
This allows Istio authorization to achieve high performance and availability.</p>
|
||
<h3 id="work-with-without-primary-identities">Work with/without primary identities</h3>
|
||
<p>Like any other RBAC system, Istio authorization is identity aware. In Istio authorization policy, there is a primary
|
||
identity called <code>user</code>, which represents the principal of the client.</p>
|
||
<p>In addition to the primary identity, you can also specify any conditions that define the identities. For example,
|
||
you can specify the client identity as &ldquo;user Alice calling from Bookstore frontend service”, in which case,
|
||
you have a combined identity of the calling service (<code>Bookstore frontend</code>) and the end user (<code>Alice</code>).</p>
|
||
<p>To improve security, you should enable <a href="/v1.12/docs/concepts/security/#authentication">authentication features</a>,
|
||
and use authenticated identities in authorization policies. However, strongly authenticated identity is not required
|
||
for using authorization. Istio authorization works with or without identities. If you are working with a legacy system,
|
||
you may not have mutual TLS or JWT authentication setup for your mesh. In this case, the only way to identify the client is, for example,
|
||
through IP. You can still use Istio authorization to control which IP addresses or IP ranges are allowed to access your service.</p>
|
||
<h2 id="examples">Examples</h2>
|
||
<p>The <a href="/v1.12/docs/tasks/security/authorization/authz-http/">authorization task</a> shows you how to
|
||
use Istio&rsquo;s authorization feature to control namespace level and service level access using the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Bookinfo application</a>. In this section, you&rsquo;ll see more examples on how to achieve
|
||
micro-segmentation with Istio authorization.</p>
|
||
<h3 id="namespace-level-segmentation-via-rbac-conditions">Namespace level segmentation via RBAC + conditions</h3>
|
||
<p>Suppose you have services in the <code>frontend</code> and <code>backend</code> namespaces. You would like to allow all your services
|
||
in the <code>frontend</code> namespace to access all services that are marked <code>external</code> in the <code>backend</code> namespace.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRole
|
||
metadata:
|
||
name: external-api-caller
|
||
namespace: backend
|
||
spec:
|
||
rules:
|
||
- services: [&#34;*&#34;]
|
||
methods: [&#34;*”]
|
||
constraints:
|
||
- key: &#34;destination.labels[visibility]”
|
||
values: [&#34;external&#34;]
|
||
---
|
||
apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: external-api-caller
|
||
namespace: backend
|
||
spec:
|
||
subjects:
|
||
- properties:
|
||
source.namespace: &#34;frontend”
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;external-api-caller&#34;
|
||
</code></pre>
|
||
<p>The <code>ServiceRole</code> and <code>ServiceRoleBinding</code> above expressed &ldquo;<em>who</em> is allowed to do <em>what</em> under *which conditions*”
|
||
(RBAC + conditions). Specifically:</p>
|
||
<ul>
|
||
<li><strong>&ldquo;who”</strong> are the services in the <code>frontend</code> namespace.</li>
|
||
<li><strong>&ldquo;what”</strong> is to call services in <code>backend</code> namespace.</li>
|
||
<li><strong>&ldquo;conditions”</strong> is the <code>visibility</code> label of the destination service having the value <code>external</code>.</li>
|
||
</ul>
|
||
<h3 id="service-method-level-isolation-with-without-primary-identities">Service/method level isolation with/without primary identities</h3>
|
||
<p>Here is another example that demonstrates finer grained access control at service/method level. The first step
|
||
is to define a <code>book-reader</code> service role that allows READ access to <code>/books/*</code> resource in <code>bookstore</code> service.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRole
|
||
metadata:
|
||
name: book-reader
|
||
namespace: default
|
||
spec:
|
||
rules:
|
||
- services: [&#34;bookstore.default.svc.cluster.local&#34;]
|
||
paths: [&#34;/books/*”]
|
||
methods: [&#34;GET”]
|
||
</code></pre>
|
||
<h4 id="using-authenticated-client-identities">Using authenticated client identities</h4>
|
||
<p>Suppose you want to grant this <code>book-reader</code> role to your <code>bookstore-frontend</code> service. If you have enabled
|
||
<a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication</a> for your mesh, you can use a
|
||
service account to identify your <code>bookstore-frontend</code> service. Granting the <code>book-reader</code> role to the <code>bookstore-frontend</code>
|
||
service can be done by creating a <code>ServiceRoleBinding</code> as shown below:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: book-reader
|
||
namespace: default
|
||
spec:
|
||
subjects:
|
||
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend”
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;book-reader&#34;
|
||
</code></pre>
|
||
<p>You may want to restrict this further by adding a condition that &ldquo;only users who belong to the <code>qualified-reviewer</code> group are
|
||
allowed to read books”. The <code>qualified-reviewer</code> group is the end user identity that is authenticated by
|
||
<a href="/v1.12/docs/concepts/security/#authentication">JWT authentication</a>. In this case, the combination of the client service identity
|
||
(<code>bookstore-frontend</code>) and the end user identity (<code>qualified-reviewer</code>) is used in the authorization policy.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: book-reader
|
||
namespace: default
|
||
spec:
|
||
subjects:
|
||
- user: &#34;cluster.local/ns/default/sa/bookstore-frontend&#34;
|
||
properties:
|
||
request.auth.claims[group]: &#34;qualified-reviewer&#34;
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;book-reader&#34;
|
||
</code></pre>
|
||
<h4 id="client-does-not-have-identity">Client does not have identity</h4>
|
||
<p>Using authenticated identities in authorization policies is strongly recommended for security. However, if you have a
|
||
legacy system that does not support authentication, you may not have authenticated identities for your services.
|
||
You can still use Istio authorization to protect your services even without authenticated identities. The example below
|
||
shows that you can specify allowed source IP range in your authorization policy.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;rbac.istio.io/v1alpha1&#34;
|
||
kind: ServiceRoleBinding
|
||
metadata:
|
||
name: book-reader
|
||
namespace: default
|
||
spec:
|
||
subjects:
|
||
- properties:
|
||
source.ip: 10.20.0.0/9
|
||
roleRef:
|
||
kind: ServiceRole
|
||
name: &#34;book-reader&#34;
|
||
</code></pre>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Istio’s authorization feature provides authorization at namespace-level, service-level, and method-level granularity.
|
||
It adopts &ldquo;RBAC + conditions” model, which makes it easy to use and understand as an RBAC system, while providing the level of
|
||
flexibility that an ABAC system normally provides. Istio authorization achieves high performance as it is enforced
|
||
natively on Envoy. While it provides the best security by working together with
|
||
<a href="/v1.12/docs/concepts/security/#authentication">Istio authentication features</a>, Istio authorization can also be used to
|
||
provide access control for legacy systems that do not have authentication.</p></description><pubDate>Fri, 20 Jul 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/istio-authorization/</link><author>Limin Wang</author><guid isPermaLink="true">/v1.12/blog/2018/istio-authorization/</guid><category>authorization</category><category>rbac</category><category>security</category></item><item><title>Exporting Logs to BigQuery, GCS, Pub/Sub through Stackdriver</title><description>
|
||
<p>This post shows how to direct Istio logs to <a href="https://cloud.google.com/stackdriver/">Stackdriver</a>
|
||
and export those logs to various configured sinks such as such as
|
||
<a href="https://cloud.google.com/bigquery/">BigQuery</a>, <a href="https://cloud.google.com/storage/">Google Cloud Storage</a>
|
||
or <a href="https://cloud.google.com/pubsub/">Cloud Pub/Sub</a>. At the end of this post you can perform
|
||
analytics on Istio data from your favorite places such as BigQuery, GCS or Cloud Pub/Sub.</p>
|
||
<p>The <a href="/v1.12/docs/examples/bookinfo/">Bookinfo</a> sample application is used as the example
|
||
application throughout this task.</p>
|
||
<h2 id="before-you-begin">Before you begin</h2>
|
||
<p><a href="/v1.12/docs/setup/">Install Istio</a> in your cluster and deploy an application.</p>
|
||
<h2 id="configuring-istio-to-export-logs">Configuring Istio to export logs</h2>
|
||
<p>Istio exports logs using the <code>logentry</code> <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/templates/logentry">template</a>.
|
||
This specifies all the variables that are available for analysis. It
|
||
contains information like source service, destination service, auth
|
||
metrics (coming..) among others. Following is a diagram of the pipeline:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:75%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/export-logs-through-stackdriver/istio-analytics-using-stackdriver.png" title="Exporting logs from Istio to Stackdriver for analysis">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/export-logs-through-stackdriver/istio-analytics-using-stackdriver.png" alt="Exporting logs from Istio to Stackdriver for analysis" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Exporting logs from Istio to Stackdriver for analysis</figcaption>
|
||
</figure>
|
||
<p>Istio supports exporting logs to Stackdriver which can in turn be configured to export
|
||
logs to your favorite sink like BigQuery, Pub/Sub or GCS. Please follow the steps
|
||
below to setup your favorite sink for exporting logs first and then Stackdriver
|
||
in Istio.</p>
|
||
<h3 id="setting-up-various-log-sinks">Setting up various log sinks</h3>
|
||
<p>Common setup for all sinks:</p>
|
||
<ol>
|
||
<li>Enable <a href="https://cloud.google.com/monitoring/api/enable-api">Stackdriver Monitoring API</a> for the project.</li>
|
||
<li>Make sure <code>principalEmail</code> that would be setting up the sink has write access to the project and Logging Admin role permissions.</li>
|
||
<li>Make sure the <code>GOOGLE_APPLICATION_CREDENTIALS</code> environment variable is set. Please follow instructions <a href="https://cloud.google.com/docs/authentication/getting-started">here</a> to set it up.</li>
|
||
</ol>
|
||
<h4 id="bigquery">BigQuery</h4>
|
||
<ol>
|
||
<li><a href="https://cloud.google.com/bigquery/docs/datasets">Create a BigQuery dataset</a> as a destination for the logs export.</li>
|
||
<li>Record the ID of the dataset. It will be needed to configure the Stackdriver handler.
|
||
It would be of the form <code>bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID]</code></li>
|
||
<li>Give <a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sink’s writer identity</a>: <code>cloud-logs@system.gserviceaccount.com</code> BigQuery Data Editor role in IAM.</li>
|
||
<li>If using <a href="/v1.12/docs/setup/platform-setup/gke/">Google Kubernetes Engine</a>, make sure <code>bigquery</code> <a href="https://cloud.google.com/sdk/gcloud/reference/container/clusters/create">Scope</a> is enabled on the cluster.</li>
|
||
</ol>
|
||
<h4 id="google-cloud-storage-gcs">Google Cloud Storage (GCS)</h4>
|
||
<ol>
|
||
<li><a href="https://cloud.google.com/storage/docs/creating-buckets">Create a GCS bucket</a> where you would like logs to get exported in GCS.</li>
|
||
<li>Recode the ID of the bucket. It will be needed to configure Stackdriver.
|
||
It would be of the form <code>storage.googleapis.com/[BUCKET_ID]</code></li>
|
||
<li>Give <a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sink’s writer identity</a>: <code>cloud-logs@system.gserviceaccount.com</code> Storage Object Creator role in IAM.</li>
|
||
</ol>
|
||
<h4 id="google-cloud-pub-sub">Google Cloud Pub/Sub</h4>
|
||
<ol>
|
||
<li><a href="https://cloud.google.com/pubsub/docs/admin">Create a topic</a> where you would like logs to get exported in Google Cloud Pub/Sub.</li>
|
||
<li>Recode the ID of the topic. It will be needed to configure Stackdriver.
|
||
It would be of the form <code>pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]</code></li>
|
||
<li>Give <a href="https://cloud.google.com/logging/docs/api/tasks/exporting-logs#writing_to_the_destination">sink’s writer identity</a>: <code>cloud-logs@system.gserviceaccount.com</code> Pub/Sub Publisher role in IAM.</li>
|
||
<li>If using <a href="/v1.12/docs/setup/platform-setup/gke/">Google Kubernetes Engine</a>, make sure <code>pubsub</code> <a href="https://cloud.google.com/sdk/gcloud/reference/container/clusters/create">Scope</a> is enabled on the cluster.</li>
|
||
</ol>
|
||
<h3 id="setting-up-stackdriver">Setting up Stackdriver</h3>
|
||
<p>A Stackdriver handler must be created to export data to Stackdriver. The configuration for
|
||
a Stackdriver handler is described <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/stackdriver/">here</a>.</p>
|
||
<ol>
|
||
<li><p>Save the following yaml file as <code>stackdriver.yaml</code>. Replace <code>&lt;project_id&gt;,
|
||
&lt;sink_id&gt;, &lt;sink_destination&gt;, &lt;log_filter&gt;</code> with their specific values.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: stackdriver
|
||
metadata:
|
||
name: handler
|
||
namespace: istio-system
|
||
spec:
|
||
# We&#39;ll use the default value from the adapter, once per minute, so we don&#39;t need to supply a value.
|
||
# pushInterval: 1m
|
||
# Must be supplied for the Stackdriver adapter to work
|
||
project_id: &#34;&lt;project_id&gt;&#34;
|
||
# One of the following must be set; the preferred method is `appCredentials`, which corresponds to
|
||
# Google Application Default Credentials.
|
||
# If none is provided we default to app credentials.
|
||
# appCredentials:
|
||
# apiKey:
|
||
# serviceAccountPath:
|
||
# Describes how to map Istio logs into Stackdriver.
|
||
logInfo:
|
||
accesslog.logentry.istio-system:
|
||
payloadTemplate: &#39;{{or (.sourceIp) &#34;-&#34;}} - {{or (.sourceUser) &#34;-&#34;}} [{{or (.timestamp.Format &#34;02/Jan/2006:15:04:05 -0700&#34;) &#34;-&#34;}}] &#34;{{or (.method) &#34;-&#34;}} {{or (.url) &#34;-&#34;}} {{or (.protocol) &#34;-&#34;}}&#34; {{or (.responseCode) &#34;-&#34;}} {{or (.responseSize) &#34;-&#34;}}&#39;
|
||
httpMapping:
|
||
url: url
|
||
status: responseCode
|
||
requestSize: requestSize
|
||
responseSize: responseSize
|
||
latency: latency
|
||
localIp: sourceIp
|
||
remoteIp: destinationIp
|
||
method: method
|
||
userAgent: userAgent
|
||
referer: referer
|
||
labelNames:
|
||
- sourceIp
|
||
- destinationIp
|
||
- sourceService
|
||
- sourceUser
|
||
- sourceNamespace
|
||
- destinationIp
|
||
- destinationService
|
||
- destinationNamespace
|
||
- apiClaims
|
||
- apiKey
|
||
- protocol
|
||
- method
|
||
- url
|
||
- responseCode
|
||
- responseSize
|
||
- requestSize
|
||
- latency
|
||
- connectionMtls
|
||
- userAgent
|
||
- responseTimestamp
|
||
- receivedBytes
|
||
- sentBytes
|
||
- referer
|
||
sinkInfo:
|
||
id: &#39;&lt;sink_id&gt;&#39;
|
||
destination: &#39;&lt;sink_destination&gt;&#39;
|
||
filter: &#39;&lt;log_filter&gt;&#39;
|
||
---
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: stackdriver
|
||
namespace: istio-system
|
||
spec:
|
||
match: &#34;true&#34; # If omitted match is true.
|
||
actions:
|
||
- handler: handler.stackdriver
|
||
instances:
|
||
- accesslog.logentry
|
||
---
|
||
</code></pre></li>
|
||
<li><p>Push the configuration</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f stackdriver.yaml
|
||
stackdriver &#34;handler&#34; created
|
||
rule &#34;stackdriver&#34; created
|
||
logentry &#34;stackdriverglobalmr&#34; created
|
||
metric &#34;stackdriverrequestcount&#34; created
|
||
metric &#34;stackdriverrequestduration&#34; created
|
||
metric &#34;stackdriverrequestsize&#34; created
|
||
metric &#34;stackdriverresponsesize&#34; created
|
||
</code></pre></li>
|
||
<li><p>Send traffic to the sample application.</p>
|
||
<p>For the Bookinfo sample, visit <code>http://$GATEWAY_URL/productpage</code> in your web
|
||
browser or issue the following command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl http://$GATEWAY_URL/productpage
|
||
</code></pre></li>
|
||
<li><p>Verify that logs are flowing through Stackdriver to the configured sink.</p>
|
||
<ul>
|
||
<li>Stackdriver: Navigate to the <a href="https://pantheon.corp.google.com/logs/viewer">Stackdriver Logs
|
||
Viewer</a> for your project
|
||
and look under &ldquo;GKE Container&rdquo; -&gt; &ldquo;Cluster Name&rdquo; -&gt; &ldquo;Namespace Id&rdquo; for
|
||
Istio Access logs.</li>
|
||
<li>BigQuery: Navigate to the <a href="https://bigquery.cloud.google.com/">BigQuery
|
||
Interface</a> for your project and you
|
||
should find a table with prefix <code>accesslog_logentry_istio</code> in your sink
|
||
dataset.</li>
|
||
<li>GCS: Navigate to the <a href="https://pantheon.corp.google.com/storage/browser/">Storage
|
||
Browser</a> for your
|
||
project and you should find a bucket named
|
||
<code>accesslog.logentry.istio-system</code> in your sink bucket.</li>
|
||
<li>Pub/Sub: Navigate to the <a href="https://pantheon.corp.google.com/cloudpubsub/topicList">Pub/Sub
|
||
Topic List</a> for
|
||
your project and you should find a topic for <code>accesslog</code> in your sink
|
||
topic.</li>
|
||
</ul></li>
|
||
</ol>
|
||
<h2 id="understanding-what-happened">Understanding what happened</h2>
|
||
<p><code>Stackdriver.yaml</code> file above configured Istio to send access logs to
|
||
Stackdriver and then added a sink configuration where these logs could be
|
||
exported. In detail as follows:</p>
|
||
<ol>
|
||
<li><p>Added a handler of kind <code>stackdriver</code></p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: stackdriver
|
||
metadata:
|
||
name: handler
|
||
namespace: &lt;your defined namespace&gt;
|
||
</code></pre></li>
|
||
<li><p>Added <code>logInfo</code> in spec</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >spec:
|
||
logInfo: accesslog.logentry.istio-system:
|
||
labelNames:
|
||
- sourceIp
|
||
- destinationIp
|
||
...
|
||
...
|
||
sinkInfo:
|
||
id: &#39;&lt;sink_id&gt;&#39;
|
||
destination: &#39;&lt;sink_destination&gt;&#39;
|
||
filter: &#39;&lt;log_filter&gt;&#39;
|
||
</code></pre>
|
||
<p>In the above configuration sinkInfo contains information about the sink where you want
|
||
the logs to get exported to. For more information on how this gets filled for different sinks please refer
|
||
<a href="https://cloud.google.com/logging/docs/export/#sink-terms">here</a>.</p></li>
|
||
<li><p>Added a rule for Stackdriver</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: stackdriver
|
||
namespace: istio-system spec:
|
||
match: &#34;true&#34; # If omitted match is true
|
||
actions:
|
||
- handler: handler.stackdriver
|
||
instances:
|
||
- accesslog.logentry
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<ul>
|
||
<li><p>Remove the new Stackdriver configuration:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f stackdriver.yaml
|
||
</code></pre></li>
|
||
<li><p>If you are not planning to explore any follow-on tasks, refer to the
|
||
<a href="/v1.12/docs/examples/bookinfo/#cleanup">Bookinfo cleanup</a> instructions to shutdown
|
||
the application.</p></li>
|
||
</ul>
|
||
<h2 id="availability-of-logs-in-export-sinks">Availability of logs in export sinks</h2>
|
||
<p>Export to BigQuery is within minutes (we see it to be almost instant), GCS can
|
||
have a delay of 2 to 12 hours and Pub/Sub is almost immediately.</p></description><pubDate>Mon, 09 Jul 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/export-logs-through-stackdriver/</link><author>Nupur Garg and Douglas Reid</author><guid isPermaLink="true">/v1.12/blog/2018/export-logs-through-stackdriver/</guid></item><item><title>Monitoring and Access Policies for HTTP Egress Traffic</title><description>
|
||
<p>While Istio&rsquo;s main focus is management of traffic between microservices inside a service mesh, Istio can also manage
|
||
ingress (from outside into the mesh) and egress (from the mesh outwards) traffic. Istio can uniformly enforce access
|
||
policies and aggregate telemetry data for mesh-internal, ingress and egress traffic.</p>
|
||
<p>In this blog post, we show how to apply monitoring and access policies to HTTP egress traffic with Istio.</p>
|
||
<h2 id="use-case">Use case</h2>
|
||
<p>Consider an organization that runs applications that process content from <em>cnn.com</em>. The applications are decomposed
|
||
into microservices deployed in an Istio service mesh. The applications access pages of various topics from <em>cnn.com</em>: <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>, <a href="https://edition.cnn.com/sport">edition.cnn.com/sport</a> and <a href="https://edition.cnn.com/health">edition.cnn.com/health</a>. The organization <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">configures Istio to allow access to edition.cnn.com</a> and everything works fine. However, at some
|
||
point in time, the organization decides to banish politics. Practically, it means blocking access to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> and allowing access to
|
||
<a href="https://edition.cnn.com/sport">edition.cnn.com/sport</a> and <a href="https://edition.cnn.com/health">edition.cnn.com/health</a>
|
||
only. The organization will grant permissions to individual applications and to particular users to access <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>, on a case-by-case basis.</p>
|
||
<p>To achieve that goal, the organization&rsquo;s operations people monitor access to the external services and
|
||
analyze Istio logs to verify that no unauthorized request was sent to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>. They also configure Istio to prevent access to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> automatically.</p>
|
||
<p>The organization is resolved to prevent any tampering with the new policy. It decides to put mechanisms in place that
|
||
will prevent any possibility for a malicious application to access the forbidden topic.</p>
|
||
<h2 id="related-tasks-and-examples">Related tasks and examples</h2>
|
||
<ul>
|
||
<li>The <a href="/v1.12/docs/tasks/traffic-management/egress/">Control Egress Traffic</a> task demonstrates how external (outside the
|
||
Kubernetes cluster) HTTP and HTTPS services can be accessed by applications inside the mesh.</li>
|
||
<li>The <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/">Configure an Egress Gateway</a> example describes how to configure
|
||
Istio to direct egress traffic through a dedicated gateway service called <em>egress gateway</em>.</li>
|
||
<li>The <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination</a> example
|
||
demonstrates how to allow applications to send HTTP requests to external servers that require HTTPS, while directing
|
||
traffic through egress gateway.</li>
|
||
<li>The <a href="/v1.12/docs/tasks/observability/metrics/using-istio-dashboard/">Visualizing Metrics with Grafana</a>
|
||
describes the Istio Dashboard to monitor mesh traffic.</li>
|
||
<li>The <a href="https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/">Basic Access Control</a> task shows how to control access to
|
||
in-mesh services.</li>
|
||
<li>The <a href="https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/">Denials and White/Black Listing</a> task shows how to configure
|
||
access policies using black or white list checkers.</li>
|
||
</ul>
|
||
<p>As opposed to the observability and security tasks above, this blog post describes Istio&rsquo;s monitoring and access policies
|
||
applied exclusively to the egress traffic.</p>
|
||
<h2 id="before-you-begin">Before you begin</h2>
|
||
<p>Follow the steps in the <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination</a> example, <strong>with mutual TLS authentication enabled</strong>, without
|
||
the <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination//#cleanup">Cleanup</a> step.
|
||
After completing that example, you can access <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> from an in-mesh container with <code>curl</code> installed. This blog post assumes that the <code>SOURCE_POD</code> environment variable contains the source pod&rsquo;s name and that the container&rsquo;s name is <code>sleep</code>.</p>
|
||
<h2 id="configure-monitoring-and-access-policies">Configure monitoring and access policies</h2>
|
||
<p>Since you want to accomplish your tasks in a <em>secure way</em>, you should direct egress traffic through
|
||
<em>egress gateway</em>, as described in the <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/">Egress Gateway with TLS Origination</a>
|
||
task. The <em>secure way</em> here means that you want to prevent malicious applications from bypassing Istio monitoring and
|
||
policy enforcement.</p>
|
||
<p>According to our scenario, the organization performed the instructions in the
|
||
<a href="#before-you-begin">Before you begin</a> section, enabled HTTP traffic to <em>edition.cnn.com</em>, and configured that traffic
|
||
to pass through the egress gateway. The egress gateway performs TLS origination to <em>edition.cnn.com</em>, so the traffic
|
||
leaves the mesh encrypted. At this point, the organization is ready to configure Istio to monitor and apply access policies for
|
||
the traffic to <em>edition.cnn.com</em>.</p>
|
||
<h3 id="logging">Logging</h3>
|
||
<p>Configure Istio to log access to <em>*.cnn.com</em>. You create a <code>logentry</code> and two
|
||
<a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/stdio/">stdio</a> <code>handlers</code>, one for logging forbidden access
|
||
(<em>error</em> log level) and another one for logging all access to <em>*.cnn.com</em> (<em>info</em> log level). Then you create <code>rules</code> to
|
||
direct your <code>logentry</code> instances to your <code>handlers</code>. One rule directs access to <em>*.cnn.com/politics</em> to the handler for
|
||
logging forbidden access, another rule directs log entries to the handler that outputs each access to <em>*.cnn.com</em> as an
|
||
<em>info</em> log entry. To understand the Istio <code>logentries</code>, <code>rules</code>, and <code>handlers</code>, see
|
||
<a href="/v1.12/blog/2017/adapter-model/">Istio Adapter Model</a>. A diagram with the involved entities and dependencies between them
|
||
appears below:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:46.46700562636976%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg" title="Instances, rules and handlers for egress monitoring">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring.svg" alt="Instances, rules and handlers for egress monitoring" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Instances, rules and handlers for egress monitoring</figcaption>
|
||
</figure>
|
||
<ol>
|
||
<li><p>Create the <code>logentry</code>, <code>rules</code> and <code>handlers</code>. Note that you specify <code>context.reporter.uid</code> as
|
||
<code>kubernetes://istio-egressgateway</code> in the rules to get logs from the egress gateway only.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
# Log entry for egress access
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: logentry
|
||
metadata:
|
||
name: egress-access
|
||
namespace: istio-system
|
||
spec:
|
||
severity: &#39;&#34;info&#34;&#39;
|
||
timestamp: request.time
|
||
variables:
|
||
destination: request.host | &#34;unknown&#34;
|
||
path: request.path | &#34;unknown&#34;
|
||
responseCode: response.code | 0
|
||
responseSize: response.size | 0
|
||
reporterUID: context.reporter.uid | &#34;unknown&#34;
|
||
sourcePrincipal: source.principal | &#34;unknown&#34;
|
||
monitored_resource_type: &#39;&#34;UNSPECIFIED&#34;&#39;
|
||
---
|
||
# Handler for error egress access entries
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: stdio
|
||
metadata:
|
||
name: egress-error-logger
|
||
namespace: istio-system
|
||
spec:
|
||
severity_levels:
|
||
info: 2 # output log level as error
|
||
outputAsJson: true
|
||
---
|
||
# Rule to handle access to *.cnn.com/politics
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: handle-politics
|
||
namespace: istio-system
|
||
spec:
|
||
match: request.host.endsWith(&#34;cnn.com&#34;) &amp;&amp; request.path.startsWith(&#34;/politics&#34;) &amp;&amp; context.reporter.uid.startsWith(&#34;kubernetes://istio-egressgateway&#34;)
|
||
actions:
|
||
- handler: egress-error-logger.stdio
|
||
instances:
|
||
- egress-access.logentry
|
||
---
|
||
# Handler for info egress access entries
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: stdio
|
||
metadata:
|
||
name: egress-access-logger
|
||
namespace: istio-system
|
||
spec:
|
||
severity_levels:
|
||
info: 0 # output log level as info
|
||
outputAsJson: true
|
||
---
|
||
# Rule to handle access to *.cnn.com
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: handle-cnn-access
|
||
namespace: istio-system
|
||
spec:
|
||
match: request.host.endsWith(&#34;.cnn.com&#34;) &amp;&amp; context.reporter.uid.startsWith(&#34;kubernetes://istio-egressgateway&#34;)
|
||
actions:
|
||
- handler: egress-access-logger.stdio
|
||
instances:
|
||
- egress-access.logentry
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Send three HTTP requests to <em>cnn.com</em>, to <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>, <a href="https://edition.cnn.com/sport">edition.cnn.com/sport</a> and <a href="https://edition.cnn.com/health">edition.cnn.com/health</a>.
|
||
All three should return <em>200 OK</em>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
200
|
||
200
|
||
200
|
||
</code></pre></li>
|
||
<li><p>Query the Mixer log and see that the information about the requests appears in the log:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:43:24.611462Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:1883355,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:43:24.886316Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/sport&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2094561,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:43:25.369663Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/health&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2157009,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;error&#34;,&#34;time&#34;:&#34;2019-01-29T07:43:24.611462Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:1883355,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
</code></pre>
|
||
<p>You see four log entries related to your three requests. Three <em>info</em> entries about the access to <em>edition.cnn.com</em>
|
||
and one <em>error</em> entry about the access to <em>edition.cnn.com/politics</em>. The service mesh operators can see all the
|
||
access instances, and can also search the log for <em>error</em> log entries that represent forbidden accesses. This is the
|
||
first security measure the organization can apply before blocking the forbidden accesses automatically, namely
|
||
logging all the forbidden access instances as errors. In some settings this can be a sufficient security measure.</p>
|
||
<p>Note the attributes:</p>
|
||
<ul>
|
||
<li><code>destination</code>, <code>path</code>, <code>responseCode</code>, <code>responseSize</code> are related to HTTP parameters of the requests</li>
|
||
<li><code>sourcePrincipal</code>:<code>cluster.local/ns/default/sa/sleep</code> - a string that represents the <code>sleep</code> service account in
|
||
the <code>default</code> namespace</li>
|
||
<li><code>reporterUID</code>: <code>kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system</code> - a UID of the reporting pod, in
|
||
this case <code>istio-egressgateway-747b6764b8-44rrh</code> in the <code>istio-system</code> namespace</li>
|
||
</ul></li>
|
||
</ol>
|
||
<h3 id="access-control-by-routing">Access control by routing</h3>
|
||
<p>After enabling logging of access to <em>edition.cnn.com</em>, automatically enforce an access policy, namely allow
|
||
accessing <em>/health</em> and <em>/sport</em> URL paths only. Such a simple policy control can be implemented with Istio routing.</p>
|
||
<ol>
|
||
<li><p>Redefine your <code>VirtualService</code> for <em>edition.cnn.com</em>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-cnn-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- edition.cnn.com
|
||
gateways:
|
||
- istio-egressgateway
|
||
- mesh
|
||
http:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: 80
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: cnn
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: 443
|
||
uri:
|
||
regex: &#34;/health|/sport&#34;
|
||
route:
|
||
- destination:
|
||
host: edition.cnn.com
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
EOF
|
||
</code></pre>
|
||
<p>Note that you added a <code>match</code> by <code>uri</code> condition that checks that the URL path is
|
||
either <em>/health</em> or <em>/sport</em>. Also note that this condition is added to the <code>istio-egressgateway</code>
|
||
section of the <code>VirtualService</code>, since the egress gateway is a hardened component in terms of security (see
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/#additional-security-considerations">egress gateway security considerations</a>). You don&rsquo;t want any tampering
|
||
with your policies.</p></li>
|
||
<li><p>Send the previous three HTTP requests to <em>cnn.com</em>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
404
|
||
200
|
||
200
|
||
</code></pre>
|
||
<p>The request to <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> returned <em>404 Not Found</em>, while requests
|
||
to <a href="https://edition.cnn.com/sport">edition.cnn.com/sport</a> and
|
||
<a href="https://edition.cnn.com/health">edition.cnn.com/health</a> returned <em>200 OK</em>, as expected.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
||
gateway.</div>
|
||
</aside>
|
||
</div>
|
||
</li>
|
||
<li><p>Query the Mixer log and see that the information about the requests appears again in the log:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:55:59.686082Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:404,&#34;responseSize&#34;:0,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:55:59.697565Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/sport&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2094561,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T07:56:00.264498Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/health&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2157009,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
{&#34;level&#34;:&#34;error&#34;,&#34;time&#34;:&#34;2019-01-29T07:55:59.686082Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:404,&#34;responseSize&#34;:0,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/sleep&#34;}
|
||
</code></pre>
|
||
<p>You still get info and error messages regarding accesses to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>, however this time the <code>responseCode</code> is <code>404</code>, as
|
||
expected.</p></li>
|
||
</ol>
|
||
<p>While implementing access control using Istio routing worked for us in this simple case, it would not suffice for more
|
||
complex cases. For example, the organization may want to allow access to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> under certain conditions, so more complex policy logic than
|
||
just filtering by URL paths will be required. You may want to apply <a href="/v1.12/blog/2017/adapter-model/">Istio Mixer Adapters</a>,
|
||
for example
|
||
<a href="https://istio.io/v1.6/docs/tasks/policy-enforcement/denial-and-list/#attribute-based-whitelists-or-blacklists">white lists or black lists</a>
|
||
of allowed/forbidden URL paths, respectively.
|
||
<a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1/">Policy Rules</a> allow specifying complex conditions,
|
||
specified in a <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/expression-language/">rich expression language</a>, which
|
||
includes AND and OR logical operators. The rules can be reused for both logging and policy checks. More advanced users
|
||
may want to apply <a href="/v1.12/docs/concepts/security/#authorization">Istio Role-Based Access Control</a>.</p>
|
||
<p>An additional aspect is integration with remote access policy systems. If the organization in our use case operates some
|
||
<a href="https://en.wikipedia.org/wiki/Identity_management">Identity and Access Management</a> system, you may want to configure
|
||
Istio to use access policy information from such a system. You implement this integration by applying
|
||
<a href="/v1.12/blog/2017/adapter-model/">Istio Mixer Adapters</a>.</p>
|
||
<p>Cancel the access control by routing you used in this section and implement access control by Mixer policy checks
|
||
in the next section.</p>
|
||
<ol>
|
||
<li><p>Replace the <code>VirtualService</code> for <em>edition.cnn.com</em> with your previous version from the <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/#perform-tls-origination-with-an-egress-gateway">Configure an Egress Gateway</a> example:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: direct-cnn-through-egress-gateway
|
||
spec:
|
||
hosts:
|
||
- edition.cnn.com
|
||
gateways:
|
||
- istio-egressgateway
|
||
- mesh
|
||
http:
|
||
- match:
|
||
- gateways:
|
||
- mesh
|
||
port: 80
|
||
route:
|
||
- destination:
|
||
host: istio-egressgateway.istio-system.svc.cluster.local
|
||
subset: cnn
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
- match:
|
||
- gateways:
|
||
- istio-egressgateway
|
||
port: 443
|
||
route:
|
||
- destination:
|
||
host: edition.cnn.com
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Send the previous three HTTP requests to <em>cnn.com</em>, this time you should get three <em>200 OK</em> responses as
|
||
previously:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
200
|
||
200
|
||
200
|
||
</code></pre></li>
|
||
</ol>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">You may need to wait several seconds for the update of the <code>VirtualService</code> to propagate to the egress
|
||
gateway.</div>
|
||
</aside>
|
||
</div>
|
||
<h3 id="access-control-by-mixer-policy-checks">Access control by Mixer policy checks</h3>
|
||
<p>In this step you use a Mixer
|
||
<a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/adapters/list/"><code>Listchecker</code> adapter</a>, its whitelist
|
||
variety. You define a <code>listentry</code> with the URL path of the request and a <code>listchecker</code> to check the <code>listentry</code> using a
|
||
static list of allowed URL paths, specified by the <code>overrides</code> field. For an external <a href="https://en.wikipedia.org/wiki/Identity_management">Identity and Access Management</a> system, use the <code>providerurl</code> field instead. The updated
|
||
diagram of the instances, rules and handlers appears below. Note that you reuse the same policy rule, <code>handle-cnn-access</code>
|
||
both for logging and for access policy checks.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:52.79420593027812%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg" title="Instances, rules and handlers for egress monitoring and access policies">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-monitoring-access-control/egress-adapters-monitoring-policy.svg" alt="Instances, rules and handlers for egress monitoring and access policies" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Instances, rules and handlers for egress monitoring and access policies</figcaption>
|
||
</figure>
|
||
<ol>
|
||
<li><p>Define <code>path-checker</code> and <code>request-path</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl create -f -
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: listchecker
|
||
metadata:
|
||
name: path-checker
|
||
namespace: istio-system
|
||
spec:
|
||
overrides: [&#34;/health&#34;, &#34;/sport&#34;] # overrides provide a static list
|
||
blacklist: false
|
||
---
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: listentry
|
||
metadata:
|
||
name: request-path
|
||
namespace: istio-system
|
||
spec:
|
||
value: request.path
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Modify the <code>handle-cnn-access</code> policy rule to send <code>request-path</code> instances to the <code>path-checker</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
# Rule handle egress access to cnn.com
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: handle-cnn-access
|
||
namespace: istio-system
|
||
spec:
|
||
match: request.host.endsWith(&#34;.cnn.com&#34;) &amp;&amp; context.reporter.uid.startsWith(&#34;kubernetes://istio-egressgateway&#34;)
|
||
actions:
|
||
- handler: egress-access-logger.stdio
|
||
instances:
|
||
- egress-access.logentry
|
||
- handler: path-checker.listchecker
|
||
instances:
|
||
- request-path.listentry
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Perform your usual test by sending HTTP requests to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a>, <a href="https://edition.cnn.com/sport">edition.cnn.com/sport</a>
|
||
and <a href="https://edition.cnn.com/health">edition.cnn.com/health</a>. As expected, the request to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> returns <em>403</em> (Forbidden).</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
403
|
||
200
|
||
200
|
||
</code></pre></li>
|
||
</ol>
|
||
<h3 id="access-control-by-mixer-policy-checks-part-2">Access control by Mixer policy checks, part 2</h3>
|
||
<p>After the organization in our use case managed to configure logging and access control, it decided to extend its access
|
||
policy by allowing the applications with a special
|
||
<a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/">Service Account</a> to access any topic of <em>cnn.com</em>, without being monitored. You&rsquo;ll see how this requirement can be configured in Istio.</p>
|
||
<ol>
|
||
<li><p>Start the <a href="https://github.com/istio/istio/tree/release-1.12/samples/sleep">sleep</a> sample with the <code>politics</code> service account.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ sed &#39;s/: sleep/: politics/g&#39; @samples/sleep/sleep.yaml@ | kubectl create -f -
|
||
serviceaccount &#34;politics&#34; created
|
||
service &#34;politics&#34; created
|
||
deployment &#34;politics&#34; created
|
||
</code></pre></div></li>
|
||
<li><p>Define the <code>SOURCE_POD_POLITICS</code> shell variable to hold the name of the source pod with the <code>politics</code> service
|
||
account, for sending requests to external services.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export SOURCE_POD_POLITICS=$(kubectl get pod -l app=politics -o jsonpath={.items..metadata.name})
|
||
</code></pre></li>
|
||
<li><p>Perform your usual test of sending three HTTP requests this time from <code>SOURCE_POD_POLITICS</code>.
|
||
The request to <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> returns <em>403</em>, since you did not configure
|
||
the exception for the <em>politics</em> namespace.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
403
|
||
200
|
||
200
|
||
</code></pre></li>
|
||
<li><p>Query the Mixer log and see that the information about the requests from the <em>politics</em> namespace appears in
|
||
the log:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T08:04:42.559812Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:403,&#34;responseSize&#34;:84,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/politics&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T08:04:42.568424Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/sport&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2094561,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/politics&#34;}
|
||
{&#34;level&#34;:&#34;error&#34;,&#34;time&#34;:&#34;2019-01-29T08:04:42.559812Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/politics&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:403,&#34;responseSize&#34;:84,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/politics&#34;}
|
||
{&#34;level&#34;:&#34;info&#34;,&#34;time&#34;:&#34;2019-01-29T08:04:42.615641Z&#34;,&#34;instance&#34;:&#34;egress-access.logentry.istio-system&#34;,&#34;destination&#34;:&#34;edition.cnn.com&#34;,&#34;path&#34;:&#34;/health&#34;,&#34;reporterUID&#34;:&#34;kubernetes://istio-egressgateway-747b6764b8-44rrh.istio-system&#34;,&#34;responseCode&#34;:200,&#34;responseSize&#34;:2157009,&#34;sourcePrincipal&#34;:&#34;cluster.local/ns/default/sa/politics&#34;}
|
||
</code></pre>
|
||
<p>Note that <code>sourcePrincipal</code> is <code>cluster.local/ns/default/sa/politics</code> which represents the <code>politics</code> service
|
||
account in the <code>default</code> namespace.</p></li>
|
||
<li><p>Redefine <code>handle-cnn-access</code> and <code>handle-politics</code> policy rules, to make the applications in the <em>politics</em>
|
||
namespace exempt from monitoring and policy enforcement.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat &lt;&lt;EOF | kubectl apply -f -
|
||
# Rule to handle access to *.cnn.com/politics
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: handle-politics
|
||
namespace: istio-system
|
||
spec:
|
||
match: request.host.endsWith(&#34;cnn.com&#34;) &amp;&amp; context.reporter.uid.startsWith(&#34;kubernetes://istio-egressgateway&#34;) &amp;&amp; request.path.startsWith(&#34;/politics&#34;) &amp;&amp; source.principal != &#34;cluster.local/ns/default/sa/politics&#34;
|
||
actions:
|
||
- handler: egress-error-logger.stdio
|
||
instances:
|
||
- egress-access.logentry
|
||
---
|
||
# Rule handle egress access to cnn.com
|
||
apiVersion: &#34;config.istio.io/v1alpha2&#34;
|
||
kind: rule
|
||
metadata:
|
||
name: handle-cnn-access
|
||
namespace: istio-system
|
||
spec:
|
||
match: request.host.endsWith(&#34;.cnn.com&#34;) &amp;&amp; context.reporter.uid.startsWith(&#34;kubernetes://istio-egressgateway&#34;) &amp;&amp; source.principal != &#34;cluster.local/ns/default/sa/politics&#34;
|
||
actions:
|
||
- handler: egress-access-logger.stdio
|
||
instances:
|
||
- egress-access.logentry
|
||
- handler: path-checker.listchecker
|
||
instances:
|
||
- request-path.listentry
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Perform your usual test from <code>SOURCE_POD</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
403
|
||
200
|
||
200
|
||
</code></pre>
|
||
<p>Since <code>SOURCE_POD</code> does not have <code>politics</code> service account, access to
|
||
<a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> is forbidden, as previously.</p></li>
|
||
<li><p>Perform the previous test from <code>SOURCE_POD_POLITICS</code>:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl exec -it $SOURCE_POD_POLITICS -c politics -- sh -c &#39;curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/politics; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/sport; curl -sL -o /dev/null -w &#34;%{http_code}\n&#34; http://edition.cnn.com/health&#39;
|
||
200
|
||
200
|
||
200
|
||
</code></pre>
|
||
<p>Access to all the topics of <em>edition.cnn.com</em> is allowed.</p></li>
|
||
<li><p>Examine the Mixer log and see that no more requests with <code>sourcePrincipal</code> equal
|
||
<code>cluster.local/ns/default/sa/politics</code> appear in the log.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep egress-access | grep cnn | tail -4
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="comparison-with-https-egress-traffic-control">Comparison with HTTPS egress traffic control</h2>
|
||
<p>In this use case the applications use HTTP and Istio Egress Gateway performs TLS origination for them. Alternatively,
|
||
the applications could originate TLS themselves by issuing HTTPS requests to <em>edition.cnn.com</em>. In this section we
|
||
describe both approaches and their pros and cons.</p>
|
||
<p>In the HTTP approach, the requests are sent unencrypted on the local host, intercepted by the Istio sidecar proxy and
|
||
forwarded to the egress gateway. Since you configure Istio to use mutual TLS between the sidecar proxy and the egress
|
||
gateway, the traffic leaves the pod encrypted. The egress gateway decrypts the traffic, inspects the URL path, the
|
||
HTTP method and headers, reports telemetry and performs policy checks. If the request is not blocked by some policy
|
||
check, the egress gateway performs TLS origination to the external destination (<em>cnn.com</em> in our case), so the request
|
||
is encrypted again and sent encrypted to the external destination. The diagram below demonstrates the network flow of
|
||
this approach. The HTTP protocol inside the gateway designates the protocol as seen by the gateway after decryption.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:64.81718469808756%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-monitoring-access-control/http-to-gateway.svg" title="HTTP egress traffic through an egress gateway">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-monitoring-access-control/http-to-gateway.svg" alt="HTTP egress traffic through an egress gateway" />
|
||
</a>
|
||
</div>
|
||
<figcaption>HTTP egress traffic through an egress gateway</figcaption>
|
||
</figure>
|
||
<p>The drawback of this approach is that the requests are sent unencrypted inside the pod, which may be against security
|
||
policies in some organizations. Also some SDKs have external service URLs hard-coded, including the protocol, so
|
||
sending HTTP requests could be impossible. The advantage of this approach is the ability to inspect HTTP methods,
|
||
headers and URL paths, and to apply policies based on them.</p>
|
||
<p>In the HTTPS approach, the requests are encrypted end-to-end, from the application to the external destination. The
|
||
diagram below demonstrates the network flow of this approach. The HTTPS protocol inside the gateway designates the
|
||
protocol as seen by the gateway.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:64.81718469808756%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-monitoring-access-control/https-to-gateway.svg" title="HTTPS egress traffic through an egress gateway">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-monitoring-access-control/https-to-gateway.svg" alt="HTTPS egress traffic through an egress gateway" />
|
||
</a>
|
||
</div>
|
||
<figcaption>HTTPS egress traffic through an egress gateway</figcaption>
|
||
</figure>
|
||
<p>The end-to-end HTTPS is considered a better approach from the security point of view. However, since the traffic is
|
||
encrypted the Istio proxies and the egress gateway can only see the source and destination IPs and the <a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> of the destination. Since you configure Istio to use mutual TLS between the sidecar proxy
|
||
and the egress gateway, the <a href="/v1.12/docs/concepts/security/#istio-identity">identity of the source</a> is also known.
|
||
The gateway is unable to inspect the URL path, the HTTP method and the headers of the requests, so no monitoring and
|
||
policies based on the HTTP information can be possible.
|
||
In our use case, the organization would be able to allow access to <em>edition.cnn.com</em> and to specify which applications
|
||
are allowed to access <em>edition.cnn.com</em>.
|
||
However, it will not be possible to allow or block access to specific URL paths of <em>edition.cnn.com</em>.
|
||
Neither blocking access to <a href="https://edition.cnn.com/politics">edition.cnn.com/politics</a> nor monitoring such access are
|
||
possible with the HTTPS approach.</p>
|
||
<p>We guess that each organization will consider the pros and cons of the two approaches and choose the one most
|
||
appropriate to its needs.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In this blog post we showed how different monitoring and policy mechanisms of Istio can be applied to HTTP egress
|
||
traffic. Monitoring can be implemented by configuring a logging adapter. Access
|
||
policies can be implemented by configuring <code>VirtualServices</code> or by configuring various policy check adapters. We
|
||
demonstrated a simple policy that allowed certain URL paths only. We also showed a more complex policy that extended the
|
||
simple policy by making an exemption to the applications with a certain service account. Finally, we compared
|
||
HTTP-with-TLS-origination egress traffic with HTTPS egress traffic, in terms of control possibilities by Istio.</p>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<ol>
|
||
<li><p>Perform the instructions in <a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway//#cleanup">Cleanup</a> section of the
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-gateway/">Configure an Egress Gateway</a> example.</p></li>
|
||
<li><p>Delete the logging and policy checks configuration:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete logentry egress-access -n istio-system
|
||
$ kubectl delete stdio egress-error-logger -n istio-system
|
||
$ kubectl delete stdio egress-access-logger -n istio-system
|
||
$ kubectl delete rule handle-politics -n istio-system
|
||
$ kubectl delete rule handle-cnn-access -n istio-system
|
||
$ kubectl delete -n istio-system listchecker path-checker
|
||
$ kubectl delete -n istio-system listentry request-path
|
||
</code></pre></li>
|
||
<li><p>Delete the <em>politics</em> source pod:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/sleep/sleep.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ sed &#39;s/: sleep/: politics/g&#39; @samples/sleep/sleep.yaml@ | kubectl delete -f -
|
||
serviceaccount &#34;politics&#34; deleted
|
||
service &#34;politics&#34; deleted
|
||
deployment &#34;politics&#34; deleted
|
||
</code></pre></div></li>
|
||
</ol></description><pubDate>Fri, 22 Jun 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/egress-monitoring-access-control/</link><author>Vadim Eisenberg and Ronen Schaffer (IBM)</author><guid isPermaLink="true">/v1.12/blog/2018/egress-monitoring-access-control/</guid><category>egress</category><category>traffic-management</category><category>access-control</category><category>monitoring</category></item><item><title>Introducing the Istio v1alpha3 routing API</title><description>
|
||
<p>Up until now, Istio has provided a simple API for traffic management using four configuration resources:
|
||
<code>RouteRule</code>, <code>DestinationPolicy</code>, <code>EgressRule</code>, and (Kubernetes) <code>Ingress</code>.
|
||
With this API, users have been able to easily manage the flow of traffic in an Istio service mesh.
|
||
The API has allowed users to route requests to specific versions of services, inject delays and failures for resilience
|
||
testing, add timeouts and circuit breakers, and more, all without changing the application code itself.</p>
|
||
<p>While this functionality has proven to be a very compelling part of Istio, user feedback has also shown that this API does
|
||
have some shortcomings, specifically when using it to manage very large applications containing thousands of services, and
|
||
when working with protocols other than HTTP. Furthermore, the use of Kubernetes <code>Ingress</code> resources to configure external
|
||
traffic has proven to be woefully insufficient for our needs.</p>
|
||
<p>To address these, and other concerns, a new traffic management API, a.k.a. <code>v1alpha3</code>, is being introduced, which will
|
||
completely replace the previous API going forward. Although the <code>v1alpha3</code> model is fundamentally the same, it is not
|
||
backward compatible and will require manual conversion from the old API.</p>
|
||
<p>To justify this disruption, the <code>v1alpha3</code> API has gone through a long and painstaking community
|
||
review process that has hopefully resulted in a greatly improved API that will stand the test of time. In this article,
|
||
we will introduce the new configuration model and attempt to explain some of the motivation and design principles that
|
||
influenced it.</p>
|
||
<h2 id="design-principles">Design principles</h2>
|
||
<p>A few key design principles played a role in the routing model redesign:</p>
|
||
<ul>
|
||
<li>Explicitly model infrastructure as well as intent. For example, in addition to configuring an ingress gateway, the
|
||
component (controller) implementing it can also be specified.</li>
|
||
<li>The authoring model should be &ldquo;producer oriented&rdquo; and &ldquo;host centric&rdquo; as opposed to compositional. For example, all
|
||
rules associated with a particular host are configured together, instead of individually.</li>
|
||
<li>Clear separation of routing from post-routing behaviors.</li>
|
||
</ul>
|
||
<h2 id="configuration-resources-in-v1alpha3">Configuration resources in v1alpha3</h2>
|
||
<p>A typical mesh will have one or more load balancers (we call them gateways)
|
||
that terminate TLS from external networks and allow traffic into the mesh.
|
||
Traffic then flows through internal services via sidecar gateways.
|
||
It is also common for applications to consume external
|
||
services (e.g., Google Maps API). These may be called directly or, in certain deployments, all traffic
|
||
exiting the mesh may be forced through dedicated egress gateways. The following diagram depicts
|
||
this mental model.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:35.204472660409245%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/v1alpha3-routing/gateways.svg" title="Gateways in an Istio service mesh">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/v1alpha3-routing/gateways.svg" alt="Role of gateways in the mesh" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Gateways in an Istio service mesh</figcaption>
|
||
</figure>
|
||
<p>With the above setup in mind, <code>v1alpha3</code> introduces the following new
|
||
configuration resources to control traffic routing into, within, and out of the mesh.</p>
|
||
<ol>
|
||
<li><code>Gateway</code></li>
|
||
<li><code>VirtualService</code></li>
|
||
<li><code>DestinationRule</code></li>
|
||
<li><code>ServiceEntry</code></li>
|
||
</ol>
|
||
<p><code>VirtualService</code>, <code>DestinationRule</code>, and <code>ServiceEntry</code> replace <code>RouteRule</code>,
|
||
<code>DestinationPolicy</code>, and <code>EgressRule</code> respectively. The <code>Gateway</code> is a
|
||
platform independent abstraction to model the traffic flowing into
|
||
dedicated middleboxes.</p>
|
||
<p>The figure below depicts the flow of control across configuration
|
||
resources.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:41.164966727369595%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/v1alpha3-routing/virtualservices-destrules.svg" title="Relationship between different v1alpha3 elements">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/v1alpha3-routing/virtualservices-destrules.svg" alt="Relationship between different v1alpha3 elements" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Relationship between different v1alpha3 elements</figcaption>
|
||
</figure>
|
||
<h3 id="gateway"><code>Gateway</code></h3>
|
||
<p>A <a href="/v1.12/docs/reference/config/networking/gateway/"><code>Gateway</code></a>
|
||
configures a load balancer for HTTP/TCP traffic, regardless of
|
||
where it will be running. Any number of gateways can exist within the mesh
|
||
and multiple different gateway implementations can co-exist. In fact, a
|
||
gateway configuration can be bound to a particular workload by specifying
|
||
the set of workload (pod) labels as part of the configuration, allowing
|
||
users to reuse off the shelf network appliances by writing a simple gateway
|
||
controller.</p>
|
||
<p>For ingress traffic management, you might ask: <em>Why not reuse Kubernetes Ingress APIs</em>?
|
||
The Ingress APIs proved to be incapable of expressing Istio&rsquo;s routing needs.
|
||
By trying to draw a common denominator across different HTTP proxies, the
|
||
Ingress is only able to support the most basic HTTP routing and ends up
|
||
pushing every other feature of modern proxies into non-portable
|
||
annotations.</p>
|
||
<p>Istio <code>Gateway</code> overcomes the <code>Ingress</code> shortcomings by separating the
|
||
L4-L6 spec from L7. It only configures the L4-L6 functions (e.g., ports to
|
||
expose, TLS configuration) that are uniformly implemented by all good L7
|
||
proxies. Users can then use standard Istio rules to control HTTP
|
||
requests as well as TCP traffic entering a <code>Gateway</code> by binding a
|
||
<code>VirtualService</code> to it.</p>
|
||
<p>For example, the following simple <code>Gateway</code> configures a load balancer
|
||
to allow external https traffic for host <code>bookinfo.com</code> into the mesh:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: Gateway
|
||
metadata:
|
||
name: bookinfo-gateway
|
||
spec:
|
||
servers:
|
||
- port:
|
||
number: 443
|
||
name: https
|
||
protocol: HTTPS
|
||
hosts:
|
||
- bookinfo.com
|
||
tls:
|
||
mode: SIMPLE
|
||
serverCertificate: /tmp/tls.crt
|
||
privateKey: /tmp/tls.key
|
||
</code></pre>
|
||
<p>To configure the corresponding routes, a <code>VirtualService</code> (described in the <a href="#virtualservice">following section</a>)
|
||
must be defined for the same host and bound to the <code>Gateway</code> using
|
||
the <code>gateways</code> field in the configuration:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: bookinfo
|
||
spec:
|
||
hosts:
|
||
- bookinfo.com
|
||
gateways:
|
||
- bookinfo-gateway # &lt;---- bind to gateway
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /reviews
|
||
route:
|
||
...
|
||
</code></pre>
|
||
<p>The <code>Gateway</code> can be used to model an edge-proxy or a purely internal proxy
|
||
as shown in the first figure. Irrespective of the location, all gateways
|
||
can be configured and controlled in the same way.</p>
|
||
<h3 id="virtualservice"><code>VirtualService</code></h3>
|
||
<p>Replacing route rules with something called &ldquo;virtual services” might seem peculiar at first, but in reality it’s
|
||
fundamentally a much better name for what is being configured, especially after redesigning the API to address the
|
||
scalability issues with the previous model.</p>
|
||
<p>In effect, what has changed is that instead of configuring routing using a set of individual configuration resources
|
||
(rules) for a particular destination service, each containing a precedence field to control the order of evaluation, we
|
||
now configure the (virtual) destination itself, with all of its rules in an ordered list within a corresponding
|
||
<a href="/v1.12/docs/reference/config/networking/virtual-service/"><code>VirtualService</code></a> resource.
|
||
For example, where previously we had two <code>RouteRule</code> resources for the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Bookinfo</a> application’s <code>reviews</code> service, like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: config.istio.io/v1alpha2
|
||
kind: RouteRule
|
||
metadata:
|
||
name: reviews-default
|
||
spec:
|
||
destination:
|
||
name: reviews
|
||
precedence: 1
|
||
route:
|
||
- labels:
|
||
version: v1
|
||
---
|
||
apiVersion: config.istio.io/v1alpha2
|
||
kind: RouteRule
|
||
metadata:
|
||
name: reviews-test-v2
|
||
spec:
|
||
destination:
|
||
name: reviews
|
||
precedence: 2
|
||
match:
|
||
request:
|
||
headers:
|
||
cookie:
|
||
regex: &#34;^(.*?;)?(user=jason)(;.*)?$&#34;
|
||
route:
|
||
- labels:
|
||
version: v2
|
||
</code></pre>
|
||
<p>In <code>v1alpha3</code>, we provide the same configuration in a single <code>VirtualService</code> resource:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
hosts:
|
||
- reviews
|
||
http:
|
||
- match:
|
||
- headers:
|
||
cookie:
|
||
regex: &#34;^(.*?;)?(user=jason)(;.*)?$&#34;
|
||
route:
|
||
- destination:
|
||
host: reviews
|
||
subset: v2
|
||
- route:
|
||
- destination:
|
||
host: reviews
|
||
subset: v1
|
||
</code></pre>
|
||
<p>As you can see, both of the rules for the <code>reviews</code> service are consolidated in one place, which at first may or may not
|
||
seem preferable. However, if you look closer at this new model, you’ll see there are fundamental differences that make
|
||
<code>v1alpha3</code> vastly more functional.</p>
|
||
<p>First of all, notice that the destination service for the <code>VirtualService</code> is specified using a <code>hosts</code> field (repeated field, in fact) and is then again specified in a <code>destination</code> field of each of the route specifications. This is a
|
||
very important difference from the previous model.</p>
|
||
<p>A <code>VirtualService</code> describes the mapping between one or more user-addressable destinations to the actual destination workloads inside the mesh. In our example, they are the same, however, the user-addressed hosts can be any DNS
|
||
names with optional wildcard prefix or CIDR prefix that will be used to address the service. This can be particularly
|
||
useful in facilitating turning monoliths into a composite service built out of distinct microservices without requiring the
|
||
consumers of the service to adapt to the transition.</p>
|
||
<p>For example, the following rule allows users to address both the <code>reviews</code> and <code>ratings</code> services of the Bookinfo application
|
||
as if they are parts of a bigger (virtual) service at <code>http://bookinfo.com/</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: bookinfo
|
||
spec:
|
||
hosts:
|
||
- bookinfo.com
|
||
http:
|
||
- match:
|
||
- uri:
|
||
prefix: /reviews
|
||
route:
|
||
- destination:
|
||
host: reviews
|
||
- match:
|
||
- uri:
|
||
prefix: /ratings
|
||
route:
|
||
- destination:
|
||
host: ratings
|
||
...
|
||
</code></pre>
|
||
<p>The hosts of a <code>VirtualService</code> do not actually have to be part of the service registry, they are simply virtual
|
||
destinations. This allows users to model traffic for virtual hosts that do not have routable entries inside the mesh.
|
||
These hosts can be exposed outside the mesh by binding the <code>VirtualService</code> to a <code>Gateway</code> configuration for the same host
|
||
(as described in the <a href="#gateway">previous section</a>).</p>
|
||
<p>In addition to this fundamental restructuring, <code>VirtualService</code> includes several other important changes:</p>
|
||
<ol>
|
||
<li><p>Multiple match conditions can be expressed inside the <code>VirtualService</code> configuration, reducing the need for redundant
|
||
rules.</p></li>
|
||
<li><p>Each service version has a name (called a service subset). The set of pods/VMs belonging to a subset is defined in a
|
||
<code>DestinationRule</code>, described in the following section.</p></li>
|
||
<li><p><code>VirtualService</code> hosts can be specified using wildcard DNS prefixes to create a single rule for all matching services.
|
||
For example, in Kubernetes, to apply the same rewrite rule for all services in the <code>foo</code> namespace, the <code>VirtualService</code>
|
||
would use <code>*.foo.svc.cluster.local</code> as the host.</p></li>
|
||
</ol>
|
||
<h3 id="destinationrule"><code>DestinationRule</code></h3>
|
||
<p>A <a href="/v1.12/docs/reference/config/networking/destination-rule/"><code>DestinationRule</code></a>
|
||
configures the set of policies to be applied while forwarding traffic to a service. They are
|
||
intended to be authored by service owners, describing the circuit breakers, load balancer settings, TLS settings, etc..
|
||
<code>DestinationRule</code> is more or less the same as its predecessor, <code>DestinationPolicy</code>, with the following exceptions:</p>
|
||
<ol>
|
||
<li>The <code>host</code> of a <code>DestinationRule</code> can include wildcard prefixes, allowing a single rule to be specified for many actual
|
||
services.</li>
|
||
<li>A <code>DestinationRule</code> defines addressable <code>subsets</code> (i.e., named versions) of the corresponding destination host. These
|
||
subsets are used in <code>VirtualService</code> route specifications when sending traffic to specific versions of the service.
|
||
Naming versions this way allows us to cleanly refer to them across different virtual services, simplify the stats that
|
||
Istio proxies emit, and to encode subsets in SNI headers.</li>
|
||
</ol>
|
||
<p>A <code>DestinationRule</code> that configures policies and subsets for the reviews service might look something like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: reviews
|
||
spec:
|
||
host: reviews
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: RANDOM
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
- name: v3
|
||
labels:
|
||
version: v3
|
||
</code></pre>
|
||
<p>Notice that, unlike <code>DestinationPolicy</code>, multiple policies (e.g., default and v2-specific) are specified in a single
|
||
<code>DestinationRule</code> configuration.</p>
|
||
<h3 id="serviceentry"><code>ServiceEntry</code></h3>
|
||
<p><a href="/v1.12/docs/reference/config/networking/service-entry/"><code>ServiceEntry</code></a>
|
||
is used to add additional entries into the service registry that Istio maintains internally.
|
||
It is most commonly used to allow one to model traffic to external dependencies of the mesh
|
||
such as APIs consumed from the web or traffic to services in legacy infrastructure.</p>
|
||
<p>Everything you could previously configure using an <code>EgressRule</code> can just as easily be done with a <code>ServiceEntry</code>.
|
||
For example, access to a simple external service from inside the mesh can be enabled using a configuration
|
||
something like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: foo-ext
|
||
spec:
|
||
hosts:
|
||
- foo.com
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
</code></pre>
|
||
<p>That said, <code>ServiceEntry</code> has significantly more functionality than its predecessor.
|
||
First of all, a <code>ServiceEntry</code> is not limited to external service configuration,
|
||
it can be of two types: mesh-internal or mesh-external.
|
||
Mesh-internal entries are like all other internal services but are used to explicitly add services
|
||
to the mesh. They can be used to add services as part of expanding the service mesh to include unmanaged infrastructure
|
||
(e.g., VMs added to a Kubernetes-based service mesh).
|
||
Mesh-external entries represent services external to the mesh.
|
||
For them, mutual TLS authentication is disabled and policy enforcement is performed on the client-side,
|
||
instead of on the usual server-side for internal service requests.</p>
|
||
<p>Because a <code>ServiceEntry</code> configuration simply adds a destination to the internal service registry, it can be
|
||
used in conjunction with a <code>VirtualService</code> and/or <code>DestinationRule</code>, just like any other service in the registry.
|
||
The following <code>DestinationRule</code>, for example, can be used to initiate mutual TLS connections for an external service:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: foo-ext
|
||
spec:
|
||
host: foo.com
|
||
trafficPolicy:
|
||
tls:
|
||
mode: MUTUAL
|
||
clientCertificate: /etc/certs/myclientcert.pem
|
||
privateKey: /etc/certs/client_private_key.pem
|
||
caCertificates: /etc/certs/rootcacerts.pem
|
||
</code></pre>
|
||
<p>In addition to its expanded generality, <code>ServiceEntry</code> provides several other improvements over <code>EgressRule</code>
|
||
including the following:</p>
|
||
<ol>
|
||
<li>A single <code>ServiceEntry</code> can configure multiple service endpoints, which previously would have required multiple
|
||
<code>EgressRules</code>.</li>
|
||
<li>The resolution mode for the endpoints is now configurable (<code>NONE</code>, <code>STATIC</code>, or <code>DNS</code>).</li>
|
||
<li>Additionally, we are working on addressing another pain point: the need to access secure external services over plain
|
||
text ports (e.g., <code>http://google.com:443</code>). This should be fixed in the coming weeks, allowing you to directly access
|
||
<code>https://google.com</code> from your application. Stay tuned for an Istio patch release (0.8.x) that addresses this limitation.</li>
|
||
</ol>
|
||
<h2 id="creating-and-deleting-v1alpha3-route-rules">Creating and deleting v1alpha3 route rules</h2>
|
||
<p>Because all route rules for a given destination are now stored together as an ordered
|
||
list in a single <code>VirtualService</code> resource, adding a second and subsequent rules for a particular destination
|
||
is no longer done by creating a new (<code>RouteRule</code>) resource, but instead by updating the one-and-only <code>VirtualService</code>
|
||
resource for the destination.</p>
|
||
<p>old routing rules:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f my-second-rule-for-destination-abc.yaml
|
||
</code></pre>
|
||
<p><code>v1alpha3</code> routing rules:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f my-updated-rules-for-destination-abc.yaml
|
||
</code></pre>
|
||
<p>Deleting route rules other than the last one for a particular destination is also done by updating
|
||
the existing resource using <code>kubectl apply</code>.</p>
|
||
<p>When adding or removing routes that refer to service versions, the <code>subsets</code> will need to be updated in
|
||
the service&rsquo;s corresponding <code>DestinationRule</code>.
|
||
As you might have guessed, this is also done using <code>kubectl apply</code>.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>The Istio <code>v1alpha3</code> routing API has significantly more functionality than
|
||
its predecessor, but unfortunately is not backwards compatible, requiring a
|
||
one time manual conversion. The previous configuration resources,
|
||
<code>RouteRule</code>, <code>DesintationPolicy</code>, and <code>EgressRule</code>, will not be supported
|
||
from Istio 0.9 onwards. Kubernetes users can continue to use <code>Ingress</code> to
|
||
configure their edge load balancers for basic routing. However, advanced
|
||
routing features (e.g., traffic split across two versions) will require use
|
||
of <code>Gateway</code>, a significantly more functional and highly
|
||
recommended <code>Ingress</code> replacement.</p>
|
||
<h2 id="acknowledgments">Acknowledgments</h2>
|
||
<p>Credit for the routing model redesign and implementation work goes to the
|
||
following people (in alphabetical order):</p>
|
||
<ul>
|
||
<li>Frank Budinsky (IBM)</li>
|
||
<li>Zack Butcher (Google)</li>
|
||
<li>Greg Hanson (IBM)</li>
|
||
<li>Costin Manolache (Google)</li>
|
||
<li>Martin Ostrowski (Google)</li>
|
||
<li>Shriram Rajagopalan (VMware)</li>
|
||
<li>Louis Ryan (Google)</li>
|
||
<li>Isaiah Snell-Feikema (IBM)</li>
|
||
<li>Kuat Yessenov (Google)</li>
|
||
</ul></description><pubDate>Wed, 25 Apr 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/v1alpha3-routing/</link><author>Frank Budinsky (IBM) and Shriram Rajagopalan (VMware)</author><guid isPermaLink="true">/v1.12/blog/2018/v1alpha3-routing/</guid><category>traffic-management</category></item><item><title>Configuring Istio Ingress with AWS NLB</title><description>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This post was updated on January 16, 2019 to include some usage warnings.</div>
|
||
</aside>
|
||
</div>
|
||
<p>This post provides instructions to use and configure ingress Istio with <a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html">AWS Network Load Balancer</a>.</p>
|
||
<p>Network load balancer (NLB) could be used instead of classical load balancer. You can see the <a href="https://aws.amazon.com/elasticloadbalancing/details/#Product_comparisons">comparison</a> between different AWS <code>loadbalancer</code> for more explanation.</p>
|
||
<h2 id="prerequisites">Prerequisites</h2>
|
||
<p>The following instructions require a Kubernetes <strong>1.9.0 or newer</strong> cluster.</p>
|
||
<div>
|
||
<aside class="callout warning">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-warning"/></svg>
|
||
</div>
|
||
<div class="content"><p>Usage of AWS <code>nlb</code> on Kubernetes is an Alpha feature and not recommended for production clusters.</p>
|
||
<p>Usage of AWS <code>nlb</code> does not support the creation of two or more Kubernetes clusters running Istio in the same zone as a result of <a href="https://github.com/kubernetes/kubernetes/issues/69264">Kubernetes Bug #69264</a>.</p>
|
||
</div>
|
||
</aside>
|
||
</div>
|
||
<h2 id="iam-policy">IAM policy</h2>
|
||
<p>You need to apply policy on the master role in order to be able to provision network load balancer.</p>
|
||
<ol>
|
||
<li><p>In AWS <code>iam</code> console click on policies and click on create a new one:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:52.430278884462155%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/aws-nlb/createpolicystart.png" title="Create a new policy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/aws-nlb/createpolicystart.png" alt="Create a new policy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Create a new policy</figcaption>
|
||
</figure></li>
|
||
<li><p>Select <code>json</code>:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:50.63492063492063%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/aws-nlb/createpolicyjson.png" title="Select json">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/aws-nlb/createpolicyjson.png" alt="Select json" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Select json</figcaption>
|
||
</figure></li>
|
||
<li><p>Copy/paste text below:</p>
|
||
<pre><code class='language-json' data-expandlinks='true' data-repo='istio' >{
|
||
&#34;Version&#34;: &#34;2012-10-17&#34;,
|
||
&#34;Statement&#34;: [
|
||
{
|
||
&#34;Sid&#34;: &#34;kopsK8sNLBMasterPermsRestrictive&#34;,
|
||
&#34;Effect&#34;: &#34;Allow&#34;,
|
||
&#34;Action&#34;: [
|
||
&#34;ec2:DescribeVpcs&#34;,
|
||
&#34;elasticloadbalancing:AddTags&#34;,
|
||
&#34;elasticloadbalancing:CreateListener&#34;,
|
||
&#34;elasticloadbalancing:CreateTargetGroup&#34;,
|
||
&#34;elasticloadbalancing:DeleteListener&#34;,
|
||
&#34;elasticloadbalancing:DeleteTargetGroup&#34;,
|
||
&#34;elasticloadbalancing:DescribeListeners&#34;,
|
||
&#34;elasticloadbalancing:DescribeLoadBalancerPolicies&#34;,
|
||
&#34;elasticloadbalancing:DescribeTargetGroups&#34;,
|
||
&#34;elasticloadbalancing:DescribeTargetHealth&#34;,
|
||
&#34;elasticloadbalancing:ModifyListener&#34;,
|
||
&#34;elasticloadbalancing:ModifyTargetGroup&#34;,
|
||
&#34;elasticloadbalancing:RegisterTargets&#34;,
|
||
&#34;elasticloadbalancing:SetLoadBalancerPoliciesOfListener&#34;
|
||
],
|
||
&#34;Resource&#34;: [
|
||
&#34;*&#34;
|
||
]
|
||
},
|
||
{
|
||
&#34;Effect&#34;: &#34;Allow&#34;,
|
||
&#34;Action&#34;: [
|
||
&#34;ec2:DescribeVpcs&#34;,
|
||
&#34;ec2:DescribeRegions&#34;
|
||
],
|
||
&#34;Resource&#34;: &#34;*&#34;
|
||
}
|
||
]
|
||
}
|
||
</code></pre></li>
|
||
<li><p>Click review policy, fill all fields and click create policy:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:60.08097165991902%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/aws-nlb/create_policy.png" title="Validate policy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/aws-nlb/create_policy.png" alt="Validate policy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Validate policy</figcaption>
|
||
</figure></li>
|
||
<li><p>Click on roles, select you master role nodes, and click attach policy:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:30.328324986087924%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/aws-nlb/roles_summary.png" title="Attach policy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/aws-nlb/roles_summary.png" alt="Attach policy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Attach policy</figcaption>
|
||
</figure></li>
|
||
<li><p>Your policy is now attach to your master node.</p></li>
|
||
</ol>
|
||
<h2 id="generate-the-istio-manifest">Generate the Istio manifest</h2>
|
||
<p>To use an AWS <code>nlb</code> load balancer, it is necessary to add an AWS specific
|
||
annotation to the Istio installation. These instructions explain how to
|
||
add the annotation.</p>
|
||
<p>Save this as the file <code>override.yaml</code>:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >gateways:
|
||
istio-ingressgateway:
|
||
serviceAnnotations:
|
||
service.beta.kubernetes.io/aws-load-balancer-type: &#34;nlb&#34;
|
||
</code></pre>
|
||
<p>Generate a manifest with Helm:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ helm template install/kubernetes/helm/istio --namespace istio -f override.yaml &gt; $HOME/istio.yaml
|
||
</code></pre></description><pubDate>Fri, 20 Apr 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/aws-nlb/</link><author>Julien SENON</author><guid isPermaLink="true">/v1.12/blog/2018/aws-nlb/</guid><category>ingress</category><category>traffic-management</category><category>aws</category></item><item><title>Istio Soft Multi-Tenancy Support</title><description>
|
||
<p>Multi-tenancy is commonly used in many environments across many different applications,
|
||
but the implementation details and functionality provided on a per tenant basis does not
|
||
follow one model in all environments. The <a href="https://github.com/kubernetes/community/blob/master/wg-multitenancy/README.md">Kubernetes multi-tenancy working group</a>
|
||
is working to define the multi-tenant use cases and functionality that should be available
|
||
within Kubernetes. However, from their work so far it is clear that only &ldquo;soft multi-tenancy&rdquo;
|
||
is possible due to the inability to fully protect against malicious containers or workloads
|
||
gaining access to other tenant&rsquo;s pods or kernel resources.</p>
|
||
<h2 id="soft-multi-tenancy">Soft multi-tenancy</h2>
|
||
<p>For this blog, &ldquo;soft multi-tenancy&rdquo; is defined as having a single Kubernetes control plane
|
||
with multiple Istio control planes and multiple meshes, one control plane and one mesh
|
||
per tenant. The cluster administrator gets control and visibility across all the Istio
|
||
control planes, while the tenant administrator only gets control of a specific Istio
|
||
instance. Separation between the tenants is provided by Kubernetes namespaces and RBAC.</p>
|
||
<p>One use case for this deployment model is a shared corporate infrastructure where malicious
|
||
actions are not expected, but a clean separation of the tenants is still required.</p>
|
||
<p>Potential future Istio multi-tenant deployment models are described at the bottom of this
|
||
blog.</p>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This blog is a high-level description of how to deploy Istio in a
|
||
limited multi-tenancy environment. The <a href="/v1.12/docs/">docs</a> section will be updated
|
||
when official multi-tenancy support is provided.</div>
|
||
</aside>
|
||
</div>
|
||
<h2 id="deployment">Deployment</h2>
|
||
<h3 id="multiple-istio-control-planes">Multiple Istio control planes</h3>
|
||
<p>Deploying multiple Istio control planes starts by replacing all <code>namespace</code> references
|
||
in a manifest file with the desired namespace. Using <code>istio.yaml</code> as an example, if two tenant
|
||
level Istio control planes are required; the first can use the <code>istio.yaml</code> default name of
|
||
<code>istio-system</code> and a second control plane can be created by generating a new yaml file with
|
||
a different namespace. As an example, the following command creates a yaml file with
|
||
the Istio namespace of <code>istio-system1</code>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ cat istio.yaml | sed s/istio-system/istio-system1/g &gt; istio-system1.yaml
|
||
</code></pre>
|
||
<p>The <code>istio.yaml</code> file contains the details of the Istio control plane deployment, including the
|
||
pods that make up the control plane (Mixer, Pilot, Ingress, Galley, CA). Deploying the two Istio
|
||
control plane yaml files:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f install/kubernetes/istio.yaml
|
||
$ kubectl apply -f install/kubernetes/istio-system1.yaml
|
||
</code></pre>
|
||
<p>Results in two Istio control planes running in two namespaces.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods --all-namespaces
|
||
NAMESPACE NAME READY STATUS RESTARTS AGE
|
||
istio-system istio-ca-ffbb75c6f-98w6x 1/1 Running 0 15d
|
||
istio-system istio-ingress-68d65fc5c6-dnvfl 1/1 Running 0 15d
|
||
istio-system istio-mixer-5b9f8dffb5-8875r 3/3 Running 0 15d
|
||
istio-system istio-pilot-678fc976c8-b8tv6 2/2 Running 0 15d
|
||
istio-system1 istio-ca-5f496fdbcd-lqhlk 1/1 Running 0 15d
|
||
istio-system1 istio-ingress-68d65fc5c6-2vldg 1/1 Running 0 15d
|
||
istio-system1 istio-mixer-7d4f7b9968-66z44 3/3 Running 0 15d
|
||
istio-system1 istio-pilot-5bb6b7669c-779vb 2/2 Running 0 15d
|
||
</code></pre>
|
||
<p>The Istio <a href="/v1.12/docs/setup/additional-setup/sidecar-injection/">sidecar</a>
|
||
and <a href="/v1.12/docs/tasks/observability/">addons</a>, if required, manifests must also be
|
||
deployed to match the configured <code>namespace</code> in use by the tenant&rsquo;s Istio
|
||
control plane.</p>
|
||
<p>The execution of these two yaml files is the responsibility of the cluster
|
||
administrator, not the tenant level administrator. Additional RBAC restrictions will also
|
||
need to be configured and applied by the cluster administrator, limiting the tenant
|
||
administrator to only the assigned namespace.</p>
|
||
<h3 id="split-common-and-namespace-specific-resources">Split common and namespace specific resources</h3>
|
||
<p>The manifest files in the Istio repositories create both common resources that would
|
||
be used by all Istio control planes as well as resources that are replicated per control
|
||
plane. Although it is a simple matter to deploy multiple control planes by replacing the
|
||
<code>istio-system</code> namespace references as described above, a better approach is to split the
|
||
manifests into a common part that is deployed once for all tenants and a tenant
|
||
specific part. For the <a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/#customresourcedefinitions">Custom Resource Definitions</a>, the roles and the role
|
||
bindings should be separated out from the provided Istio manifests. Additionally, the
|
||
roles and role bindings in the provided Istio manifests are probably unsuitable for a
|
||
multi-tenant environment and should be modified or augmented as described in the next
|
||
section.</p>
|
||
<h3 id="kubernetes-rbac-for-istio-control-plane-resources">Kubernetes RBAC for Istio control plane resources</h3>
|
||
<p>To restrict a tenant administrator to a single Istio namespace, the cluster
|
||
administrator would create a manifest containing, at a minimum, a <code>Role</code> and <code>RoleBinding</code>
|
||
similar to the one below. In this example, a tenant administrator named <em>sales-admin</em>
|
||
is limited to the namespace <code>istio-system1</code>. A completed manifest would contain many
|
||
more <code>apiGroups</code> under the <code>Role</code> providing resource access to the tenant administrator.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >kind: Role
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
metadata:
|
||
namespace: istio-system1
|
||
name: ns-access-for-sales-admin-istio-system1
|
||
rules:
|
||
- apiGroups: [&#34;&#34;] # &#34;&#34; indicates the core API group
|
||
resources: [&#34;*&#34;]
|
||
verbs: [&#34;*&#34;]
|
||
---
|
||
kind: RoleBinding
|
||
apiVersion: rbac.authorization.k8s.io/v1
|
||
metadata:
|
||
name: access-all-istio-system1
|
||
namespace: istio-system1
|
||
subjects:
|
||
- kind: User
|
||
name: sales-admin
|
||
apiGroup: rbac.authorization.k8s.io
|
||
roleRef:
|
||
kind: Role
|
||
name: ns-access-for-sales-admin-istio-system1
|
||
apiGroup: rbac.authorization.k8s.io
|
||
</code></pre>
|
||
<h3 id="watching-specific-namespaces-for-service-discovery">Watching specific namespaces for service discovery</h3>
|
||
<p>In addition to creating RBAC rules limiting the tenant administrator&rsquo;s access to a specific
|
||
Istio control plane, the Istio manifest must be updated to specify the application namespace
|
||
that Pilot should watch for creation of its xDS cache. This is done by starting the Pilot
|
||
component with the additional command line arguments <code>--appNamespace, ns-1</code>. Where <em>ns-1</em>
|
||
is the namespace that the tenant’s application will be deployed in. An example snippet from
|
||
the <code>istio-system1.yaml</code> file is shown below.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: extensions/v1beta1
|
||
kind: Deployment
|
||
metadata:
|
||
name: istio-pilot
|
||
namespace: istio-system1
|
||
annotations:
|
||
sidecar.istio.io/inject: &#34;false&#34;
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
istio: pilot
|
||
spec:
|
||
serviceAccountName: istio-pilot-service-account
|
||
containers:
|
||
- name: discovery
|
||
image: docker.io/&lt;user ID&gt;/pilot:&lt;tag&gt;
|
||
imagePullPolicy: IfNotPresent
|
||
args: [&#34;discovery&#34;, &#34;-v&#34;, &#34;2&#34;, &#34;--admission-service&#34;, &#34;istio-pilot&#34;, &#34;--appNamespace&#34;, &#34;ns-1&#34;]
|
||
ports:
|
||
- containerPort: 8080
|
||
- containerPort: 443
|
||
</code></pre>
|
||
<h3 id="deploying-the-tenant-application-in-a-namespace">Deploying the tenant application in a namespace</h3>
|
||
<p>Now that the cluster administrator has created the tenant&rsquo;s namespace (ex. <code>istio-system1</code>) and
|
||
Pilot&rsquo;s service discovery has been configured to watch for a specific application
|
||
namespace (ex. <em>ns-1</em>), create the application manifests to deploy in that tenant&rsquo;s specific
|
||
namespace. For example:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Namespace
|
||
metadata:
|
||
name: ns-1
|
||
</code></pre>
|
||
<p>And add the namespace reference to each resource type included in the application&rsquo;s manifest
|
||
file. For example:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: details
|
||
labels:
|
||
app: details
|
||
namespace: ns-1
|
||
</code></pre>
|
||
<p>Although not shown, the application namespaces will also have RBAC settings limiting access
|
||
to certain resources. These RBAC settings could be set by the cluster administrator and/or
|
||
the tenant administrator.</p>
|
||
<h3 id="using-kubectl-in-a-multi-tenant-environment">Using <code>kubectl</code> in a multi-tenant environment</h3>
|
||
<p>When defining <a href="https://archive.istio.io/v0.7/docs/reference/config/istio.routing.v1alpha1/#RouteRule">route rules</a>
|
||
or <a href="https://archive.istio.io/v0.7/docs/reference/config/istio.routing.v1alpha1/#DestinationPolicy">destination policies</a>,
|
||
it is necessary to ensure that the <code>kubectl</code> command is scoped to
|
||
the namespace the Istio control plane is running in to ensure the resource is created
|
||
in the proper namespace. Additionally, the rule itself must be scoped to the tenant&rsquo;s namespace
|
||
so that it will be applied properly to that tenant&rsquo;s mesh. The <em>-i</em> option is used to create
|
||
(or get or describe) the rule in the namespace that the Istio control plane is deployed in.
|
||
The <em>-n</em> option will scope the rule to the tenant&rsquo;s mesh and should be set to the namespace that
|
||
the tenant&rsquo;s app is deployed in. Note that the <em>-n</em> option can be skipped on the command line if
|
||
the .yaml file for the resource scopes it properly instead.</p>
|
||
<p>For example, the following command would be required to add a route rule to the <code>istio-system1</code>
|
||
namespace:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl –i istio-system1 apply -n ns-1 -f route_rule_v2.yaml
|
||
</code></pre>
|
||
<p>And can be displayed using the command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl -i istio-system1 -n ns-1 get routerule
|
||
NAME KIND NAMESPACE
|
||
details-Default RouteRule.v1alpha2.config.istio.io ns-1
|
||
productpage-default RouteRule.v1alpha2.config.istio.io ns-1
|
||
ratings-default RouteRule.v1alpha2.config.istio.io ns-1
|
||
reviews-default RouteRule.v1alpha2.config.istio.io ns-1
|
||
</code></pre>
|
||
<p>See the <a href="/v1.12/blog/2018/soft-multitenancy/#multiple-istio-control-planes">Multiple Istio control planes</a> section of this document for more details on <code>namespace</code> requirements in a
|
||
multi-tenant environment.</p>
|
||
<h3 id="test-results">Test results</h3>
|
||
<p>Following the instructions above, a cluster administrator can create an environment limiting,
|
||
via RBAC and namespaces, what a tenant administrator can deploy.</p>
|
||
<p>After deployment, accessing the Istio control plane pods assigned to a specific tenant
|
||
administrator is permitted:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n istio-system
|
||
NAME READY STATUS RESTARTS AGE
|
||
grafana-78d649479f-8pqk9 1/1 Running 0 1d
|
||
istio-ca-ffbb75c6f-98w6x 1/1 Running 0 1d
|
||
istio-ingress-68d65fc5c6-dnvfl 1/1 Running 0 1d
|
||
istio-mixer-5b9f8dffb5-8875r 3/3 Running 0 1d
|
||
istio-pilot-678fc976c8-b8tv6 2/2 Running 0 1d
|
||
istio-sidecar-injector-7587bd559d-5tgk6 1/1 Running 0 1d
|
||
prometheus-cf8456855-hdcq7 1/1 Running 0 1d
|
||
</code></pre>
|
||
<p>However, accessing all the cluster&rsquo;s pods is not permitted:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods --all-namespaces
|
||
Error from server (Forbidden): pods is forbidden: User &#34;dev-admin&#34; cannot list pods at the cluster scope
|
||
</code></pre>
|
||
<p>And neither is accessing another tenant&rsquo;s namespace:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n istio-system1
|
||
Error from server (Forbidden): pods is forbidden: User &#34;dev-admin&#34; cannot list pods in the namespace &#34;istio-system1&#34;
|
||
</code></pre>
|
||
<p>The tenant administrator can deploy applications in the application namespace configured for
|
||
that tenant. As an example, updating the <a href="/v1.12/docs/examples/bookinfo/">Bookinfo</a>
|
||
manifests and then deploying under the tenant&rsquo;s application namespace of <em>ns-0</em>, listing the
|
||
pods in use by this tenant&rsquo;s namespace is permitted:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n ns-0
|
||
NAME READY STATUS RESTARTS AGE
|
||
details-v1-64b86cd49-b7rkr 2/2 Running 0 1d
|
||
productpage-v1-84f77f8747-rf2mt 2/2 Running 0 1d
|
||
ratings-v1-5f46655b57-5b4c5 2/2 Running 0 1d
|
||
reviews-v1-ff6bdb95b-pm5lb 2/2 Running 0 1d
|
||
reviews-v2-5799558d68-b989t 2/2 Running 0 1d
|
||
reviews-v3-58ff7d665b-lw5j9 2/2 Running 0 1d
|
||
</code></pre>
|
||
<p>But accessing another tenant&rsquo;s application namespace is not:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods -n ns-1
|
||
Error from server (Forbidden): pods is forbidden: User &#34;dev-admin&#34; cannot list pods in the namespace &#34;ns-1&#34;
|
||
</code></pre>
|
||
<p>If the <a href="/v1.12/docs/tasks/observability/">add-on tools</a>, example
|
||
<a href="/v1.12/docs/tasks/observability/metrics/querying-metrics/">Prometheus</a>, are deployed
|
||
(also limited by an Istio <code>namespace</code>) the statistical results returned would represent only
|
||
that traffic seen from that tenant&rsquo;s application namespace.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>The evaluation performed indicates Istio has sufficient capabilities and security to meet a
|
||
small number of multi-tenant use cases. It also shows that Istio and Kubernetes <strong>cannot</strong>
|
||
provide sufficient capabilities and security for other use cases, especially those use
|
||
cases that require complete security and isolation between untrusted tenants. The improvements
|
||
required to reach a more secure model of security and isolation require work in container
|
||
technology, ex. Kubernetes, rather than improvements in Istio capabilities.</p>
|
||
<h2 id="issues">Issues</h2>
|
||
<ul>
|
||
<li>The CA (Certificate Authority) and Mixer pod logs from one tenant&rsquo;s Istio control
|
||
plane (e.g. <code>istio-system</code> namespace) contained &lsquo;info&rsquo; messages from a second tenant&rsquo;s
|
||
Istio control plane (e.g. <code>istio-system1</code> namespace).</li>
|
||
</ul>
|
||
<h2 id="challenges-with-other-multi-tenancy-models">Challenges with other multi-tenancy models</h2>
|
||
<p>Other multi-tenancy deployment models were considered:</p>
|
||
<ol>
|
||
<li><p>A single mesh with multiple applications, one for each tenant on the mesh. The cluster
|
||
administrator gets control and visibility mesh wide and across all applications, while the
|
||
tenant administrator only gets control of a specific application.</p></li>
|
||
<li><p>A single Istio control plane with multiple meshes, one mesh per tenant. The cluster
|
||
administrator gets control and visibility across the entire Istio control plane and all
|
||
meshes, while the tenant administrator only gets control of a specific mesh.</p></li>
|
||
<li><p>A single cloud environment (cluster controlled), but multiple Kubernetes control planes
|
||
(tenant controlled).</p></li>
|
||
</ol>
|
||
<p>These options either can&rsquo;t be properly supported without code changes or don&rsquo;t fully
|
||
address the use cases.</p>
|
||
<p>Current Istio capabilities are poorly suited to support the first model as it lacks
|
||
sufficient RBAC capabilities to support cluster versus tenant operations. Additionally,
|
||
having multiple tenants under one mesh is too insecure with the current mesh model and the
|
||
way Istio drives configuration to the Envoy proxies.</p>
|
||
<p>Regarding the second option, the current Istio paradigm assumes a single mesh per Istio control
|
||
plane. The needed changes to support this model are substantial. They would require
|
||
finer grained scoping of resources and security domains based on namespaces, as well as,
|
||
additional Istio RBAC changes. This model will likely be addressed by future work, but not
|
||
currently possible.</p>
|
||
<p>The third model doesn’t satisfy most use cases, as most cluster administrators prefer
|
||
a common Kubernetes control plane which they provide as a
|
||
<a href="https://en.wikipedia.org/wiki/Platform_as_a_service">PaaS</a> to their tenants.</p>
|
||
<h2 id="future-work">Future work</h2>
|
||
<p>Allowing a single Istio control plane to control multiple meshes would be an obvious next
|
||
feature. An additional improvement is to provide a single mesh that can host different
|
||
tenants with some level of isolation and security between the tenants. This could be done
|
||
by partitioning within a single control plane using the same logical notion of namespace as
|
||
Kubernetes. A <a href="https://docs.google.com/document/d/14Hb07gSrfVt5KX9qNi7FzzGwB_6WBpAnDpPG6QEEd9Q">document</a>
|
||
has been started within the Istio community to define additional use cases and the
|
||
Istio functionality required to support those use cases.</p>
|
||
<h2 id="references">References</h2>
|
||
<ul>
|
||
<li>Video on Kubernetes multi-tenancy support, <a href="https://www.youtube.com/watch?v=ahwCkJGItkU">Multi-Tenancy Support &amp; Security Modeling with RBAC and Namespaces</a>, and the <a href="https://schd.ws/hosted_files/kccncna17/21/Multi-tenancy%20Support%20%26%20Security%20Modeling%20with%20RBAC%20and%20Namespaces.pdf">supporting slide deck</a>.</li>
|
||
<li>KubeCon talk on security that discusses Kubernetes support for &ldquo;Cooperative soft multi-tenancy&rdquo;, <a href="https://www.youtube.com/watch?v=YRR-kZub0cA">Building for Trust: How to Secure Your Kubernetes</a>.</li>
|
||
<li>Kubernetes documentation on <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">RBAC</a> and <a href="https://kubernetes.io/docs/tasks/administer-cluster/namespaces-walkthrough/">namespaces</a>.</li>
|
||
<li>KubeCon slide deck on <a href="https://schd.ws/hosted_files/kccncna17/a9/kubecon-multitenancy.pdf">Multi-tenancy Deep Dive</a>.</li>
|
||
<li>Google document on <a href="https://docs.google.com/document/d/15w1_fesSUZHv-vwjiYa9vN_uyc--PySRoLKTuDhimjc">Multi-tenancy models for Kubernetes</a>. (Requires permission)</li>
|
||
<li>Cloud Foundry WIP document, <a href="https://docs.google.com/document/d/14Hb07gSrfVt5KX9qNi7FzzGwB_6WBpAnDpPG6QEEd9Q">Multi-cloud and Multi-tenancy</a></li>
|
||
<li><a href="https://docs.google.com/document/d/12F183NIRAwj2hprx-a-51ByLeNqbJxK16X06vwH5OWE">Istio Auto Multi-Tenancy 101</a></li>
|
||
</ul></description><pubDate>Thu, 19 Apr 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/soft-multitenancy/</link><author>John Joyce and Rich Curran</author><guid isPermaLink="true">/v1.12/blog/2018/soft-multitenancy/</guid><category>tenancy</category></item><item><title>Traffic Mirroring with Istio for Testing in Production</title><description><p>Trying to enumerate all the possible combinations of test cases for testing services in non-production/test environments can be daunting. In some cases, you&rsquo;ll find that all of the effort that goes into cataloging these use cases doesn&rsquo;t match up to real production use cases. Ideally, we could use live production use cases and traffic to help illuminate all of the feature areas of the service under test that we might miss in more contrived testing environments.</p>
|
||
<p>Istio can help here. With the release of <a href="/v1.12/news/releases/0.x/announcing-0.5">Istio 0.5</a>, Istio can mirror traffic to help test your services. You can write route rules similar to the following to enable traffic mirroring:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: config.istio.io/v1alpha2
|
||
kind: RouteRule
|
||
metadata:
|
||
name: mirror-traffic-to-httbin-v2
|
||
spec:
|
||
destination:
|
||
name: httpbin
|
||
precedence: 11
|
||
route:
|
||
- labels:
|
||
version: v1
|
||
weight: 100
|
||
- labels:
|
||
version: v2
|
||
weight: 0
|
||
mirror:
|
||
name: httpbin
|
||
labels:
|
||
version: v2
|
||
</code></pre>
|
||
<p>A few things to note here:</p>
|
||
<ul>
|
||
<li>When traffic gets mirrored to a different service, that happens outside the critical path of the request</li>
|
||
<li>Responses to any mirrored traffic is ignored; traffic is mirrored as &ldquo;fire-and-forget&rdquo;</li>
|
||
<li>You&rsquo;ll need to have the 0-weighted route to hint to Istio to create the proper Envoy cluster under the covers; <a href="https://github.com/istio/istio/issues/3270">this should be ironed out in future releases</a>.</li>
|
||
</ul>
|
||
<p>Learn more about mirroring by visiting the <a href="/v1.12/docs/tasks/traffic-management/mirroring/">Mirroring Task</a> and see a more
|
||
<a href="https://dzone.com/articles/traffic-shadowing-with-istio-reducing-the-risk-of">comprehensive treatment of this scenario on my blog</a>.</p></description><pubDate>Thu, 08 Feb 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/traffic-mirroring/</link><author>Christian Posta</author><guid isPermaLink="true">/v1.12/blog/2018/traffic-mirroring/</guid><category>traffic-management</category><category>mirroring</category></item><item><title>Consuming External TCP Services</title><description>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This blog post was updated on July 23, 2018 to use the new
|
||
<a href="/v1.12/blog/2018/v1alpha3-routing/">v1alpha3 traffic management API</a>. If you need to use the old version, follow these <a href="https://archive.istio.io/v0.7/blog/2018/egress-tcp.html">docs</a>.</div>
|
||
</aside>
|
||
</div>
|
||
<p>In my previous blog post, <a href="/v1.12/blog/2018/egress-https/">Consuming External Web Services</a>, I described how external services
|
||
can be consumed by in-mesh Istio applications via HTTPS. In this post, I demonstrate consuming external services
|
||
over TCP. You will use the <a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo sample application</a>, the version in which the book
|
||
ratings data is persisted in a MySQL database. You deploy this database outside the cluster and configure the
|
||
<em>ratings</em> microservice to use it. You define a
|
||
<a href="/v1.12/docs/reference/config/networking/service-entry/">Service Entry</a> to allow the in-mesh applications to
|
||
access the external database.</p>
|
||
<h2 id="bookinfo-sample-application-with-external-ratings-database">Bookinfo sample application with external ratings database</h2>
|
||
<p>First, you set up a MySQL database instance to hold book ratings data outside of your Kubernetes cluster. Then you
|
||
modify the <a href="/v1.12/docs/examples/bookinfo/">Bookinfo sample application</a> to use your database.</p>
|
||
<h3 id="setting-up-the-database-for-ratings-data">Setting up the database for ratings data</h3>
|
||
<p>For this task you set up an instance of <a href="https://www.mysql.com">MySQL</a>. You can use any MySQL instance; I used
|
||
<a href="https://www.ibm.com/cloud/compose/mysql">Compose for MySQL</a>. I used <code>mysqlsh</code>
|
||
(<a href="https://dev.mysql.com/doc/mysql-shell/en/">MySQL Shell</a>) as a MySQL client to feed the ratings data.</p>
|
||
<ol>
|
||
<li><p>Set the <code>MYSQL_DB_HOST</code> and <code>MYSQL_DB_PORT</code> environment variables:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MYSQL_DB_HOST=&lt;your MySQL database host&gt;
|
||
$ export MYSQL_DB_PORT=&lt;your MySQL database port&gt;
|
||
</code></pre>
|
||
<p>In case of a local MySQL database with the default port, the values are <code>localhost</code> and <code>3306</code>, respectively.</p></li>
|
||
<li><p>To initialize the database, run the following command entering the password when prompted. The command is
|
||
performed with the credentials of the <code>admin</code> user, created by default by
|
||
<a href="https://www.ibm.com/cloud/compose/mysql">Compose for MySQL</a>.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/src/mysql/mysqldb-init.sql | mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
|
||
</code></pre>
|
||
<p><em><strong>OR</strong></em></p>
|
||
<p>When using the <code>mysql</code> client and a local MySQL database, run:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ curl -s https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/src/mysql/mysqldb-init.sql | mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT
|
||
</code></pre></li>
|
||
<li><p>Create a user with the name <code>bookinfo</code> and grant it <em>SELECT</em> privilege on the <code>test.ratings</code> table:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;CREATE USER &#39;bookinfo&#39; IDENTIFIED BY &#39;&lt;password you choose&gt;&#39;; GRANT SELECT ON test.ratings to &#39;bookinfo&#39;;&#34;
|
||
</code></pre>
|
||
<p><em><strong>OR</strong></em></p>
|
||
<p>For <code>mysql</code> and the local database, the command is:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;CREATE USER &#39;bookinfo&#39; IDENTIFIED BY &#39;&lt;password you choose&gt;&#39;; GRANT SELECT ON test.ratings to &#39;bookinfo&#39;;&#34;
|
||
</code></pre>
|
||
<p>Here you apply the <a href="https://en.wikipedia.org/wiki/Principle_of_least_privilege">principle of least privilege</a>. This
|
||
means that you do not use your <code>admin</code> user in the Bookinfo application. Instead, you create a special user for the
|
||
Bookinfo application , <code>bookinfo</code>, with minimal privileges. In this case, the <em>bookinfo</em> user only has the <code>SELECT</code>
|
||
privilege on a single table.</p>
|
||
<p>After running the command to create the user, you may want to clean your bash history by checking the number of the last
|
||
command and running <code>history -d &lt;the number of the command that created the user&gt;</code>. You don&rsquo;t want the password of the
|
||
new user to be stored in the bash history. If you&rsquo;re using <code>mysql</code>, remove the last command from
|
||
<code>~/.mysql_history</code> file as well. Read more about password protection of the newly created user in <a href="https://dev.mysql.com/doc/refman/5.5/en/create-user.html">MySQL documentation</a>.</p></li>
|
||
<li><p>Inspect the created ratings to see that everything worked as expected:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;select * from test.ratings;&#34;
|
||
Enter password:
|
||
+----------+--------+
|
||
| ReviewID | Rating |
|
||
+----------+--------+
|
||
| 1 | 5 |
|
||
| 2 | 4 |
|
||
+----------+--------+
|
||
</code></pre>
|
||
<p><em><strong>OR</strong></em></p>
|
||
<p>For <code>mysql</code> and the local database:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u bookinfo -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;select * from test.ratings;&#34;
|
||
Enter password:
|
||
+----------+--------+
|
||
| ReviewID | Rating |
|
||
+----------+--------+
|
||
| 1 | 5 |
|
||
| 2 | 4 |
|
||
+----------+--------+
|
||
</code></pre></li>
|
||
<li><p>Set the ratings temporarily to <code>1</code> to provide a visual clue when our database is used by the Bookinfo <em>ratings</em>
|
||
service:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;update test.ratings set rating=1; select * from test.ratings;&#34;
|
||
Enter password:
|
||
Rows matched: 2 Changed: 2 Warnings: 0
|
||
+----------+--------+
|
||
| ReviewID | Rating |
|
||
+----------+--------+
|
||
| 1 | 1 |
|
||
| 2 | 1 |
|
||
+----------+--------+
|
||
</code></pre>
|
||
<p><em><strong>OR</strong></em></p>
|
||
<p>For <code>mysql</code> and the local database:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;update test.ratings set rating=1; select * from test.ratings;&#34;
|
||
Enter password:
|
||
+----------+--------+
|
||
| ReviewID | Rating |
|
||
+----------+--------+
|
||
| 1 | 1 |
|
||
| 2 | 1 |
|
||
+----------+--------+
|
||
</code></pre>
|
||
<p>You used the <code>admin</code> user (and <code>root</code> for the local database) in the last command since the <code>bookinfo</code> user does not
|
||
have the <code>UPDATE</code> privilege on the <code>test.ratings</code> table.</p></li>
|
||
</ol>
|
||
<p>Now you are ready to deploy a version of the Bookinfo application that will use your database.</p>
|
||
<h3 id="initial-setting-of-bookinfo-application">Initial setting of Bookinfo application</h3>
|
||
<p>To demonstrate the scenario of using an external database, you start with a Kubernetes cluster with <a href="/v1.12/docs/setup/getting-started/">Istio installed</a>. Then you deploy the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo sample application</a>, <a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">apply the default destination rules</a>, and <a href="/v1.12/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy</a>.</p>
|
||
<p>This application uses the <code>ratings</code> microservice to fetch
|
||
book ratings, a number between 1 and 5. The ratings are displayed as stars for each review. There are several versions
|
||
of the <code>ratings</code> microservice. Some use <a href="https://www.mongodb.com">MongoDB</a>, others use <a href="https://www.mysql.com">MySQL</a>
|
||
as their database.</p>
|
||
<p>The example commands in this blog post work with Istio 0.8+, with or without
|
||
<a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS</a> enabled.</p>
|
||
<p>As a reminder, here is the end-to-end architecture of the application from the
|
||
<a href="/v1.12/docs/examples/bookinfo/">Bookinfo sample application</a>.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
|
||
<a data-skipendnotes="true" href="/v1.12/docs/examples/bookinfo/withistio.svg" title="The original Bookinfo application">
|
||
<img class="element-to-stretch" src="/v1.12/docs/examples/bookinfo/withistio.svg" alt="The original Bookinfo application" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The original Bookinfo application</figcaption>
|
||
</figure>
|
||
<h3 id="use-the-database-for-ratings-data-in-bookinfo-application">Use the database for ratings data in Bookinfo application</h3>
|
||
<ol>
|
||
<li><p>Modify the deployment spec of a version of the <em>ratings</em> microservice that uses a MySQL database, to use your
|
||
database instance. The spec is in <a href="https://github.com/istio/istio/blob/release-1.12/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml"><code>samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml</code></a>
|
||
of an Istio release archive. Edit the following lines:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >- name: MYSQL_DB_HOST
|
||
value: mysqldb
|
||
- name: MYSQL_DB_PORT
|
||
value: &#34;3306&#34;
|
||
- name: MYSQL_DB_USER
|
||
value: root
|
||
- name: MYSQL_DB_PASSWORD
|
||
value: password
|
||
</code></pre>
|
||
<p>Replace the values in the snippet above, specifying the database host, port, user, and password. Note that the
|
||
correct way to work with passwords in container&rsquo;s environment variables in Kubernetes is <a href="https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables">to use secrets</a>. For this
|
||
example task only, you may want to write the password directly in the deployment spec. <strong>Do not do it</strong> in a real
|
||
environment! I also assume everyone realizes that <code>&quot;password&quot;</code> should not be used as a password&hellip;</p></li>
|
||
<li><p>Apply the modified spec to deploy the version of the <em>ratings</em> microservice, <em>v2-mysql</em>, that will use your
|
||
database.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
|
||
deployment &#34;ratings-v2-mysql&#34; created
|
||
</code></pre></div></li>
|
||
<li><p>Route all the traffic destined to the <em>reviews</em> service to its <em>v3</em> version. You do this to ensure that the
|
||
<em>reviews</em> service always calls the <em>ratings</em> service. In addition, route all the traffic destined to the <em>ratings</em>
|
||
service to <em>ratings v2-mysql</em> that uses your database.</p>
|
||
<p>Specify the routing for both services above by adding two
|
||
<a href="/v1.12/docs/reference/config/networking/virtual-service/">virtual services</a>. These virtual services are
|
||
specified in <code>samples/bookinfo/networking/virtual-service-ratings-mysql.yaml</code> of an Istio release archive.
|
||
<strong><em>Important:</em></strong> make sure you
|
||
<a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">applied the default destination rules</a> before running the
|
||
following command.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
|
||
</code></pre></div></li>
|
||
</ol>
|
||
<p>The updated architecture appears below. Note that the blue arrows inside the mesh mark the traffic configured according
|
||
to the virtual services we added. According to the virtual services, the traffic is sent to <em>reviews v3</em> and
|
||
<em>ratings v2-mysql</em>.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.314858206480224%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-tcp/bookinfo-ratings-v2-mysql-external.svg" title="The Bookinfo application with ratings v2-mysql and an external MySQL database">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-tcp/bookinfo-ratings-v2-mysql-external.svg" alt="The Bookinfo application with ratings v2-mysql and an external MySQL database" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Bookinfo application with ratings v2-mysql and an external MySQL database</figcaption>
|
||
</figure>
|
||
<p>Note that the MySQL database is outside the Istio service mesh, or more precisely outside the Kubernetes cluster. The
|
||
boundary of the service mesh is marked by a dashed line.</p>
|
||
<h3 id="access-the-webpage">Access the webpage</h3>
|
||
<p>Access the webpage of the application, after
|
||
<a href="/v1.12/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port</a>.</p>
|
||
<p>You have a problem&hellip; Instead of the rating stars, the message <em>&ldquo;Ratings service is currently unavailable&rdquo;</em> is currently
|
||
displayed below each review:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18705035971223%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-tcp/errorFetchingBookRating.png" title="The Ratings service error messages">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-tcp/errorFetchingBookRating.png" alt="The Ratings service error messages" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Ratings service error messages</figcaption>
|
||
</figure>
|
||
<p>As in <a href="/v1.12/blog/2018/egress-https/">Consuming External Web Services</a>, you experience <strong>graceful service degradation</strong>,
|
||
which is good. The application did not crash due to the error in the <em>ratings</em> microservice. The webpage of the
|
||
application correctly displayed the book information, the details, and the reviews, just without the rating stars.</p>
|
||
<p>You have the same problem as in <a href="/v1.12/blog/2018/egress-https/">Consuming External Web Services</a>, namely all the traffic
|
||
outside the Kubernetes cluster, both TCP and HTTP, is blocked by default by the sidecar proxies. To enable such traffic
|
||
for TCP, a mesh-external service entry for TCP must be defined.</p>
|
||
<h3 id="mesh-external-service-entry-for-an-external-mysql-instance">Mesh-external service entry for an external MySQL instance</h3>
|
||
<p>TCP mesh-external service entries come to our rescue.</p>
|
||
<ol>
|
||
<li><p>Get the IP address of your MySQL database instance. As an option, you can use the
|
||
<a href="https://linux.die.net/man/1/host">host</a> command:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ export MYSQL_DB_IP=$(host $MYSQL_DB_HOST | grep &#34; has address &#34; | cut -d&#34; &#34; -f4)
|
||
</code></pre>
|
||
<p>For a local database, set <code>MYSQL_DB_IP</code> to contain the IP of your machine, accessible from your cluster.</p></li>
|
||
<li><p>Define a TCP mesh-external service entry:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: mysql-external
|
||
spec:
|
||
hosts:
|
||
- $MYSQL_DB_HOST
|
||
addresses:
|
||
- $MYSQL_DB_IP/32
|
||
ports:
|
||
- name: tcp
|
||
number: $MYSQL_DB_PORT
|
||
protocol: tcp
|
||
location: MESH_EXTERNAL
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Review the service entry you just created and check that it contains the correct values:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get serviceentry mysql-external -o yaml
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
...
|
||
</code></pre></li>
|
||
</ol>
|
||
<p>Note that for a TCP service entry, you specify <code>tcp</code> as the protocol of a port of the entry. Also note that you have to
|
||
specify the IP of the external service in the list of addresses, as a <a href="https://tools.ietf.org/html/rfc2317">CIDR</a> block
|
||
with suffix <code>32</code>.</p>
|
||
<p>I will talk more about TCP service entries
|
||
<a href="#service-entries-for-tcp-traffic">below</a>. For now, verify that the service entry we added fixed the problem. Access the
|
||
webpage and see if the stars are back.</p>
|
||
<p>It worked! Accessing the web page of the application displays the ratings without error:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.69064748201439%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-tcp/externalMySQLRatings.png" title="Book Ratings Displayed Correctly">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-tcp/externalMySQLRatings.png" alt="Book Ratings Displayed Correctly" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Book Ratings Displayed Correctly</figcaption>
|
||
</figure>
|
||
<p>Note that you see a one-star rating for both displayed reviews, as expected. You changed the ratings to be one star to
|
||
provide us with a visual clue that our external database is indeed being used.</p>
|
||
<p>As with service entries for HTTP/HTTPS, you can delete and create service entries for TCP using <code>kubectl</code>, dynamically.</p>
|
||
<h2 id="motivation-for-egress-tcp-traffic-control">Motivation for egress TCP traffic control</h2>
|
||
<p>Some in-mesh Istio applications must access external services, for example legacy systems. In many cases, the access is
|
||
not performed over HTTP or HTTPS protocols. Other TCP protocols are used, such as database-specific protocols like
|
||
<a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol</a> and <a href="https://dev.mysql.com/doc/internals/en/client-server-protocol.html">MySQL Client/Server Protocol</a> to communicate with external databases.</p>
|
||
<p>Next let me provide more details about the service entries for TCP traffic.</p>
|
||
<h2 id="service-entries-for-tcp-traffic">Service entries for TCP traffic</h2>
|
||
<p>The service entries for enabling TCP traffic to a specific port must specify <code>TCP</code> as the protocol of the port.
|
||
Additionally, for the <a href="https://docs.mongodb.com/manual/reference/mongodb-wire-protocol/">MongoDB Wire Protocol</a>, the
|
||
protocol can be specified as <code>MONGO</code>, instead of <code>TCP</code>.</p>
|
||
<p>For the <code>addresses</code> field of the entry, a block of IPs in <a href="https://tools.ietf.org/html/rfc2317">CIDR</a>
|
||
notation must be used. Note that the <code>hosts</code> field is ignored for TCP service entries.</p>
|
||
<p>To enable TCP traffic to an external service by its hostname, all the IPs of the hostname must be specified. Each IP
|
||
must be specified by a CIDR block.</p>
|
||
<p>Note that all the IPs of an external service are not always known. To enable egress TCP traffic, only the IPs that are
|
||
used by the applications must be specified.</p>
|
||
<p>Also note that the IPs of an external service are not always static, for example in the case of
|
||
<a href="https://en.wikipedia.org/wiki/Content_delivery_network">CDNs</a>. Sometimes the IPs are static most of the time, but can
|
||
be changed from time to time, for example due to infrastructure changes. In these cases, if the range of the possible
|
||
IPs is known, you should specify the range by CIDR blocks. If the range of the possible IPs is not known, service
|
||
entries for TCP cannot be used and
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-control/#direct-access-to-external-services">the external services must be called directly</a>,
|
||
bypassing the sidecar proxies.</p>
|
||
<h2 id="relation-to-virtual-machines-support">Relation to virtual machines support</h2>
|
||
<p>Note that the scenario described in this post is different from the
|
||
<a href="/v1.12/docs/examples/virtual-machines/">Bookinfo with Virtual Machines</a> example. In that scenario, a MySQL instance runs on an
|
||
external
|
||
(outside the cluster) machine (a bare metal or a VM), integrated with the Istio service mesh. The MySQL service becomes
|
||
a first-class citizen of the mesh with all the beneficial features of Istio applicable. Among other things, the service
|
||
becomes addressable by a local cluster domain name, for example by <code>mysqldb.vm.svc.cluster.local</code>, and the communication
|
||
to it can be secured by
|
||
<a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS authentication</a>. There is no need to create a service
|
||
entry to access this service; however, the service must be registered with Istio. To enable such integration, Istio
|
||
components (<em>Envoy proxy</em>, <em>node-agent</em>, <code>_istio-agent_</code>) must be installed on the machine and the Istio control plane
|
||
(<em>Pilot</em>, <em>Mixer</em>, <em>Citadel</em>) must be accessible from it. See the
|
||
<a href="/v1.12/docs/examples/virtual-machines/">Istio VM-related</a> tasks for more details.</p>
|
||
<p>In our case, the MySQL instance can run on any machine or can be provisioned as a service by a cloud provider. There is
|
||
no requirement to integrate the machine with Istio. The Istio control plane does not have to be accessible from the
|
||
machine. In the case of MySQL as a service, the machine which MySQL runs on may be not accessible and installing on it
|
||
the required components may be impossible. In our case, the MySQL instance is addressable by its global domain name,
|
||
which could be beneficial if the consuming applications expect to use that domain name. This is especially relevant when
|
||
that expected domain name cannot be changed in the deployment configuration of the consuming applications.</p>
|
||
<h2 id="cleanup">Cleanup</h2>
|
||
<ol>
|
||
<li><p>Drop the <code>test</code> database and the <code>bookinfo</code> user:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysqlsh --sql --ssl-mode=REQUIRED -u admin -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;drop database test; drop user bookinfo;&#34;
|
||
</code></pre>
|
||
<p><em><strong>OR</strong></em></p>
|
||
<p>For <code>mysql</code> and the local database:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ mysql -u root -p --host $MYSQL_DB_HOST --port $MYSQL_DB_PORT -e &#34;drop database test; drop user bookinfo;&#34;
|
||
</code></pre></li>
|
||
<li><p>Remove the virtual services:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-ratings-mysql.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/networking/virtual-service-ratings-mysql.yaml@
|
||
Deleted config: virtual-service/default/reviews
|
||
Deleted config: virtual-service/default/ratings
|
||
</code></pre></div></li>
|
||
<li><p>Undeploy <em>ratings v2-mysql</em>:</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2-mysql.yaml@
|
||
deployment &#34;ratings-v2-mysql&#34; deleted
|
||
</code></pre></div></li>
|
||
<li><p>Delete the service entry:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry mysql-external -n default
|
||
Deleted config: serviceentry mysql-external
|
||
</code></pre></li>
|
||
</ol>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>In this blog post, I demonstrated how the microservices in an Istio service mesh can consume external services via TCP.
|
||
By default, Istio blocks all the traffic, TCP and HTTP, to the hosts outside the cluster. To enable such traffic for
|
||
TCP, TCP mesh-external service entries must be created for the service mesh.</p></description><pubDate>Tue, 06 Feb 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/egress-tcp/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.12/blog/2018/egress-tcp/</guid><category>traffic-management</category><category>egress</category><category>tcp</category></item><item><title>Consuming External Web Services</title><description>
|
||
<p>In many cases, not all the parts of a microservices-based application reside in a <em>service mesh</em>. Sometimes, the
|
||
microservices-based applications use functionality provided by legacy systems that reside outside the mesh. You may want
|
||
to migrate these systems to the service mesh gradually. Until these systems are migrated, they must be accessed by the
|
||
applications inside the mesh. In other cases, the applications use web services provided by third parties.</p>
|
||
<p>In this blog post, I modify the <a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo Sample Application</a> to fetch book details from
|
||
an external web service (<a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs</a>). I show how
|
||
to enable egress HTTPS traffic in Istio by using <em>mesh-external service entries</em>. I provide two options for egress
|
||
HTTPS traffic and describe the pros and cons of each of the options.</p>
|
||
<h2 id="initial-setting">Initial setting</h2>
|
||
<p>To demonstrate the scenario of consuming an external web service, I start with a Kubernetes cluster with <a href="/v1.12/docs/setup/getting-started/">Istio installed</a>. Then I deploy
|
||
<a href="/v1.12/docs/examples/bookinfo/">Istio Bookinfo Sample Application</a>. This application uses the <em>details</em> microservice to fetch
|
||
book details, such as the number of pages and the publisher. The original <em>details</em> microservice provides the book
|
||
details without consulting any external service.</p>
|
||
<p>The example commands in this blog post work with Istio 1.0+, with or without
|
||
<a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">mutual TLS</a> enabled. The Bookinfo configuration files reside in the
|
||
<code>samples/bookinfo</code> directory of the Istio release archive.</p>
|
||
<p>Here is a copy of the end-to-end architecture of the application from the original
|
||
<a href="/v1.12/docs/examples/bookinfo/">Bookinfo sample application</a>.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
|
||
<a data-skipendnotes="true" href="/v1.12/docs/examples/bookinfo/withistio.svg" title="The Original Bookinfo Application">
|
||
<img class="element-to-stretch" src="/v1.12/docs/examples/bookinfo/withistio.svg" alt="The Original Bookinfo Application" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Original Bookinfo Application</figcaption>
|
||
</figure>
|
||
<p>Perform the steps in the
|
||
<a href="/v1.12/docs/examples/bookinfo/#deploying-the-application">Deploying the application</a>,
|
||
<a href="/v1.12/docs/examples/bookinfo/#confirm-the-app-is-accessible-from-outside-the-cluster">Confirm the app is running</a>,
|
||
<a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">Apply default destination rules</a>
|
||
sections, and
|
||
<a href="/v1.12/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy">change Istio to the blocking-egress-by-default policy</a>.</p>
|
||
<h2 id="bookinfo-with-https-access-to-a-google-books-web-service">Bookinfo with HTTPS access to a Google Books web service</h2>
|
||
<p>Deploy a new version of the <em>details</em> microservice, <em>v2</em>, that fetches the book details from <a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs</a>. Run the following command; it sets the
|
||
<code>DO_NOT_ENCRYPT</code> environment variable of the service&rsquo;s container to <code>false</code>. This setting will instruct the deployed
|
||
service to use HTTPS (instead of HTTP) to access to the external service.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@ --dry-run -o yaml | kubectl set env --local -f - &#39;DO_NOT_ENCRYPT=false&#39; -o yaml | kubectl apply -f -
|
||
</code></pre></div>
|
||
<p>The updated architecture of the application now looks as follows:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.1654485092242%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-https/bookinfo-details-v2.svg" title="The Bookinfo Application with details V2">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-https/bookinfo-details-v2.svg" alt="The Bookinfo Application with details V2" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Bookinfo Application with details V2</figcaption>
|
||
</figure>
|
||
<p>Note that the Google Books web service is outside the Istio service mesh, the boundary of which is marked by a dashed
|
||
line.</p>
|
||
<p>Now direct all the traffic destined to the <em>details</em> microservice, to <em>details version v2</em>.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
|
||
</code></pre></div>
|
||
<p>Note that the virtual service relies on a destination rule that you created in the <a href="/v1.12/docs/examples/bookinfo/#apply-default-destination-rules">Apply default destination rules</a> section.</p>
|
||
<p>Access the web page of the application, after
|
||
<a href="/v1.12/docs/examples/bookinfo/#determine-the-ingress-ip-and-port">determining the ingress IP and port</a>.</p>
|
||
<p>Oops&hellip; Instead of the book details you have the <em>Error fetching product details</em> message displayed:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:36.18649965205289%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-https/errorFetchingBookDetails.png" title="The Error Fetching Product Details Message">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-https/errorFetchingBookDetails.png" alt="The Error Fetching Product Details Message" />
|
||
</a>
|
||
</div>
|
||
<figcaption>The Error Fetching Product Details Message</figcaption>
|
||
</figure>
|
||
<p>The good news is that your application did not crash. With a good microservice design, you do not have <strong>failure
|
||
propagation</strong>. In your case, the failing <em>details</em> microservice does not cause the <code>productpage</code> microservice to fail.
|
||
Most of the functionality of the application is still provided, despite the failure in the <em>details</em> microservice. You
|
||
have <strong>graceful service degradation</strong>: as you can see, the reviews and the ratings are displayed correctly, and the
|
||
application is still useful.</p>
|
||
<p>So what might have gone wrong? Ah&hellip; The answer is that I forgot to tell you to enable traffic from inside the mesh to
|
||
an external service, in this case to the Google Books web service. By default, the Istio sidecar proxies
|
||
(<a href="https://www.envoyproxy.io">Envoy proxies</a>) <strong>block all the traffic to destinations outside the cluster</strong>. To enable
|
||
such traffic, you must define a
|
||
<a href="/v1.12/docs/reference/config/networking/service-entry/">mesh-external service entry</a>.</p>
|
||
<h3 id="enable-https-access-to-a-google-books-web-service">Enable HTTPS access to a Google Books web service</h3>
|
||
<p>No worries, define a <strong>mesh-external service entry</strong> and fix your application. You must also define a <em>virtual
|
||
service</em> to perform routing by <a href="https://en.wikipedia.org/wiki/Server_Name_Indication">SNI</a> to the external service.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: googleapis
|
||
spec:
|
||
hosts:
|
||
- www.googleapis.com
|
||
ports:
|
||
- number: 443
|
||
name: https
|
||
protocol: HTTPS
|
||
location: MESH_EXTERNAL
|
||
resolution: DNS
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: googleapis
|
||
spec:
|
||
hosts:
|
||
- www.googleapis.com
|
||
tls:
|
||
- match:
|
||
- port: 443
|
||
sni_hosts:
|
||
- www.googleapis.com
|
||
route:
|
||
- destination:
|
||
host: www.googleapis.com
|
||
port:
|
||
number: 443
|
||
weight: 100
|
||
EOF
|
||
</code></pre>
|
||
<p>Now accessing the web page of the application displays the book details without error:</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:34.82831114225648%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-https/externalBookDetails.png" title="Book Details Displayed Correctly">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-https/externalBookDetails.png" alt="Book Details Displayed Correctly" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Book Details Displayed Correctly</figcaption>
|
||
</figure>
|
||
<p>You can query your service entries:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get serviceentries
|
||
NAME AGE
|
||
googleapis 8m
|
||
</code></pre>
|
||
<p>You can delete your service entry:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
|
||
serviceentry &#34;googleapis&#34; deleted
|
||
</code></pre>
|
||
<p>and see in the output that the service entry is deleted.</p>
|
||
<p>Accessing the web page after deleting the service entry produces the same error that you experienced before, namely
|
||
<em>Error fetching product details</em>. As you can see, the service entries are defined <strong>dynamically</strong>, as are many other
|
||
Istio configuration artifacts. The Istio operators can decide dynamically which domains they allow the microservices to
|
||
access. They can enable and disable traffic to the external domains on the fly, without redeploying the microservices.</p>
|
||
<h3 id="cleanup-of-https-access-to-a-google-books-web-service">Cleanup of HTTPS access to a Google Books web service</h3>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip</a><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
|
||
$ kubectl delete virtualservice googleapis
|
||
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
|
||
$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
|
||
</code></pre></div>
|
||
<h2 id="tls-origination-by-istio">TLS origination by Istio</h2>
|
||
<p>There is a caveat to this story. Suppose you want to monitor which specific set of
|
||
<a href="https://developers.google.com/apis-explorer/">Google APIs</a> your microservices use
|
||
(<a href="https://developers.google.com/books/docs/v1/getting_started">Books</a>,
|
||
<a href="https://developers.google.com/calendar/">Calendar</a>, <a href="https://developers.google.com/tasks/">Tasks</a> etc.)
|
||
Suppose you want to enforce a policy that using only
|
||
<a href="https://developers.google.com/books/docs/v1/getting_started">Books APIs</a> is allowed. Suppose you want to monitor the
|
||
book identifiers that your microservices access. For these monitoring and policy tasks you need to know the URL path.
|
||
Consider for example the URL
|
||
<a href="https://www.googleapis.com/books/v1/volumes?q=isbn:0486424618"><code>www.googleapis.com/books/v1/volumes?q=isbn:0486424618</code></a>.
|
||
In that URL, <a href="https://developers.google.com/books/docs/v1/getting_started">Books APIs</a> is specified by the path segment
|
||
<code>/books</code>, and the <a href="https://en.wikipedia.org/wiki/International_Standard_Book_Number">ISBN</a> number by the path segment
|
||
<code>/volumes?q=isbn:0486424618</code>. However, in HTTPS, all the HTTP details (hostname, path, headers etc.) are encrypted and
|
||
such monitoring and policy enforcement by the sidecar proxies is not possible. Istio can only know the server name of
|
||
the encrypted requests by the <a href="https://tools.ietf.org/html/rfc3546#section-3.1">SNI</a> (<em>Server Name Indication</em>) field,
|
||
in this case <code>www.googleapis.com</code>.</p>
|
||
<p>To allow Istio to perform monitoring and policy enforcement of egress requests based on HTTP details, the microservices
|
||
must issue HTTP requests. Istio then opens an HTTPS connection to the destination (performs TLS origination). The code
|
||
of the microservices must be written differently or configured differently, according to whether the microservice runs
|
||
inside or outside an Istio service mesh. This contradicts the Istio design goal of <a href="/v1.12/docs/ops/deployment/architecture/#design-goals">maximizing transparency</a>. Sometimes you need to compromise&hellip;</p>
|
||
<p>The diagram below shows two options for sending HTTPS traffic to external services. On the top, a microservice sends
|
||
regular HTTPS requests, encrypted end-to-end. On the bottom, the same microservice sends unencrypted HTTP requests
|
||
inside a pod, which are intercepted by the sidecar Envoy proxy. The sidecar proxy performs TLS origination, so the
|
||
traffic between the pod and the external service is encrypted.</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:95.1355088590701%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2018/egress-https/https_from_the_app.svg" title="HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2018/egress-https/https_from_the_app.svg" alt="HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy" />
|
||
</a>
|
||
</div>
|
||
<figcaption>HTTPS traffic to external services, with TLS originated by the microservice vs. by the sidecar proxy</figcaption>
|
||
</figure>
|
||
<p>Here is how both patterns are supported in the
|
||
<a href="https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/src/details/details.rb">Bookinfo details microservice code</a>, using the Ruby
|
||
<a href="https://docs.ruby-lang.org/en/2.0.0/Net/HTTP.html">net/http module</a>:</p>
|
||
<pre><code class='language-ruby' data-expandlinks='true' data-repo='istio' >uri = URI.parse(&#39;https://www.googleapis.com/books/v1/volumes?q=isbn:&#39; + isbn)
|
||
http = Net::HTTP.new(uri.host, ENV[&#39;DO_NOT_ENCRYPT&#39;] === &#39;true&#39; ? 80:443)
|
||
...
|
||
unless ENV[&#39;DO_NOT_ENCRYPT&#39;] === &#39;true&#39; then
|
||
http.use_ssl = true
|
||
end
|
||
</code></pre>
|
||
<p>When the <code>DO_NOT_ENCRYPT</code> environment variable is defined, the request is performed without SSL (plain HTTP) to port 80.</p>
|
||
<p>You can set the <code>DO_NOT_ENCRYPT</code> environment variable to <em>&ldquo;true&rdquo;</em> in the
|
||
<a href="https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml">Kubernetes deployment spec of details v2</a>,
|
||
the <code>container</code> section:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >env:
|
||
- name: DO_NOT_ENCRYPT
|
||
value: &#34;true&#34;
|
||
</code></pre>
|
||
<p>In the next section you will configure TLS origination for accessing an external web service.</p>
|
||
<h2 id="bookinfo-with-tls-origination-to-a-google-books-web-service">Bookinfo with TLS origination to a Google Books web service</h2>
|
||
<ol>
|
||
<li><p>Deploy a version of <em>details v2</em> that sends an HTTP request to
|
||
<a href="https://developers.google.com/books/docs/v1/getting_started">Google Books APIs</a>. The <code>DO_NOT_ENCRYPT</code> variable
|
||
is set to true in
|
||
<a href="https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml"><code>bookinfo-details-v2.yaml</code></a>.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
|
||
</code></pre></div></li>
|
||
<li><p>Direct the traffic destined to the <em>details</em> microservice, to <em>details version v2</em>.</p>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
|
||
</code></pre></div></li>
|
||
<li><p>Create a mesh-external service entry for <code>www.google.apis</code> , a virtual service to rewrite the destination port from
|
||
80 to 443, and a destination rule to perform TLS origination.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: ServiceEntry
|
||
metadata:
|
||
name: googleapis
|
||
spec:
|
||
hosts:
|
||
- www.googleapis.com
|
||
ports:
|
||
- number: 80
|
||
name: http
|
||
protocol: HTTP
|
||
- number: 443
|
||
name: https
|
||
protocol: HTTPS
|
||
resolution: DNS
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: rewrite-port-for-googleapis
|
||
spec:
|
||
hosts:
|
||
- www.googleapis.com
|
||
http:
|
||
- match:
|
||
- port: 80
|
||
route:
|
||
- destination:
|
||
host: www.googleapis.com
|
||
port:
|
||
number: 443
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: originate-tls-for-googleapis
|
||
spec:
|
||
host: www.googleapis.com
|
||
trafficPolicy:
|
||
loadBalancer:
|
||
simple: ROUND_ROBIN
|
||
portLevelSettings:
|
||
- port:
|
||
number: 443
|
||
tls:
|
||
mode: SIMPLE # initiates HTTPS when accessing www.googleapis.com
|
||
EOF
|
||
</code></pre></li>
|
||
<li><p>Access the web page of the application and verify that the book details are displayed without errors.</p></li>
|
||
<li><p><a href="/v1.12/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging">Enable Envoy’s access logging</a></p></li>
|
||
<li><p>Check the log of of the sidecar proxy of <em>details v2</em> and see the HTTP request.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl logs $(kubectl get pods -l app=details -l version=v2 -o jsonpath=&#39;{.items[0].metadata.name}&#39;) istio-proxy | grep googleapis
|
||
[2018-08-09T11:32:58.171Z] &#34;GET /books/v1/volumes?q=isbn:0486424618 HTTP/1.1&#34; 200 - 0 1050 264 264 &#34;-&#34; &#34;Ruby&#34; &#34;b993bae7-4288-9241-81a5-4cde93b2e3a6&#34; &#34;www.googleapis.com:80&#34; &#34;172.217.20.74:80&#34;
|
||
EOF
|
||
</code></pre>
|
||
<p>Note the URL path in the log, the path can be monitored and access policies can be applied based on it. To read more
|
||
about monitoring and access policies for HTTP egress traffic, check out <a href="https://archive.istio.io/v0.8/blog/2018/egress-monitoring-access-control/#logging">this blog post</a>.</p></li>
|
||
</ol>
|
||
<h3 id="cleanup-of-tls-origination-to-a-google-books-web-service">Cleanup of TLS origination to a Google Books web service</h3>
|
||
<div><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/platform/kube/bookinfo-details-v2.yaml'>Zip</a><a data-skipendnotes='true' style='display:none' href='https://raw.githubusercontent.com/istio/istio/release-1.12/samples/bookinfo/networking/virtual-service-details-v2.yaml'>Zip</a><pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl delete serviceentry googleapis
|
||
$ kubectl delete virtualservice rewrite-port-for-googleapis
|
||
$ kubectl delete destinationrule originate-tls-for-googleapis
|
||
$ kubectl delete -f @samples/bookinfo/networking/virtual-service-details-v2.yaml@
|
||
$ kubectl delete -f @samples/bookinfo/platform/kube/bookinfo-details-v2.yaml@
|
||
</code></pre></div>
|
||
<h3 id="relation-to-istio-mutual-tls">Relation to Istio mutual TLS</h3>
|
||
<p>Note that the TLS origination in this case is unrelated to
|
||
<a href="/v1.12/docs/concepts/security/#mutual-tls-authentication">the mutual TLS</a> applied by Istio. The TLS origination for the
|
||
external services will work, whether the Istio mutual TLS is enabled or not. The <strong>mutual</strong> TLS secures
|
||
service-to-service communication <strong>inside</strong> the service mesh and provides each service with a strong identity. The
|
||
<strong>external services</strong> in this blog post were accessed using <strong>one-way TLS</strong>, the same mechanism used to secure communication between a
|
||
web browser and a web server. TLS is applied to the communication with external services to verify the identity of the
|
||
external server and to encrypt the traffic.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>In this blog post I demonstrated how microservices in an Istio service mesh can consume external web services by
|
||
HTTPS. By default, Istio blocks all the traffic to the hosts outside the cluster. To enable such traffic, mesh-external
|
||
service entries must be created for the service mesh. It is possible to access the external sites either by
|
||
issuing HTTPS requests, or by issuing HTTP requests with Istio performing TLS origination. When the microservices issue
|
||
HTTPS requests, the traffic is encrypted end-to-end, however Istio cannot monitor HTTP details like the URL paths of the
|
||
requests. When the microservices issue HTTP requests, Istio can monitor the HTTP details of the requests and enforce
|
||
HTTP-based access policies. However, in that case the traffic between microservice and the sidecar proxy is unencrypted.
|
||
Having part of the traffic unencrypted can be forbidden in organizations with very strict security requirements.</p></description><pubDate>Wed, 31 Jan 2018 00:00:00 +0000</pubDate><link>/v1.12/blog/2018/egress-https/</link><author>Vadim Eisenberg</author><guid isPermaLink="true">/v1.12/blog/2018/egress-https/</guid><category>traffic-management</category><category>egress</category><category>https</category></item><item><title>Mixer and the SPOF Myth</title><description>
|
||
<p>As <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/">Mixer</a> is in the request path, it is natural to question how it impacts
|
||
overall system availability and latency. A common refrain we hear when people first glance at Istio architecture diagrams is
|
||
&ldquo;Isn&rsquo;t this just introducing a single point of failure?&rdquo;</p>
|
||
<p>In this post, we’ll dig deeper and cover the design principles that underpin Mixer and the surprising fact Mixer actually
|
||
increases overall mesh availability and reduces average request latency.</p>
|
||
<p>Istio&rsquo;s use of Mixer has two main benefits in terms of overall system availability and latency:</p>
|
||
<ul>
|
||
<li><p><strong>Increased SLO</strong>. Mixer insulates proxies and services from infrastructure backend failures, enabling higher effective mesh availability. The mesh as a whole tends to experience a lower rate of failure when interacting with the infrastructure backends than if Mixer were not present.</p></li>
|
||
<li><p><strong>Reduced Latency</strong>. Through aggressive use of shared multi-level caches and sharding, Mixer reduces average observed latencies across the mesh.</p></li>
|
||
</ul>
|
||
<p>We&rsquo;ll explain this in more detail below.</p>
|
||
<h2 id="how-we-got-here">How we got here</h2>
|
||
<p>For many years at Google, we’ve been using an internal API &amp; service management system to handle the many APIs exposed by Google. This system has been fronting the world’s biggest services (Google Maps, YouTube, Gmail, etc) and sustains a peak rate of hundreds of millions of QPS. Although this system has served us well, it had problems keeping up with Google’s rapid growth, and it became clear that a new architecture was needed in order to tamp down ballooning operational costs.</p>
|
||
<p>In 2014, we started an initiative to create a replacement architecture that would scale better. The result has proven extremely successful and has been gradually deployed throughout Google, saving in the process millions of dollars a month in ops costs.</p>
|
||
<p>The older system was built around a centralized fleet of fairly heavy proxies into which all incoming traffic would flow, before being forwarded to the services where the real work was done. The newer architecture jettisons the shared proxy design and instead consists of a very lean and efficient distributed sidecar proxy sitting next to service instances, along with a shared fleet of sharded control plane intermediaries:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:74.79295535770372%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2017/mixer-spof-myth/mixer-spof-myth-1.svg" title="Google System Topology">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2017/mixer-spof-myth/mixer-spof-myth-1.svg" alt="Google System Topology" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Google&#39;s API &amp; Service Management System</figcaption>
|
||
</figure>
|
||
<p>Look familiar? Of course: it’s just like Istio! Istio was conceived as a second generation of this distributed proxy architecture. We took the core lessons from this internal system, generalized many of the concepts by working with our partners, and created Istio.</p>
|
||
<h2 id="architecture-recap">Architecture recap</h2>
|
||
<p>As shown in the diagram below, Mixer sits between the mesh and the infrastructure backends that support it:</p>
|
||
<figure style="width:75%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:65.89948886170049%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2017/mixer-spof-myth/mixer-spof-myth-2.svg" title="Istio Topology">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2017/mixer-spof-myth/mixer-spof-myth-2.svg" alt="Istio Topology" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Topology</figcaption>
|
||
</figure>
|
||
<p>The Envoy sidecar logically calls Mixer before each request to perform precondition checks, and after each request to report telemetry.
|
||
The sidecar has local caching such that a relatively large percentage of precondition checks can be performed from cache. Additionally, the
|
||
sidecar buffers outgoing telemetry such that it only actually needs to call Mixer once for every several thousands requests. Whereas precondition
|
||
checks are synchronous to request processing, telemetry reports are done asynchronously with a fire-and-forget pattern.</p>
|
||
<p>At a high level, Mixer provides:</p>
|
||
<ul>
|
||
<li><p><strong>Backend Abstraction</strong>. Mixer insulates the Istio components and services within the mesh from the implementation details of individual infrastructure backends.</p></li>
|
||
<li><p><strong>Intermediation</strong>. Mixer allows operators to have fine-grained control over all interactions between the mesh and the infrastructure backends.</p></li>
|
||
</ul>
|
||
<p>However, even beyond these purely functional aspects, Mixer has other characteristics that provide the system with additional benefits.</p>
|
||
<h2 id="mixer-slo-booster">Mixer: SLO booster</h2>
|
||
<p>Contrary to the claim that Mixer is a SPOF and can therefore lead to mesh outages, we believe it in fact improves the effective availability of a mesh. How can that be? There are three basic characteristics at play:</p>
|
||
<ul>
|
||
<li><p><strong>Statelessness</strong>. Mixer is stateless in that it doesn’t manage any persistent storage of its own.</p></li>
|
||
<li><p><strong>Hardening</strong>. Mixer proper is designed to be a highly reliable component. The design intent is to achieve &gt; 99.999% uptime for any individual Mixer instance.</p></li>
|
||
<li><p><strong>Caching and Buffering</strong>. Mixer is designed to accumulate a large amount of transient ephemeral state.</p></li>
|
||
</ul>
|
||
<p>The sidecar proxies that sit next to each service instance in the mesh must necessarily be frugal in terms of memory consumption, which constrains the possible amount of local caching and buffering. Mixer, however, lives independently and can use considerably larger caches and output buffers. Mixer thus acts as a highly-scaled and highly-available second-level cache for the sidecars.</p>
|
||
<p>Mixer’s expected availability is considerably higher than most infrastructure backends (those often have availability of perhaps 99.9%). Its local caches and buffers help mask infrastructure backend failures by being able to continue operating even when a backend has become unresponsive.</p>
|
||
<h2 id="mixer-latency-slasher">Mixer: Latency slasher</h2>
|
||
<p>As we explained above, the Istio sidecars generally have fairly effective first-level caching. They can serve the majority of their traffic from cache. Mixer provides a much greater shared pool of second-level cache, which helps Mixer contribute to a lower average per-request latency.</p>
|
||
<p>While it’s busy cutting down latency, Mixer is also inherently cutting down the number of calls your mesh makes to infrastructure backends. Depending on how you’re paying for these backends, this might end up saving you some cash by cutting down the effective QPS to the backends.</p>
|
||
<h2 id="work-ahead">Work ahead</h2>
|
||
<p>We have opportunities ahead to continue improving the system in many ways.</p>
|
||
<h3 id="configuration-canaries">Configuration canaries</h3>
|
||
<p>Mixer is highly scaled so it is generally resistant to individual instance failures. However, Mixer is still susceptible to cascading
|
||
failures in the case when a poison configuration is deployed which causes all Mixer instances to crash basically at the same time
|
||
(yeah, that would be a bad day). To prevent this from happening, configuration changes can be canaried to a small set of Mixer instances,
|
||
and then more broadly rolled out.</p>
|
||
<p>Mixer doesn’t yet do canarying of configuration changes, but we expect this to come online as part of Istio’s ongoing work on reliable
|
||
configuration distribution.</p>
|
||
<h3 id="cache-tuning">Cache tuning</h3>
|
||
<p>We have yet to fine-tune the sizes of the sidecar and Mixer caches. This work will focus on achieving the highest performance possible using the least amount of resources.</p>
|
||
<h3 id="cache-sharing">Cache sharing</h3>
|
||
<p>At the moment, each Mixer instance operates independently of all other instances. A request handled by one Mixer instance will not leverage data cached in a different instance. We will eventually experiment with a distributed cache such as memcached or Redis in order to provide a much larger mesh-wide shared cache, and further reduce the number of calls to infrastructure backends.</p>
|
||
<h3 id="sharding">Sharding</h3>
|
||
<p>In very large meshes, the load on Mixer can be great. There can be a large number of Mixer instances, each straining to keep caches primed to
|
||
satisfy incoming traffic. We expect to eventually introduce intelligent sharding such that Mixer instances become slightly specialized in
|
||
handling particular data streams in order to increase the likelihood of cache hits. In other words, sharding helps improve cache
|
||
efficiency by routing related traffic to the same Mixer instance over time, rather than randomly dispatching to
|
||
any available Mixer instance.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>Practical experience at Google showed that the model of a slim sidecar proxy and a large shared caching control plane intermediary hits a sweet
|
||
spot, delivering excellent perceived availability and latency. We’ve taken the lessons learned there and applied them to create more sophisticated and
|
||
effective caching, prefetching, and buffering strategies in Istio. We’ve also optimized the communication protocols to reduce overhead when a cache miss does occur.</p>
|
||
<p>Mixer is still young. As of Istio 0.3, we haven’t really done significant performance work within Mixer itself. This means when a request misses the sidecar
|
||
cache, we spend more time in Mixer to respond to requests than we should. We’re doing a lot of work to improve this in coming months to reduce the overhead
|
||
that Mixer imparts in the synchronous precondition check case.</p>
|
||
<p>We hope this post makes you appreciate the inherent benefits that Mixer brings to Istio.
|
||
Don’t hesitate to post comments or questions to <a href="https://groups.google.com/forum/#!forum/istio-policies-and-telemetry">istio-policies-and-telemetry@</a>.</p></description><pubDate>Thu, 07 Dec 2017 00:00:00 +0000</pubDate><link>/v1.12/blog/2017/mixer-spof-myth/</link><author>Martin Taillefer</author><guid isPermaLink="true">/v1.12/blog/2017/mixer-spof-myth/</guid><category>adapters</category><category>mixer</category><category>policies</category><category>telemetry</category><category>availability</category><category>latency</category></item><item><title>Mixer Adapter Model</title><description>
|
||
<p>Istio 0.2 introduced a new Mixer adapter model which is intended to increase Mixer’s flexibility to address a varied set of infrastructure backends. This post intends to put the adapter model in context and explain how it works.</p>
|
||
<h2 id="why-adapters">Why adapters?</h2>
|
||
<p>Infrastructure backends provide support functionality used to build services. They include such things as access control systems, telemetry capturing systems, quota enforcement systems, billing systems, and so forth. Services traditionally directly integrate with these backend systems, creating a hard coupling and baking-in specific semantics and usage options.</p>
|
||
<p>Mixer serves as an abstraction layer between Istio and an open-ended set of infrastructure backends. The Istio components and services that run within the mesh can interact with these backends, while not being coupled to the backends’ specific interfaces.</p>
|
||
<p>In addition to insulating application-level code from the details of infrastructure backends, Mixer provides an intermediation model that allows operators to inject and control policies between application code and backends. Operators can control which data is reported to which backend, which backend to consult for authorization, and much more.</p>
|
||
<p>Given that individual infrastructure backends each have different interfaces and operational models, Mixer needs custom
|
||
code to deal with each and we call these custom bundles of code <a href="https://github.com/istio/istio/wiki/Mixer-Compiled-In-Adapter-Dev-Guide"><em>adapters</em></a>.</p>
|
||
<p>Adapters are Go packages that are directly linked into the Mixer binary. It’s fairly simple to create custom Mixer binaries linked with specialized sets of adapters, in case the default set of adapters is not sufficient for specific use cases.</p>
|
||
<h2 id="philosophy">Philosophy</h2>
|
||
<p>Mixer is essentially an attribute processing and routing machine. The proxy sends it <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#attributes">attributes</a> as part of doing precondition checks and telemetry reports, which it turns into a series of calls into adapters. The operator supplies configuration which describes how to map incoming attributes to inputs for the adapters.</p>
|
||
<figure style="width:60%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:42.60859894197215%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2017/adapter-model/machine.svg" title="Attribute Machine">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2017/adapter-model/machine.svg" alt="Attribute Machine" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Attribute Machine</figcaption>
|
||
</figure>
|
||
<p>Configuration is a complex task. In fact, evidence shows that the overwhelming majority of service outages are caused by configuration errors. To help combat this, Mixer’s configuration model enforces a number of constraints designed to avoid errors. For example, the configuration model uses strong typing to ensure that only meaningful attributes or attribute expressions are used in any given context.</p>
|
||
<h2 id="handlers-configuring-adapters">Handlers: configuring adapters</h2>
|
||
<p>Each adapter that Mixer uses requires some configuration to operate. Typically, adapters need things like the URL to their backend, credentials, caching options, and so forth. Each adapter defines the exact configuration data it needs via a <a href="https://developers.google.com/protocol-buffers/">protobuf</a> message.</p>
|
||
<p>You configure each adapter by creating <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#handlers"><em>handlers</em></a> for them. A handler is a
|
||
configuration resource which represents a fully configured adapter ready for use. There can be any number of handlers for a single adapter, making it possible to reuse an adapter in different scenarios.</p>
|
||
<h2 id="templates-adapter-input-schema">Templates: adapter input schema</h2>
|
||
<p>Mixer is typically invoked twice for every incoming request to a mesh service, once for precondition checks and once for telemetry reporting. For every such call, Mixer invokes one or more adapters. Different adapters need different pieces of data as input in order to do their work. A logging adapter needs a log entry, a metric adapter needs a metric, an authorization adapter needs credentials, etc.
|
||
Mixer <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/templates/"><em>templates</em></a> are used to describe the exact data that an adapter consumes at request time.</p>
|
||
<p>Each template is specified as a <a href="https://developers.google.com/protocol-buffers/">protobuf</a> message. A single template describes a bundle of data that is delivered to one or more adapters at runtime. Any given adapter can be designed to support any number of templates, the specific templates the adapter supports is determined by the adapter developer.</p>
|
||
<p><a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/templates/metric/"><code>metric</code></a> and <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/templates/logentry/"><code>logentry</code></a> are two of the most essential templates used within Istio. They represent respectively the payload to report a single metric and a single log entry to appropriate backends.</p>
|
||
<h2 id="instances-attribute-mapping">Instances: attribute mapping</h2>
|
||
<p>You control which data is delivered to individual adapters by creating
|
||
<a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#instances"><em>instances</em></a>.
|
||
Instances control how Mixer uses the <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#attributes">attributes</a> delivered
|
||
by the proxy into individual bundles of data that can be routed to different adapters.</p>
|
||
<p>Creating instances generally requires using <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/expression-language/">attribute expressions</a>. The point of these expressions is to use any attribute or literal value in order to produce a result that can be assigned to an instance’s field.</p>
|
||
<p>Every instance field has a type, as defined in the template, every attribute has a
|
||
<a href="https://github.com/istio/api/blob/release-1.12/policy/v1beta1/value_type.proto">type</a>, and every attribute expression has a type.
|
||
You can only assign type-compatible expressions to any given instance fields. For example, you can’t assign an integer expression
|
||
to a string field. This kind of strong typing is designed to minimize the risk of creating bogus configurations.</p>
|
||
<h2 id="rules-delivering-data-to-adapters">Rules: delivering data to adapters</h2>
|
||
<p>The last piece to the puzzle is telling Mixer which instances to send to which handler and when. This is done by
|
||
creating <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/#rules"><em>rules</em></a>. Each rule identifies a specific handler and the set of
|
||
instances to send to that handler. Whenever Mixer processes an incoming call, it invokes the indicated handler and gives it the specific set of instances for processing.</p>
|
||
<p>Rules contain matching predicates. A predicate is an attribute expression which returns a true/false value. A rule only takes effect if its predicate expression returns true. Otherwise, it’s like the rule didn’t exist and the indicated handler isn’t invoked.</p>
|
||
<h2 id="future">Future</h2>
|
||
<p>We are working to improve the end to end experience of using and developing adapters. For example, several new features are planned to make templates more expressive. Additionally, the expression language is being substantially enhanced to be more powerful and well-rounded.</p>
|
||
<p>Longer term, we are evaluating ways to support adapters which aren’t directly linked into the main Mixer binary. This would simplify deployment and composition.</p>
|
||
<h2 id="conclusion">Conclusion</h2>
|
||
<p>The refreshed Mixer adapter model is designed to provide a flexible framework to support an open-ended set of infrastructure backends.</p>
|
||
<p>Handlers provide configuration data for individual adapters, templates determine exactly what kind of data different adapters want to consume at runtime, instances let operators prepare this data, rules direct the data to one or more handlers.</p>
|
||
<p>You can learn more about Mixer&rsquo;s overall architecture <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry/mixer-overview/">here</a>, and learn the specifics of templates, handlers,
|
||
and rules <a href="https://istio.io/v1.6/docs/reference/config/policy-and-telemetry">here</a>. You can find many examples of Mixer configuration resources in the Bookinfo sample
|
||
<a href="https://github.com/istio/istio/tree/release-1.12/samples/bookinfo">here</a>.</p></description><pubDate>Fri, 03 Nov 2017 00:00:00 +0000</pubDate><link>/v1.12/blog/2017/adapter-model/</link><author>Martin Taillefer</author><guid isPermaLink="true">/v1.12/blog/2017/adapter-model/</guid><category>adapters</category><category>mixer</category><category>policies</category><category>telemetry</category></item><item><title>Using Network Policy with Istio</title><description>
|
||
<p>The use of Network Policy to secure applications running on Kubernetes is a now a widely accepted industry best practice. Given that Istio also supports policy, we want to spend some time explaining how Istio policy and Kubernetes Network Policy interact and support each other to deliver your application securely.</p>
|
||
<p>Let’s start with the basics: why might you want to use both Istio and Kubernetes Network Policy? The short answer is that they are good at different things. Consider the main differences between Istio and Network Policy (we will describe &ldquo;typical” implementations, e.g. Calico, but implementation details can vary with different network providers):</p>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th></th>
|
||
<th>Istio Policy</th>
|
||
<th>Network Policy</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>Layer</strong></td>
|
||
<td>&ldquo;Service&rdquo; &mdash; L7</td>
|
||
<td>&ldquo;Network&rdquo; &mdash; L3-4</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>Implementation</strong></td>
|
||
<td>User space</td>
|
||
<td>Kernel</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>Enforcement Point</strong></td>
|
||
<td>Pod</td>
|
||
<td>Node</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h2 id="layer">Layer</h2>
|
||
<p>Istio policy operates at the &ldquo;service” layer of your network application. This is Layer 7 (Application) from the perspective of the OSI model, but the de facto model of cloud native applications is that Layer 7 actually consists of at least two layers: a service layer and a content layer. The service layer is typically HTTP, which encapsulates the actual application data (the content layer). It is at this service layer of HTTP that the Istio’s Envoy proxy operates. In contrast, Network Policy operates at Layers 3 (Network) and 4 (Transport) in the OSI model.</p>
|
||
<p>Operating at the service layer gives the Envoy proxy a rich set of attributes to base policy decisions on, for protocols it understands, which at present includes HTTP/1.1 &amp; HTTP/2 (gRPC operates over HTTP/2). So, you can apply policy based on virtual host, URL, or other HTTP headers. In the future, Istio will support a wide range of Layer 7 protocols, as well as generic TCP and UDP transport.</p>
|
||
<p>In contrast, operating at the network layer has the advantage of being universal, since all network applications use IP. At the network layer you can apply policy regardless of the layer 7 protocol: DNS, SQL databases, real-time streaming, and a plethora of other services that do not use HTTP can be secured. Network Policy isn’t limited to a classic firewall’s tuple of IP addresses, proto, and ports. Both Istio and Network Policy are aware of rich Kubernetes labels to describe pod endpoints.</p>
|
||
<h2 id="implementation">Implementation</h2>
|
||
<p>The Istio’s proxy is based on <a href="https://envoyproxy.github.io/envoy/">Envoy</a>, which is implemented as a user space daemon in the data plane that
|
||
interacts with the network layer using standard sockets. This gives it a large amount of flexibility in processing, and allows it to be
|
||
distributed (and upgraded!) in a container.</p>
|
||
<p>Network Policy data plane is typically implemented in kernel space (e.g. using iptables, eBPF filters, or even custom kernel modules). Being in kernel space
|
||
allows them to be extremely fast, but not as flexible as the Envoy proxy.</p>
|
||
<h2 id="enforcement-point">Enforcement point</h2>
|
||
<p>Policy enforcement using the Envoy proxy is implemented inside the pod, as a sidecar container in the same network namespace. This allows a simple deployment model. Some containers are given permission to reconfigure the networking inside their pod (<code>CAP_NET_ADMIN</code>). If such a service instance is compromised, or misbehaves (as in a malicious tenant) the proxy can be bypassed.</p>
|
||
<p>While this won’t let an attacker access other Istio-enabled pods, so long as they are correctly configured, it opens several attack vectors:</p>
|
||
<ul>
|
||
<li>Attacking unprotected pods</li>
|
||
<li>Attempting to deny service to protected pods by sending lots of traffic</li>
|
||
<li>Exfiltrating data collected in the pod</li>
|
||
<li>Attacking the cluster infrastructure (servers or Kubernetes services)</li>
|
||
<li>Attacking services outside the mesh, like databases, storage arrays, or legacy systems.</li>
|
||
</ul>
|
||
<p>Network Policy is typically enforced at the host node, outside the network namespace of the guest pods. This means that compromised or misbehaving pods must break into the root namespace to avoid enforcement. With the addition of egress policy due in Kubernetes 1.8, this difference makes Network Policy a key part of protecting your infrastructure from compromised workloads.</p>
|
||
<h2 id="examples">Examples</h2>
|
||
<p>Let’s walk through a few examples of what you might want to do with Kubernetes Network Policy for an Istio-enabled application. Consider the Bookinfo sample application. We’re going to cover the following use cases for Network Policy:</p>
|
||
<ul>
|
||
<li>Reduce attack surface of the application ingress</li>
|
||
<li>Enforce fine-grained isolation within the application</li>
|
||
</ul>
|
||
<h3 id="reduce-attack-surface-of-the-application-ingress">Reduce attack surface of the application ingress</h3>
|
||
<p>Our application ingress controller is the main entry-point to our application from the outside world. A quick peek at <code>istio.yaml</code> (used to install Istio) defines the Istio ingress like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: istio-ingress
|
||
labels:
|
||
istio: ingress
|
||
spec:
|
||
type: LoadBalancer
|
||
ports:
|
||
- port: 80
|
||
name: http
|
||
- port: 443
|
||
name: https
|
||
selector:
|
||
istio: ingress
|
||
</code></pre>
|
||
<p>The <code>istio-ingress</code> exposes ports 80 and 443. Let’s limit incoming traffic to just these two ports. Envoy has a <a href="https://www.envoyproxy.io/docs/envoy/latest/operations/admin.html#operations-admin-interface">built-in administrative interface</a>, and we don’t want a misconfigured <code>istio-ingress</code> image to accidentally expose our admin interface to the outside world. This is an example of defense in depth: a properly configured image should not expose the interface, and a properly configured Network Policy will prevent anyone from connecting to it. Either can fail or be misconfigured and we are still protected.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.k8s.io/v1
|
||
kind: NetworkPolicy
|
||
metadata:
|
||
name: istio-ingress-lockdown
|
||
namespace: default
|
||
spec:
|
||
podSelector:
|
||
matchLabels:
|
||
istio: ingress
|
||
ingress:
|
||
- ports:
|
||
- protocol: TCP
|
||
port: 80
|
||
- protocol: TCP
|
||
port: 443
|
||
</code></pre>
|
||
<h3 id="enforce-fine-grained-isolation-within-the-application">Enforce fine-grained isolation within the application</h3>
|
||
<p>Here is the service graph for the Bookinfo application.</p>
|
||
<figure style="width:80%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:59.086918235567985%">
|
||
<a data-skipendnotes="true" href="/v1.12/docs/examples/bookinfo/withistio.svg" title="Bookinfo Service Graph">
|
||
<img class="element-to-stretch" src="/v1.12/docs/examples/bookinfo/withistio.svg" alt="Bookinfo Service Graph" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Bookinfo Service Graph</figcaption>
|
||
</figure>
|
||
<p>This graph shows every connection that a correctly functioning application should be allowed to make. All other connections, say from the Istio Ingress directly to the Rating service, are not part of the application. Let’s lock out those extraneous connections so they cannot be used by an attacker. Imagine, for example, that the Ingress pod is compromised by an exploit that allows an attacker to run arbitrary code. If we only allow connections to the Product Page pods using Network Policy, the attacker has gained no more access to my application backends <em>even though they have compromised a member of the service mesh</em>.</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: networking.k8s.io/v1
|
||
kind: NetworkPolicy
|
||
metadata:
|
||
name: product-page-ingress
|
||
namespace: default
|
||
spec:
|
||
podSelector:
|
||
matchLabels:
|
||
app: productpage
|
||
ingress:
|
||
- ports:
|
||
- protocol: TCP
|
||
port: 9080
|
||
from:
|
||
- podSelector:
|
||
matchLabels:
|
||
istio: ingress
|
||
</code></pre>
|
||
<p>You can and should write a similar policy for each service to enforce which other pods are allowed to access each.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>Our take is that Istio and Network Policy have different strengths in applying policy. Istio is application-protocol aware and highly flexible, making it ideal for applying policy in support of operational goals, like service routing, retries, circuit-breaking, etc, and for security that operates at the application layer, such as token validation. Network Policy is universal, highly efficient, and isolated from the pods, making it ideal for applying policy in support of network security goals. Furthermore, having policy that operates at different layers of the network stack is a really good thing as it gives each layer specific context without commingling of state and allows separation of responsibility.</p>
|
||
<p>This post is based on the three part blog series by Spike Curtis, one of the Istio team members at Tigera. The full series can be found here: <a href="https://www.projectcalico.org/using-network-policy-in-concert-with-istio/">https://www.projectcalico.org/using-network-policy-in-concert-with-istio/</a></p></description><pubDate>Thu, 10 Aug 2017 00:00:00 +0000</pubDate><link>/v1.12/blog/2017/0.1-using-network-policy/</link><author>Spike Curtis</author><guid isPermaLink="true">/v1.12/blog/2017/0.1-using-network-policy/</guid></item><item><title>Canary Deployments using Istio</title><description>
|
||
<div>
|
||
<aside class="callout tip">
|
||
<div class="type">
|
||
<svg class="large-icon"><use xlink:href="/v1.12/img/icons.svg#callout-tip"/></svg>
|
||
</div>
|
||
<div class="content">This post was updated on May 16, 2018 to use the latest version of the traffic management model.</div>
|
||
</aside>
|
||
</div>
|
||
<p>One of the benefits of the <a href="/v1.12/">Istio</a> project is that it provides the control needed to deploy canary services. The idea behind
|
||
canary deployment (or rollout) is to introduce a new version of a service by first testing it using a small percentage of user
|
||
traffic, and then if all goes well, increase, possibly gradually in increments, the percentage while simultaneously phasing out
|
||
the old version. If anything goes wrong along the way, we abort and roll back to the previous version. In its simplest form,
|
||
the traffic sent to the canary version is a randomly selected percentage of requests, but in more sophisticated schemes it
|
||
can be based on the region, user, or other properties of the request.</p>
|
||
<p>Depending on your level of expertise in this area, you may wonder why Istio&rsquo;s support for canary deployment is even needed, given that platforms like Kubernetes already provide a way to do <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment">version rollout</a> and <a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments">canary deployment</a>. Problem solved, right? Well, not exactly. Although doing a rollout this way works in simple cases, it’s very limited, especially in large scale cloud environments receiving lots of (and especially varying amounts of) traffic, where autoscaling is needed.</p>
|
||
<h2 id="canary-deployment-in-kubernetes">Canary deployment in Kubernetes</h2>
|
||
<p>As an example, let&rsquo;s say we have a deployed service, <strong>helloworld</strong> version <strong>v1</strong>, for which we would like to test (or simply roll out) a new version, <strong>v2</strong>. Using Kubernetes, you can roll out a new version of the <strong>helloworld</strong> service by simply updating the image in the service’s corresponding <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/">Deployment</a> and letting the <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#updating-a-deployment">rollout</a> happen automatically. If we take particular care to ensure that there are enough <strong>v1</strong> replicas running when we start and <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#pausing-and-resuming-a-deployment">pause</a> the rollout after only one or two <strong>v2</strong> replicas have been started, we can keep the canary’s effect on the system very small. We can then observe the effect before deciding to proceed or, if necessary, <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-back-a-deployment">roll back</a>. Best of all, we can even attach a <a href="https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#scaling-a-deployment">horizontal pod autoscaler</a> to the Deployment and it will keep the replica ratios consistent if, during the rollout process, it also needs to scale replicas up or down to handle traffic load.</p>
|
||
<p>Although fine for what it does, this approach is only useful when we have a properly tested version that we want to deploy, i.e., more of a blue/green, a.k.a. red/black, kind of upgrade than a &ldquo;dip your feet in the water&rdquo; kind of canary deployment. In fact, for the latter (for example, testing a canary version that may not even be ready or intended for wider exposure), the canary deployment in Kubernetes would be done using two Deployments with <a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#using-labels-effectively">common pod labels</a>. In this case, we can’t use autoscaling anymore because it’s now being done by two independent autoscalers, one for each Deployment, so the replica ratios (percentages) may vary from the desired ratio, depending purely on load.</p>
|
||
<p>Whether we use one deployment or two, canary management using deployment features of container orchestration platforms like Docker, Mesos/Marathon, or Kubernetes has a fundamental problem: the use of instance scaling to manage the traffic; traffic version distribution and replica deployment are not independent in these systems. All replica pods, regardless of version, are treated the same in the <code>kube-proxy</code> round-robin pool, so the only way to manage the amount of traffic that a particular version receives is by controlling the replica ratio. Maintaining canary traffic at small percentages requires many replicas (e.g., 1% would require a minimum of 100 replicas). Even if we ignore this problem, the deployment approach is still very limited in that it only supports the simple (random percentage) canary approach. If, instead, we wanted to limit the visibility of the canary to requests based on some specific criteria, we still need another solution.</p>
|
||
<h2 id="enter-istio">Enter Istio</h2>
|
||
<p>With Istio, traffic routing and replica deployment are two completely independent functions. The number of pods implementing services are free to scale up and down based on traffic load, completely orthogonal to the control of version traffic routing. This makes managing a canary version in the presence of autoscaling a much simpler problem. Autoscalers may, in fact, respond to load variations resulting from traffic routing changes, but they are nevertheless functioning independently and no differently than when loads change for other reasons.</p>
|
||
<p>Istio’s <a href="/v1.12/docs/concepts/traffic-management/#routing-rules">routing rules</a> also provide other important advantages; you can easily control
|
||
fine-grained traffic percentages (e.g., route 1% of traffic without requiring 100 pods) and you can control traffic using other criteria (e.g., route traffic for specific users to the canary version). To illustrate, let’s look at deploying the <strong>helloworld</strong> service and see how simple the problem becomes.</p>
|
||
<p>We begin by defining the <strong>helloworld</strong> Service, just like any other Kubernetes service, something like this:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: v1
|
||
kind: Service
|
||
metadata:
|
||
name: helloworld
|
||
labels:
|
||
app: helloworld
|
||
spec:
|
||
selector:
|
||
app: helloworld
|
||
...
|
||
</code></pre>
|
||
<p>We then add 2 Deployments, one for each version (<strong>v1</strong> and <strong>v2</strong>), both of which include the service selector’s <code>app: helloworld</code> label:</p>
|
||
<pre><code class='language-yaml' data-expandlinks='true' data-repo='istio' >apiVersion: apps/v1
|
||
kind: Deployment
|
||
metadata:
|
||
name: helloworld-v1
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: helloworld
|
||
version: v1
|
||
spec:
|
||
containers:
|
||
- image: helloworld-v1
|
||
...
|
||
---
|
||
apiVersion: apps/v1
|
||
kind: Deployment
|
||
metadata:
|
||
name: helloworld-v2
|
||
spec:
|
||
replicas: 1
|
||
template:
|
||
metadata:
|
||
labels:
|
||
app: helloworld
|
||
version: v2
|
||
spec:
|
||
containers:
|
||
- image: helloworld-v2
|
||
...
|
||
</code></pre>
|
||
<p>Note that this is exactly the same way we would do a <a href="https://kubernetes.io/docs/concepts/cluster-administration/manage-deployment/#canary-deployments">canary deployment</a> using plain Kubernetes, but in that case we would need to adjust the number of replicas of each Deployment to control the distribution of traffic. For example, to send 10% of the traffic to the canary version (<strong>v2</strong>), the replicas for <strong>v1</strong> and <strong>v2</strong> could be set to 9 and 1, respectively.</p>
|
||
<p>However, since we are going to deploy the service in an <a href="/v1.12/docs/setup/">Istio enabled</a> cluster, all we need to do is set a routing
|
||
rule to control the traffic distribution. For example if we want to send 10% of the traffic to the canary, we could use <code>kubectl</code>
|
||
to set a routing rule something like this:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: helloworld
|
||
spec:
|
||
hosts:
|
||
- helloworld
|
||
http:
|
||
- route:
|
||
- destination:
|
||
host: helloworld
|
||
subset: v1
|
||
weight: 90
|
||
- destination:
|
||
host: helloworld
|
||
subset: v2
|
||
weight: 10
|
||
---
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: DestinationRule
|
||
metadata:
|
||
name: helloworld
|
||
spec:
|
||
host: helloworld
|
||
subsets:
|
||
- name: v1
|
||
labels:
|
||
version: v1
|
||
- name: v2
|
||
labels:
|
||
version: v2
|
||
EOF
|
||
</code></pre>
|
||
<p>After setting this rule, Istio will ensure that only one tenth of the requests will be sent to the canary version, regardless of how many replicas of each version are running.</p>
|
||
<h2 id="autoscaling-the-deployments">Autoscaling the deployments</h2>
|
||
<p>Because we don’t need to maintain replica ratios anymore, we can safely add Kubernetes <a href="https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/">horizontal pod autoscalers</a> to manage the replicas for both version Deployments:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl autoscale deployment helloworld-v1 --cpu-percent=50 --min=1 --max=10
|
||
deployment &#34;helloworld-v1&#34; autoscaled
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl autoscale deployment helloworld-v2 --cpu-percent=50 --min=1 --max=10
|
||
deployment &#34;helloworld-v2&#34; autoscaled
|
||
</code></pre>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get hpa
|
||
NAME REFERENCE TARGET CURRENT MINPODS MAXPODS AGE
|
||
Helloworld-v1 Deployment/helloworld-v1 50% 47% 1 10 17s
|
||
Helloworld-v2 Deployment/helloworld-v2 50% 40% 1 10 15s
|
||
</code></pre>
|
||
<p>If we now generate some load on the <strong>helloworld</strong> service, we would notice that when scaling begins, the <strong>v1</strong> autoscaler will scale up its replicas significantly higher than the <strong>v2</strong> autoscaler will for its replicas because <strong>v1</strong> pods are handling 90% of the load.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
|
||
helloworld-v1-3523621687-3q5wh 0/2 Pending 0 15m
|
||
helloworld-v1-3523621687-73642 2/2 Running 0 11m
|
||
helloworld-v1-3523621687-7hs31 2/2 Running 0 19m
|
||
helloworld-v1-3523621687-dt7n7 2/2 Running 0 50m
|
||
helloworld-v1-3523621687-gdhq9 2/2 Running 0 11m
|
||
helloworld-v1-3523621687-jxs4t 0/2 Pending 0 15m
|
||
helloworld-v1-3523621687-l8rjn 2/2 Running 0 19m
|
||
helloworld-v1-3523621687-wwddw 2/2 Running 0 15m
|
||
helloworld-v1-3523621687-xlt26 0/2 Pending 0 19m
|
||
helloworld-v2-4095161145-963wt 2/2 Running 0 50m
|
||
</code></pre>
|
||
<p>If we then change the routing rule to send 50% of the traffic to <strong>v2</strong>, we should, after a short delay, notice that the <strong>v1</strong> autoscaler will scale down the replicas of <strong>v1</strong> while the <strong>v2</strong> autoscaler will perform a corresponding scale up.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
|
||
helloworld-v1-3523621687-73642 2/2 Running 0 35m
|
||
helloworld-v1-3523621687-7hs31 2/2 Running 0 43m
|
||
helloworld-v1-3523621687-dt7n7 2/2 Running 0 1h
|
||
helloworld-v1-3523621687-gdhq9 2/2 Running 0 35m
|
||
helloworld-v1-3523621687-l8rjn 2/2 Running 0 43m
|
||
helloworld-v2-4095161145-57537 0/2 Pending 0 21m
|
||
helloworld-v2-4095161145-9322m 2/2 Running 0 21m
|
||
helloworld-v2-4095161145-963wt 2/2 Running 0 1h
|
||
helloworld-v2-4095161145-c3dpj 0/2 Pending 0 21m
|
||
helloworld-v2-4095161145-t2ccm 0/2 Pending 0 17m
|
||
helloworld-v2-4095161145-v3v9n 0/2 Pending 0 13m
|
||
</code></pre>
|
||
<p>The end result is very similar to the simple Kubernetes Deployment rollout, only now the whole process is not being orchestrated and managed in one place. Instead, we’re seeing several components doing their jobs independently, albeit in a cause and effect manner.
|
||
What&rsquo;s different, however, is that if we now stop generating load, the replicas of both versions will eventually scale down to their minimum (1), regardless of what routing rule we set.</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl get pods | grep helloworld
|
||
helloworld-v1-3523621687-dt7n7 2/2 Running 0 1h
|
||
helloworld-v2-4095161145-963wt 2/2 Running 0 1h
|
||
</code></pre>
|
||
<h2 id="focused-canary-testing">Focused canary testing</h2>
|
||
<p>As mentioned above, the Istio routing rules can be used to route traffic based on specific criteria, allowing more sophisticated canary deployment scenarios. Say, for example, instead of exposing the canary to an arbitrary percentage of users, we want to try it out on internal users, maybe even just a percentage of them. The following command could be used to send 50% of traffic from users at <em>some-company-name.com</em> to the canary version, leaving all other users unaffected:</p>
|
||
<pre><code class='language-bash' data-expandlinks='true' data-repo='istio' >$ kubectl apply -f - &lt;&lt;EOF
|
||
apiVersion: networking.istio.io/v1alpha3
|
||
kind: VirtualService
|
||
metadata:
|
||
name: helloworld
|
||
spec:
|
||
hosts:
|
||
- helloworld
|
||
http:
|
||
- match:
|
||
- headers:
|
||
cookie:
|
||
regex: &#34;^(.*?;)?(email=[^;]*@some-company-name.com)(;.*)?$&#34;
|
||
route:
|
||
- destination:
|
||
host: helloworld
|
||
subset: v1
|
||
weight: 50
|
||
- destination:
|
||
host: helloworld
|
||
subset: v2
|
||
weight: 50
|
||
- route:
|
||
- destination:
|
||
host: helloworld
|
||
subset: v1
|
||
EOF
|
||
</code></pre>
|
||
<p>As before, the autoscalers bound to the 2 version Deployments will automatically scale the replicas accordingly, but that will have no affect on the traffic distribution.</p>
|
||
<h2 id="summary">Summary</h2>
|
||
<p>In this article we’ve seen how Istio supports general scalable canary deployments, and how this differs from the basic deployment support in Kubernetes. Istio’s service mesh provides the control necessary to manage traffic distribution with complete independence from deployment scaling. This allows for a simpler, yet significantly more functional, way to do canary test and rollout.</p>
|
||
<p>Intelligent routing in support of canary deployment is just one of the many features of Istio that will make the production deployment of large-scale microservices-based applications much simpler. Check out <a href="/v1.12/">istio.io</a> for more information and to try it out.
|
||
The sample code used in this article can be found <a href="https://github.com/istio/istio/tree/release-1.12/samples/helloworld">here</a>.</p></description><pubDate>Wed, 14 Jun 2017 00:00:00 +0000</pubDate><link>/v1.12/blog/2017/0.1-canary/</link><author>Frank Budinsky</author><guid isPermaLink="true">/v1.12/blog/2017/0.1-canary/</guid><category>traffic-management</category><category>canary</category></item><item><title>Using Istio to Improve End-to-End Security</title><description>
|
||
<p>Conventional network security approaches fail to address security threats to distributed applications deployed in dynamic production environments. Today, we describe how Istio authentication enables enterprises to transform their security posture from just protecting the edge to consistently securing all inter-service communications deep within their applications. With Istio authentication, developers and operators can protect services with sensitive data against unauthorized insider access and they can achieve this without any changes to the application code!</p>
|
||
<p>Istio authentication is the security component of the broader Istio platform. It incorporates the learnings of securing millions of microservice
|
||
endpoints in Google’s production environment.</p>
|
||
<h2 id="background">Background</h2>
|
||
<p>Modern application architectures are increasingly based on shared services that are deployed and scaled dynamically on cloud platforms. Traditional network edge security (e.g. firewall) is too coarse-grained and allows access from unintended clients. An example of a security risk is stolen authentication tokens that can be replayed from another client. This is a major risk for companies with sensitive data that are concerned about insider threats. Other network security approaches like IP whitelists have to be statically defined, are hard to manage at scale, and are unsuitable for dynamic production environments.</p>
|
||
<p>Thus, security administrators need a tool that enables them to consistently, and by default, secure all communication between services across diverse production environments.</p>
|
||
<h2 id="solution-strong-service-identity-and-authentication">Solution: strong service identity and authentication</h2>
|
||
<p>Google has, over the years, developed architecture and technology to uniformly secure millions of microservice endpoints in its production environment against
|
||
external
|
||
attacks and insider threats. Key security principles include trusting the endpoints and not the network, strong mutual authentication based on service identity and service level authorization. Istio authentication is based on the same principles.</p>
|
||
<p>The version 0.1 release of Istio authentication runs on Kubernetes and provides the following features:</p>
|
||
<ul>
|
||
<li><p>Strong identity assertion between services</p></li>
|
||
<li><p>Access control to limit the identities that can access a service (and its data)</p></li>
|
||
<li><p>Automatic encryption of data in transit</p></li>
|
||
<li><p>Management of keys and certificates at scale</p></li>
|
||
</ul>
|
||
<p>Istio authentication is based on industry standards like mutual TLS and X.509. Furthermore, Google is actively contributing to an open, community-driven service security framework called <a href="https://spiffe.io/">SPIFFE</a>. As the <a href="https://spiffe.io/">SPIFFE</a> specifications mature, we intend for Istio authentication to become a reference implementation of the same.</p>
|
||
<p>The diagram below provides an overview of the Istio&rsquo;s service authentication architecture on Kubernetes.</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2017/0.1-auth/istio_auth_overview.svg" title="Istio Authentication Overview">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2017/0.1-auth/istio_auth_overview.svg" alt="Istio Authentication Overview" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Authentication Overview</figcaption>
|
||
</figure>
|
||
<p>The above diagram illustrates three key security features:</p>
|
||
<h3 id="strong-identity">Strong identity</h3>
|
||
<p>Istio authentication uses <a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/">Kubernetes service accounts</a> to identify who the service runs as. The identity is used to establish trust and define service level access policies. The identity is assigned at service deployment time and encoded in the SAN (Subject Alternative Name) field of an X.509 certificate. Using a service account as the identity has the following advantages:</p>
|
||
<ul>
|
||
<li><p>Administrators can configure who has access to a Service Account by using the <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">RBAC</a> feature introduced in Kubernetes 1.6</p></li>
|
||
<li><p>Flexibility to identify a human user, a service, or a group of services</p></li>
|
||
<li><p>Stability of the service identity for dynamically placed and auto-scaled workloads</p></li>
|
||
</ul>
|
||
<h3 id="communication-security">Communication security</h3>
|
||
<p>Service-to-service communication is tunneled through high performance client side and server side <a href="https://envoyproxy.github.io/envoy/">Envoy</a> proxies. The communication between the proxies is secured using mutual TLS. The benefit of using mutual TLS is that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. Istio authentication also introduces the concept of Secure Naming to protect from a server spoofing attacks - the client side proxy verifies that the authenticated server&rsquo;s service account is allowed to run the named service.</p>
|
||
<h3 id="key-management-and-distribution">Key management and distribution</h3>
|
||
<p>Istio authentication provides a per-cluster CA (Certificate Authority) and automated key &amp; certificate management. In this context, Istio authentication:</p>
|
||
<ul>
|
||
<li><p>Generates a key and certificate pair for each service account.</p></li>
|
||
<li><p>Distributes keys and certificates to the appropriate pods using <a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes Secrets</a>.</p></li>
|
||
<li><p>Rotates keys and certificates periodically.</p></li>
|
||
<li><p>Revokes a specific key and certificate pair when necessary (future).</p></li>
|
||
</ul>
|
||
<p>The following diagram explains the end to end Istio authentication workflow on Kubernetes:</p>
|
||
<figure style="width:100%">
|
||
<div class="wrapper-with-intrinsic-ratio" style="padding-bottom:56.25%">
|
||
<a data-skipendnotes="true" href="/v1.12/blog/2017/0.1-auth/istio_auth_workflow.svg" title="Istio Authentication Workflow">
|
||
<img class="element-to-stretch" src="/v1.12/blog/2017/0.1-auth/istio_auth_workflow.svg" alt="Istio Authentication Workflow" />
|
||
</a>
|
||
</div>
|
||
<figcaption>Istio Authentication Workflow</figcaption>
|
||
</figure>
|
||
<p>Istio authentication is part of the broader security story for containers. Red Hat, a partner on the development of Kubernetes, has identified <a href="https://www.redhat.com/en/resources/container-security-openshift-cloud-devops-whitepaper">10 Layers</a> of container security. Istio addresses two of these layers: &ldquo;Network Isolation&rdquo; and &ldquo;API and Service Endpoint Management&rdquo;. As cluster federation evolves on Kubernetes and other platforms, our intent is for Istio to secure communications across services spanning multiple federated clusters.</p>
|
||
<h2 id="benefits-of-istio-authentication">Benefits of Istio authentication</h2>
|
||
<p><strong>Defense in depth</strong>: When used in conjunction with Kubernetes (or infrastructure) network policies, users achieve higher levels of confidence, knowing that pod-to-pod or service-to-service communication is secured both at network and application layers.</p>
|
||
<p><strong>Secure by default</strong>: When used with Istio’s proxy and centralized policy engine, Istio authentication can be configured during deployment with minimal or no application change. Administrators and operators can thus ensure that service communications are secured by default and that they can enforce these policies consistently across diverse protocols and runtimes.</p>
|
||
<p><strong>Strong service authentication</strong>: Istio authentication secures service communication using mutual TLS to ensure that the service identity is not expressed as a bearer token that can be stolen or replayed from another source. This ensures that services with sensitive data can only be accessed from strongly authenticated and authorized clients.</p>
|
||
<h2 id="join-us-in-this-journey">Join us in this journey</h2>
|
||
<p>Istio authentication is the first step towards providing a full stack of capabilities to protect services with sensitive data from external attacks and insider
|
||
threats. While the initial version runs on Kubernetes, our goal is to enable Istio authentication to secure services across diverse production environments. We encourage the
|
||
community to <a href="https://github.com/istio/istio/tree/release-1.12/security">join us</a> in making robust service security easy and ubiquitous across different application
|
||
stacks and runtime platforms.</p></description><pubDate>Thu, 25 May 2017 00:00:00 +0000</pubDate><link>/v1.12/blog/2017/0.1-auth/</link><author>The Istio Team</author><guid isPermaLink="true">/v1.12/blog/2017/0.1-auth/</guid></item></channel></rss> |