Monitoring and Policies for TLS Egress
Set up Istio by following the instructions in the Installation guide.
Deploy the sleep sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:
Otherwise, manually inject the sidecar before deploying the sleep application with the following command:
$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
You can use any pod with curl installed as a test source.
- Set the SOURCE_POD environment variable to the name of your source pod:
$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
Configure traffic to *.wikipedia.org by following the Configure Egress Traffic using Wildcard Hosts example, with mutual TLS enabled.
Policy enforcement must be enabled in your cluster for this task. Follow the steps in to ensure that policy enforcement is enabled.
Since you configured the egress traffic to flow through the egress gateway, you can apply monitoring and access policy enforcement on the egress traffic securely. In this section you define a log entry and an access policy for the egress traffic to *.wikipedia.org.
- Create logging configuration:
$ kubectl apply -f @samples/sleep/telemetry/sni-logging.yaml@
- Send HTTPS requests to https://en.wikipedia.org and https://de.wikipedia.org:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"'
<title>Wikipedia, the free encyclopedia</title>
<title>Wikipedia – Die freie Enzyklopädie</title>
- Check the Mixer log. If Istio is deployed in the istio-system namespace, the command to print the log is:
$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep 'egress-access'
- Define a policy that allows access to the hostnames matching *.wikipedia.org except for Wikipedia in English:
- Send an HTTPS request to the blacklisted https://en.wikipedia.org:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -v https://en.wikipedia.org/wiki/Main_Page'
...
curl: (35) Unknown SSL protocol error in connection to en.wikipedia.org:443
command terminated with exit code 35
Access to Wikipedia in English is blocked according to the policy you defined.
- Send HTTPS requests to some other Wikipedia sites, for example https://es.wikipedia.org and https://de.wikipedia.org:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"'
<title>Wikipedia, la enciclopedia libre</title>
<title>Wikipedia – Die freie Enzyklopädie</title>
Access to Wikipedia sites in other languages is allowed, as expected.
$ kubectl delete -f @samples/sleep/telemetry/sni-logging.yaml@
Since you enabled mutual TLS between the sidecar proxies and the egress gateway, you can monitor the service identity of the applications that access external services, and enforce policies based on the identities of the traffic source. In Istio on Kubernetes, the identities are based on service accounts. In this subsection, you deploy two sleep containers, sleep-us and sleep-canada, under two service accounts, sleep-us and sleep-canada, respectively. Then you define a policy that allows applications with the sleep-us identity to access the English and the Spanish versions of Wikipedia, and services with the sleep-canada identity to access the English and the French versions.
- Deploy two sleep containers, sleep-us and sleep-canada, with the sleep-us and sleep-canada service accounts, respectively:
$ sed 's/: sleep/: sleep-us/g' @samples/sleep/sleep.yaml@ | kubectl apply -f -
$ sed 's/: sleep/: sleep-canada/g' @samples/sleep/sleep.yaml@ | kubectl apply -f -
serviceaccount "sleep-us" created
service "sleep-us" created
deployment "sleep-us" created
serviceaccount "sleep-canada" created
service "sleep-canada" created
- Create logging configuration:
$ kubectl apply -f @samples/sleep/telemetry/sni-logging.yaml@
- Send HTTPS requests to Wikipedia sites in English, German, Spanish and French, from sleep-us:
- Check the Mixer log. If Istio is deployed in the istio-system namespace, the command to print the log is:
{"level":"info","time":"2019-01-10T17:33:55.559093Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"en.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:56.166227Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"de.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:56.779842Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"es.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:57.413908Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"fr.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
Note the requestedServerName attribute and the sourcePrincipal attribute; sourcePrincipal must be cluster.local/ns/default/sa/sleep-us.
- Define a policy that allows access to Wikipedia in English and Spanish for applications with the sleep-us service account, and to Wikipedia in English and French for applications with the sleep-canada service account. Access to other Wikipedia sites is blocked.
$ kubectl apply -f @samples/sleep/policy/sni-serviceaccount.yaml@
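As an added illustration (not part of the Istio task or its sample files), the following Python script applies both policies from this task offline to constructed egress-access log lines of the shape shown above: the wildcard rule (*.wikipedia.org except English) and the per-service-account allow-list. The policy table and the sample lines, including the sleep-canada entries and a line with an empty sourcePrincipal, are assumptions made for this example.

```python
import json

# Constructed sample of Mixer "egress-access" log lines (same field names as the ones
# shown in this task, trimmed); the sleep-canada lines, the "close" event and the line
# with an empty sourcePrincipal (a source that did not present an mTLS identity) are added here.
SAMPLE_LOG = """\
{"level":"info","time":"2019-01-10T17:33:55.559093Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"en.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:56.166227Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"de.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:56.779842Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"es.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:33:57.413908Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"fr.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:34:10.000000Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"fr.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-canada","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:34:11.000000Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"de.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-canada","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:34:12.000000Z","instance":"egress-access.instance.istio-system","connectionEvent":"close","requestedServerName":"de.wikipedia.org","sourcePrincipal":"cluster.local/ns/default/sa/sleep-canada","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
{"level":"info","time":"2019-01-10T17:34:13.000000Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","requestedServerName":"en.wikipedia.org","sourcePrincipal":"","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
"""

# Assumed allow-list for the second policy: source principal -> SNI hostnames it may reach.
IDENTITY_POLICY = {
    "cluster.local/ns/default/sa/sleep-us": {"en.wikipedia.org", "es.wikipedia.org"},
    "cluster.local/ns/default/sa/sleep-canada": {"en.wikipedia.org", "fr.wikipedia.org"},
}


def sni_allowed_wildcard(sni, suffix=".wikipedia.org", denied=("en.wikipedia.org",)):
    """First policy of the task: allow any host under *.wikipedia.org except the denied ones."""
    sni = sni.lower()
    return sni.endswith(suffix) and sni not in denied


def audit_log(text, policy):
    """Parse egress-access JSON lines; return (principal, sni, allowed) per opened connection."""
    results = []
    for line in text.splitlines():
        if "egress-access" not in line:
            continue
        entry = json.loads(line)
        if entry.get("connectionEvent") != "open":
            continue  # "close" events repeat a connection already judged at "open"
        principal = entry.get("sourcePrincipal", "")
        sni = entry.get("requestedServerName", "").lower()
        # An empty principal matches no allow-list entry, so unauthenticated sources are denied.
        results.append((principal, sni, sni in policy.get(principal, set())))
    return results


def violations(text, policy):
    """Connections the identity-based policy would have blocked."""
    return [(p, s) for p, s, ok in audit_log(text, policy) if not ok]
```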
- Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from sleep-us:
$ kubectl exec -it $(kubectl get pod -l app=sleep-us -o jsonpath='{.items[0].metadata.name}') -c sleep-us -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o "<title>.*</title>";:'
<title>Wikipedia, the free encyclopedia</title>
<title>Wikipedia, la enciclopedia libre</title>
Note that only the Wikipedia sites allowed for the sleep-us service account are reachable, namely Wikipedia in English and Spanish.
It may take several minutes for the Mixer policy components to synchronize on the new policy. If you want to quickly demonstrate the new policy without waiting until the synchronization is complete, delete the Mixer policy pods:
$ kubectl delete pod -n istio-system -l istio-mixer-type=policy
- Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from sleep-canada:
$ kubectl exec -it $(kubectl get pod -l app=sleep-canada -o jsonpath='{.items[0].metadata.name}') -c sleep-canada -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o "<title>.*</title>";:'
<title>Wikipedia, the free encyclopedia</title>
<title>Wikipédia, l'encyclopédie libre</title>
Note that only the Wikipedia sites allowed for the sleep-canada service account are reachable, namely Wikipedia in English and French.
Cleanup of monitoring and policy enforcement of SNI and source identity