我的书签
添加书签
移除书签Security Problems
If isn’t set, make sure the JWT issuer is of url format and
url + /.well-known/openid-configurationcan be opened in browser; for example, if the JWT issuer ishttps://accounts.google.com, make surehttps://accounts.google.com/.well-known/openid-configurationis a valid url and can be opened in a browser.If the JWT token is placed in the Authorization header in http requests, make sure the JWT token is valid (not expired, etc). The fields in a JWT token can be decoded by using online JWT parsing tools, e.g., jwt.io.
Verify the Envoy proxy configuration of the target workload using
istioctl proxy-configcommand.With the example policy above applied, use the following command to check the
listenerconfiguration on the inbound port80. You should seeenvoy.filters.http.jwt_authnfilter with settings matching the issuer and JWKS as specified in the policy.$ POD=$(kubectl get pod -l app=httpbin -n foo -o jsonpath={.items..metadata.name})$ istioctl proxy-config listener ${POD} -n foo --port 80 --type HTTP -o json<redacted>{"name": "envoy.filters.http.jwt_authn","typedConfig": {"@type": "type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication","providers": {"origins-0": {"issuer": "testing@secure.istio.io","localJwks": {"inlineString": "*redacted*"},"payloadInMetadata": "testing@secure.istio.io"}},"rules": [{"match": {"prefix": "/"},"requires": {"requiresAny": {"requirements": [{"providerName": "origins-0"},{"allowMissing": {}}]}}}]}},<redacted>
Authorization is too restrictive or permissive
One common mistake is specifying multiple items unintentionally in the YAML. Take the following policy as an example:
apiVersion: security.istio.io/v1beta1kind: AuthorizationPolicymetadata:name: examplenamespace: foospec:action: ALLOWrules:- to:- operation:paths:- /foo- from:- source:namespaces:- foo
You may expect the policy to allow requests if the path is /foo and the source namespace is foo. However, the policy actually allows requests if the path is /foo or the source namespace is foo, which is more permissive.
In the YAML syntax, the - in front of the from: means it’s a new element in the list. This creates 2 rules in the policy instead of 1. In authorization policy, multiple rules have the semantics of OR.
To fix the problem, just remove the extra - to make the policy have only 1 rule that allows requests if the path is /foo and the source namespace is foo, which is more restrictive.
The authorization policy will be more restrictive because HTTP-only fields (e.g. host, path, headers, JWT, etc.) do not exist in the raw TCP connections.
In the case of ALLOW policy, these fields are never matched. In the case of DENY and CUSTOM action, these fields are considered always matched. The final effect is a more restrictive policy that could cause unexpected denies.
Check the Kubernetes service definition to verify that the port is named with the correct protocol properly. If you are using HTTP-only fields on the port, make sure the port name has the http- prefix.
Check the workload selector and namespace to confirm it’s applied to the correct targets. You can determine the authorization policy in effect by running istioctl x authz check POD-NAME.POD-NAMESPACE.
If not specified, the policy defaults to use action
ALLOW.When a workload has multiple actions (,
ALLOWandDENY) applied at the same time, all actions must be satisfied to allow a request. In other words, a request is denied if any of the action denies and is allowed only if all actions allow.The
AUDITaction does not enforce access control and will not deny the request at any cases.
Istiod converts and distributes your authorization policies to the proxies. The following steps help you ensure Istiod is working as expected:
Run the following command to open the Istiod
ControlZUI Page:$ istioctl dashboard controlz $(kubectl -n istio-system get pods -l app=istiod -o jsonpath='{.items[0].metadata.name}').istio-system
Change the
authorizationOutput Level todebug.Print the log of Istiod and search for
authorizationwith the following command:You probably need to first delete and then re-apply your authorization policies so that the debug output is generated for these policies.
Check the output and verify:
- There are no errors.
- There is a
building v1beta1 policymessage which indicates the filter was generated for the target workload.
For example, you might see something similar to the following:
2020-03-05T23:43:21.621339Z debug authorization found authorization allow policies for workload [app=ext-authz-server,pod-template-hash=5fd587cc9d,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=ext-authz-server,service.istio.io/canonical-revision=latest] in foo2020-03-05T23:43:21.621348Z debug authorization building filter for HTTP listener protocol2020-03-05T23:43:21.621351Z debug authorization building v1beta1 policy2020-03-05T23:43:21.621399Z debug authorization constructed internal model: &{Permissions:[{Services:[] Hosts:[] NotHosts:[] Paths:[] NotPaths:[] Methods:[] NotMethods:[] Ports:[] NotPorts:[] Constraints:[] AllowAll:true v1beta1:true}] Principals:[{Users:[] Names:[cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account] NotNames:[] Group: Groups:[] NotGroups:[] Namespaces:[] NotNamespaces:[] IPs:[] NotIPs:[] RequestPrincipals:[] NotRequestPrincipals:[] Properties:[] AllowAll:false v1beta1:true}]}2020-03-05T23:43:21.621528Z info ads LDS: PUSH for node:sleep-6bdb595bcb-vmchz.foo listeners:382020-03-05T23:43:21.621997Z debug authorization generated policy ns[foo]-policy[ext-authz-server]-rule[0]: permissions:<and_rules:<rules:<any:true > > > principals:<and_ids:<ids:<or_ids:<ids:<metadata:<filter:"istio_authn" path:<key:"source.principal" > value:<string_match:<exact:"cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account" > > > > > > > >2020-03-05T23:43:21.622052Z debug authorization added HTTP filter to filter chain 02020-03-05T23:43:21.623532Z debug authorization found authorization allow policies for workload [app=ext-authz-server,pod-template-hash=5fd587cc9d,security.istio.io/tlsMode=istio,service.istio.io/canonical-name=ext-authz-server,service.istio.io/canonical-revision=latest] in foo2020-03-05T23:43:21.623543Z debug authorization building filter for TCP listener protocol2020-03-05T23:43:21.623546Z debug authorization building v1beta1 policy2020-03-05T23:43:21.623572Z debug authorization constructed internal model: &{Permissions:[{Services:[] Hosts:[] NotHosts:[] Paths:[] NotPaths:[] Methods:[] NotMethods:[] Ports:[] NotPorts:[] Constraints:[] AllowAll:true v1beta1:true}] Principals:[{Users:[] Names:[cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account] NotNames:[] Group: Groups:[] NotGroups:[] Namespaces:[] NotNamespaces:[] IPs:[] NotIPs:[] RequestPrincipals:[] NotRequestPrincipals:[] Properties:[] AllowAll:false v1beta1:true}]}2020-03-05T23:43:21.623625Z debug authorization generated policy ns[foo]-policy[ext-authz-server]-rule[0]: permissions:<and_rules:<rules:<any:true > > > principals:<and_ids:<ids:<or_ids:<ids:<authenticated:<principal_name:<exact:"spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account" > > > > > > >2020-03-05T23:43:21.623645Z debug authorization added TCP filter to filter chain 02020-03-05T23:43:21.623648Z debug authorization added TCP filter to filter chain 1
This shows that Istiod generated:
An HTTP filter config with policy
ns[foo]-policy[ext-authz-server]-rule[0]for workload with labelsapp=ext-authz-server,....A TCP filter config with policy
ns[foo]-policy[ext-authz-server]-rule[0]for workload with labelsapp=ext-authz-server,....
Ensure Istiod distributes policies to proxies correctly
Pilot distributes the authorization policies to proxies. The following steps help you ensure Pilot is working as expected:
The command used in this section assumes you have deployed Bookinfo application, otherwise you should replace "-l app=productpage" with your actual pod.
Run the following command to get the proxy configuration dump for the
productpageservice:$ kubectl exec $(kubectl get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -- pilot-agent request GET config_dump
Check the log and verify:
- The log includes an
envoy.filters.http.rbacfilter to enforce the authorization policy on each incoming request. - Istio updates the filter accordingly after you update your authorization policy.
- The log includes an
The following output means the proxy of
productpagehas enabled theenvoy.filters.http.rbacfilter with rules that allows anyone to access it viaGETmethod. Theshadow_rulesare not used and you can ignored them safely.{"name": "envoy.filters.http.rbac","config": {"rules": {"policies": {"productpage-viewer": {"permissions": [{"and_rules": {"rules": [{"or_rules": {"rules": [{"header": {"exact_match": "GET","name": ":method"}}]}}]}}],"principals": [{"and_ids": {"ids": [{"any": true}]}}]}}},"shadow_rules": {"policies": {}}},
Proxies eventually enforce the authorization policies. The following steps help you ensure the proxy is working as expected:
The command used in this section assumes you have deployed . otherwise you should replace "-l app=productpage" with your actual pod.
Verify you see the following output:
active loggers:... ...rbac: debug... ...
Visit the
productpagein your browser to generate some logs.Print the proxy logs with the following command:
$ kubectl logs $(kubectl get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}') -c istio-proxy
Check the output and verify:
Your authorization policy expects the data extracted from the request.
The following output means there is a
GETrequest at path/productpageand the policy allows the request. Theshadow deniedhas no effect and you can ignore it safely....[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:79] checking request: remoteAddress: 10.60.0.139:51158, localAddress: 10.60.0.93:9080, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, subjectPeerCertificate: O=, headers: ':authority', '35.238.0.62'':path', '/productpage'':method', 'GET''upgrade-insecure-requests', '1''user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36''dnt', '1''accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8''accept-encoding', 'gzip, deflate''accept-language', 'en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7''x-forwarded-for', '10.60.0.1''x-forwarded-proto', 'http''x-request-id', 'e23ea62d-b25d-91be-857c-80a058d746d4''x-b3-traceid', '5983108bf6d05603''x-b3-spanid', '5983108bf6d05603''x-b3-sampled', '1''x-istio-attributes', 'CikKGGRlc3RpbmF0aW9uLnNlcnZpY2UubmFtZRINEgtwcm9kdWN0cGFnZQoqCh1kZXN0aW5hdGlvbi5zZXJ2aWNlLm5hbWVzcGFjZRIJEgdkZWZhdWx0Ck8KCnNvdXJjZS51aWQSQRI/a3ViZXJuZXRlczovL2lzdGlvLWluZ3Jlc3NnYXRld2F5LTc2NjY0Y2NmY2Ytd3hjcjQuaXN0aW8tc3lzdGVtCj4KE2Rlc3RpbmF0aW9uLnNlcnZpY2USJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApDChhkZXN0aW5hdGlvbi5zZXJ2aWNlLmhvc3QSJxIlcHJvZHVjdHBhZ2UuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbApBChdkZXN0aW5hdGlvbi5zZXJ2aWNlLnVpZBImEiRpc3RpbzovL2RlZmF1bHQvc2VydmljZXMvcHJvZHVjdHBhZ2U=''content-length', '0''x-envoy-internal', 'true''sec-istio-authn-payload', 'CkVjbHVzdGVyLmxvY2FsL25zL2lzdGlvLXN5c3RlbS9zYS9pc3Rpby1pbmdyZXNzZ2F0ZXdheS1zZXJ2aWNlLWFjY291bnQSRWNsdXN0ZXIubG9jYWwvbnMvaXN0aW8tc3lzdGVtL3NhL2lzdGlvLWluZ3Jlc3NnYXRld2F5LXNlcnZpY2UtYWNjb3VudA==', dynamicMetadata: filter_metadata {key: "istio_authn"value {fields {key: "request.auth.principal"value {string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}}fields {key: "source.principal"value {string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"}}}}[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:88] shadow denied[2018-07-26 20:39:18.060][152][debug][rbac] external/envoy/source/extensions/filters/http/rbac/rbac_filter.cc:98] enforced allowed...
Keys and certificates errors
If you suspect that some of the keys and/or certificates used by Istio aren’t correct, you can inspect the contents from any pod:
By passing the -o json flag, you can pass the full certificate content to openssl to analyze its contents:
$ istioctl proxy-config secret sleep-8f795f47d-4s4t7 -o json | jq '[.dynamicActiveSecrets[] | select(.name == "default")][0].secret.tlsCertificate.certificateChain.inlineBytes' -r | base64 -d | openssl x509 -noout -textCertificate:Data:Version: 3 (0x2)Serial Number:99:59:6b:a2:5a:f4:20:f4:03:d7:f0:bc:59:f5:d8:40Signature Algorithm: sha256WithRSAEncryptionIssuer: O = k8s.cluster.localValidityNot Before: Jun 4 20:38:20 2018 GMTNot After : Sep 2 20:38:20 2018 GMT...X509v3 extensions:X509v3 Key Usage: criticalDigital Signature, Key EnciphermentX509v3 Extended Key Usage:TLS Web Server Authentication, TLS Web Client AuthenticationX509v3 Basic Constraints: criticalCA:FALSEX509v3 Subject Alternative Name:URI:spiffe://cluster.local/ns/my-ns/sa/my-sa
Make sure the displayed certificate contains valid information. In particular, the Subject Alternative Name field should be URI:spiffe://cluster.local/ns/my-ns/sa/my-sa.
If you suspect problems with mutual TLS, first ensure that , and second ensure that keys and certificates are being delivered to sidecars properly.
If everything appears to be working so far, the next step is to verify that the right is applied and the right destination rules are in place.
See also
A tutorial to help customers migrate from the deprecated v1alpha1 security policy to the supported v1beta1 version.
Istio in 2020 - Following the Trade Winds
A vision statement and roadmap for Istio in 2020.
A more secure way to manage secrets.
Provision and manage DNS certificates in Istio.
Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.
A more secure way to manage Istio webhooks.
