Showcase mTLS and ACL of Istio with Thorntail applications
- Docker installed and running
- OpenShift and Istio environment up and running with mTLS enabled.
See https://github.com/openshift-istio/istio-docs/blob/master/content/rhoar-workflow.adoc for details about the Launcher workflows and setting up the docker insecure registry required to run the istiooc.
Here is the sequence showing how to get up and running with the latest OpenShift 3.11 based istiooc release.
- Download the latest istiooc release, for example:
mkdir istiooc && cd istiooc
wget -O oc https://github.com/Maistra/origin/releases/download/v3.11.0%2Bmaistra-0.9.0/istiooc_linux
chmod +x oc
export PATH=/path/to/istiooc:$PATH
Note in this case it is based on Maistra 0.9.0 openshift-ansible release: https://github.com/Maistra/openshift-ansible/releases/tag/maistra-0.9.0
- Start the cluster:
oc cluster up
Note this will apply the the istio-operator described here: https://github.com/Maistra/openshift-ansible/blob/maistra-0.9.0/istio/Installation.md#installing-the-istio-operator
- Login as system:admin, create an admin user and relogin as admin:admin
oc create user admin
oc adm policy add-cluster-role-to-user cluster-admin admin
oc login
- Apply
anyuid
andprivileged
permissions to the service account of the project you are going to use to test the booster services, by default it will be adefault
account in the projectMyProject
:
oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:default
oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:default
and only for the istio-security booster:
oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:sa-greeting
oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:sa-greeting
oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:sa-name
oc adm policy add-scc-to-user privileged system:serviceaccount:myproject:sa-name
- Deploy the Istio control plane and the Fabric8 launcher:
oc create -f istio-installation-full.yaml
where istio-installation-full.yaml
should look like this:
apiVersion: "istio.openshift.com/v1alpha1"
kind: "Installation"
metadata:
name: "istio-installation"
namespace: istio-operator
spec:
deployment_type: openshift
istio:
authentication: true
community: false
prefix: registry.access.redhat.com/openshift-istio-tech-preview/
version: 0.9.0
jaeger:
prefix: registry.access.redhat.com/distributed-tracing-tech-preview/
version: 1.11.0
elasticsearch_memory: 1Gi
launcher:
openshift:
user: admin
password: admin
github:
username: YOUR_GIT_ACCOUNT_ID
token: YOUR_GIT_ACCOUNT_TOKEN
where the GIT token should have public_repo
, read:org
, and admin:repo_hook
permissions.
The more complete version may look like this: https://github.com/Maistra/openshift-ansible/blob/maistra-0.9.0/istio/istio-installation-full.yaml
but the one above is sufficient for testing the boosters. Note, setting istio.authentication
to true
enables MTLS.
- Verify the Istio Control Plane and Launcher deployments:
Now proceed to testing the booster.
If the Booster is installed through the Launcher and the Continuous Delivery flow, no additional steps are necessary.
Skip to the Use Cases section.
Create a new namespace/project:
oc new-project <whatever valid project name you want>
Run the following commands to apply and execute the OpenShift templates that will configure and deploy the applications:
find . | grep openshiftio | grep application | xargs -n 1 oc apply -f
oc new-app --template=thorntail-istio-security-greeting-service -p SOURCE_REPOSITORY_URL=https://github.com/thorntail-examples/istio-security -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=greeting
oc new-app --template=thorntail-istio-security-name-service -p SOURCE_REPOSITORY_URL=https://github.com/thorntail-examples/istio-security -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=name
Any steps issuing oc
commands require the user to have run oc login
first and switched to the appropriate project with oc project <project name>
.
This scenario demonstrates mutual transport level security between services within a mesh.
- Create a Gateway and Virtual Service in Istio so that we can access the service within the Mesh:
oc apply -f istio-config/gateway.yaml
- Retrieve the URL for the Istio Ingress Gateway route, with the below command, and open it in a web browser.
echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/thorntail-istio-security/
- The user will be presented with the web page of the Booster
- Click the "Invoke" button. You should see "Hello World" message in a result box.
- Modify the Greeting Service Deployment Config to disable Istio sidecar injection by setting
sidecar.istio.io/inject
tofalse
. This can be done through the OpenShift Console UI or on the command line with:oc edit deploymentconfigs/thorntail-istio-security-greeting
- In the OpenShift Console UI the thorntail-istio-security-greeting deployment will restarted with the changes
- Refreshing the browser page opened at the Istio Ingress Gateway URL will now show the error:
This is because the Greeting Service is no longer part of the Istio Mesh, and can not be loaded by the Ingress service, even though the Ingress rule is still present.
upstream connect error or disconnect/reset before headers
- From the OpenShift Console UI, click on the URL route for the Greeting service and it will load the web page for the Booster.
- Clicking "Invoke" will result in an error appearing in the result box that looks like
This is because the Greeting service is outside Istio, and the Name service is inside. mTLS prevents services outside and inside the mesh from communicating with each other.
HTTP Response Code `500` with cause: Failed to communicate with `thorntail-istio-security-name` due to: RESTEASY004655: Unable to invoke request
- Now re-enable Istio sidecar injection by setting
sidecar.istio.io/inject
totrue
and verify that once the deployment has restarted, the Istio Ingress Gateway URL is able to load the webpage again. You will also notice that the external route URL for the Greeting service returns a blank page as the route URL is outside Istio, and the service is now back inside, and is therefore inaccesible to the route.
This scenario demonstrates access control between services when mTLS is enabled.
- Retrieve the URL for the Istio Ingress Gateway route, with the below command, and open it in a web browser.
echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/thorntail-istio-security/
- The user will be presented with the web page of the Booster
- Click the "Invoke" button. You should see "Hello World" message in a result box.
- Configure the Istio Mixer to block the greeting service from accessing the name service by label:
oc apply -f istio-config/block-greeting-service.yaml
- In the Booster webpage clicking "Invoke" will now return an error that contains a message such as:
PERMISSION_DENIED:denynameservicelabelhandler.denier.my-security:Not allowed
- We can remove the rule and see "Invoke" work as before by running:
oc delete -f istio-config/block-greeting-service.yaml
- Now configure the Istio Mixer to only allow requests to the name service when the caller has the
sa-greeting
service account:oc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" istio-config/require-service-account-and-label.yaml)
- Clicking "Invoke" will now show "Hello World", as the caller has the needed service account.
- Remove the rule by running:
oc delete -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" istio-config/require-service-account-and-label.yaml)