Tuesday, April 13, 2021

Zero trust architecture with Istio

Disabling access to services outside the mesh

By default (ALLOW_ANY) the sidecar passes outbound traffic to any external host straight through. The following command switches the mesh-wide outbound traffic policy to REGISTRY_ONLY, so the sidecar only forwards traffic to services in the service registry (Kubernetes services plus hosts declared through ServiceEntries) and sends everything else to its BlackHoleCluster:

istioctl install --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY

Enabling access to hosts outside the mesh

With REGISTRY_ONLY in place every external host has to be declared explicitly. The ServiceEntry below admits HTTPS traffic to the Microsoft identity endpoints. Wildcard hosts are declared with resolution: NONE, so the sidecar matches the connection on its TLS SNI and passes it through to the IP the application resolved itself:

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: moneta-egress
spec:
  hosts:
  - '*.microsoft.com'
  - '*.microsoftonline.com'
  - '*.windows.net'
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: NONE

Set up the namespace to be secure by default

Enable mTLS in strict mode for a specific namespace

Apply the PeerAuthentication below with -n <namespace>. It is namespace-scoped: a policy named default in the root namespace (istio-system) would become the mesh-wide default instead. STRICT rejects plaintext connections, which also matters for the authorization policies further down, since the principals they match come from the client certificate.

apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT


Apply ALLOW NOTHING policy

Istio leaves a workload open until at least one ALLOW policy selects it. An AuthorizationPolicy with an empty spec (no selector, no rules, default action ALLOW) selects every workload in the namespace and matches no request, so from here on every request is denied unless a more specific ALLOW policy matches it:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec: {}

Creating allow rules for the different components

Create allow rule for the frontend

The single empty rule ({}) matches every request, so any caller (for example the ingress gateway) can reach the frontend; only the workloads selected by matchLabels are opened up.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "web.name" . }}
  action: ALLOW
  rules:
  - {}

Create allow rule for accounts service

Only the frontend-web service account in the moneta namespace may call the accounts service, and only under /accounts/. The principal is the SPIFFE identity taken from the peer certificate, so this rule relies on the STRICT PeerAuthentication above: a plaintext caller has no principal and never matches.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ include "accounts.name" . }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "accounts.name" . }}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/moneta/sa/frontend-web"]
    to:
    - operation:
        paths: ["/accounts/*"]

Check which policies are applied to a workload

istioctl x authz check lists the authorization policies loaded into the sidecar of a given pod, here the mssql pod in the moneta namespace. With the policies above it should show allow-nothing and nothing else, i.e. nobody in the mesh can reach the database yet:

istioctl x authz check $(kubectl get pods -l app=mssql -n moneta -o jsonpath="{.items[0].metadata.name}").moneta
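To see why the allow-nothing policy plus the two ALLOW policies give a default-deny namespace, and why the accounts rule silently denies plaintext callers, here is a small offline model of the policy evaluation. It is an added example, not Istio's own code and not from the original post: it follows the decision order Istio documents (DENY policies first, then ALLOW, open by default when no ALLOW policy selects the workload) for the matchers used on this page, and leaves out root-namespace policies, CUSTOM actions and when conditions. The label values frontend-web and accounts, the ingress-gateway principal and the requests are constructed assumptions standing in for the Helm template output.

```python
"""Offline model of how Istio evaluates the AuthorizationPolicies above.

Added example, not Istio code. Only namespace-scoped policies with
from.source.principals and to.operation.paths are modelled; root-namespace
policies, CUSTOM actions and `when` conditions are left out.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    namespace: str            # namespace of the target workload
    workload: dict            # labels on the target pod
    path: str
    principal: Optional[str]  # identity from the mTLS client cert; None = plaintext


@dataclass
class Policy:
    name: str
    namespace: str
    action: str = "ALLOW"
    selector: dict = field(default_factory=dict)  # {} = every workload in the namespace
    rules: list = field(default_factory=list)     # [] = matches no request


def _wildcard(pattern: str, value: str) -> bool:
    """Istio string matching: exact, "prefix*", "*suffix" or "*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def _source_matches(source: dict, req: Request) -> bool:
    principals = source.get("principals")
    if principals:
        # No peer certificate means no principal, so a principals clause can never match.
        if req.principal is None:
            return False
        if not any(_wildcard(p, req.principal) for p in principals):
            return False
    return True


def _operation_matches(op: dict, req: Request) -> bool:
    paths = op.get("paths")
    return not paths or any(_wildcard(p, req.path) for p in paths)


def _rule_matches(rule: dict, req: Request) -> bool:
    """{} matches everything; entries inside from/to are OR-ed, from and to are AND-ed."""
    froms = rule.get("from") or []
    if froms and not any(_source_matches(f.get("source", {}), req) for f in froms):
        return False
    tos = rule.get("to") or []
    if tos and not any(_operation_matches(t.get("operation", {}), req) for t in tos):
        return False
    return True


def _selects(pol: Policy, req: Request) -> bool:
    return pol.namespace == req.namespace and all(
        req.workload.get(k) == v for k, v in pol.selector.items())


def evaluate(policies: list, req: Request) -> str:
    """Documented order: any matching DENY wins; then ALLOW; open if nothing selects the workload."""
    applicable = [p for p in policies if _selects(p, req)]
    for p in applicable:
        if p.action == "DENY" and any(_rule_matches(r, req) for r in p.rules):
            return "DENY"
    allows = [p for p in applicable if p.action == "ALLOW"]
    if not allows:
        return "ALLOW"  # no ALLOW policy selects the workload: Istio's default is open
    if any(_rule_matches(r, req) for p in allows for r in p.rules):
        return "ALLOW"
    return "DENY"       # ALLOW policies exist but none of their rules matched


# The three policies from the page. Label values are assumptions for the Helm output.
NS = "moneta"
FRONTEND_LABELS = {"app.kubernetes.io/name": "frontend-web"}  # assumed
ACCOUNTS_LABELS = {"app.kubernetes.io/name": "accounts"}      # assumed
MSSQL_LABELS = {"app": "mssql"}                                # label from the istioctl command
FRONTEND_SA = "cluster.local/ns/moneta/sa/frontend-web"
GATEWAY_SA = "cluster.local/ns/istio-system/sa/istio-ingressgateway"  # assumed caller

POLICIES = [
    Policy("allow-nothing", NS),  # spec: {} -> no selector, no rules
    Policy("frontend", NS, selector=FRONTEND_LABELS, rules=[{}]),
    Policy("accounts", NS, selector=ACCOUNTS_LABELS, rules=[{
        "from": [{"source": {"principals": [FRONTEND_SA]}}],
        "to": [{"operation": {"paths": ["/accounts/*"]}}],
    }]),
]


def scenarios(policies: list = POLICIES) -> dict:
    """Constructed requests covering the intended allows and the failure modes."""
    cases = {
        "gateway->frontend": Request(NS, FRONTEND_LABELS, "/", GATEWAY_SA),
        "frontend->accounts": Request(NS, ACCOUNTS_LABELS, "/accounts/42", FRONTEND_SA),
        "frontend->accounts /admin": Request(NS, ACCOUNTS_LABELS, "/admin", FRONTEND_SA),
        "gateway->accounts": Request(NS, ACCOUNTS_LABELS, "/accounts/42", GATEWAY_SA),
        "plaintext->accounts": Request(NS, ACCOUNTS_LABELS, "/accounts/42", None),
        "frontend->mssql": Request(NS, MSSQL_LABELS, "/", FRONTEND_SA),
    }
    return {name: evaluate(policies, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28} {verdict}")
    # Drop allow-nothing and the database becomes reachable by anything in the mesh.
    print("frontend->mssql without allow-nothing:", scenarios(POLICIES[1:])["frontend->mssql"])
```

Running it shows the frontend open to the gateway, the accounts service reachable only by the frontend-web identity under /accounts/, the database denied to everyone, and, once allow-nothing is removed from the list, the database wide open, which is exactly the gap the empty-spec policy closes.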
