Disabling access to services outside the mesh
The following command restricts all outbound traffic to services defined in the service registry plus those defined through ServiceEntry resources (everything else is blocked by the sidecar):

istioctl install --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
Enabling access to a URL outside the mesh

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: moneta-egress
spec:
  hosts:
  - '*.microsoft.com'
  - '*.microsoftonline.com'
  - '*.windows.net'
  location: MESH_EXTERNAL
  ports:
  - name: https
    number: 443
    protocol: HTTPS
  resolution: NONE
Set up the namespace to be secure by default
Enable mTLS in strict mode for a specific namespace
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
Apply an ALLOW-NOTHING policy (an AuthorizationPolicy with an empty spec denies all traffic to the workloads it covers)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
spec: {}
Creating allow rules for the different components
Create allow rule for the frontend
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "web.name" . }}
  action: ALLOW
  rules:
  - {}
Create allow rule for the accounts service (only the frontend's service account may call it, and only on /accounts/*)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ include "accounts.name" . }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "accounts.name" . }}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/moneta/sa/frontend-web"]
    to:
    - operation:
        paths: ["/accounts/*"]
Check which policies are applied to a workload
istioctl x authz check $(kubectl get pods -l app=mssql -n moneta -o jsonpath="{.items[0].metadata.name}").moneta
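As an added example (not part of the original post), the following Python script encodes the "secure by default" checks described above as a small audit over the AuthorizationPolicy and PeerAuthentication objects of a namespace: STRICT namespace-wide mTLS, an allow-nothing policy, and ALLOW rules scoped by selector, source principal and operation. The input is a constructed sample shaped like the items `kubectl get ... -o json` returns; the label values and policy names are assumptions.

```python
from typing import Dict, List


def is_strict_namespace_mtls(pa: Dict) -> bool:
    """Namespace-wide PeerAuthentication (no selector) with mode STRICT."""
    spec = pa.get("spec") or {}
    return "selector" not in spec and (spec.get("mtls") or {}).get("mode") == "STRICT"


def is_allow_nothing(pol: Dict) -> bool:
    """spec: {} (no selector, no rules, default ALLOW action) denies all traffic."""
    spec = pol.get("spec") or {}
    return ("selector" not in spec and not spec.get("rules")
            and spec.get("action", "ALLOW") == "ALLOW")


def rule_findings(pol: Dict) -> List[str]:
    """Report ALLOW rules that are wider than the accounts-style rule above."""
    name, spec, out = pol["metadata"]["name"], pol.get("spec") or {}, []
    if spec.get("action", "ALLOW") != "ALLOW" or is_allow_nothing(pol):
        return out
    if "selector" not in spec:
        out.append(f"{name}: ALLOW policy without selector covers every workload in the namespace")
    for i, rule in enumerate(spec.get("rules") or [], 1):
        sources = rule.get("from") or []
        if not any((s.get("source") or {}).get("principals") for s in sources):
            out.append(f"{name}: rule {i} has no source principals (any caller is allowed)")
        if not rule.get("to"):
            out.append(f"{name}: rule {i} has no 'to' block (all paths and methods allowed)")
    return out


def audit_namespace(peer_auths: List[Dict], policies: List[Dict]) -> Dict:
    return {
        "strict_mtls": any(is_strict_namespace_mtls(p) for p in peer_auths),
        "deny_by_default": any(is_allow_nothing(p) for p in policies),
        "findings": [f for p in policies for f in rule_findings(p)],
    }


# Constructed sample for the moneta namespace (label values are assumptions).
PEER_AUTHS = [{"kind": "PeerAuthentication", "metadata": {"name": "default"},
               "spec": {"mtls": {"mode": "STRICT"}}}]
POLICIES = [
    {"kind": "AuthorizationPolicy", "metadata": {"name": "allow-nothing"}, "spec": {}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "frontend"},
     "spec": {"selector": {"matchLabels": {"app.kubernetes.io/name": "frontend-web"}},
              "action": "ALLOW", "rules": [{}]}},
    {"kind": "AuthorizationPolicy", "metadata": {"name": "accounts"},
     "spec": {"selector": {"matchLabels": {"app.kubernetes.io/name": "accounts"}},
              "action": "ALLOW",
              "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/moneta/sa/frontend-web"]}}],
                         "to": [{"operation": {"paths": ["/accounts/*"]}}]}]}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit_namespace(PEER_AUTHS, POLICIES), indent=2))
```

On the sample, the only findings are for the frontend policy, whose `- {}` rule intentionally admits any caller; the accounts policy passes because it pins both the source principal and the path.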