Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/debianmaster/istio-test1

Generated by the Red Hat Developer Launch (https://developers.redhat.com/launch)
https://github.com/debianmaster/istio-test1

Last synced: 12 months ago
JSON representation

Generated by the Red Hat Developer Launch (https://developers.redhat.com/launch)

Awesome Lists containing this project

README 

          
= Istio Security Mission



== Purpose

Showcase Istio TLS and ACL via a set of Spring Boot applications.



== Prerequisites

. Openshift 3.9 cluster

. Istio 0.7.1 with authentication installed on the aforementioned cluster. To install Istio simply follow one of the following docs:

.. https://istio.io/docs/setup/kubernetes/quick-start.html

.. https://istio.io/docs/setup/kubernetes/ansible-install.html

. Enable automatic sidecar injection for Istio (See https://istio.io/docs/setup/kubernetes/sidecar-injection.html[this] for details)

+

In order for Istio automatic sidecar injection to work properly, the following Istio configuration needs to be in place:

+

.. The `policy` field is set to `disabled` in the `istio-inject` configmap  of the `istio-system` namespace.

   This can be checked by inspecting the output of



   oc get configmap istio-inject -o jsonpath='{.data.config}' -n istio-system | grep policy

   

.. The `istio-sidecar-injector` `MutatingWebhookConfiguration` should not limit the injection to properly labeled namespaces.

   If Istio was installed using the default settings, then make sure the output of



   oc get MutatingWebhookConfiguration istio-sidecar-injector -o jsonpath='{.webhooks[0].namespaceSelector}' -n istio-system`

+

is empty. It is advised however that you inspect the output of



   oc get MutatingWebhookConfiguration istio-sidecar-injector -o yaml

+

to make sure that no other "filters" have been applied.



. Expose services and Istio ingress:

+

```

oc expose svc istio-ingress -n istio-system

```

. Login to the cluster with the admin user



== Environment preparation



Create a new project/namespace on the cluster. This is where your application will be deployed.



```bash

oc new-project 

```



== Build and deploy the application

=== With Fabric8 Maven Plugin (FMP)

Execute the following command to build the project and deploy it to OpenShift:

```bash

mvn clean package fabric8:deploy -Popenshift

```

Configuration for FMP may be found both in pom.xml and `src/main/fabric8` files/folders.



This configuration is used to define service names and deployments that control how pods are labeled/versioned on the OpenShift cluster.



=== With Source to Image build (S2I)

Run the following commands to apply and execute the OpenShift templates that will configure and deploy the applications:

```bash

find . | grep openshiftio | grep application | xargs -n 1 oc apply -f



oc new-app --template=spring-boot-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-name

oc new-app --template=spring-boot-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/spring-boot-istio-security-booster -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-greeting

```



= Use Cases

== Scenario #1. Mutual TLS



This scenario demonstrates a mutual transport level security between the services.



1. Open the booster’s web page via Istio ingress route

+

```bash

echo http://$(oc get route istio-ingress -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/

```

1. "Hello, World!" should be returned after invoking `greeting` service.

1. Now modify greeting deployment to disable sidecar injection by replacing all `sidecar.istio.io/inject` values to `false`

+

```bash

oc edit deploymentconfigs/spring-boot-istio-security-greeting

```

1. Open the booster’s web page via `greeting` service’s route

+

```bash

echo http://$(oc get route spring-boot-istio-security-greeting -o jsonpath='{.spec.host}{"\n"}' -n $(oc project -q))/

```

1. `Greeting` service invocation will fail with a reset connection, because the `greeting` service has to be inside a service mesh in order to access the `name` service.

1. Cleanup by setting `sidecar.istio.io/inject` values to true

+

```bash

oc edit deploymentconfigs/spring-boot-istio-security-greeting

```



== Scenario #2. Access control



This scenario demonstrates access control when using mutual TLS. In order to access a name service, calling service has to have a specific label and service account name.



1. Open the booster’s web page via Istio ingress route

+

```bash

echo http://$(oc get route istio-ingress -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/

```

1. "Hello, World!" should be returned after invoking `greeting` service.

1. Configure Istio Mixer to block `greeting` service from accessing `name` service

+

```bash

oc apply -f rules/block-greeting-service.yml

```

1. `Greeting` service invocations to the `name` service will be forbidden.

1. Configure Istio Mixer to only allow requests from `greeting` service and with `sa-greeting` service account to access `name` service

+

```bash

oc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" rules/require-service-account-and-label.yml)

```

1. "Hello, World!" should be returned after invoking `greeting` service.

1. Cleanup

+

```bash

oc delete -f rules/require-service-account-and-label.yml

```



== Undeploy the application



=== With Fabric8 Maven Plugin (FMP)

```bash

mvn fabric8:undeploy

```



=== With Source to Image build (S2I)

```bash

oc delete all --all

find . | grep openshiftio | grep application | xargs -n 1 oc delete -f

```



=== Remove the namespace

This will delete the project from the OpenShift cluster

```bash

oc delete project 

```