SNI Monitoring and Policies for TLS Egress Traffic
The Configure Egress Traffic using Wildcard Hosts example
describes how to enable TLS egress traffic for a set of hosts in a common domain, in that case *.wikipedia.org
. This
example extends that example to show how to configure SNI monitoring and apply policies on TLS egress traffic.
Before you begin
Setup Istio by following the instructions in the Installation guide.
Deploy the sleep sample app to use as a test source for sending requests. If you have automatic sidecar injection enabled, run the following command to deploy the sample app:
$ kubectl apply -f @samples/sleep/sleep.yaml@
Otherwise, manually inject the sidecar before deploying the
sleep
application with the following command:$ kubectl apply -f <(istioctl kube-inject -f @samples/sleep/sleep.yaml@)
Set the
SOURCE_POD
environment variable to the name of your source pod:$ export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
Configure traffic to
*.wikipedia.org
by following the steps in Configure Egress Traffic using Wildcard Hosts example, with mutual TLS enabled.
SNI monitoring and access policies
Since you configured the egress traffic to flow through the egress gateway, you can apply monitoring and access policy enforcement on the egress traffic, securely. In this section you will define a log entry and an access policy for the egress traffic to *.wikipedia.org.
Create logging configuration:
$ kubectl apply -f @samples/sleep/telemetry/sni-logging.yaml@
Send HTTPS requests to https://en.wikipedia.org and https://de.wikipedia.org:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"' <title>Wikipedia, the free encyclopedia</title> <title>Wikipedia – Die freie Enzyklopädie</title>
Check the mixer log. If Istio is deployed in the
istio-system
namespace, the command to print the log is:$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep 'egress-access'
Define a policy that allows access to the hostnames matching
*.wikipedia.org
except for Wikipedia in English:$ kubectl apply -f @samples/sleep/policy/sni-wikipedia.yaml@
Send an HTTPS request to the blacklisted Wikipedia in English:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -v https://en.wikipedia.org/wiki/Main_Page' ... curl: (35) Unknown SSL protocol error in connection to en.wikipedia.org:443 command terminated with exit code 35
Access to Wikipedia in English is blocked according to the policy you defined.
Send HTTPS requests to some other Wikipedia sites, for example https://es.wikipedia.org and https://de.wikipedia.org:
$ kubectl exec -it $SOURCE_POD -c sleep -- sh -c 'curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"' <title>Wikipedia, la enciclopedia libre</title> <title>Wikipedia – Die freie Enzyklopädie</title>
Access to Wikipedia sites in other languages is allowed, as expected.
Cleanup of monitoring and policy enforcement
$ kubectl delete -f @samples/sleep/telemetry/sni-logging.yaml@
$ kubectl delete -f @samples/sleep/policy/sni-wikipedia.yaml@
Monitor the SNI and the source identity, and enforce access policies based on them
Since you enabled mutual TLS between the sidecar proxies and the egress gateway, you can monitor the service identity of the applications that access external services, and enforce policies
based on the identities of the traffic source.
In Istio on Kubernetes, the identities are based on
Service Accounts. In this
subsection, you deploy two sleep containers, sleep-us
and sleep-canada
under two service accounts,
sleep-us
and sleep-canada
, respectively. Then you define a policy that allows applications with the sleep-us
identity to access the English and the Spanish versions of Wikipedia, and services with sleep-canada
identity to
access the English and the French versions.
Deploy two sleep containers,
sleep-us
andsleep-canada
, withsleep-us
andsleep-canada
service accounts, respectively:$ sed 's/: sleep/: sleep-us/g' @samples/sleep/sleep.yaml@ | kubectl apply -f - $ sed 's/: sleep/: sleep-canada/g' @samples/sleep/sleep.yaml@ | kubectl apply -f - serviceaccount "sleep-us" created service "sleep-us" created deployment "sleep-us" created serviceaccount "sleep-canada" created service "sleep-canada" created deployment "sleep-canada" created
Create logging configuration:
$ kubectl apply -f @samples/sleep/telemetry/sni-logging.yaml@
Send HTTPS requests to Wikipedia sites in English, German, Spanish and French, from
sleep-us
:$ kubectl exec -it $(kubectl get pod -l app=sleep-us -o jsonpath='{.items[0].metadata.name}') -c sleep-us -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o "<title>.*</title>"' <title>Wikipedia, the free encyclopedia</title> <title>Wikipedia – Die freie Enzyklopädie</title> <title>Wikipedia, la enciclopedia libre</title> <title>Wikipédia, l'encyclopédie libre</title>
Check the mixer log. If Istio is deployed in the
istio-system
namespace, the command to print the log is:$ kubectl -n istio-system logs -l istio-mixer-type=telemetry -c mixer | grep 'egress-access' {"level":"info","time":"2019-01-10T17:33:55.559093Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"en.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} {"level":"info","time":"2019-01-10T17:33:56.166227Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"de.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} {"level":"info","time":"2019-01-10T17:33:56.779842Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"es.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"} {"level":"info","time":"2019-01-10T17:33:57.413908Z","instance":"egress-access.instance.istio-system","connectionEvent":"open","destinationApp":"","requestedServerName":"fr.wikipedia.org","source":"istio-egressgateway-with-sni-proxy","sourceNamespace":"default","sourcePrincipal":"cluster.local/ns/default/sa/sleep-us","sourceWorkload":"istio-egressgateway-with-sni-proxy"}
Note the
requestedServerName
attribute, andsourcePrincipal
, it must becluster.local/ns/default/sa/sleep-us
.Define a policy that will allow access to Wikipedia in English and Spanish for applications with the
sleep-us
service account and to Wikipedia in English and French for applications with thesleep-canada
service account. Access to other Wikipedia sites will be blocked.$ kubectl apply -f @samples/sleep/policy/sni-serviceaccount.yaml@
Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from
sleep-us
:$ kubectl exec -it $(kubectl get pod -l app=sleep-us -o jsonpath='{.items[0].metadata.name}') -c sleep-us -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o "<title>.*</title>";:' <title>Wikipedia, the free encyclopedia</title> <title>Wikipedia, la enciclopedia libre</title>
Note that only the allowed Wikipedia sites for
sleep-us
service account are allowed, namely Wikipedia in English and Spanish.$ kubectl delete pod -n istio-system -l istio-mixer-type=policy
Resend HTTPS requests to Wikipedia sites in English, German, Spanish and French, from
sleep-canada
:$ kubectl exec -it $(kubectl get pod -l app=sleep-canada -o jsonpath='{.items[0].metadata.name}') -c sleep-canada -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"; curl -s https://es.wikipedia.org/wiki/Wikipedia:Portada | grep -o "<title>.*</title>"; curl -s https://fr.wikipedia.org/wiki/Wikip%C3%A9dia:Accueil_principal | grep -o "<title>.*</title>";:' <title>Wikipedia, the free encyclopedia</title> <title>Wikipédia, l'encyclopédie libre</title>
Note that only the allowed Wikipedia sites for
sleep-canada
service account are allowed, namely Wikipedia in English and French.
Cleanup of monitoring and policy enforcement of SNI and source identity
$ kubectl delete service sleep-us sleep-canada
$ kubectl delete deployment sleep-us sleep-canada
$ kubectl delete serviceaccount sleep-us sleep-canada
$ kubectl delete -f @samples/sleep/telemetry/sni-logging.yaml@
$ kubectl delete -f @samples/sleep/policy/sni-serviceaccount.yaml@
Cleanup
Perform the cleanup steps from Configure Egress Traffic using Wildcard Hosts example.
Shutdown the sleep service:
$ kubectl delete -f @samples/sleep/sleep.yaml@