Trust Domain Migration
This task shows you how to migrate from one trust domain to another without changing authorization policy.
In Istio 1.4, we introduce an alpha feature to support trust domain migration for authorization policy. This means if an Istio mesh needs to change its
trust domain, the authorization policy doesn’t need to be changed manually. In Istio, if a workload is running in namespacefoo
with the service account bar
, and the trust domain of the system is my-td
,
the identity of said workload is spiffe://my-td/ns/foo/sa/bar
. By default, the Istio mesh trust domain is cluster.local
,
unless you specify it during the installation.Before you begin
Before you begin this task, do the following:
Read the Istio authorization concepts.
Install Istio with a custom trust domain and mutual TLS enabled.
Deploy the httpbin6 sample in the
default
namespace and the sleep7 sample in thedefault
andsleep-allow
namespaces:Apply the authorization policy below to deny all requests to
httpbin
except fromsleep
in thesleep-allow
namespace.
Notice that it may take tens of seconds for the authorization policy to be propagated to the sidecars.
Verify that requests to
httpbin
from:sleep
in thedefault
namespace are denied.
sleep
in thesleep-allow
namespace are allowed.
Migrate trust domain without trust domain aliases
Install Istio with a new trust domain.
Redeploy istiod to pick up the trust domain changes.
Istio mesh is now running with a new trust domain,
new-td
.Redeploy the
httpbin
andsleep
applications to pick up changes from the new Istio control plane.Verify that requests to
httpbin
from bothsleep
indefault
namespace andsleep-allow
namespace are denied.This is because we specified an authorization policy that deny all requests to
httpbin
, except the ones theold-td/ns/sleep-allow/sa/sleep
identity, which is the old identity of thesleep
application insleep-allow
namespace. When we migrated to a new trust domain above, i.e.new-td
, the identity of thissleep
application is nownew-td/ns/sleep-allow/sa/sleep
, which is not the same asold-td/ns/sleep-allow/sa/sleep
. Therefore, requests from thesleep
application insleep-allow
namespace tohttpbin
were allowed before are now being denied. Prior to Istio 1.4, the only way to make this work is to change the authorization policy manually. In Istio 1.4, we introduce an easy way, as shown below.
Migrate trust domain with trust domain aliases
Install Istio with a new trust domain and trust domain aliases.
Without changing the authorization policy, verify that requests to
httpbin
from:sleep
in thedefault
namespace are denied.
sleep
in thesleep-allow
namespace are allowed.
Best practices
Starting from Istio 1.4, when writing authorization policy, you should consider using the value cluster.local
as the
trust domain part in the policy. For example, instead of old-td/ns/sleep-allow/sa/sleep
, it should be cluster.local/ns/sleep-allow/sa/sleep
.
Notice that in this case, cluster.local
is not the Istio mesh trust domain (the trust domain is still old-td
). However,
in authorization policy, cluster.local
is a pointer that points to the current trust domain, i.e. old-td
(and later new-td
), as well as its aliases.
By using cluster.local
in the authorization policy, when you migrate to a new trust domain, Istio will detect this and treat the new trust domain
as the old trust domain without you having to include the aliases.