Authorization for TCP Services

This task covers the activities you might need to perform to set up Istio authorization, also known as Istio Role Based Access Control (RBAC), for TCP services in an Istio mesh. You can learn more about the Istio authorization in the authorization concept page.

Before you begin

The activities in this task assume that you:

• Read the authorization concept.

• Follow the Kubernetes quick start to install Istio using the strict mutual TLS profile.

• Deploy the Bookinfo sample application.

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see the following sections:

• Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
• Book Reviews on the lower right of the page.

When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.

Installing and configuring a TCP service

By default, the Bookinfo example application only includes HTTP services. To show how Istio handles the authorization of TCP services, we must update the application to use a TCP service. Follow this procedure to deploy the Bookinfo example app and update its ratings service to the v2 version, which talks to a MongoDB backend using TCP.

1. Install v2 of the ratings service with service account bookinfo-ratings-v2:

   • To create the service account and configure the new version of the service for a cluster with automatic sidecar injection enabled:

     Zip

     $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
     

   • To create the service account and configure the new version of the service for a cluster without automatic sidecar injection enabled:

     Zip

     $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@)
     

2. Create the appropriate destination rules:

   Zip

   $ kubectl apply -f @samples/bookinfo/networking/destination-rule-all-mtls.yaml@
   

   Since the subset referenced in the virtual service rules relies on the destination rules, wait a few seconds for the destination rules to propagate before adding the virtual service rules.

3. After the destination rules propagate, update the reviews service to only use the v2 of the ratings service:

   Zip

   $ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
   

4. Go to the Bookinfo product page at (http://$GATEWAY_URL/productpage).

   On the product page, you can see an error message on the Book Reviews section. The message reads: “Ratings service is currently unavailable.”. The message appears because we switched to use the v2 subset of the ratings service without deploying the MongoDB service.

5. Deploy the MongoDB service:

   • To deploy MongoDB in a cluster with automatic sidecar injection enabled:

     Zip

     $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@
     

   • To deploy MongoDB in a cluster without automatic sidecar injection enabled:

     Zip

     $ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@)
     

6. Go to the Bookinfo product page at http://$GATEWAY_URL/productpage.

7. Verify that the Book Reviews section shows the reviews.

Enabling Istio authorization

Run the following command to enable Istio authorization for the MongoDB service:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:

• The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
• The Book Reviews section on the lower right of the page includes an error message “Ratings service is currently unavailable”.

This is because Istio authorization is “deny by default”, which means that you need to explicitly define access control policies to grant access to the MongoDB service.

Enforcing access control on TCP service

Now let’s set up service-level access control using Istio authorization to allow v2 of ratings to access the MongoDB service.

Run the following command to apply the authorization policy:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@

Once applied, the policy has the following effects:

• Creates the following mongodb-viewer service role, which allows access to the MongoDB service on port 27017.

  apiVersion: "rbac.istio.io/v1alpha1"
  kind: ServiceRole
  metadata:
    name: mongodb-viewer
    namespace: default
  spec:
    rules:
    - services: ["mongodb.default.svc.cluster.local"]
      constraints:
      - key: "destination.port"
        values: ["27017"]
  

• Creates the following bind-mongodb-viewer service role binding, which assigns the mongodb-viewer role to the bookinfo-ratings-v2 service.

  apiVersion: "rbac.istio.io/v1alpha1"
  kind: ServiceRoleBinding
  metadata:
    name: bind-mongodb-viewer
    namespace: default
  spec:
    subjects:
    - user: "cluster.local/ns/default/sa/bookinfo-ratings-v2"
    roleRef:
      kind: ServiceRole
      name: "mongodb-viewer"
  

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see the following sections:

• Book Details on the lower left side, which includes: book type, number of pages, publisher, etc.
• Book Reviews on the lower right side, which includes: red stars.

Cleanup

• Remove Istio authorization policy configuration:

  Zip

  $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@
  

  Alternatively, you can delete all service role and service role binding resources by running the following commands:

  $ kubectl delete servicerole --all
  $ kubectl delete servicerolebinding --all
  

• Disable Istio authorization:

  Zip

  $ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@