...
Important Info - cert-chain.pem is Envoy's cert that needs to be presented to the other side. key.pem is Envoy's private key, paired with Envoy's cert in cert-chain.pem. root-cert.pem is the root cert used to verify the peer's cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service1 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
...
Add Security details for clients of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
Code Block (js, title: GET)
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
  "metadata": {
    "name": "<name>",              // unique name for each intent
    "description": "Security intent",
    "application": "<app1>",
    "userdata1": "<>",
    "userdata2": "<>"
  },
  "spec": {
    // service account principal -> list of allowed {method: path} grants
    "serviceAccountAccess": {
      "cluster.local/ns/default/sa/sleep": [
        { "GET": "/status" },
        { "GET": "/headers" }
      ]
    }
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Security Rules created"
}
...
Add Security details for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
Code Block (js, title: GET)
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
  "metadata": {
    "name": "<name>",              // unique name for each intent
    "description": "Security intent",
    "application": "<app1>",
    "userdata1": "<>",
    "userdata2": "<>"
  },
  "spec": {
    // service account principal -> list of allowed {method: path} grants
    "serviceAccountAccess": {
      "cluster.local/ns/default/sa/sleep": [
        { "GET": "/static" },
        { "GET": "/api/v1/products" }
      ]
    }
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Security Rules created"
}
...
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
Code Block (js, title: GET)
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
  "metadata": {
    "name": "<name>",              // unique name for each intent
    "description": "Security intent",
    "application": "<app1>",
    "userdata1": "<>",
    "userdata2": "<>"
  },
  "spec": {
    // service account principal -> list of allowed {method: path} grants
    "serviceAccountAccess": {
      "cluster.local/ns/default/sa/sleep": [
        { "GET": "/api/v1/products" },
        { "GET": "/static" }
      ]
    }
  }
}
RETURN STATUS: 201
RETURN BODY:
{
  "name": "<name>",
  "Message": "Security Rules created"
}
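The security intents above are allow-lists keyed by service-account principal, and the AuthorizationPolicy resources listed further down are what they become on the cluster. The following added example (not the traffic controller's own code; the intent layout, the function names and the sample intent are assumptions based on the request bodies shown here) performs that translation and then evaluates a few requests against the resulting policy, which makes the deny-by-default effect of an ALLOW policy visible:

```python
"""Translate a uservice-to-uservice security intent into an Istio
AuthorizationPolicy and evaluate requests against it.

Added illustration, not the controller's implementation. The intent shape
mirrors the request bodies on this page; names below are assumptions."""
import json
import re

# Istio principal form: <trust-domain>/ns/<namespace>/sa/<service-account>
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9.-]+/ns/[a-z0-9-]+/sa/[a-z0-9-]+$")

# Constructed sample intent, same layout as "clients of inbound service 01".
SAMPLE_INTENT = {
    "metadata": {"name": "sleep-to-httpbin", "application": "httpbin"},
    "spec": {
        "serviceAccountAccess": {
            "cluster.local/ns/default/sa/sleep": [
                {"GET": "/status"},
                {"GET": "/headers"},
            ]
        }
    },
}


def validate_principals(access):
    """Reject principals that Istio could never match (typos here silently
    turn an allow rule into a rule that matches nobody)."""
    bad = [p for p in access if not PRINCIPAL_RE.match(p)]
    if bad:
        raise ValueError(f"malformed service-account principals: {bad}")


def intent_to_authz_policy(intent, app_label, namespace="default"):
    """Build an allow-list AuthorizationPolicy dict from the intent.

    One rule per source principal; each (method, path) grant becomes its own
    'to.operation' entry, so methods are never cross-joined with paths the
    intent did not grant them for."""
    access = intent["spec"]["serviceAccountAccess"]
    validate_principals(access)
    rules = []
    for principal, grants in access.items():
        operations, seen = [], set()
        for grant in grants:
            for method, path in grant.items():
                key = (method.upper(), path)
                if key in seen:          # drop duplicate grants
                    continue
                seen.add(key)
                operations.append({"operation": {"methods": [key[0]], "paths": [path]}})
        rules.append({"from": [{"source": {"principals": [principal]}}], "to": operations})
    return {
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "AuthorizationPolicy",
        "metadata": {"name": intent["metadata"]["name"], "namespace": namespace},
        "spec": {"selector": {"matchLabels": {"app": app_label}}, "rules": rules},
    }


def _path_matches(pattern, path):
    # Exact match, or prefix match when the pattern ends in '*' (e.g. "/static*").
    # Istio also supports suffix and presence wildcards; omitted here.
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def is_allowed(policy, principal, method, path):
    """Evaluate the generated ALLOW policy as Istio does for a workload that
    has at least one ALLOW policy: a request passes only if some rule matches
    both its source principal and one of its operations; anything else is
    denied, including requests from principals the intent never mentioned."""
    for rule in policy["spec"]["rules"]:
        sources = [p for f in rule["from"] for p in f["source"]["principals"]]
        if principal not in sources:
            continue
        for op in rule["to"]:
            o = op["operation"]
            if method.upper() in o["methods"] and any(_path_matches(p, path) for p in o["paths"]):
                return True
    return False


if __name__ == "__main__":
    policy = intent_to_authz_policy(SAMPLE_INTENT, app_label="httpbin")
    print(json.dumps(policy, indent=2))
    for req in [("cluster.local/ns/default/sa/sleep", "GET", "/status"),
                ("cluster.local/ns/default/sa/sleep", "POST", "/status"),
                ("cluster.local/ns/default/sa/other", "GET", "/headers")]:
        print(req, "->", "ALLOW" if is_allowed(policy, *req) else "DENY")
```

The evaluator deliberately mirrors the intent's granularity: because the intent grants GET on /status and GET on /headers, a POST to /status from the same service account is denied, as is any request from a principal that is absent from the intent.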
...
Name of the Cluster | Microservice | Istio Configuration | Comments
---|---|---|---
Cluster01 | common | serviceEntry (httpbin) |
Cluster01 | sleep | destinationRule for TLS |
Cluster01 | bookinfo-productpage | destinationRule for simple TLS, load balancing and circuit breaking; AuthorizationPolicy for access control |
Cluster02 | httpbin | destinationRule for simple TLS, load balancing and circuit breaking; AuthorizationPolicy for access control |
Cluster02 | sleep | destinationRule for TLS |
Cluster02 | bookinfo-user | destinationRule for TLS |
Cluster02 | common | serviceEntry (bookinfo-productpage) |
Cluster01 Resources
1. ServiceEntry - To enable access to httpbin
Code Block (yml, title: ServiceEntry)
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: servicename-httpbin
spec:
  hosts:
  # template for the remote service name - <servicename.namespace.global>
  - httpbin.default.global
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which httpbin.<namespace>.<logicalcloudname> will resolve;
  # must be unique for each remote service within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.2
  endpoints:
  # This is the routable address of the istio ingress gateway in cluster02;
  # traffic for the address above is routed to this address.
  - address: 172.25.55.50
    ports:
      http1: 15443   # SNI port. Do not change this
2. DestinationRule for TLS, load balancing and circuit breaking - productpage
Code Block (yml, title: DestinationRule)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: bookinfo-productpage-dr
  namespace: default
spec:
  host: "productpage.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      consistentHash:
        # httpCookie is an object in the Istio API; a bare string is rejected.
        # Istio's reference also lists ttl as required for the cookie.
        httpCookie:
          name: "user2"
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
...
Code Block (yml, title: AuthorizationPolicy)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  # ALLOW policy: once it is attached to productpage, any request that does not
  # match a rule below is denied.
  rules:
  - from:
    - source:
        principals: ["cluster.global/ns/default/sa/sleep", "cluster.global/ns/default/sa/bookinfo-user"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/static*"]
    - operation:
        methods: ["GET"]
        paths: ["/api/v1/products"]
4. DestinationRule for TLS - sleep
Code Block (yml, title: DestinationRule)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
Cluster 02 Resources
1. ServiceEntry - To enable access to bookinfo-productpage
Code Block (yml, title: ServiceEntry)
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: servicename-bookinfo-productpage
spec:
  hosts:
  # template for the remote service name - <servicename.namespace.global>
  - productpage.default.global
  # Treat remote cluster services as part of the service mesh
  # as all clusters in the service mesh share the same root of trust.
  location: MESH_INTERNAL
  ports:
  - name: http1
    number: 8000
    protocol: http
  resolution: DNS
  addresses:
  # the IP address to which productpage.<namespace>.<logicalcloudname> will resolve;
  # must be unique for each remote service within a given cluster.
  # This address need not be routable. Traffic for this IP will be captured
  # by the sidecar and routed appropriately.
  - 240.0.0.3
  endpoints:
  # This is the routable address of the istio ingress gateway of the cluster
  # hosting productpage (cluster01); traffic for the address above is routed here.
  - address: 172.25.55.210
    ports:
      http1: 15443   # SNI port. Do not change this
2. DestinationRule for simple TLS, load balancing and circuit breaking - httpbin
Code Block (yml, title: DestinationRule)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin-dr
  namespace: default
spec:
  host: "httpbin.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
    loadBalancer:
      consistentHash:
        # httpCookie is an object in the Istio API; a bare string is rejected.
        # Istio's reference also lists ttl as required for the cookie.
        httpCookie:
          name: "user1"
    connectionPool:
      tcp:
        maxConnections: 10
      http:
        http2MaxRequests: 1000
        maxRequestsPerConnection: 100
    outlierDetection:
      consecutiveErrors: 7
      interval: 5m
      baseEjectionTime: 15m
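The ServiceEntry and DestinationRule resources for both clusters carry constraints that are only stated in comments: the 240.0.0.x address must be unique per remote service within a cluster, the endpoint must use the SNI port 15443, remote services must be MESH_INTERNAL for identity checks to apply, and the DestinationRule must actually request ISTIO_MUTUAL with correctly spelled field names. The added example below (illustrative code, not part of the page's tooling; the resource dicts are hand-built from the Cluster01 YAML above and the check names are assumptions) lints a cluster's resource set for those conditions:

```python
"""Lint cross-cluster ServiceEntry / DestinationRule resources for the
constraints this page states in comments. Added illustration, not the
project's own code; resources are constructed Python dicts mirroring the
Cluster01 YAML above."""

SNI_PORT = 15443  # Istio multicluster SNI gateway port; "do not change" per the page

# Constructed: Cluster01's resources as dicts (same values as the YAML above).
CLUSTER01 = [
    {"kind": "ServiceEntry", "metadata": {"name": "servicename-httpbin"},
     "spec": {"hosts": ["httpbin.default.global"], "location": "MESH_INTERNAL",
              "resolution": "DNS", "addresses": ["240.0.0.2"],
              "endpoints": [{"address": "172.25.55.50", "ports": {"http1": 15443}}]}},
    {"kind": "DestinationRule", "metadata": {"name": "bookinfo-productpage-dr"},
     "spec": {"host": "productpage.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"},
                                "loadBalancer": {"consistentHash": {"httpCookie": {"name": "user2"}}},
                                "outlierDetection": {"consecutiveErrors": 7}}}},
    {"kind": "DestinationRule", "metadata": {"name": "sleep-dr"},
     "spec": {"host": "sleep.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]


def lint_service_entry(name, spec, seen_addresses, findings):
    # Virtual addresses are captured by the sidecar; two remote services sharing
    # one address would have their traffic routed to the wrong gateway.
    for addr in spec.get("addresses", []):
        if addr in seen_addresses:
            findings.append(f"{name}: address {addr} already used by {seen_addresses[addr]}")
        seen_addresses[addr] = name
    if spec.get("location") != "MESH_INTERNAL":
        findings.append(f"{name}: remote service is not MESH_INTERNAL; "
                        "it will not be treated as part of the mesh's root of trust")
    for ep in spec.get("endpoints", []):
        for pname, pnum in ep.get("ports", {}).items():
            if pnum != SNI_PORT:
                findings.append(f"{name}: endpoint port {pname}={pnum} is not the SNI gateway port {SNI_PORT}")


def lint_destination_rule(name, spec, findings):
    tp = spec.get("trafficPolicy", {})
    mode = tp.get("tls", {}).get("mode")
    if mode != "ISTIO_MUTUAL":
        findings.append(f"{name}: tls.mode is {mode!r}, expected ISTIO_MUTUAL")
    if "loadbalancer" in tp:
        # Wrong case: the DestinationRule field is loadBalancer.
        findings.append(f"{name}: 'loadbalancer' is not a DestinationRule field; the key is loadBalancer")
    cookie = tp.get("loadBalancer", {}).get("consistentHash", {}).get("httpCookie")
    if isinstance(cookie, str):
        findings.append(f"{name}: consistentHash.httpCookie must be an object with a 'name', not a string")


def lint_cluster(resources):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, seen_addresses = [], {}
    for r in resources:
        name, spec = r["metadata"]["name"], r["spec"]
        if r["kind"] == "ServiceEntry":
            lint_service_entry(name, spec, seen_addresses, findings)
        elif r["kind"] == "DestinationRule":
            lint_destination_rule(name, spec, findings)
    return findings


if __name__ == "__main__":
    for line in lint_cluster(CLUSTER01) or ["no findings"]:
        print(line)
```

Run it against the Cluster02 set the same way; the address table is per cluster, so a second cluster reusing 240.0.0.2 for a different service is fine, but two ServiceEntries in the same cluster sharing an address are flagged.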
...
Code Block (yml, title: AuthorizationPolicy)
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  selector:
    matchLabels:
      app: httpbin
  # ALLOW policy: once it is attached to httpbin, any request that does not
  # match a rule below is denied.
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/status*"]
    - operation:
        methods: ["POST"]
        paths: ["/headers"]
3. DestinationRule for TLS - sleep
Code Block (yml, title: DestinationRule)
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: sleep-dr
  namespace: default
spec:
  host: "sleep.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL