Table of Contents
...
Important Info - cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.
Add Inbound service1 01
POST - traffic intent for the inbound service (service hosted behind the cluster)
...
Add Security details for clients of inbound service 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/status"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/headers"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...
Add Security details for client 01
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/sleep/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/static"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/api/v1/products"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...
Add Security details for client 02
WARNING - This task requires mutual TLS enabled because the following examples use principal and namespace in the policies
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
URL: /v2/projects/{project-name}/composite-apps/{composite-app-name}/{version}/traffic-group-intent/uservice-to-uservice-intent/clients/bookinfo-user/security/security-intent
{
"metadata": {
"name": "<name>" // unique name for each intent
"description": "Security intent"
"application": "<app1>",
"userdata1": <>,
"userdata2": <>
}
spec:{
serviceAccountAccess : {[ "cluster.local/ns/default/sa/sleep": ["GET": "/api/v1/products"],
"cluster.local/ns/default/sa/sleep" : ["GET": "/static"]}
}
}
RETURN STATUS: 201
RETURN BODY:
{
"name": "<name>"
"Message": "Security Rules created"
}
|
...
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: httpbin-dr
namespace: default
spec:
host: "httpbin.default.svc.cluster.local"
trafficPolicy:
tls:
mode: SIMPLE
loadbalancer:
consistentHash:
httpCookie: "user1"
connectionPool:
tcp:
maxConnections: 10
http:
http2MaxRequests: 1000
maxRequestsPerConnection: 100
outlierDetection:
consecutiveErrors: 7
interval: 5m
baseEjectionTime: 15m
|
...
3. AuthorizationPolicy (httpbin)
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: deny-all
namespace: default
spec:
selector:
matchLabels:
app: httpbin
rules:
- from:
- source:
principals: ["cluster.local/ns/default/sa/sleep"]
to:
- operation:
methods: ["GET"]
paths: ["/status*"]
- operation:
methods: ["POST"]
paths: ["/headers"]
|
...