Authorization for TCP Services

6 minute read

This task covers the activities you might need to perform to set up Istio authorization, also known as Istio Role Based Access Control (RBAC), for TCP services in an Istio mesh. You can learn more about the Istio authorization in the authorization concept page.

Before you begin

The activities in this task assume that you:

Read the authorization concept.
Follow the instructions in the quick start to install Istio on Kubernetes with authentication enabled.
Enable mutual TLS authentication when running the installation steps.

The commands used in this task assume the Bookinfo example application is deployed in the default namespace. To specify a namespace other than the default namespace, use the -n option in the command.

Installing and configuring a TCP service

By default, the Bookinfo example application only includes HTTP services. To show how Istio handles the authorization of TCP services, we must update the application to use a TCP service. Follow this procedure to deploy the Bookinfo example app and update its ratings service to the v2 version, which talks to a MongoDB backend using TCP.

Prerequisites

Deploy the Bookinfo sample application.

After deploying the Bookinfo application, go to the Bookinfo product page at http://$GATEWAY_URL/productpage. On the product page, you can see:

The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
The Book Reviews section on the lower right of the page.

When you refresh the page, the app shows different versions of reviews in the product page. The app presents the reviews in a round robin style: red stars, black stars, or no stars.

Installing a service using a service account

Install v2 of the ratings service with service account bookinfo-ratings-v2:
Istio cryptographically authenticates service accounts in the mesh. To give different services different access privileges, we must create a v2 version of the ratings service using the bookinfo-ratings-v2 service account. Other services use the default service account.
- To create the service account and configure the new version of the service for a cluster with automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@
```
- To create the service account and configure the new version of the service for a cluster without automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@)
```

Configure the application to use the new version of the service

The Bookinfo application can use multiple versions of each service. Istio requires you to define a service subset for each version. You must also define the load balancing policy for each subset. To define the subsets and their load balancing policies, you must create appropriate destination rules.

Create the appropriate destination rules:
Zip
```
$ kubectl apply -f @samples/bookinfo/networking/destination-rule-all-mtls.yaml@
```
Since the subset referenced in the virtual service rules relies on the destination rules, wait a few seconds for the destination rules to propagate before adding the virtual service rules.
After the destination rules propagate, update the reviews service to only use the v2 of the ratings service:
Zip
```
$ kubectl apply -f @samples/bookinfo/networking/virtual-service-ratings-db.yaml@
```
Go to the Bookinfo product page at (http://$GATEWAY_URL/productpage).
On the product page, you can see an error message on the Book Reviews section. The message reads: “Ratings service is currently unavailable.”. The message appears because we switched to use the v2 subset of the ratings service without deploying the MongoDB service.
Deploy the MongoDB service:
- To deploy MongoDB in a cluster with automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@
```
- To deploy MongoDB in a cluster without automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-db.yaml@)
```
Go to the Bookinfo product page at http://$GATEWAY_URL/productpage.
Verify that the Book Reviews section shows the reviews.

Enabling Istio authorization

Run the following command to enable Istio authorization for the MongoDB service:

$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@

Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:

The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
The Book Reviews section on the lower right of the page includes an error message “Ratings service is currently unavailable”.

This is because Istio authorization is “deny by default”, which means that you need to explicitly define access control policies to grant access to the MongoDB service.

Enforcing Service-level access control

Now let’s set up service-level access control using Istio authorization to allow v2 of ratings to access the MongoDB service.

Run the following command to apply the authorization policy:
Zip
```
$ kubectl apply -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@
```
The step above does the following:
- Creates a service role “mongodb-viewer” which allows access to the port 27017 of the MongoDB service.
```
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: mongodb-viewer
  namespace: default
spec:
  rules:
  - services: ["mongodb.default.svc.cluster.local"]
    constraints:
    - key: "destination.port"
      values: ["27017"]
```
- Creates a service role binding bind-mongodb-viewer which assigns the “mongodb-viewer” role to “bookinfo-ratings-v2”.
```
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-mongodb-viewer
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/bookinfo-ratings-v2"
  roleRef:
    kind: ServiceRole
    name: "mongodb-viewer"
```
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:
- The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
- The Book Reviews section on the lower right of the page includes red stars.
There may be some delays due to caching and other propagation overhead.
To confirm the MongoDB service can only be accessed by service account bookinfo-ratings-v2:
Run the following command to delete the ratings deployment with service account bookinfo-ratings-v2:
Zip
```
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/ratings-v2-add-serviceaccount.yaml@
```
Run the following command to deploy the ratings deployment with service account default:
- To deploy in a cluster with automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@
```
- To deploy in a cluster without automatic sidecar injection enabled:
  Zip
```
$ kubectl apply -f <(istioctl kube-inject -f @samples/bookinfo/platform/kube/bookinfo-ratings-v2.yaml@)
```
Point your browser at the Bookinfo productpage (http://$GATEWAY_URL/productpage). You should see:
- The Book Details section on the lower left of the page includes book type, number of pages, publisher, etc.
- The Book Reviews section on the lower right of the page includes an error message “Ratings service is currently unavailable”.
There may be some delays due to caching and other propagation overhead.

Cleanup

Remove Istio authorization policy configuration:
Zip
```
$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/mongodb-policy.yaml@
```
Alternatively, you can delete all service role and service role binding resources by running the following commands:
```
$ kubectl delete servicerole --all
$ kubectl delete servicerolebinding --all
```

Disable Istio authorization:

$ kubectl delete -f @samples/bookinfo/platform/kube/rbac/rbac-config-on-mongodb.yaml@