Documented the example

This commit is contained in:
savagebidoof 2023-04-28 04:11:49 +02:00
parent 828c3beb11
commit a5c1039583
2 changed files with 94 additions and 190 deletions

View File

@ -20,7 +20,7 @@ Through this, we can apply multiple `mTLS` behaviors under a single deployment,
## Gateway
Listens for `HTTP` traffic without limiting any host.
Listens for `HTTP` traffic without limiting to any host.
```yaml
apiVersion: networking.istio.io/v1alpha3
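Review bot: "without limiting to any host" still reads awkwardly in the new line; say what the Gateway does, e.g. "Listens for `HTTP` traffic on port 80 for any host (no restriction in the Gateway `hosts` entry)". Since the unrestricted host match is deliberate for the demo, one sentence noting that a production Gateway should pin `hosts` to the names it actually serves would make the trade-off explicit rather than implied.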
@ -43,15 +43,10 @@ spec:
Without limiting to any host, listens for traffic at port 80, and only has a very specific URL paths available to match.
- /http-mTLS
- /https-mTLS
- /http-no-mTLS
- /https-no-mTLS
The path `/http` will be routed to the `HTTP` service set in our backend.
Depending on the path used, the traffic will be distributed between 2 subsets from the same service:
The path `/http` will be routed to the `HTTPS` service set in our backend.
- mtls
- nomtls
```yaml
apiVersion: networking.istio.io/v1alpha3
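Review bot: the second added sentence says `/http` is routed to the `HTTPS` service, but the VirtualService below matches `exact: "/https"` for the route to port 8443; it should read "The path `/https` will be routed to the `HTTPS` service set in our backend." The unchanged lead-in also needs "only has very specific URL paths" (drop the "a"), and now that the bullet list is gone it is the natural place to name both paths in one sentence.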
@ -68,64 +63,31 @@ spec:
match:
- port: 80
uri:
exact: "/http-mTLS"
exact: "/http"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
subset: mtls
rewrite:
uri: "/"
- name: https-mTLS
match:
- port: 80
uri:
exact: "/https-mTLS"
exact: "/https"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
subset: mtls
rewrite:
uri: "/"
- name: http-no-mTLS
match:
- port: 80
uri:
exact: "/http-no-mTLS"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8080
subset: nomtls
rewrite:
uri: "/"
- name: https-no-mTLS
match:
- port: 80
uri:
exact: "/https-no-mTLS"
route:
- destination:
host: helloworld.default.svc.cluster.local
port:
number: 8443
subset: nomtls
rewrite:
uri: "/"
```
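Review bot: the route is still named `https-mTLS` (unchanged context line) although its match is now `/https` and its `subset: mtls` line is gone; rename it (and its sibling route above, if it still carries the old `-mTLS` suffix) to `http`/`https`, so the names stop implying a per-route mTLS choice that no longer exists. Removing `subset:` from both routes is the right counterpart to dropping the DestinationRule subsets further down; `istioctl analyze` will flag any route that still references a deleted subset.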
## Destination Rule
Interfering with the service URL `helloworld.default.svc.cluster.local`, it specifies 2 subsets:
- mtls
- nomtls
Additionally, specifies that the traffic with port destination 8443, will attempt to proceed with TLS termination, as it is required to connect with an `HTTPS` backend.
Interfering with the service URL `helloworld.default.svc.cluster.local`, the traffic with port destination `8443`, will attempt to proceed with TLS termination, as it is required to connect with an `HTTPS` backend.
```yaml
apiVersion: networking.istio.io/v1alpha3
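Review bot: "Interfering with the service URL" says the wrong thing; the DestinationRule applies to the host `helloworld.default.svc.cluster.local`. "TLS termination" is also the wrong direction: the port `8443` setting makes the calling proxy originate TLS toward the HTTPS backend, which is what the rest of the sentence describes. Suggested: "Applied to the host `helloworld.default.svc.cluster.local`; for destination port `8443` the proxy originates TLS, as required to talk to an `HTTPS` backend." (also drop the comma after `8443`).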
@ -134,15 +96,6 @@ metadata:
name: helloworld.default.svc.cluster.local
spec:
host: helloworld.default.svc.cluster.local
subsets:
- name: mtls
labels:
mtls: "true"
- name: nomtls
labels:
mtls: "false"
trafficPolicy:
portLevelSettings:
- port:
@ -182,36 +135,29 @@ spec:
app: helloworld
```
## Deployments
## Deployment
There's been configured 2 deployments with the same service and settings, besides the label `mtls`, which will contain `true` or `false` based on the deployment.
This label is used for the [Destination Rule](#destination-rule) to distribute the traffic between the 2 deployments under the same service.
The deployment listen to the port `80` and `443`, hosting an `HTTP` and `HTTPS` service respectively to the aforementioned ports.
> **Note:**\
> For more information about the image used refer to [here](https://hub.docker.com/r/oriolfilter/https-nginx-demo)
### helloworld-mtls
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-mtls
name: helloworld
labels:
app: helloworld
mtls: "true"
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
mtls: "true"
template:
metadata:
labels:
app: helloworld
mtls: "true"
spec:
containers:
- name: helloworld
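Review bot: the unchanged sentence "The deployment listen to the port `80` and `443`, hosting an `HTTP` and `HTTPS` service respectively to the aforementioned ports" needs "listens on ports `80` and `443`, serving `HTTP` and `HTTPS` respectively"; with the two-deployment explanation removed above it, this is also where to say that the `mtls` label is gone and the single deployment is selected by `app: helloworld` alone. `name: helloworld` is consistent with the pod names in the captures later in the file (`helloworld-6798765f88-...`).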
@ -225,84 +171,34 @@ spec:
- containerPort: 443
```
### helloworld-nomtls
## PeerAuthentication
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: helloworld-nomtls
labels:
app: helloworld
mtls: "false"
spec:
replicas: 1
selector:
matchLabels:
app: helloworld
mtls: "false"
template:
metadata:
labels:
app: helloworld
mtls: "false"
spec:
containers:
- name: helloworld-nomtls
image: oriolfilter/https-nginx-demo
resources:
requests:
cpu: "100m"
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
- containerPort: 443
```
## PeerAuthentications
Deployed a rule that sets a "global" mTLS mode to `STRICT`, meaning that the traffic require mTLS termination in order to proceed further with the request.
Deployed 2 Peer Authentication rules, which use the `selector` field to target the deployments.
Also, at a specific port configuration, the port `443` has the mTLS mode disabled, as the deployment contains an `HTTPS` service we required to disable it in order of the request to be successful.
Both point to the same application, yet also specify the `mtls` label set in the deployments above, allowing the rules to target each deployment individually.
Through the use of the `selector.matchLabels` field, we targeted our deployment pods, limiting the target of this rule.
These rules are deployed in the `default` namespace.
### disable-mtls
This rule will disable `mTLS` for that deployment.
> **Note**:\
> In order to use the `portLevelMtls` field, the selector field is required, otherwise it won't take effect.\
> For more information regarding this behavior, refer to the [official Istio documentation regarding PeerAuthentication](https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication)
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: disable-mtls
name: helloworld-mtls
namespace: default
spec:
selector:
matchLabels:
app: helloworld
mtls: "false"
mtls:
mode: DISABLE
```
### force-mtls
This rule forces the deployment to communicate exclusively through `mTLS`, in case this rule is not endorsed, the traffic won't be allowed to proceed further.
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: force-mtls
namespace: default
spec:
selector:
matchLabels:
app: helloworld
mtls: "true"
mtls:
mode: STRICT
portLevelMtls:
443:
mode: DISABLE
```
# Walkthrough
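Review bot: the added sentences need grammar fixes: "the traffic require mTLS termination" should be "traffic to the pod must use mTLS", "in order of the request to be successful" should be "for the request to succeed", and "These rules are deployed" is now one rule. More importantly, the text should carry the caveat that `portLevelMtls: 443: mode: DISABLE` means the sidecar no longer authenticates the peer on that port: the connection is protected only by the application's own TLS, and any AuthorizationPolicy that relies on a source principal will not match requests arriving on 443. Calling the policy "global" is also misleading, since `selector.matchLabels` plus `namespace: default` make it a workload-specific policy; "workload-level" fits. The Note that `selector` is required for `portLevelMtls` to take effect is correct and worth keeping.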
@ -333,9 +229,13 @@ istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/
## Test resources and analyze behaviors
> **DISCLAIMER**:\
> For some reason, during the packet captures, I required to execute the curl 2 times in order for the output to be updated.\
> During the tests, feel free to perform the curl twice in a row.
[//]: # (> **DISCLAIMER**:\)
[//]: # (> For some reason, during the packet captures, I required to execute the curl 2 times in order for the output to be updated.\)
[//]: # (> During the tests, feel free to perform the curl twice in a row.)
### HTTP
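Review bot: commenting the disclaimer out with `[//]: #` keeps it in the source while hiding it from readers; either delete it or keep it visible with the cause fixed. The "curl twice before output appears" symptom is what tcpdump's stdout buffering looks like when piped through `kubectl exec`; adding `-l` (line-buffered output) to the tcpdump commands below avoids it.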
@ -344,7 +244,7 @@ istio-ingressgateway LoadBalancer 10.97.47.216 192.168.1.50 15021:31316/
Start the packet capture and proceed with another shell or browser to send traffic requests to the right destination.
```shell
PORT=80 && MTLS="false" && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -l mtls=${MTLS} -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
PORT=80 && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
```
```text
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
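Review bot: `-o jsonpath={.items..metadata.name}` returns every matching pod name space-separated, so the command breaks as soon as `replicas` is above 1 or an old pod is still terminating; `-o jsonpath='{.items[0].metadata.name}'` (quoted, since the braces are special in some shells) is safer, and dropping the `MTLS` label filter is correct now that the label is gone.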
@ -356,7 +256,7 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
Nothing to higlight so far, we can access the service.
```shell
curl 192.168.1.50/http-no-mTLS
curl 192.168.1.50/http
```
```text
<h2>Howdy</h2>
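Review bot: typo in the unchanged line above the command: "Nothing to higlight" should be "Nothing to highlight".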
@ -364,29 +264,37 @@ curl 192.168.1.50/http-no-mTLS
##### Reviewing pcap output
Due to having the mTLS disabled, the traffic is not encrypted, and for such we can see its context in plain text.
This scenario should be avoided unless it is required due the application being used, as mTLS allows an extra layer of security.
As we can observe, the traffic is encrypted, proving that the mTLS is taking effect terminating the connection with the `HTTP` backend.
```text
04:25:47.757900 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.60966 > helloworld-nomtls-66d8499c5c-298vw.http: Flags [P.], seq 3134140617:3134142280, ack 2649160847, win 501, options [nop,nop,TS val 1425864700 ecr 2534833629], length 1663: HTTP: GET / HTTP/1.1
E....t@.?.....yX..yx.&.P..0.........Q......
T.....}.GET / HTTP/1.1
host: 192.168.1.50
user-agent: curl/8.0.1
accept: */*
x-forwarded-for: 192.168.1.10
x-forwarded-proto: http
x-envoy-internal: true
x-request-id: 65b60be7-da98-48f3-9ed6-13112cdd14f0
x-envoy-decorator-operation: helloworld.default.svc.cluster.local:8080/http-no-mTLS
x-envoy-peer-metadata: 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
x-envoy-peer-metadata-id: router~172.17.121.88~istio-ingressgateway-864db96c47-f6lqd.istio-system~istio-system.svc.cluster.local
x-envoy-attempt-count: 1
x-envoy-original-path: /http-no-mTLS
x-b3-traceid: 36e7d48757f2ce26eaa6e1959f3b1221
x-b3-spanid: eaa6e1959f3b1221
x-b3-sampled: 0
02:00:10.511593 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [S], seq 3999274711, win 64800, options [mss 1440,sackOK,TS val 2646430461 ecr 0,nop,wscale 7], length 0
E..<..@.>..I..yX...=.|.P.`......... .z.........
..R.........
02:00:10.512773 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [.], ack 134781521, win 507, options [nop,nop,TS val 2646430462 ecr 2887117842], length 0
E..4..@.>..P..yX...=.|.P.`.....Q...........
..R.....
02:00:10.512988 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 0:517, ack 1, win 507, options [nop,nop,TS val 2646430462 ecr 2887117842], length 517: HTTP
E..9..@.>..J..yX...=.|.P.`.....Q...........
..R.................a7.i..v{
.Nr.0.Yex..C7..k.6...d .......z._ikW3.C.H.....5..Yk.&.c.........+.../...,.0.......;.9..6outbound_.8080_._.helloworld.default.svc.cluster.local..........
...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... .....M4...^9V........d_..+J."..Z.-.....+.......................................................................................................................................................................................................................
02:00:10.530088 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [.], ack 2164, win 499, options [nop,nop,TS val 2646430479 ecr 2887117859], length 0
E..4..@.>..N..yX...=.|.P.`...........3.....
..S....#
02:00:10.551166 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 517:2501, ack 2164, win 501, options [nop,nop,TS val 2646430500 ecr 2887117859], length 1984: HTTP
E.....@.>.....yX...=.|.P.`.................
..S$...#...........D.W_....+..v{..Q.3....^..m~..aU.+~t..%b....O.X|.).....=.w.z...'....`.2._...7.N..9.y..V.y.&..*vBx..z)B.g.D...1...x....V.J.*!....5.......#.......9.....V.Y..kes.&:+..j;.X5C.I...h+.SO0V....A..b,?.d.@YOy.`x.......o.EcTf}n.0....!N..Qh?.uK#?.Nx..q.&..9|?.)".qpg.]..O2.;O.x...J...$0.......I......1.X2.......2..=.UG.h'pA.CKX........
. . 7W.v...q..?IW.M:..'d....!2..Y......I.P..).Y..~..>.:k..y..Z?....w.D.Y<s. 3tg.wv...(.8.'.Nd..T...U...\.L.rM9..v........b...d..3...`..2....*. ...Qh...5.J
]. G...3..s..9.4....M..J..s..u.n..j....@.;.8.-LZD#t...z.;..2..M+.2.#.......E.....F.+.u.1.... l4..`......@..{......[.{
%[.R.e.v........@V....1...f*O$..V
pu........Zl...@.%......b..................}.J.....H...h?@[...T>..M.B.MXH.HDa...(.].B......k...{..c&.0...S3..]..2.a\.......?.#..........]3...~...Q|w...l."Z;.4..!.1..,X.>YE..3Yw..9.....#|.....[`...qq..@v.m..1.|V.j$t.C..&.Ww...5e....?.|Q."..obR.a...^...D8;...=.1.....S[.90...ss....-.@..q.JI........$.8..)skW.....G....3:.qb..#/....#...'/n.~F...(Y[.k..EEz}...cgR..6...P..)'.X..e..z....Tv0>....l.t.O=D.vc..}.a.ct.....E/.*..]-`.....O.hY..j..u...."(QZ.^.......f.1.LZ.O.L.9}..m.1_sC....x.*`D..ny.......):.V.."n..t.0....T.S..u[._v%...q`._.....W.w_.q...........O.:J.....[S.a$...l.[. ..cP..zF..~..+..|.....l.. [.l.."/
.....D6f....9:..i............N........o.....;...%v.0@...n^..."OSN.o*.:ap.C#C.Hc..r..MD.
.-..2....
..`...."..I...Wh9.L...r:.4M...b+q
...8f...*.^.K.k.?7:.\..O... ..cD.<t.%$.U..^(..............J.Y..0.[..Z..g.Ok..6/.{.-zjY.K2.Z...)\..RH..*i...=d..z....Dk.n7.0S.).6..D!Y... 2.DnP.9...Gz.:)..D.1.......*...(+...+G)...e.......].qi..eFO..h[.`..4..uk..%..U.........F.......-X.)g..w.=..Q/.f...?+.[\..9.......UW.]..y...e.....ENDG....M.K......~.-.'.....&.-7...k...M..y.8..&.yq.m...`.E...X..67}..L.........Y,F.iS...X.f..Fa.l.'.u.&.x.....2...c.....aw
......}..~.!....pj....m
....5.V......o....{U..M.......q.%.E..$j......Fo.|m......pR...r...v.P<V.!....;.... ...r....&....D...,{.U...?,F..(........y}..G......sfFE....9o...q>.c........jM....;......k....
02:00:10.551752 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.54396 > helloworld-6798765f88-76r6c.http: Flags [P.], seq 2501:4170, ack 2164, wi
```
#### HTTPS
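Review bot: the added sentence "proving that the mTLS is taking effect terminating the connection with the `HTTP` backend" overstates what the dump shows and misplaces the termination: the capture is taken on the pod's eth0, so the encrypted stream is gateway-to-sidecar, and the sidecar (not the backend) terminates mTLS before forwarding plaintext to nginx on localhost. The evidence that this is Istio mTLS rather than arbitrary TLS is in the readable ClientHello fragments of the new capture: the SNI `outbound_.8080_._.helloworld.default.svc.cluster.local` and the ALPN list `istio-http/1.1`, `istio`, `http/1.1`; point the reader at those two strings instead of the pages of ciphertext. Also, `#### HTTPS` on the last line is one level deeper than the `### HTTP` heading it parallels.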
@ -394,7 +302,7 @@ x-b3-sampled: 0
##### Start the packet capture for the port 443
```shell
PORT=443 && MTLS="false" && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -l mtls=${MTLS} -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
PORT=443 && kubectl exec -n default "$(kubectl get pod -n default -l app=helloworld -o jsonpath={.items..metadata.name})" -c istio-proxy -- sudo tcpdump dst port ${PORT} -A
```
```text
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
@ -404,10 +312,10 @@ listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
##### Curl
So good so far.
Even tho, we have set in the [PeerAuthentication configuration](#peerauthentication) mode to `STRICT`, unlike in the [previous example](../01-disable-mTLS/#https-1), where the mode was also set to `STRICT`, in this example we configured the `portLevelMtls` field for the port `443`, successfully disabling `mTLS` for this port, and allowing to proceed with the request towards the `HTTPS` backend; which was performed without the need of disabling `mTLS` for the whole deployment.
```shell
curl 192.168.1.50/https-no-mTLS
curl 192.168.1.50/https
```
```text
<h2>Howdy</h2>
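Review bot: "So good so far." should be "So far so good.", and the added sentence needs "Even though" and a split, e.g. "We set the PeerAuthentication mode to `STRICT`, as in the previous example. The difference is `portLevelMtls` for port `443`, which disables mTLS on that port only, so the request reaches the `HTTPS` backend without turning mTLS off for the whole workload." "Workload" is the better word than "deployment", since PeerAuthentication selects pods by label.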
@ -422,34 +330,38 @@ For such, the traffic captured is encrypted, even tho we displayed the `mTLS` co
Yet, there are still a couple readable lines, where we can see that the request was initialized by the host `stio-ingressgateway.istio-system.svc.cluster.local`, through the egress port `39884`, using as destination `helloworld-nomtls-66d8499c5c-298vw`, and the port defined with name `https`, which, if we reviewed the configuration from the [Service](#service), we would observe that it was the port `8443`.
```text
k 496, win 505, options [nop,nop,TS val 1425943341 ecr 2534945802], length 0
E..4..@.?.....yX..yx.......;........K......
T.+-..4
04:27:06.400101 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.39884 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 809, win 503, options [nop,nop,TS val 1425943342 ecr 2534945803], length 0
E..4..@.?.....yX..yx.......;........K......
T.+...4.
04:27:13.439290 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.39826 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [P.], seq 1997:3684, ack 2200, win 501, options [nop,nop,TS val 1425950381 ecr 2534942622], length 1687
E.....@.?..+..yX..yx....pI.+,U+.....Q......
T.F...'......,.SuD..a....`..]....j..v[tF$y.<......&..m.E.p.Y.-....w..V..T.....g..a~$.Q'.c#......qj..8.|......M.J.....\".>...R...M..k|..f^,.....E.....+.Y.6..].u.g<r...0.eE...QSM 0Q...05......y......h6fbW.HdFp....../..(F\.U.pSn...2 .-.X/.8...P....~4anH.h....e....../.3@(....x...{.4.j@[.....P.6.......%.M.EGo.Q~@.
Z............/$..@....&.8..... f...ip.z]....p..}.....f.=......'......Koz.3..d.@..;....)}...>.m....Z..~o.IL.......D.]h.G.... .....F/..V......}.v.^N.P.C.G.......1..T.....w....?..]:........D...;q?...W..cI.).O......3..X14P..B.).',.N...B.../q..)\.. GW.".... .`.....[9.IS......1y.J]...d..}...B.n...C.........e6..B..[w.\.3.l.HU....5%......p.irW.@s..!1\u./.~..[.g..W.........'W..,m};._../S2\..c.9..8..rg"f..35a.A.;..T....>`..Zv.L.8....hZ".*r...0..*.%K.?.. .P]DKve/E.J.....\....t.e.9#-..3.$).....Q.Z.....m].". q. *.OW...f.=l...K.o:.D.......+.a..h?{h.?..T.....7\N.....M.`..Ob1`.....3d.aq..0...q.r.*j....KE./.O...T%..r.......'..9.W1J^^TU8.$...Y."~..~ZH.......G..?......Q4..=|.{.d/..^_....`.pjJ+p.........R."..Y-.`1....{....k...]ib.+m.....6..k...U.P.T........wU...}......`.z..#..[1.@9.z+R.3pAW).......m...Px4..9^ X..ux.EVO.o.%./+.....|4..!s......g.1...9%.... B.....{.6..].-?.../..n..y...2..sLc..|x.
,.t..'...7.............|...........?..&}........@...=.|#.+...........u.3....m.X..... QrW?............u`-k....Q.o^{........$..h.....R.#...k...o.7~.*.tE.C...I<"......k..czN.DJ.y...R.....hx.he.r}0.82....6.J...)..3.f.G=Ky|f.L.).=.hlN!..D..J..g.V.?.......#...fQ..d.......9.9.-....j..O...Pd..E.da/..b} .}.Qx.......I..[+....>.5....p.9....K2M s(.a..K6.]..m.?...%..</.S.9......[.P./.1.I. ...k.'.`V........^O.....q.. <...H..=mZZ...........@.VR..x.....U..t....s!.......M.m.........u...:.....V.1X...2.T..~...
04:27:13.440468 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.39826 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 2513, win 501, options [nop,nop,TS val 1425950382 ecr 2534952843], length 0
E..4..@.?.....yX..yx....pI..,U,.....K......
T.F...O.
04:27:20.932653 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [S], seq 3645561416, win 64800, options [mss 1440,sackOK,TS val 1425957874 ecr 0,nop,wscale 7], length 0
E..<..@.?.f>..yX..yx.....J.H....... K".........
T.c.........
04:27:20.933038 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [.], ack 840930767, win 507, options [nop,nop,TS val 1425957875 ecr 2534960336], length 0
E..4..@.?.fE..yX..yx.....J.I2.......K......
T.c...l.
04:27:20.933916 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.40126 > helloworld-nomtls-66d8499c5c-298vw.https: Flags [P.], seq 0:517, ack 1, win 507, options [nop,nop,TS val 1425957876 ecr 2534960336], length 517
E..9..@.?.d?..yX..yx.....J.I2.......M......
T.c...l..............#.."H..\..\A*...5.../m.....wV. ;.......>..`..k.t.b.O.U
e(?.X...........+.../...,.0..............
...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... J7.y.............
..<.Ma.v}.*3LI.-.....+........................)......./.....`.............3.. .[....N.,......i.9;.9V9A..1..J.......W.....o.%.%.<uep.Z"X...6...;|.........f.5AyieJ...+..q...T......x....jO.T$.D!x.pe.....D,.P1.. .a..t..r.x#.J.z...y.q...i:....43..3[/;..P0..\*>#ev..f.....! ........FHc..r...6...e.'J.&..T.p
04:27:20.937464 IP 172-17-1
02:02:41.616839 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [S], seq 1052122243, win 64800, options [mss 1440,sackOK,TS val 2646581565 ecr 0,nop,wscale 7], length 0
E..<.y@.>.....yX...=....>.......... ...........
...=........
02:02:41.618256 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1254443190, win 507, options [nop,nop,TS val 2646581567 ecr 2887268947], length 0
E..4.z@.>.....yX...=....>...J.H............
...?..:S
02:02:41.618902 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 0:246, ack 1, win 507, options [nop,nop,TS val 2646581568 ecr 2887268947], length 246
E..*.{@.>.....yX...=....>...J.H.....T......
...@..:S............
.B.L(....I....`O.#.$-..f..y.'. :.&.....1oX.i.J.W.CD.-.l.|...y...........+.../...,.0..............
...............#..... ...istio-http/1.1.istio.http/1.1.........................3.&.$... .vw..q|H[6.HQp.zn[. m...M0yL..]g.-.....+.......
02:02:41.637813 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1377, win 501, options [nop,nop,TS val 2646581587 ecr 2887268967], length 0
E..4.|@.>.....yX...=....>..zJ.N......4.....
...S..:g
02:02:41.641084 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 246:310, ack 1377, win 501, options [nop,nop,TS val 2646581590 ecr 2887268967], length 64
E..t.}@.>..M..yX...=....>..zJ.N............
...V..:g..........5D\..yfI.....]iyu.:........m!Ev.....*..-..`.'*.......g
02:02:41.642627 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1632, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 0
E..4.~@.>.....yX...=....>...J.O............
...X..:l
02:02:41.642884 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [.], ack 1887, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 0
E..4..@.>.....yX...=....>...J.P............
...X..:l
02:02:41.643146 IP 172-17-121-88.istio-ingressgateway.istio-system.svc.cluster.local.58752 > helloworld-6798765f88-76r6c.https: Flags [P.], seq 310:1981, ack 1887, win 501, options [nop,nop,TS val 2646581592 ecr 2887268972], length 1671
E.....@.>.....yX...=....>...J.P......f.....
...X..:l...............*t\o.....z^=.=\....cq..../.9eKL..`.C....."....q{...*..0;^n7.o:,...a..-.W8:.1..c........Z..b.......i...4....B.. .-2...+3$i.!.......7..._.T..G`...Ar.D.a.....U..^....^.Q.h.._.p.H..9.*O.5)-T_....7}8.>."...j..)e.^..-.'.L....Y9.6d...Z...<.....hygo.z\H.11...q{.*T....V.>K.9\HJ...7.....m.r:.(...s.'5|_...F..X&..>#(..]...H.6.V....(.4z..3,...e.P.r..H..A<a*:&..".7)......$.kv...y.....;....#.b.3.8....dVQ....]*Nk{.....T...o. .../...o5......=.!_..:....L.......S.J..u)\.*....$...I..-...!...kAK%.s.t.*.<.j.......w.z.'.7t....K-:.....:.?....GmA$.j.....@D...q.wE]..').........J.'....
..).p.[..._..6.'Dg.h..,(8:...%_.%....ES_.g.O.Q{.*...=..6{.Tx_.[..d.g...?# .Yk./..Zl.hX.....T....R...z.Y..A/.,......p<G..L'.FN.....O.n...Fz.7Tl}.%0`....].;<.-.$S..#...r.7..7b.0v.>.[...[....S.YNp......C..LN.....z.r.....6.J..".H...%=T.f.O...84........(..r@O#.3C...9.G..m.D.J...a.w....).GuC?.,.].9a..4...1....MoG8l..u..hV.h.6....Z`....+..9.aAW.]..,_7.@...y..._{.....buwy).q.\L.L....E2..~....',.J............Z.._...G......4,....o.w2
...`....qp.. .g..iP.Vdw...W9.B...q..<...F...j..-G.!\..3r+\.T....{d$....Ys..4.J....D.["..-
(E.l..H7.iw.....?....?p..cI#qu...mK.T...qp.[g..%.2...|....7O...u.K..........?....s.......J.#%...;._.....>..Z......7DA...P.fg.......N..Oz..+....3........y..+...r..*.....[...xT...J...}..n...n...V ..P...<..y..U.^.....90.......4..'..p.E..F2.....~.GBG.....@v<....;m dd..z~..>\..T$.i..Da...M.!xR......x6.h...l...m.I.Zl ..t
.g..c..w...EEtq.s.......8...x.E.|..%e..n..b.FA'..w..
..
.H.d... ...H>K.......O..#'.`....q..0.K>...".c.~.\.......N..$.
```
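Review bot: the unchanged sentence above the capture still describes the old dump (host `stio-ingressgateway...`, a typo for `istio-ingressgateway`, source port `39884`, pod `helloworld-nomtls-66d8499c5c-298vw`), while the added capture shows pod `helloworld-6798765f88-76r6c` and source port `58752`; update it to match, or drop the specific port and pod and say "the gateway's pod, an ephemeral source port, and the pod's `https` port". It would also help to state which TLS this is: with mTLS disabled on 443, the dump shows the TLS session the gateway originates toward the application under the DestinationRule's 8443 setting, which the sidecar passes through to nginx, not mesh mTLS.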
@ -468,13 +380,6 @@ virtualservice.networking.istio.io "helloworld-vs" deleted
destinationrule.networking.istio.io "helloworld.default.svc.cluster.local" deleted
```
# Links of Interest
- https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication-MutualTLS-Mode
- https://istio.io/latest/docs/tasks/security/authentication/mtls-migration/
- https://istio.io/latest/docs/concepts/security/#mutual-tls-authentication
- https://istio.io/latest/docs/reference/config/security/peer_authentication/
- https://istio.io/latest/docs/reference/config/security/peer_authentication/#PeerAuthentication

View File

@ -7,7 +7,6 @@ spec:
selector:
matchLabels:
app: helloworld
mtls: "false"
mtls:
mode: STRICT
portLevelMtls:
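Review bot: dropping `mtls: "false"` from the selector makes this policy cover every `app: helloworld` pod, which matches the single-deployment README; but per the header the commit touches only this file and the README, so the Deployment, VirtualService and DestinationRule edits shown in the README (deployment `helloworld` without the `mtls` label, routes without `subset:`, a DestinationRule without subsets, removal of `helloworld-nomtls`) have no counterpart in the manifests. Until those files are updated, a reader following the README sees different objects than `kubectl apply` creates.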