How to enable automatic mTLS using istio mesh in AWS EKS?
I recently started learning and implementing istio in an AWS EKS cluster. To configure TLS for the ingress gateway I followed this guide, which simply asks you to add the AWS ACM ARN id as an annotation on the istio-ingressgateway. So I neither had to create a secret with the certificate nor use envoyproxy's SDS.
This setup terminates TLS at the gateway, but I also want to enable mTLS inside the mesh to secure service-to-service communication. Following their documentation, I created this policy to enforce mTLS within the namespace:
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: xyz-mtls-policy
  namespace: xyz-dev
spec:
  mtls:
    mode: STRICT
But even after applying this, I see one service is able to call another service using http.
So my question is: how do I enforce mTLS in my namespace using the ACM certificate?
I would say it works fine if you call it from inside the mesh; take a look here and here.
Mutual TLS in Istio
Istio offers mutual TLS as a solution for service-to-service authentication.
Istio uses the sidecar pattern, meaning that each application container has a sidecar Envoy proxy container running beside it in the same pod.
When a service receives or sends network traffic, the traffic always goes through the Envoy proxies first.
When mTLS is enabled between two services, the client side and server side Envoy proxies verify each other’s identities before sending requests.
If the verification is successful, then the client-side proxy encrypts the traffic, and sends it to the server-side proxy.
The server-side proxy decrypts the traffic and forwards it locally to the actual destination service.
I am on istio 1.6.8; I think it enables mTLS by default.
Yes, it's enabled by default since istio 1.5. There are docs about that:
Automatic mutual TLS is now enabled by default. Traffic between sidecars is automatically configured as mutual TLS. You can disable this explicitly if you worry about the encryption overhead by adding the option --set values.global.mtls.auto=false during install. For more details, refer to automatic mutual TLS.
Is there any clear process to prove that it is indeed using mTLS?
I would say there are 3 ways:
- Test pods
You can change it from strict to permissive and call it from outside the mesh; it should work. Then change it back to strict and call it again; it should not work. In both cases you should be able to call it from a pod inside the mesh.
- Kiali
If you want to see it visually, kiali should show something like a padlock when mtls is enabled; there's a github issue about that.
- Prometheus
As already mentioned in banzaicloud, which you mentioned in the comments, you can look at the Connection Security Policy metric label. Istio sets this label to mutual_tls if the request has actually been encrypted.
Let me know if you have any questions.
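The Prometheus check above can be scripted: the snippet below is an added example (not from the original answer, and not Istio's own tooling) that parses `istio_requests_total` samples in Prometheus exposition format and reports every source/destination pair whose `connection_security_policy` label is something other than `mutual_tls`. The metric lines are constructed for the example; the workload names and counts are made up. It only looks at samples with `reporter="destination"`, because the label is populated from the server-side sidecar and source-reported samples always carry `unknown`.

```python
"""Flag Istio request flows that are not reported as mutual TLS.

Parses istio_requests_total samples (Prometheus exposition format) and
aggregates them by (source_workload, destination_workload,
connection_security_policy). Any flow reported by the destination sidecar
with a policy other than "mutual_tls" arrived in plaintext.
"""
import re
from collections import defaultdict

# Constructed sample metrics; label set trimmed to what this check needs.
SAMPLE_METRICS = """\
# HELP istio_requests_total requests total
# TYPE istio_requests_total counter
istio_requests_total{reporter="destination",source_workload="frontend",destination_workload="orders",connection_security_policy="mutual_tls",response_code="200"} 1532
istio_requests_total{reporter="destination",source_workload="frontend",destination_workload="orders",connection_security_policy="mutual_tls",response_code="503"} 4
istio_requests_total{reporter="destination",source_workload="legacy-cron",destination_workload="orders",connection_security_policy="none",response_code="200"} 87
istio_requests_total{reporter="source",source_workload="frontend",destination_workload="payments",connection_security_policy="unknown",response_code="200"} 12
"""

# One sample line: name{labels} value [timestamp]
SAMPLE_RE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)\{(?P<labels>[^}]*)\}\s+(?P<value>\S+)'
)
# key="value" pairs inside the braces (value may contain escaped quotes)
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_samples(text, metric="istio_requests_total"):
    """Yield (labels, value) for every sample of `metric`, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m or m.group("name") != metric:
            continue
        labels = dict(LABEL_RE.findall(m.group("labels")))
        yield labels, float(m.group("value"))


def summarize_security(text, reporter="destination"):
    """Return {(source, destination): {policy: request_count}}.

    Only samples with the given reporter are counted: the
    connection_security_policy label is meaningful on destination-reported
    telemetry, while source-reported samples always say "unknown".
    """
    summary = defaultdict(lambda: defaultdict(float))
    for labels, value in parse_samples(text):
        if labels.get("reporter") != reporter:
            continue
        key = (labels.get("source_workload", "unknown"),
               labels.get("destination_workload", "unknown"))
        policy = labels.get("connection_security_policy", "unknown")
        summary[key][policy] += value
    return {k: dict(v) for k, v in summary.items()}


def plaintext_flows(text):
    """Return sorted [(source, destination, policy, count)] for every
    destination-reported flow whose policy is not mutual_tls."""
    findings = []
    for (src, dst), policies in summarize_security(text).items():
        for policy, count in policies.items():
            if policy != "mutual_tls":
                findings.append((src, dst, policy, count))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst, policy, count in plaintext_flows(SAMPLE_METRICS):
        print(f"plaintext: {src} -> {dst} ({policy}, {count:.0f} requests)")
```

Run it against the output of `curl localhost:15000/stats/prometheus` from a sidecar, or against a Prometheus query export, and look for `none` on destination-reported flows; in this constructed sample the only plaintext flow is `legacy-cron -> orders`, which is what a caller without a sidecar looks like under a PERMISSIVE policy.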