Policy:

```yaml
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
  labels:
    app: {{ template "application.name" . }}
    chart: {{ template "application.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ template "system.name" . }}
    environment: {{ .Values.global.environment }}
spec:
  peers:
  - mtls: {}
```
Destination Rule:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: {{ template "application.name" . }}
  labels:
    app: {{ template "application.name" . }}
    chart: {{ template "application.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ template "system.name" . }}
    environment: {{ .Values.global.environment }}
spec:
  host: "{{ template "application.name" . }}.{{ template "system.name" . }}.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
  subsets:
  - name: {{ .Values.global.environment }}
    labels:
      main: "true"
```
Virtual Service:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {{ template "application.name" . }}
  labels:
    app: {{ template "application.name" . }}
    chart: {{ template "application.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ template "system.name" . }}
    environment: {{ .Values.global.environment }}
spec:
{{ include "application.hosts" . }}
{{ include "application.gateways" . }}
  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: "{{ template "application.name" . }}.{{ template "system.name" . }}.svc.cluster.local"
        subset: {{ .Values.global.environment }}
        port:
          number: {{ template "application.service.port" . }}
    headers:
      response:
        add:
          x-app-dedicated: "app"
    retries:
      attempts: 3
      perTryTimeout: 2s
```
Authorization Policy:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ template "application.name" . }}
  labels:
    app: {{ template "application.name" . }}
    chart: {{ template "application.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ template "system.name" . }}
    environment: {{ .Values.global.environment }}
spec:
  selector:
    matchLabels:
      app: {{ template "application.name" . }}
  rules:
  - to:
    - operation:
        methods: ["GET"]
```
After applying the AuthorizationPolicy, the istio-proxy starts to show the following:
```text
[2019-11-28T16:01:29.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:40873 10.40.10.156:15090 10.40.11.143:46502 - -
[2019-11-28T16:01:44.947Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:48599 10.40.10.156:15090 10.40.11.143:46702 - -
[2019-11-28T16:01:59.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:36675 10.40.10.156:15090 10.40.11.143:46896 - -
[2019-11-28T16:02:14.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:55289 10.40.10.156:15090 10.40.11.143:47090 - -
[2019-11-28T16:02:29.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:45871 10.40.10.156:15090 10.40.11.143:47284 - -
[2019-11-28T16:02:44.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:40379 10.40.10.156:15090 10.40.11.143:47494 - -
[2019-11-28T16:02:59.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:33319 10.40.10.156:15090 10.40.11.143:47686 - -
[2019-11-28T16:03:14.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:57011 10.40.10.156:15090 10.40.11.143:47886 - -
[2019-11-28T16:03:29.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:59227 10.40.10.156:15090 10.40.11.143:48078 - -
[2019-11-28T16:03:44.946Z] "- - -" 0 - "-" "-" 0 0 0 - "-" "-" "-" "-" "10.40.10.156:15090" InboundPassthroughClusterIpv4 127.0.0.6:52511 10.40.10.156:15090 10.40.11.143:48280 - -
```
I still do not understand why I'm getting this kind of error:
```bash
curl -X GET \
  https://mysystem.com/healthz \
  -H 'Accept: */*' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Host: mysystem.com' \
  -H 'Postman-Token: f4455c4e-34bb-41d2-8a0d-d219e5def917,b35173cb-8334-4c82-9003-e0b044e0fdc9' \
  -H 'User-Agent: PostmanRuntime/7.20.1' \
  -H 'cache-control: no-cache'
```

Response:

```text
503 - upstream connect error or disconnect/reset before headers. reset reason: connection termination
```
Should this AuthorizationPolicy work without mTLS enabled?
Thanks
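A consistency check across the four objects in the post, added here as an example that is neither the poster's nor Istio's own code: it flags the server/client mTLS mismatches that surface as "connection termination" 503s, VirtualService routes that point at a host or subset the DestinationRule does not define, and AuthorizationPolicy rules that match on peer identity without mTLS. The rendered names (`myapp`, `mysystem`, `prod`, port 8080) are assumed values standing in for the Helm templates.

```python
# Added example, not from the post: cross-check the post's four Istio objects for
# the mismatches behind "connection termination" 503s. Dicts are the post's templates
# rendered with CONSTRUCTED values (app "myapp", ns "mysystem", env "prod").
def server_mtls_mode(policy):
    """Return 'STRICT', 'PERMISSIVE' or None from a v1alpha1 Policy's peers list."""
    for peer in policy.get("spec", {}).get("peers", []):
        if "mtls" in peer:  # 'mtls: {}' means STRICT in v1alpha1
            return (peer["mtls"] or {}).get("mode", "STRICT")
    return None

def check_mesh_config(policy, dest_rule, vsvc, authz):
    """Return a list of findings; an empty list means the objects agree."""
    findings = []
    mode = server_mtls_mode(policy)
    tls = dest_rule["spec"].get("trafficPolicy", {}).get("tls", {})
    client_mtls = tls.get("mode") == "ISTIO_MUTUAL"
    if client_mtls and mode is None:
        findings.append("DestinationRule sends mTLS but no Policy enables it server-side")
    if mode == "STRICT" and not client_mtls:
        findings.append("Policy is STRICT but DestinationRule does not use ISTIO_MUTUAL")
    subsets = {s["name"] for s in dest_rule["spec"].get("subsets", [])}
    for http in vsvc["spec"].get("http", []):
        for route in http.get("route", []):
            dest = route["destination"]
            if dest["host"] != dest_rule["spec"]["host"]:
                findings.append(f"VirtualService host {dest['host']} not covered by DestinationRule")
            if dest.get("subset") and dest["subset"] not in subsets:
                findings.append(f"VirtualService subset {dest['subset']} missing from DestinationRule")
    # A 'from' rule on principals/namespaces only evaluates over mTLS; a 'to'-only
    # rule (as in the post) needs no peer identity.
    identity = any(s.get("source", {}).get("principals") or s.get("source", {}).get("namespaces")
                   for r in authz["spec"].get("rules", []) for s in r.get("from", []))
    if identity and mode is None:
        findings.append("AuthorizationPolicy matches peer identity but mTLS is not enabled")
    return findings

HOST = "myapp.mysystem.svc.cluster.local"
POLICY = {"kind": "Policy", "spec": {"peers": [{"mtls": {}}]}}
DEST_RULE = {"kind": "DestinationRule", "spec": {"host": HOST,
    "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}},
    "subsets": [{"name": "prod", "labels": {"main": "true"}}]}}
VIRTUAL_SERVICE = {"kind": "VirtualService", "spec": {"http": [{
    "match": [{"uri": {"prefix": "/"}}],
    "route": [{"destination": {"host": HOST, "subset": "prod", "port": {"number": 8080}}}]}]}}
AUTHZ = {"kind": "AuthorizationPolicy", "spec": {"selector": {"matchLabels": {"app": "myapp"}},
    "rules": [{"to": [{"operation": {"methods": ["GET"]}}]}]}}

if __name__ == "__main__":
    print(check_mesh_config(POLICY, DEST_RULE, VIRTUAL_SERVICE, AUTHZ) or "no mismatches found")
```

For the post's own objects the check returns no findings, so the 503 is not explained by these manifests alone; dropping either side of the mTLS pair, or adding a `from.source.principals` rule without a Policy, produces a finding.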