Destination rule to set mTLS ignores port specification

idan_frimark · November 26, 2019, 12:41pm

Hi All,

I have two services on test namespace, one on port 26500 and one on port 80

nc-pod-svc ClusterIP 10.15.241.111 26500/TCP 82d
backend LoadBalancer 10.15.244.7 34.73.179.226 80:30295/TCP 89d

When I’m applying the following destination rule I would expect that only traffic to *.test.svc.cluster.local on port 80 will be encrypted.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-test-istio-mtls
  namespace: test
spec:
  host: "*.test.svc.cluster.local"
  trafficPolicy:
    port: 
      number: 80
    tls:
      mode: ISTIO_MUTUAL

But it applied to nc-pod-svc service on port 26500

{
 "version_info": "2019-11-26T12:35:06Z/39",
 "cluster": {
  "name": "outbound|26500||nc-pod-svc.test.svc.cluster.local",
  "type": "EDS",
  "eds_cluster_config": {
   "eds_config": {
    "ads": {},
    "initial_fetch_timeout": "0s"
   },
   "service_name": "outbound|26500||nc-pod-svc.test.svc.cluster.local"
  },
  "connect_timeout": "10s",
  "circuit_breakers": {
   "thresholds": [
    {
     "max_retries": 1024
    }
   ]
  },
  "tls_context": {
   "common_tls_context": {
    "tls_certificates": [
     {
      "certificate_chain": {
       "filename": "/etc/certs/cert-chain.pem"
      },
      "private_key": {
       "filename": "/etc/certs/key.pem"
      }
     }
    ],
    "validation_context": {
     "trusted_ca": {
      "filename": "/etc/certs/root-cert.pem"
     },
     "verify_subject_alt_name": [
      "spiffe://cluster.local/ns/test/sa/default"
     ]
    },
    "alpn_protocols": [
     "istio"
    ]
   },
   "sni": "outbound_.26500_._.nc-pod-svc.test.svc.cluster.local"
  },
  "metadata": {
   "filter_metadata": {
    "istio": {
     "config": "/apis/networking/v1alpha3/namespaces/test/destination-rule/test-test-istio-mtls"
    }
   }
  }
 },
 "last_updated": "2019-11-26T12:35:06.730Z"
},

Is this the expected behavior?

incfly · November 26, 2019, 6:47pm

Maybe you have DestinationRule defined in higher level with “*.cluster.local”?

idan_frimark · November 27, 2019, 6:35am

Found the problem, it was a misconfiguration, the destinationRule should look like:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: test-test-istio-mtls
  namespace: test
spec:
  host: "*.test.svc.cluster.local"
  trafficPolicy:
    portLevelSettings:
    - port: 
        number: 80
      tls:
        mode: ISTIO_MUTUAL

incfly · November 27, 2019, 7:16pm

So it’s just YAML level indent syntax issue.

@idan_frimark have you ever considered auto mTLS? This can remove all the need to figure out DestinationRule for mTLS purpose.

idan_frimark · November 28, 2019, 12:24pm

@incfly Thanks, I want the ability to decide which in-cluster traffic will be encrypted and which not, so I’m not sure auto mTLS will be good for me currently.

incfly · December 2, 2019, 11:16pm

You still have fully control over the mTLS enabled on which namespace/service. It’s only about removing extra step of configuring DestinationRule, which will be automatically configured.

idan_frimark · December 4, 2019, 4:11am

@incfly thanks! I will give it a try.

Topic		Replies	Views
Destination rule to set mTLS ignores specific host Security	5	839	December 8, 2019
DestinationRule mTLS is not applied correctly when client & service are in the same namespace Security	4	488	June 5, 2019
Understanding security in Istio Networking	4	1008	October 17, 2019
DestinationRule with subsets for selecting TLS mode? Security	2	660	June 11, 2019
Headless service with one port forcing MTLS	0	988	November 25, 2019

Destination rule to set mTLS ignores port specification

Related Topics