How to secure against traffic interception by VirtualService “merging”

Hey guys!

I’ve just spent a few hours unwinding a problem of my own making - I use a single ingressgateway in the istio-system namespace, and then I publish virtualservices in each namespace (dev, prod, test, etc), to direct traffic to services in these namespaces.

I created virtualservices in two namespaces, using the identical hostname. Since both are bound to my gateway, I ended up with traffic ingressing the gateway for the hostname randomly (or was it random?) hitting each service.

Other than being rather confusing, it occurs to me that this behaviour would be a handy way to “intercept” production traffic, simply by deploying a virtualservice with the hostname “prod-auth-server.example.com” into a test/dev namespace.

What’s the recommended way to avoid this vulnerability/misconfiguration?

Thanks!
D

(cross-posted from How to secure against traffic interception by VirtualService "merging")

Recent versions of Istio have introduced VirtualService delegation – maybe that will solve your problem.

Prior to VS delegation, we started writing a validatingwebhook to put some safety rails on the VirtualService collision problem.
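The kind of cross-namespace collision check a validating webhook could apply to the situation in this thread, as an added example that is not part of the original posts or any poster's actual webhook. The Gateway name `istio-system/ingressgateway`, the VirtualService names and all helper functions are assumptions, and the manifests are constructed sample data.

```python
# Added example: reject a VirtualService whose host is already claimed by
# another namespace on a shared gateway. Manifests below are constructed.

def gateways_of(vs):
    """Gateway refs as 'namespace/name'; bare names resolve to the VS namespace."""
    ns = vs["metadata"]["namespace"]
    return {g if "/" in g else f"{ns}/{g}" for g in vs["spec"].get("gateways", [])}

def hosts_overlap(a, b):
    """True if two host patterns can match the same request hostname."""
    a, b = a.lower(), b.lower()
    if a == b or "*" in (a, b):
        return True
    for wild, other in ((a, b), (b, a)):
        if wild.startswith("*.") and other.endswith(wild[1:]):
            return True
    return False

def admit(new_vs, existing):
    """Return (allowed, reason) for a VirtualService about to be created."""
    new_ns = new_vs["metadata"]["namespace"]
    for vs in existing:
        if vs["metadata"]["namespace"] == new_ns:
            continue  # merging inside one namespace is left to its owner
        shared = gateways_of(new_vs) & gateways_of(vs)
        if not shared:
            continue
        for h_new in new_vs["spec"].get("hosts", []):
            for h_old in vs["spec"].get("hosts", []):
                if hosts_overlap(h_new, h_old):
                    owner = f"{vs['metadata']['namespace']}/{vs['metadata']['name']}"
                    return False, (f"host {h_new!r} overlaps {h_old!r} from "
                                   f"{owner} on gateway {sorted(shared)[0]}")
    return True, "no cross-namespace host collision"

def make_vs(ns, name, hosts, gateways):
    """Build a minimal VirtualService dict (hypothetical helper for the sample data)."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"hosts": hosts, "gateways": gateways}}

GW = "istio-system/ingressgateway"  # assumed Gateway resource name
PROD = make_vs("prod", "auth", ["prod-auth-server.example.com"], [GW])
ROGUE = make_vs("dev", "auth-copy", ["prod-auth-server.example.com"], [GW])
DEV_OK = make_vs("dev", "auth", ["dev-auth-server.example.com"], [GW])

if __name__ == "__main__":
    for candidate in (ROGUE, DEV_OK):
        print(candidate["metadata"]["name"], admit(candidate, [PROD]))
```

The check covers exact hosts and `*.` wildcard hosts only; VirtualServices with no `gateways` field (mesh-internal routing) are outside its scope.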