Hi.
I have a setup where I would like to run mTLS between services in my Kubernetes cluster. However, since I have set up an Istio External Authorization service as a pod running inside the cluster, it seems like the mTLS is blocking traffic between the two services.
Should it not be possible to use mTLS to the auth service as well as between services?
Thanks
/Mikkel
Is your external authz service behind istio proxy? If so the mTLS should work.
Also see Istio / External authorization with custom action for an example.
Yes, my authz service is behind an istio proxy. Actually my setup was based on the example you linked to. However, if I set up PeerAuthentication like this:

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
  namespace: default
spec:
  mtls:
    mode: STRICT
```
no requests get through to my auth service.
If I then add

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default2"
  namespace: default
spec:
  selector:
    matchLabels:
      app: auth
  mtls:
    mode: PERMISSIVE
```

I get the expected calls to the auth service.
That’s really strange, I tested STRICT and it just works for me, and even if you use PERMISSIVE, by default the client will already be using mTLS.
Could you enable the debug logging of the istio-proxy in your ext-authz pod?
The following is some example log I get that shows the mTLS is working correctly:
Note the source.principal is cluster.local/ns/default/sa/httpbin as my deploy has: sleep → httpbin → opa (ext-authz):
```text
2021-02-26T06:26:41.245496Z debug envoy http [C3089] new stream
2021-02-26T06:26:41.245647Z debug envoy http [C3089][S11358309468056985832] request headers complete (end_stream=false):
':method', 'POST'
':path', '/envoy.service.auth.v3.Authorization/Check'
':authority', 'outbound_.9191_._.opa.default.svc.cluster.local'
':scheme', 'https'
'te', 'trailers'
'grpc-timeout', '200m'
'content-type', 'application/grpc'
'x-b3-traceid', 'eb13d7238e891852c6e1d1331501ee8b'
'x-b3-spanid', '0c2029e22ed57680'
'x-b3-parentspanid', 'efaaf96497e86b4d'
'x-b3-sampled', '0'
'x-envoy-internal', 'true'
'x-forwarded-for', '10.8.1.6'
'x-envoy-expected-rq-timeout-ms', '200'
2021-02-26T06:26:41.245791Z debug envoy filter AuthenticationFilter::decodeHeaders with config
policy {
  peers {
    mtls {
    }
  }
}
skip_validate_trust_domain: true
2021-02-26T06:26:41.245924Z debug envoy filter [C3089] validateX509 mode STRICT: ssl=true, has_user=true
2021-02-26T06:26:41.245936Z debug envoy filter [C3089] trust domain validation skipped
2021-02-26T06:26:41.245940Z debug envoy filter Set peer from X509: cluster.local/ns/default/sa/httpbin
2021-02-26T06:26:41.245947Z debug envoy filter Set principal from peer: cluster.local/ns/default/sa/httpbin
2021-02-26T06:26:41.245950Z debug envoy filter Origin authenticator succeeded
2021-02-26T06:26:41.246010Z debug envoy filter Saved Dynamic Metadata:
fields {
  key: "request.auth.principal"
  value {
    string_value: "cluster.local/ns/default/sa/httpbin"
  }
}
fields {
  key: "source.namespace"
  value {
    string_value: "default"
  }
}
fields {
  key: "source.principal"
  value {
    string_value: "cluster.local/ns/default/sa/httpbin"
  }
}
fields {
  key: "source.user"
  value {
    string_value: "cluster.local/ns/default/sa/httpbin"
  }
}
```
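As an added example (not code from the thread or from Istio), here is a small Python script that applies the check described in the reply above to istio-proxy debug log lines: it pulls out the `validateX509` mode, whether the connection was TLS and carried a client identity, and the SPIFFE principal the sidecar set, so a caller that reached the ext-authz pod in plaintext (which STRICT rejects) shows up as `ssl=false` with no peer. The first sample is trimmed from the log quoted above; the plaintext sample is constructed to show the failing case.

```python
import re
from typing import Optional

# Sample 1: lines taken from the istio-proxy debug log quoted above (trimmed).
LOG_MTLS = """\
2021-02-26T06:26:41.245496Z debug envoy http [C3089] new stream
2021-02-26T06:26:41.245924Z debug envoy filter [C3089] validateX509 mode STRICT: ssl=true, has_user=true
2021-02-26T06:26:41.245940Z debug envoy filter Set peer from X509: cluster.local/ns/default/sa/httpbin
2021-02-26T06:26:41.245950Z debug envoy filter Origin authenticator succeeded
"""
# Sample 2: constructed; what a plaintext caller would look like (no TLS, no client cert).
LOG_PLAINTEXT = """\
2021-02-26T06:30:00.000000Z debug envoy http [C4000] new stream
2021-02-26T06:30:00.000100Z debug envoy filter [C4000] validateX509 mode STRICT: ssl=false, has_user=false
"""

VALIDATE_RE = re.compile(r"validateX509 mode (\w+): ssl=(true|false), has_user=(true|false)")
PEER_RE = re.compile(r"Set peer from X509: (\S+)")
# SPIFFE identity layout Istio uses: <trust-domain>/ns/<namespace>/sa/<service-account>
SPIFFE_RE = re.compile(r"^(?P<trust_domain>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


def check_mtls(log: str) -> dict:
    """Extract the PeerAuthentication mode and peer identity from a sidecar debug log."""
    info = {"mode": None, "ssl": None, "has_user": None, "peer": None, "mtls_ok": False}
    for line in log.splitlines():
        m = VALIDATE_RE.search(line)
        if m:
            info["mode"] = m.group(1)
            info["ssl"] = m.group(2) == "true"
            info["has_user"] = m.group(3) == "true"
            continue
        m = PEER_RE.search(line)
        if m:
            info["peer"] = m.group(1)
    # mTLS is only in effect when the connection was TLS, presented a client cert,
    # and the filter derived a peer principal from that cert.
    info["mtls_ok"] = bool(info["ssl"] and info["has_user"] and info["peer"])
    return info


def parse_principal(principal: str) -> Optional[dict]:
    """Split a SPIFFE-style principal into trust domain, namespace and service account."""
    m = SPIFFE_RE.match(principal)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for name, log in (("mtls", LOG_MTLS), ("plaintext", LOG_PLAINTEXT)):
        info = check_mtls(log)
        print(name, info, parse_principal(info["peer"]) if info["peer"] else None)
```

Run it against the output of `istioctl proxy-config log <ext-authz-pod> --level debug` followed by `kubectl logs <ext-authz-pod> -c istio-proxy`; a `mtls_ok` of False on the ext-authz sidecar while STRICT is in place explains why the Check call never reaches the service.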