Istio Namespace isolation

Hello,

I’m running Istio 1.5.0 in Azure AKS 1.16.7

What I want to achieve is full namespace isolation, and it seems something is missing or not working as it should…

My question is: shouldn’t Istio “block” all my requests to other namespaces, including curl, or is this Sidecar implementation not what I’m looking for?

The example below declares a global default Sidecar configuration in the root namespace called istio-config , that configures sidecars in all namespaces to allow egress traffic only to other workloads in the same namespace, and to services in the istio-system namespace.

Google doesn’t offer much help, and at first sight the Sidecar documentation is clear and should solve my problem. Any ideas appreciated.

Here are my logs and some information on what I have for the Sidecar implementation.

I have kubectl -n istio-system get sidecar

NAME      AGE
default   28d

Which is kubectl -n istio-system get sidecar default -oyaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1beta1","kind":"Sidecar","metadata":{"annotations":{},"labels":{"operator.istio.io/component":"IngressGateways","operator.istio.io/managed":"Reconcile","operator.istio.io/version":"1.5.0","release":"istio"},"name":"default","namespace":"istio-system"},"spec":{"egress":[{"hosts":["./*","istio-system/*"]}]}}
  creationTimestamp: "2020-03-24T10:44:46Z"
  generation: 2
  labels:
    operator.istio.io/component: IngressGateways
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.5.0
    release: istio
  name: default
  namespace: istio-system
  resourceVersion: "13450584"
  selfLink: /apis/networking.istio.io/v1beta1/namespaces/istio-system/sidecars/default
  uid: ede2c603-4ecf-45db-b90e-6a473c886241
spec:
  egress:
  - hosts:
    - ./*
    - istio-system/*

I also have a namespace, kubectl describe ns jenkins:

Name:         jenkins
Labels:     
              istio-injection=enabled
Annotations:  <none>
Status:       Active

No resource quota.

No resource limits.

The documentation says that you need a default Sidecar in istio-system and ALL istio-injected namespaces inherit it. Or am I reading this wrong?

Anyway, I have created a namespace Sidecar, kubectl -n jenkins get sidecar:

NAME      AGE
default   68m

Which is the same, because I want to isolate the namespace and allow only Istio resources, as documented!

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"networking.istio.io/v1beta1","kind":"Sidecar","metadata":{"annotations":{},"name":"default","namespace":"jenkins"},"spec":{"egress":[{"hosts":["./*","istio-system/*"]}]}}
  creationTimestamp: "2020-04-21T11:25:30Z"
  generation: 1
  name: default
  namespace: jenkins
  resourceVersion: "13457630"
  selfLink: /apis/networking.istio.io/v1beta1/namespaces/jenkins/sidecars/default
  uid: 60bfccd6-dfbc-4332-ab8f-bece9cd8f468
spec:
  egress:
  - hosts:
    - ./*
    - istio-system/*

So I have restarted (scaled down and up) my debug image deployment and I still can curl everywhere I want; my image is k8s.gcr.io/echoserver:1.10.
So if I kubectl -n jenkins exec -it src-ip-5c4cb58f45-g4pj9 curl src-ip.default.svc to the echoserver in the default namespace, I get this result. I’d expect probably a 503 or a timeout…

Defaulting container name to src-ip.
Use 'kubectl describe pod/src-ip-599d5988d5-w8xkn -n jenkins' to see all of the containers in this pod.

Hostname: src-ip-5c4cb58f45-g4pj9

Pod Information:
	-no pod information available-

Server values:
	server_version=nginx: 1.13.3 - lua: 10008

Request Information:
	client_address=10.100.8.19
	method=GET
	real path=/
	query=
	request_version=1.1
	request_scheme=http
	request_uri=http://src-ip.default.svc:8080/

Request Headers:
	accept=*/*
	content-length=0
	host=src-ip.default.svc
	user-agent=curl/7.47.0
	x-b3-sampled=0
	x-b3-spanid=ccdd8eb9a8a9848c
	x-b3-traceid=47eca771d4821b47ccdd8eb9a8a9848c
	x-envoy-peer-metadata=…
	x-envoy-peer-metadata-id=sidecar~10.100.8.19~src-ip-599d5988d5-w8xkn.jenkins~jenkins.svc.cluster.local
	x-forwarded-proto=http
	x-request-id=5c2cb3ec-2fa0-47a3-87ec-9b0b3bca2477

Request Body:
	-no body in request-

#

Responding to your query re my blog post at https://www.funkypenguin.co.nz/note/istio-namespace-isolation-tricks/, have you examined the logs of the istio-proxy sidecar on each end of this test? I.e., do you actually see Istio passing the traffic between namespaces, or are the pods somehow able to bypass mTLS and send the traffic directly to each other?

Thanks for your reply.

EDIT:

Here is the solution: https://github.com/istio/istio/issues/15329. You need to change the outbound traffic policy from ALLOW_ANY to REGISTRY_ONLY :slight_smile:

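Editor's note with an added example (not part of the original thread, and not a manifest from the Istio project or from the poster): the reason the egress-only Sidecar above does not block the curl is that the egress hosts list only controls which services are pushed into the proxy's configuration. Under the default outboundTrafficPolicy of ALLOW_ANY, a destination the proxy does not know about is still forwarded to its original IP through Envoy's PassthroughCluster, which is why the echoserver response still carries x-envoy-* headers from the jenkins sidecar. With REGISTRY_ONLY, unknown destinations are routed to the BlackHoleCluster instead and an HTTP request gets a 502 from the client's own sidecar. The two manifests below show the same namespace-scoped Sidecar in its ineffective form and with the policy set per namespace, followed by the mesh-wide equivalent for an IstioOperator install. The namespace name jenkins and the pod and service names are taken from the thread; everything else is the Istio 1.5 API as documented.

```yaml
# (1) The Sidecar as posted: egress restricted, but outbound policy inherited
#     from the mesh default (ALLOW_ANY), so unknown hosts still pass through.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: jenkins
spec:
  egress:
  - hosts:
    - "./*"            # services in the same namespace (jenkins)
    - "istio-system/*" # istiod, telemetry, gateways
---
# (2) Corrected: same egress scope, plus REGISTRY_ONLY so that anything not
#     in the egress list (e.g. src-ip.default.svc) is black-holed by Envoy.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: jenkins
spec:
  egress:
  - hosts:
    - "./*"
    - "istio-system/*"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY
---
# (3) Mesh-wide alternative: set the default for every sidecar at install
#     time via IstioOperator (istioctl manifest apply -f this-file.yaml).
#     Per-namespace Sidecar resources such as (2) can still override it.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-control-plane
  namespace: istio-system
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
```

To confirm the change took effect, re-run the curl from the jenkins pod and check the status code rather than the body, e.g. kubectl -n jenkins exec -it src-ip-5c4cb58f45-g4pj9 -- curl -s -o /dev/null -w '%{http_code}\n' http://src-ip.default.svc:8080/ should print 502 once the sidecar has received the new configuration (istioctl proxy-config cluster <pod>.jenkins will no longer list src-ip.default.svc.cluster.local). Two caveats a practitioner should keep in mind: this is client-side configuration enforced by the calling pod's own proxy, so it does nothing for pods without a sidecar and does not stop other namespaces from calling into jenkins; server-side restrictions belong in an AuthorizationPolicy. And the egress list must include every external host the workload legitimately needs (via a ServiceEntry), because REGISTRY_ONLY black-holes those as well.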