Principle of least privilege for external service access

Hi all.

I’m trying to design an architecture where only certain pods have for example access to S3 and other pods have access to archive.ubuntu.com.

What I’ve designed so far is:

istio 1.6.7

Use Calico NetworkPolicies to deny all outward traffic from the application except for DNS and to istio-system.

Created gateways and VirtualServices for archive.ubuntu.com to direct to an egress gateway.

Set STRICT peer authentication policies in the application namespace.

At this point traffic to archive.ubuntu.com is flowing nicely, but for all pods.

So I attempted an AuthorizationPolicy like this:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ubuntu-archive
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/httpbin"]

But now I get RBAC access denied.

Then I tried adding this:

  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

To the destination rule, and now get an “upstream connect error or disconnect/reset before headers. reset reason: connection failure”.

Any suggestions?

You need to use Gateway config to enable the gateway to accept mTLS first. This can be done by setting the Gateway’s mTLS mode to ISTIO_MUTUAL as well.

Thanks for the reply, sorry for being pretty new to istio but can you point me in the right direction for how to set that? (I don’t see anything I can set in the IstioOperator spec)

Try out this guide: https://preliminary.istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination-sds/

Hmm… looking through, I don’t see the similarity… I’m looking to have MUTUAL_TLS between the sidecar and the egress… archive.ubuntu.com is actually on port 80. Does that example still apply here?

I’m not sure what similarity you are looking for. You can change ports as you want; the idea should be the same. This task setup is similar to what you desire.

Hmm OK, I’ll give it a go, thanks. Just to be clear, this should work on 1.6.7? That documentation is for 1.7…

Do these look correct?

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: istio-egressgateway-archive
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTPS
    hosts:
    - archive.ubuntu.com
    tls:
      mode: ISTIO_MUTUAL
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ubuntu-archive
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: ubuntu-archive
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: ISTIO_MUTUAL

curl http://archive.ubuntu.com
upstream connect error or disconnect/reset before headers. reset reason: connection failure
root@httpbin-9d7cdcff6-j5497:/#

:frowning:

This was with 1.7 by the way. Can anyone spot what I’m doing wrong, or is this a bug?
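The two objects the thread never shows are the VirtualService that sends mesh traffic for archive.ubuntu.com through the ISTIO_MUTUAL subset, and an AuthorizationPolicy that grants the egress gateway to one service account for one host only. The following is an added example, not configuration from the thread or from Istio's own docs; it assumes the Gateway `istio-egressgateway-archive` and the DestinationRule subset `ubuntu-archive` defined above, a ServiceEntry for archive.ubuntu.com in the same namespace, and the httpbin service account named earlier as the only allowed caller.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: archive-ubuntu-through-egress
spec:
  hosts:
  - archive.ubuntu.com
  gateways:
  - mesh
  - istio-egressgateway-archive
  http:
  # sidecar -> egress gateway, over the subset whose portLevelSettings use ISTIO_MUTUAL
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system.svc.cluster.local
        subset: ubuntu-archive
        port:
          number: 80
  # egress gateway -> external host; the ServiceEntry (assumed) makes this host routable
  - match:
    - gateways:
      - istio-egressgateway-archive
      port: 80
    route:
    - destination:
        host: archive.ubuntu.com
        port:
          number: 80
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ubuntu-archive
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-egressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/httpbin"]
    to:
    - operation:
        hosts: ["archive.ubuntu.com"]
```

The `principals` field is only populated when the hop from sidecar to gateway is mTLS, which is why the plain-HTTP attempt earlier in the thread was denied; once an ALLOW policy selects the gateway, anything not matched by some rule is rejected, so a second policy with a different principal and host can grant S3 to a different set of pods on the same gateway.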

Do you want to check this --> https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/

It seems my ultimate goal of using AuthorizationPolicy to limit access to certain egress external services via egress gateway isn’t possible at the moment so I’ll design something else. Thanks for the replies anyway!