Questions about istio (security-review)

#1

Hello users and contributors,

We have a security review going on for bringing istio to production, there are few question I dont have full understanding on:

  1. Does istio-enabled make calls other than intended application calls ?
  2. Will envoy also log API calls made to kubernetes cluster editing a deploymnet or configmap ?
  3. What new calls will be introduced which wont be there if Istio is added to cluster ?
0 Likes

#2
  1. Does istio-enabled make calls other than intended application calls ?

No, Istio sidecar only intercepts traffic as a proxy. It does not start any call. The traditional “clientApp -> serverApp” flow becomes “clientApp -> clientSidecar -> serverSidecar -> serverApp” now.

  1. Will envoy also log API calls made to kubernetes cluster editing a deploymnet or configmap ?

No, i don’t think so.

  1. What new calls will be introduced which wont be there if Istio is added to cluster ?

Not sure what you mean, envoy does not start call, as mentioned in above.

0 Likes

#3

Thanks a lot for answers @Tao_Li.

Can you also tell me what are the iptables rule run ? what does they do so that a call going to port 80 of an application container and calls go to envoy first before reaching to that 80 port.

What if I run “apt-get update” or "apt-get install " inside container. Will that call be intercepted by envoy ?

0 Likes

#4

iptables is setup by istio-init container, please refer here for more info: https://istio.io/blog/2019/data-plane-setup/

We only intercept the traffic on ports declared by containerPort, https://istio.io/docs/setup/kubernetes/prepare/requirements/ (see Pod ports section).

0 Likes

#5

Hey @Tao_Li Thanks for your reply.

Can someone help me with thus query…

In GKE, all the container logs are given to stackdriver using fluentd. Are these calls to fluentd also intercepted by envoy ?

if not, why ?

0 Likes