The ratings-v2 service fails to work for MongoDB

anabas · April 30, 2019, 5:34pm

I am following example for TCP authorization for MongoDB https://istio.io/docs/tasks/security/authz-tcp/

I carefully followed each step but even after defining Destination Rules, VS, Service Role and Service Role binding, the productpage still shows Rating service is currently unavailable.

The output from istioctl authn tls-check for ratings-v2 is as follows - which shows OK.

# istioctl authn tls-check ratings-v2-54f78f7c8c-2b22l | grep -i ratings
ratings.istio-lab.svc.cluster.local:9080                            OK           mTLS          mTLS       default/istio-lab                            ratings/istio-lab

But when I try to see ratings-v2 relationship with mongodb.

istioctl authn tls-check ratings-v2-54f78f7c8c-2b22l | grep -i mongodb
mongodb.istio-lab.svc.cluster.local:27017                           CONFLICT     mTLS          HTTP       default/istio-lab                            -

What is the reason that mongodb service is at conflict with ratings-v2 and how could I correct this? This looks like a possible case as why Ratings does not show on the roductpage.

Help is appreciated.

wenchenglu · May 4, 2019, 12:24am

@YangminZhu
could you help take a look?

YangminZhu · May 4, 2019, 3:07am

I just tried the task and didn’t encounter any problems. Could you clarify after which step you find unexpected result?

From your istioctl authn tls-check output, The word HTTP means you didn’t enable mTLS for the MongoDB service, this shouldn’t happen for this task as it requires to enable mTLS in the beginning of the task.

Could you double check whether you have enabled mTLS in the cluster as required in the Before you begin, Thanks.

anabas · May 4, 2019, 2:48pm

Hi Yangmin - Thanks for your reply. Actually - istioctl authn tls-check was the clue why it did not work. I noticed that the example did not have mongodb destination rule defined - or if it was there - I might have missed it.

After I defined the destination rule for MongoDB - it then worked fine.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mongodb
spec:
  host: mongodb.istio-lab.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

YangminZhu · May 6, 2019, 6:20pm

Glad it works. The task shouldn’t need the dedicated destination rule for MongoDB as is uses the default destination rule when mTLS is enabled in the cluster, you might need this destination rule when it’s not the default setting.

Topic		Replies	Views
Authorization polices issue Security	1	168	November 15, 2023
Authorization Policy issue with 503 Networking	12	3653	June 15, 2020
Istio 1.6.4: Authorisation policy ALLOW is denying Security	9	962	August 10, 2020
AuthorizationPolicy support cluster/ service Security	1	417	January 22, 2021
Istio Authorization Policy not triggering checks - rbac_access_denied_matched_policy[default-deny-all-due-to-bad-CUSTOM-action] Security security	0	3497	September 13, 2022

The ratings-v2 service fails to work for MongoDB

Related Topics