Urgent - How to verify mTLS communication between services with traffic dump

Hi All,

I have set up a K8s (v1.13.1) cluster and installed Istio on it. When I have not enabled mTLS yet, if I run istioctl authn tls-check in the default state, I see the below results.

~ $istioctl version

client version: 1.4.0-beta.0

control plane version: 1.5-alpha.4c98e70fc4bdbcc3dfdd5c5527a48cb5a4f4f047

data plane version: 1.5-alpha.4c98e70fc4bdbcc3dfdd5c5527a48cb5a4f4f047 (4 proxies), 1.3.1 (1 proxies)


istioctl authn tls-check giftshopui-v1-ccb98fd97-rspgk.microservices giftshopapi.microservices.svc.cluster.local
HOST:PORT                                          STATUS     SERVER         CLIENT     AUTHN POLICY     DESTINATION RULE
giftshopapi.microservices.svc.cluster.local:80     OK         PERMISSIVE     -          /default         -

istioctl authn tls-check giftshopapi-v1-7554fc7cf9-p6jwn.microservices giftshopui.microservices.svc.cluster.local
HOST:PORT                                         STATUS     SERVER         CLIENT     AUTHN POLICY     DESTINATION RULE
giftshopui.microservices.svc.cluster.local:80     OK         PERMISSIVE     -          /default         -

As you can see above, there is no conflict and my services work as expected.

However I have a doubt.

As per (https://redhat-developer-demos.github.io/istio-tutorial/istio-tutorial/1.3.x/8mTLS.html), the default state is supposed to be

istioctl authn tls-check $(kubectl get pods -n tutorial{namespace-suffix}|grep customer|awk '{ print $1 }'|head -1) customer.tutorial.svc.cluster.local

HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY        DESTINATION RULE
customer.tutorial.svc.cluster.local:8000     OK         mTLS      HTTP       default/            default/

The Server has mTLS value. In my case I never get mTLS, I always get PERMISSIVE by default.

Am I doing anything wrong with my Istio installation? I have tried this with previous versions of Istio too.

Now if I apply mTLS at individual service level or at namespace level, I see a different behavior than what is documented in istio docs.

This is what I see in my cluster.


~ $istioctl authn tls-check giftshopui-v1-ccb98fd97-rspgk.microservices giftshopapi.microservices.svc.cluster.local
HOST:PORT                                          STATUS     SERVER     CLIENT           AUTHN POLICY                              DESTINATION RULE
giftshopapi.microservices.svc.cluster.local:80     OK         STRICT     ISTIO_MUTUAL     microservices/giftshopapi-receive-tls     microservices/giftshopapi-clients-destinationrule

However as per istio docs (https://istio.io/faq/security/#enabling-disabling-mtls) I should see mTLS for SERVER and CLIENT.

$ istioctl authn tls-check $CLIENT_POD httpbin.default.svc.cluster.local
HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY        DESTINATION RULE
httpbin.default.svc.cluster.local:8000     OK         mTLS       mTLS       default/            default/istio-system

Even if I follow this (https://istio.io/docs/tasks/security/mutual-tls/), I do not see what is documented there…

HOST:PORT                                  STATUS     SERVER     CLIENT     AUTHN POLICY        DESTINATION RULE
httpbin.default.svc.cluster.local:8000     OK         mTLS       mTLS       default/            default/istio-system

> What am I doing wrong? Is the documentation not updated?

I ignored this mismatch for a moment and tried to inspect the traffic between my pod Envoy side cars as mentioned here (https://blog.getambassador.io/verifying-service-mesh-tls-in-kubernetes-using-ksniff-and-wireshark-454b1e3f4dc9) using ksniff. I do not see any TLS traffic.

However my sidecars have the certs as mentioned here (https://istio.io/docs/tasks/security/mutual-tls/)

istio-1.3.3 $kubectl exec giftshopui-v6-66fbd6b784-qcb6s -c istio-proxy -- ls /etc/certs

cert-chain.pem
key.pem
root-cert.pem

istio-1.3.3 $kubectl get pods

NAME                              READY   STATUS    RESTARTS   AGE
giftshopapi-v2-6ddd8b6668-gst48   2/2     Running   0          3h
giftshopui-v6-66fbd6b784-qcb6s    2/2     Running   0          3h

istio-1.3.3 $kubectl exec giftshopapi-v2-6ddd8b6668-gst48 -c istio-proxy -- ls /etc/certs

cert-chain.pem
key.pem
root-cert.pem


istio-1.3.3 $kubectl exec giftshopui-v6-66fbd6b784-qcb6s -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout  | grep Validity -A 2
        Validity
            Not Before: Oct 13 15:29:15 2019 GMT
            Not After : Jan 11 15:29:15 2020 GMT
istio-1.3.3 $kubectl exec giftshopapi-v2-6ddd8b6668-gst48 -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout  | grep Validity -A 2
        Validity
            Not Before: Oct 13 15:29:15 2019 GMT
            Not After : Jan 11 15:29:15 2020 GMT


There is something wrong with my Istio mTLS setup, which I am not able to figure out.

Any help is much appreciated.
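The post's confusion is mostly about column values: newer istioctl prints the authentication-policy mode (PERMISSIVE, STRICT) and the DestinationRule TLS mode (ISTIO_MUTUAL) rather than the literal string "mTLS". The script below is an added example, not code from the original post or from the Istio project. It parses the six-column tls-check table shown above and reports, per host, whether mTLS is enforced, merely opportunistic (PERMISSIVE server), plaintext, or in conflict. It assumes columns are separated by at least two spaces; the sample input is constructed from the rows quoted in the post plus one made-up row (reviews.bookinfo) to exercise conflict detection, and a CLIENT value of "-" (no DestinationRule) is conservatively treated as plaintext.

```python
"""Summarise the TLS posture of each host from `istioctl authn tls-check` output.

Added example, not from the original post or the Istio project. Assumes the
six-column layout HOST:PORT, STATUS, SERVER, CLIENT, AUTHN POLICY,
DESTINATION RULE, with columns separated by two or more spaces.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: three rows quoted in the post plus one made-up row
# (reviews.bookinfo) with a STRICT server and no DestinationRule.
SAMPLE_OUTPUT = """\
HOST:PORT                                          STATUS     SERVER         CLIENT     AUTHN POLICY     DESTINATION RULE
giftshopapi.microservices.svc.cluster.local:80     OK         PERMISSIVE     -          /default         -
giftshopapi.microservices.svc.cluster.local:80     OK         STRICT     ISTIO_MUTUAL     microservices/giftshopapi-receive-tls     microservices/giftshopapi-clients-destinationrule
httpbin.default.svc.cluster.local:8000     OK         mTLS       mTLS       default/            default/istio-system
reviews.bookinfo.svc.cluster.local:9080     CONFLICT   STRICT     -          bookinfo/default     -
"""

SERVER_REQUIRES_MTLS = {"STRICT", "mTLS"}     # server rejects plaintext
SERVER_PLAINTEXT_ONLY = {"DISABLE", "HTTP"}   # server never negotiates TLS
CLIENT_SENDS_MTLS = {"ISTIO_MUTUAL", "mTLS"}  # client-side mode from the DestinationRule


@dataclass
class TlsCheckRow:
    host: str
    status: str
    server: str
    client: str
    authn_policy: str
    destination_rule: str


def parse_tls_check(text: str) -> List[TlsCheckRow]:
    """Parse the table into rows, skipping blank lines and the header."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("HOST:PORT"):
            continue
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 6:
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(TlsCheckRow(*fields))
    return rows


def classify(row: TlsCheckRow) -> str:
    """Return one of: enforced, opportunistic, plaintext, conflict.

    Assumption: a CLIENT of '-' (no DestinationRule) is treated as plaintext,
    i.e. the check does not rely on auto mTLS being enabled.
    """
    client_mtls = row.client in CLIENT_SENDS_MTLS
    if row.status != "OK":
        return "conflict"          # istioctl itself flagged a mismatch
    if row.server in SERVER_PLAINTEXT_ONLY:
        return "plaintext"
    if row.server in SERVER_REQUIRES_MTLS:
        return "enforced" if client_mtls else "conflict"
    # PERMISSIVE: server accepts both, so encryption depends on the client alone
    return "opportunistic" if client_mtls else "plaintext"


def accepts_plaintext(rows: List[TlsCheckRow]) -> List[str]:
    """Hosts whose server side still accepts unencrypted connections."""
    return [r.host for r in rows if r.server not in SERVER_REQUIRES_MTLS]


def summarize(text: str) -> List[Tuple[str, str]]:
    """(host, posture) pairs in table order."""
    return [(r.host, classify(r)) for r in parse_tls_check(text)]


if __name__ == "__main__":
    # Pipe real output in (istioctl authn tls-check POD HOST | python3 this.py),
    # otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    rows = parse_tls_check(text)
    for r in rows:
        print(f"{r.host:50} server={r.server:11} client={r.client:13} -> {classify(r)}")
    print("accepts plaintext:", accepts_plaintext(rows))
```

On the post's own rows this reports the PERMISSIVE/"-" entry as plaintext (which matches the ksniff observation of no TLS on the wire) and the STRICT/ISTIO_MUTUAL entry as enforced, which is the same state the docs label "mTLS / mTLS".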

Istio's default installation uses PERMISSIVE by default. The Red Hat website may refer to their own distro of Istio, which might have a different Istio mTLS configuration.