...
x-request-idx-b3-traceidx-b3-spanidx-b3-parentspanidx-b3-sampledx-b3-flagsx-ot-span-context
With Istio Authentication and Authorization
In addition to the port name format and http header propagation, the followings need to be done to leverage Istio auth.
Liveness probe
Mutual TLS can't work with 8Shttp/tcp liveness probe. If mutual TLS is enabled, http and tcp health checks from the kubelet will not work since they do not have Istio-issued certs. The workaround is using liveness command instead or disabling http and tcp liveness probe for the time being.
Allow both Mutual TLS and Plain Traffic
During the migration, we can use “PERMISSIVE” mode of Istio Auth policy to allow both TLS and plain traffic. After migration is done, the mode can be switched to "STRICT" mode so only TLS traffics are permitted to access services.
| Code Block |
|---|
cat <<EOF | kubectl apply -n onap -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "default"
namespace: onap
spec:
peers:
- mtls:
mode: PERMISSIVE
EOF |
In that case, the RBAC should be set to allow all users, including the unauthenticated users, to access the services.
| Code Block |
|---|
cat <<EOF | kubectl apply -n onap -f -
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: onap-default
namespace: onap
spec:
rules:
- services: ["*"]
methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-service-default
namespace: onap
spec:
subjects:
- user: "*"
roleRef:
kind: ServiceRole
name: "onap-default"
EOF |
By this approach, ONAP can be smoothly migrated to Istio with auth enabled. After every ONAP microservice adopts Istio auth, then we can set the authentication to "STRICT" mode and enforce strict access control per the needs of each service.
What's the next? we will provide a user-friendly Istio UI to manage Istio rules and policies. Comment here to leave your thoughts or join our weekly project meeting if you're interested.