In the ever-evolving landscape of cloud-native architecture, security remains a paramount concern. With the proliferation of microservices and containerization, ensuring the integrity and confidentiality of data in transit has become increasingly challenging. Enter Istio Service Mesh, a powerful tool for managing and securing microservices-based applications. One of its key features which we’ll delve into is traffic management, which provides granular control over communication between individual pods, bolstering security in distributed environments.
Understanding Istio Service Mesh
Before delving into service isolation, let’s grasp the essence of Istio Service Mesh. Istio is an open-source service mesh that facilitates communication, monitoring, and security between microservices. It abstracts away the complexities of networking.
An Istio service mesh comprises two key components: the data plane and the control plane. Data Plane, at its core, employs a sidecar proxy model, where each microservice is accompanied by a lightweight proxy called Envoy. Control Plane manages these proxies to intercept all inbound and outbound traffic, allowing Istio to exert fine-grained control over communication between services.
The Significance of Service-to-Service Isolation
Service-to-Service isolation, facilitated by Istio’s traffic management, is crucial for maintaining a secure and reliable service environment. Unauthorized access or malicious activity from one pod could compromise the entire cluster. Service isolation mitigates this risk by segmenting communication channels between pods, enforcing routing rules that dictate flow of traffic and API calls between services.
Implementing Pod-to-Pod Isolation using Istio traffic management
Traffic Encryption
For securing service-to-service communication, Istio facilitates encryption of traffic between pods using mutual TLS (mTLS). At core, Citadel is responsible for traffic encryption. Peer authentication policies define the mutual TLS mode enforced by Istio on target workloads ensuring secure communication within the service mesh.
Following policy allow mTLS strict for all workload under namespace dev but leaving mTLs optional (both mTLS & plaintext) for connection to port 8080 for workload loki
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: dev
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: loki
namespace: dev
spec:
mtls:
mode: STRICT
portLevelMtls:
"8080":
mode: PERMISSIVE
selector:
matchLabels:
app: loki
Istio’s traffic management model depends on the Envoy proxies that get deployed along with services. Injection of Envoy proxy instances to pods in namespace is done using below command –
kubectl label namespace ${ENV_NAME} istio-injection=enabled –overwrite
Once Istio-proxy sidecar container is deployed in the Istio enabled pods, Istio configures iptables rules in the pod’s network namespace to redirect traffic to sidecar proxies which implements mutual TLS.
Leveraging Istio’s inbuilt capabilities we can introduce tailored traffic configurations through its traffic management API. At core, component of Control Plane, Pilot is responsible for traffic management which uses the Envoy API to communicate with the Envoy sidecar.
With Istio Traffic Management there are infinite scenarios and use cases. Below emphasize n/w isolation for outbound traffic & external facing endpoints i.e.: controlling egress HTTPS traffic from Istio enabled K8s workloads and securing service-to-service communication using Istio traffic management API resources mainly focusing on the Sidecar and Service Entry.
Also read: Explore DDoS Attack Mitigation Techniques: Safeguard Your Network
Sidecar – [Pod Level Isolation]
By default, Istio configures envoy proxies to accept all incoming and outgoing traffic between pods. Sidecar configuration limits the reachability of services and fine-tune the set of ports and protocols that an Envoy proxy can accept. Sidecar configuration can be applied to all workloads in a particular namespace or to specific workloads using a workload Selector.
In the Following example Isolation is applied to pod level based on workload selector labels specifying which hosts the services within the selected workloads are allowed to communicate with.
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
name: service-sidecar
namespace: dev
spec:
workloadSelector:
labels:
app: serviceName
egress:
- hosts:
- "./aws.amazon.com"
- "./*.organization.com"
outboundTrafficPolicy:
mode: REGISTRY_ONLY
Adding “./*.<<namespace>>.svc.cluster.local” in hosts section will allow the pod to access any services within its own namespace in the Kubernetes cluster.
Modifying Outbound traffic policy to REGISTRY_ONLY, further enforces that only hosts defined with ServiceEntry resources are part of the mesh service registry and can be accessed to by sidecars of the mesh (pod)
ServiceEntry – [Service Mesh Level Isolation]
Istio maintains a service registry where all endpoint data is stored. Using this service registry, the Envoy proxies redirect traffic to the relevant services. ServiceEntry is used to add entry to the service registry. Configuring ServiceEntry allows us to manage traffic for services that are running outside of the mesh i.e.: whitelisting external endpoints.
With meshConfig.outboundTrafficPolicy.mode flag set to REGISTRY_ONLY requiring external resources that pods should be able to access, are configured as ServiceEntry Objects which will control the outbound traffic i.e APIs that can be accessed by pods over HTTPS.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: ext-svc
namespace: dev
spec:
hosts:
- aws.amazon.com
- *.atlassian.net
location: MESH_EXTERNAL
ports:
- name: https
number: 443
protocol: HTTPS
resolution: DNS
The above configuration ensures that services labeled with “app: serviceName” restricting egress HTTPS traffic and allowing outbound communication only to predetermined hosts. With DNS resolution, the sidecar proxy will ignore the original destination IP address and direct the traffic to specified hosts only after performing a DNS query to get an IP address of the host providing controlled access to external services.
When trying to access service which are not configured as ServiceEntry Objects will prohibit outbound traffic as shown below
kubectl exec -it pod-serviceName-bff85 -n dev --stdin --tty -- /bin/sh
$ curl https://polaris.synopsys.com
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to polaris.synopsys.com:443
In summary, the Sidecar configuration defines egress rules for outbound traffic, while the Service Entry configuration defines external services accessibility within the mesh. Both configurations play a vital role in controlling traffic within the Istio service mesh.
Conclusion
The setup provides a good defense mechanism by limiting traffic from pods to internal Kubernetes infrastructure and other Kubernetes workloads, thereby preventing lateral movement. Augmenting this with container hardening further strengthens security and minimizes potential breaches. Additionally, using Istio’s Virtual Service, Destination Rule, and Gateway together can effectively manage traffic i.e,: Virtual Service to control request routing along with Destination Rule to define policies for traffic to a service, and a Gateway to manage inbound traffic.
Nonetheless, it’s essential to acknowledge that every setup has its own limitations, so it’s important to choose the best security measures to safeguard applications and mitigate the risk of security breaches in distributed environments based on architectural requirement.