Skip links

Enhancing security with Istio Service Mesh: Isolating Pod-to-Pod Communication

Jump To Section

Enhance pod-to-pod security with Istio Service Mesh through effective isolation strategies and advanced traffic management techniques.
Istio Service Mesh

In the ever-evolving landscape of cloud-native architecture, security remains a paramount concern. With the proliferation of microservices and containerization, ensuring the integrity and confidentiality of data in transit has become increasingly challenging. Enter Istio Service Mesh, a powerful tool for managing and securing microservices-based applications. One of its key features which we’ll delve into is traffic management, which provides granular control over communication between individual pods, bolstering security in distributed environments.

Understanding Istio Service Mesh

Before delving into service isolation, let’s grasp the essence of Istio Service Mesh. Istio is an open-source service mesh that facilitates communication, monitoring, and security between microservices. It abstracts away the complexities of networking.

An Istio service mesh comprises two key components: the data plane and the control plane. Data Plane, at its core, employs a sidecar proxy model, where each microservice is accompanied by a lightweight proxy called Envoy. Control Plane manages these proxies to intercept all inbound and outbound traffic, allowing Istio to exert fine-grained control over communication between services.          

         

Istio Service Mesh Security

The Significance of Service-to-Service Isolation 

Service-to-Service isolation, facilitated by Istio’s traffic management, is crucial for maintaining a secure and reliable service environment. Unauthorized access or malicious activity from one pod could compromise the entire cluster. Service isolation mitigates this risk by segmenting communication channels between pods, enforcing routing rules that dictate flow of traffic and API calls between services.

Implementing Pod-to-Pod Isolation using Istio traffic management 

Traffic Encryption

For securing service-to-service communication, Istio facilitates encryption of traffic between pods using mutual TLS (mTLS). At core, Citadel is responsible for traffic encryption. Peer authentication policies define the mutual TLS mode enforced by Istio on target workloads ensuring secure communication within the service mesh. 

Following policy allow mTLS strict for all workload under namespace dev but leaving mTLs optional (both mTLS & plaintext) for connection to port 8080 for workload loki

apiVersion: security.istio.io/v1beta1 
kind: PeerAuthentication 
metadata: 
  name: default 
  namespace: dev 
spec: 
  mtls: 
    mode: STRICT 
--- 
apiVersion: security.istio.io/v1beta1 
kind: PeerAuthentication 
metadata: 
  name: loki 
  namespace: dev 
spec: 
  mtls: 
    mode: STRICT 
  portLevelMtls: 
    "8080": 
      mode: PERMISSIVE 
  selector: 
    matchLabels: 
      app: loki


Istio’s traffic management model depends on the Envoy proxies that get deployed along with services. Injection of Envoy proxy instances to pods in namespace is done using below command –

kubectl label namespace ${ENV_NAME} istio-injection=enabled –overwrite

Once Istio-proxy sidecar container is deployed in the Istio enabled pods, Istio configures iptables rules in the pod’s network namespace to redirect traffic to sidecar proxies which implements mutual TLS.

Leveraging Istio’s inbuilt capabilities we can introduce tailored traffic configurations through its traffic management API. At core, component of Control Plane, Pilot is responsible for traffic management which uses the Envoy API to communicate with the Envoy sidecar.

With Istio Traffic Management there are infinite scenarios and use cases. Below emphasize n/w isolation for outbound traffic & external facing endpoints i.e.: controlling egress HTTPS traffic from Istio enabled K8s workloads and securing service-to-service communication using Istio traffic management API resources mainly focusing on the Sidecar and Service Entry. 

Also read: Explore DDoS Attack Mitigation Techniques: Safeguard Your Network

Sidecar – [Pod Level Isolation] 

By default, Istio configures envoy proxies to accept all incoming and outgoing traffic between pods. Sidecar configuration limits the reachability of services and fine-tune the set of ports and protocols that an Envoy proxy can accept. Sidecar configuration can be applied to all workloads in a particular namespace or to specific workloads using a workload Selector. 

In the Following example Isolation is applied to pod level based on workload selector labels specifying which hosts the services within the selected workloads are allowed to communicate with. 

apiVersion: networking.istio.io/v1alpha3 
kind: Sidecar 
metadata: 
  name: service-sidecar 
  namespace: dev 
spec: 
  workloadSelector: 
    labels: 
     app: serviceName   
  egress: 
  - hosts: 
    - "./aws.amazon.com" 
    - "./*.organization.com" 
  outboundTrafficPolicy: 
    mode: REGISTRY_ONLY

Adding “./*.<<namespace>>.svc.cluster.local” in hosts section will allow the pod to access any services within its own namespace in the Kubernetes cluster.

Modifying Outbound traffic policy to REGISTRY_ONLY, further enforces that only hosts defined with ServiceEntry resources are part of the mesh service registry and can be accessed to by sidecars of the mesh (pod)

ServiceEntry – [Service Mesh Level Isolation]

Istio maintains a service registry where all endpoint data is stored. Using this service registry, the Envoy proxies redirect traffic to the relevant services. ServiceEntry is used to add entry to the service registry. Configuring ServiceEntry allows us to manage traffic for services that are running outside of the mesh i.e.: whitelisting external endpoints. 

With meshConfig.outboundTrafficPolicy.mode flag set to REGISTRY_ONLY requiring external resources that pods should be able to access, are configured as ServiceEntry Objects which will control the outbound traffic i.e APIs that can be accessed by pods over HTTPS.

apiVersion: networking.istio.io/v1alpha3 
kind: ServiceEntry 
metadata: 
  name: ext-svc 
  namespace: dev 
spec: 
  hosts: 
  - aws.amazon.com 
  - *.atlassian.net 
  location: MESH_EXTERNAL 
  ports: 
  - name: https 
    number: 443 
    protocol: HTTPS 
  resolution: DNS

The above configuration ensures that services labeled with “app: serviceName” restricting egress HTTPS traffic and allowing outbound communication only to predetermined hosts. With DNS resolution, the sidecar proxy will ignore the original destination IP address and direct the traffic to specified hosts only after performing a DNS query to get an IP address of the host providing controlled access to external services.

When trying to access service which are not configured as ServiceEntry Objects will prohibit outbound traffic as shown below

kubectl exec -it pod-serviceName-bff85 -n dev --stdin --tty -- /bin/sh
$ curl https://polaris.synopsys.com
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to polaris.synopsys.com:443

In summary, the Sidecar configuration defines egress rules for outbound traffic, while the Service Entry configuration defines external services accessibility within the mesh. Both configurations play a vital role in controlling traffic within the Istio service mesh.

Conclusion

The setup provides a good defense mechanism by limiting traffic from pods to internal Kubernetes infrastructure and other Kubernetes workloads, thereby preventing lateral movement. Augmenting this with container hardening further strengthens security and minimizes potential breaches. Additionally, using Istio’s Virtual Service, Destination Rule, and Gateway together can effectively manage traffic i.e,: Virtual Service to control request routing along with Destination Rule to define policies for traffic to a service, and a Gateway to manage inbound traffic. 

Nonetheless, it’s essential to acknowledge that every setup has its own limitations, so it’s important to choose the best security measures to safeguard applications and mitigate the risk of security breaches in distributed environments based on architectural requirement.

Picture of Priyanka Baruah

Priyanka Baruah

Subscribe

Suggested Reading

Ready to Unlock Your Enterprise's Full Potential?