Using Istio to block incoming connections from ANY to a service


Trying to find the best way for blocking any connection from the internet to a k8s service using Istio.

What would be the best choice from Istio's policies?

  - Mixer - denials or lists
  - Pilot - route-rules - such as injecting abort fault (400) OR destination-policy - such as circuit-breaking (max connection 0???)

Tried all the above but nothing is working, and a few of them are not very intuitive to configure (and not well documented).

I'd appreciate it if a working example could be attached.

The following is an example of injecting an HTTP fault policy.

destination: "ratings.default.svc.cluster.local"
route:
- tags:
    version:
httpFault:
  abort:
    percent: 100
    httpStatus: 400

First, Istio asks for a "type":

Error: Istio doesn't have configuration type , the types are destination-policy, ingress-rule, route-rule

After adding the type manually:

type: route-rule
destination: "ratings.default.svc.cluster.local"
route:
- tags:
    version:
httpFault:
  abort:
    percent: 100
    httpStatus: 400

It shouts about the method:

I0914 17:44:32.417839 1003 request.go:991] Response Body: 405: Method Not Allowed Error: the server does not allow this method on the requested resource

Thanks

4

There are 4 answers

0
Zvika On BEST ANSWER

Found out that Istio's route-rules apply only when both of the connection's endpoints (client pod and server pod) are equipped with Envoys.

This is by itself something that should be further investigated as it doesn't make any sense.

Traffic coming from outside of the cluster indeed needs to be controlled by ingress.

3
Laurent Demailly On

The easiest way should be to just have istio auth on and no ingress in your configuration.

That way you get 2 layers of protection:

  1. your services are not routable (no external IPs)

  and

  2. even if internet traffic does somehow manage to hit your services, the traffic will get rejected as it doesn't provide the istio service CERT/signed by your istio CA

0
Frank B On

If you are just trying to block external traffic to your service, then route rules (fault injection) are not the right way. You should instead block it by not exposing it in your ingress. https://istio.io/v-0.1/docs/tasks/ingress.html

That said, the reason you were getting errors when trying to set a route-rule is that your yaml format is wrong. Something like this is what the istioctl command expects:

type: route-rule
name: ratings-block
spec:
  destination: "ratings.default.svc.cluster.local"
  route:
  - tags:
      version: v1
  httpFault:
    abort:
      percent: 100
      httpStatus: 400

See examples here: https://istio.io/v-0.1/docs/tasks/request-routing.html
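A rule that is rejected by istioctl, as in the question, leaves the service exactly as reachable as before, so it is worth linting the file before applying it. The following is an added example, not code from Istio or from any of the answers: a minimal parser for the indentation-based YAML subset these rules use (with PyYAML installed, `yaml.safe_load` can replace `parse_rule`), plus a shape check that mirrors the two errors on this page: the allowed types are the three named in the "Istio doesn't have configuration type" message, and the `type` / `name` / `spec` layout is the one in the corrected snippet above. The value-range checks on `percent` and `httpStatus` are this example's own assumptions about sensible values, not istioctl's actual validation logic. Both sample documents are constructed from the YAML on this page.

```python
# Added example: lint an Istio 0.1-style rule file before applying it.
# The parser below handles only the subset used by these rules
# (maps, lists of maps, quoted/unquoted/integer scalars, empty values).

KNOWN_TYPES = ("destination-policy", "ingress-rule", "route-rule")  # from the error text on this page

# Constructed sample 1: the question's YAML (no type, no name, no spec wrapper).
QUESTION_RULE = """\
destination: "ratings.default.svc.cluster.local"
route:
- tags:
    version:
httpFault:
  abort:
    percent: 100
    httpStatus: 400
"""

# Constructed sample 2: the corrected layout shown in the answer above.
FIXED_RULE = """\
type: route-rule
name: ratings-block
spec:
  destination: "ratings.default.svc.cluster.local"
  route:
  - tags:
      version: v1
  httpFault:
    abort:
      percent: 100
      httpStatus: 400
"""


def _tokenize(text):
    """Return [(indent, content)] for every non-blank line."""
    out = []
    for raw in text.splitlines():
        if raw.strip():
            stripped = raw.lstrip(" ")
            out.append((len(raw) - len(stripped), stripped))
    return out


def _scalar(s):
    """Turn the text after 'key:' into None, an int, or a (possibly quoted) string."""
    s = s.strip()
    if s == "":
        return None
    if len(s) >= 2 and s[0] in "\"'" and s[-1] == s[0]:
        return s[1:-1]
    try:
        return int(s)
    except ValueError:
        return s


def _parse_block(lines, i, indent):
    """Parse the block starting at lines[i], whose entries sit at `indent`."""
    if lines[i][1].startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_map(lines, i, indent)


def _parse_map(lines, i, indent):
    result = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        if rest.strip():
            result[key.strip()] = _scalar(rest)
            continue
        # A nested block is either indented deeper, or a list at the same indent
        # (YAML allows "- item" to sit level with its parent key, as in the question).
        if i < len(lines) and (lines[i][0] > indent or
                               (lines[i][0] == indent and lines[i][1].startswith("- "))):
            result[key.strip()], i = _parse_block(lines, i, lines[i][0])
        else:
            result[key.strip()] = None  # "version:" with nothing after it
    return result, i


def _parse_list(lines, i, indent):
    items = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        # Treat "- key: value" as a map entry indented by two, then parse that map.
        lines[i] = (indent + 2, lines[i][1][2:])
        value, i = _parse_block(lines, i, indent + 2)
        items.append(value)
    return items, i


def parse_rule(text):
    lines = _tokenize(text)
    if not lines:
        return {}
    value, _ = _parse_block(lines, 0, lines[0][0])
    return value


def validate_rule(doc):
    """Return a list of problems; an empty list means the file has the expected shape."""
    problems = []
    rule_type = doc.get("type")
    if rule_type not in KNOWN_TYPES:
        problems.append("Istio doesn't have configuration type %s, the types are %s"
                        % (rule_type or "", ", ".join(KNOWN_TYPES)))
    if not doc.get("name"):
        problems.append("missing 'name'")
    spec = doc.get("spec")
    if not isinstance(spec, dict):
        problems.append("missing 'spec' block; destination/route/httpFault belong under it")
        return problems
    if not spec.get("destination"):
        problems.append("spec.destination is required")
    for idx, hop in enumerate(spec.get("route") or []):
        for tag, value in ((hop or {}).get("tags") or {}).items():
            if value is None:
                problems.append("spec.route[%d].tags.%s has no value" % (idx, tag))
    abort = (spec.get("httpFault") or {}).get("abort")
    if abort is not None:  # assumed sanity ranges, not istioctl's own checks
        pct = abort.get("percent")
        if not isinstance(pct, int) or not 0 <= pct <= 100:
            problems.append("httpFault.abort.percent must be an integer 0-100")
        status = abort.get("httpStatus")
        if not isinstance(status, int) or not 200 <= status <= 599:
            problems.append("httpFault.abort.httpStatus must be an HTTP status code")
    return problems


def lint(text):
    return validate_rule(parse_rule(text))


if __name__ == "__main__":
    for label, text in (("question", QUESTION_RULE), ("fixed", FIXED_RULE)):
        print(label, lint(text) or "OK")
```

Run as a script it reports the missing type, name and spec wrapper for the question's file and "OK" for the corrected one; point `lint` at your own rule file before handing it to istioctl.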

0
Joy Zhang On

Istio has a concept of inside/outside of the mesh. Every service inside the mesh has a sidecar proxy, and their traffic is subject to route-rules. Everything coming from outside the mesh needs to go through Ingress. Ingress itself is a mesh service (a proxy).