-
Openshift 3.10 cluster
-
Istio 1.0.x installed on the aforementioned cluster using the Istio Operator.
-
Follow these instructions for more information about the Operator
-
-
Login to the cluster with the admin user
Create a new project/namespace on the cluster. This is where your application will be deployed.
oc new-project <whatever valid project name you want>
In OpenShift each service account must be granted permissions with the anyuid and privileged Security Context Constraints (SCC) to enable the sidecars to run correctly.
oc adm policy add-scc-to-user anyuid -z default -n <whatever valid project name you want>
oc adm policy add-scc-to-user privileged -z default -n <whatever valid project name you want>
Istio security greeting service runs with sa-greeting
account.
oc adm policy add-scc-to-user anyuid -z sa-greeting -n <whatever valid project name you want>
oc adm policy add-scc-to-user privileged -z sa-greeting -n <whatever valid project name you want>
Execute the following command to build the project and deploy it to OpenShift:
mvn clean fabric8:deploy -Popenshift
Configuration for FMP may be found both in pom.xml and src/main/fabric8
files/folders.
This configuration is used to define service names and deployments that control how pods are labeled/versioned on the OpenShift cluster.
Run the following commands to apply and execute the OpenShift templates that will configure and deploy the applications:
find . | grep openshiftio | grep application | xargs -n 1 oc apply -f
oc new-app --template=spring-boot-istio-security-name -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/istio-security-example -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-name
oc new-app --template=spring-boot-istio-security-greeting -p SOURCE_REPOSITORY_URL=https://github.com/snowdrop/istio-security-example -p SOURCE_REPOSITORY_REF=master -p SOURCE_REPOSITORY_DIR=spring-boot-istio-security-greeting
This application uses v1alpha3 routing API. Execute the following command to configure gateway and virtual service:
oc apply -f rules/gateway.yml
This scenario demonstrates a mutual transport level security between the services.
-
Open the example’s web page via Istio gateway route
echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/
-
"Hello, World!" should be returned after invoking
greeting
service. -
Now modify greeting deployment to disable sidecar injection by replacing both
sidecar.istio.io/inject
values tofalse
oc edit deploymentconfigs/spring-boot-istio-security-greeting
-
Open the example’s web page via
greeting
service’s routeecho http://$(oc get route spring-boot-istio-security-greeting -o jsonpath='{.spec.host}{"\n"}' -n $(oc project -q))/
-
Greeting
service invocation will fail with a reset connection, because thegreeting
service has to be inside a service mesh in order to access thename
service. -
Cleanup by setting
sidecar.istio.io/inject
values to trueoc edit deploymentconfigs/spring-boot-istio-security-greeting
This scenario demonstrates access control when using mutual TLS. In order to access a name service, calling service has to have a specific label and service account name.
-
Open the example’s web page via Istio gateway route
echo http://$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}{"\n"}' -n istio-system)/
-
"Hello, World!" should be returned after invoking
greeting
service. -
Configure Istio Mixer to block
greeting
service from accessingname
serviceoc apply -f rules/block-greeting-service.yml
-
Greeting
service invocations to thename
service will be forbidden. -
Configure Istio Mixer to only allow requests from
greeting
service and withsa-greeting
service account to accessname
serviceoc apply -f <(sed -e "s/TARGET_NAMESPACE/$(oc project -q)/g" rules/require-service-account-and-label.yml)
-
"Hello, World!" should be returned after invoking
greeting
service. -
Cleanup
oc delete -f rules/require-service-account-and-label.yml