Kubernetes allows you to use a NetworkPolicy object in a Kubernetes cluster to deny or allow access traffic from services in specific namespaces to specific external websites. However, the method of using a NetworkPolicy object implements only coarse-grained network isolation and cannot ensure application security or business security. The zero-trust security system of Service Mesh (ASM) allows you to dynamically configure authorization policies to control access traffic from services in a namespace to an external website. This helps reduce risks. This topic describes how to use an authorization policy to deny access traffic from all services in a namespace to an external website. The demo-frontend namespace and the aliyun.com external website are used in the example.
Prerequisites
The cluster is added to the ASM instance. For more information, see Add a cluster to an ASM instance.
A namespace named demo-frontend is created and automatic sidecar proxy injection is enabled for the namespace. For more information, see Manage global namespaces.
Step 1: Create a test service
Obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Create a service named sleep in the demo-frontend namespace.
Create a sleep.yaml file that contains the following content:
Run the following commands to create the sleep service:
kubectl apply -f sleep.yaml -n demo-frontend
Verify that a sidecar proxy is injected into the sleep service.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list and click the pod name of the sleep service.
On the Container tab, a sidecar proxy named istio-proxy is displayed. This indicates that a sidecar proxy is injected into the sleep service.
Step 2: Create an egress gateway
You can use an egress gateway to control access traffic from services in a Service Mesh instance to an external website. After you configure an authorization policy for an egress gateway, you can also specify conditions to control whether to allow access to an external website. In this example, the name of the egress gateway is set to egressgateway. For more information, see Create an egress gateway.
Step 3: Configure a policy for accessing external services
By default, services in an ASM instance are allowed to access all external services. To control access to a specific external website, set the Outbound Traffic Policy parameter to REGISTRY_ONLY for an ASM instance in the ASM console. In this case, external services that are not registered as service entries cannot be accessed by services in the Service Mesh instance.
Configure a policy for accessing external services.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
On the global tab, click Outbound Traffic Policy, set the Outbound Traffic Policy parameter to REGISTRY_ONLY, and then click Update Settings.
Register the aliyun.com external website as a service entry.
On the details page of the ASM instance, choose in the left-side navigation pane. On the page that appears, click Create from YAML.
On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: aliyuncom-ext
  namespace: istio-system
spec:
  hosts:
  - www.aliyun.com
  location: MESH_EXTERNAL
  ports:
  - name: http
    number: 80
    protocol: HTTP
  - name: tls
    number: 443
    protocol: TLS
  resolution: DNS
Step 4: Create a traffic policy
Create an Istio gateway, a destination rule, and a virtual service to route traffic from the demo-frontend namespace to the egress gateway and then to the specific external website.
Create an Istio gateway in the istio-system namespace by using the following YAML code. For more information, see Manage Istio gateways.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: istio-egressgateway
  namespace: istio-system
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTPS
    tls:
      mode: ISTIO_MUTUAL
    hosts:
    - '*'
In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mutual Transport Layer Security (mTLS) authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.
Create a destination rule in the demo-frontend namespace by using the following YAML code. For more information, see Manage destination rules.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: target-egress-gateway
  namespace: demo-frontend
spec:
  host: istio-egressgateway.istio-system.svc.cluster.local
  subsets:
  - name: target-egress-gateway-mTLS
    trafficPolicy:
      loadBalancer:
        simple: ROUND_ROBIN
      tls:
        mode: ISTIO_MUTUAL
In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mTLS authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.
Create a virtual service in the demo-frontend namespace by using the following YAML code. For more information, see Manage virtual services.
In the http section in the preceding code, two matching rules are configured. In the first matching rule, the gateways parameter is set to mesh. This indicates that the first matching rule applies to the sidecar proxies injected into the demo-frontend namespace and is used to route traffic from the demo-frontend namespace to the egress gateway. In the second matching rule, the gateways parameter is set to istio-system/istio-egressgateway. This indicates that the second matching rule is used to route traffic from the egress gateway to the registered external services.
Step 5: Create an authorization policy
Create an authorization policy that takes effect on the egressgateway egress gateway and denies access traffic that originates from the demo-frontend namespace.
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose . On the page that appears, click Create.
On the Create page, set the parameters described in the following table, and then click Create.
Parameter: Description
Name: The name of the authorization policy.
Policy Type: The authorization action. In this example, this parameter is set to DENY.
ASM Gateway: The gateway on which the authorization policy takes effect. In this example, the ASM Gateway parameter on the Gateway Scope tab is set to egressgateway.
Request Matching Rules: In this example, Namespaces is turned on in the Add Request Source section and the value is set to demo-frontend.
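The policy that Step 5 configures in the console, written as the equivalent Istio AuthorizationPolicy resource. This is an added example, not YAML from the page or from ASM. The policy name is assumed, and the policy is placed in istio-system (not demo-frontend) because a workload selector only matches pods in the policy's own namespace, and the egress gateway pods carrying the istio: egressgateway label selected by the Gateway in Step 4 run there.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-demo-frontend-egress   # assumed name
  namespace: istio-system           # namespace of the egress gateway pods, see lead-in
spec:
  # Apply the policy to the egress gateway workload only, matching the
  # "Gateway Scope: egressgateway" setting in the console.
  selector:
    matchLabels:
      istio: egressgateway
  # Policy Type: DENY. A DENY policy is evaluated before any ALLOW policy,
  # so a matching request is rejected with HTTP 403 regardless of other policies.
  action: DENY
  rules:
  # Request Matching Rules: request source namespace is demo-frontend.
  # The source namespace is derived from the client's SPIFFE identity in the
  # peer certificate, so this rule only works on an mTLS hop, which the
  # ISTIO_MUTUAL settings of the Gateway and DestinationRule in Step 4 provide.
  - from:
    - source:
        namespaces:
        - demo-frontend
```

Requests that reach the egress gateway without mTLS carry no peer identity, so a namespace-based source rule cannot match them; keep the Step 4 ISTIO_MUTUAL configuration in place when relying on this policy.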
Step 6: Verify that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster that you want to manage and choose in the left-side navigation pane.
In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list. Find the pod name of the sleep service and click in the Actions column.
Run the following command to access the aliyun.com external website:
curl -I http://www.aliyun.com
Expected output:
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Thu, 12 Oct 2023 07:14:09 GMT
server: envoy
x-envoy-upstream-service-time: 4
The 403 error is returned, which indicates that services in the demo-frontend namespace cannot access the aliyun.com external website. The test results indicate that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website.