All Products
Search
Document Center

Alibaba Cloud Service Mesh:Use an authorization policy to control access traffic from services in an ASM instance to an external website

更新時間:Jan 05, 2024

Kubernetes allows you to use a NetworkPolicy object in a Kubernetes cluster to deny or allow access traffic from services in specific namespaces to specific external websites. However, the method of using a NetworkPolicy object implements only coarse-grained network isolation and cannot ensure application security or business security. The zero-trust security system of Service Mesh (ASM) allows you to dynamically configure authorization policies to control access traffic from services in a namespace to an external website. This helps reduce risks. This topic describes how to use an authorization policy to deny access traffic from all services in a namespace to an external website. The demo-frontend namespace and the aliyun.com external website are used in the example.

Prerequisites

Step 1: Create a test service

  1. Obtain the kubeconfig file of the cluster and use kubectl to connect to the cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

  2. Create a service named sleep in the demo-frontend namespace.

    1. Create a sleep.yaml file that contains the following content:

      Show the sleep.yaml file

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: sleep
      ---
      apiVersion: v1
      kind: Service
      metadata:
        name: sleep
        labels:
          app: sleep
          service: sleep
      spec:
        ports:
        - port: 80
          name: http
        selector:
          app: sleep
      ---
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: sleep
      spec:
        replicas: 1
        selector:
          matchLabels:
            app: sleep
        template:
          metadata:
            labels:
              app: sleep
          spec:
            terminationGracePeriodSeconds: 0
            serviceAccountName: sleep
            containers:
            - name: sleep
              image: curlimages/curl
              command: ["/bin/sleep", "3650d"]
              imagePullPolicy: IfNotPresent
              volumeMounts:
              - mountPath: /etc/sleep/tls
                name: secret-volume
            volumes:
            - name: secret-volume
              secret:
                secretName: sleep-secret
                optional: true
      ---
    2. Run the following commands to create the sleep service:

      kubectl apply -f sleep.yaml -n demo-frontend
  3. Verify that a sidecar proxy is injected into the sleep service.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

    3. In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list and click the pod name of the sleep service.

      On the Container tab, a sidecar proxy named istio-proxy is displayed. This indicates that a sidecar proxy is injected into the sleep service.

Step 2: Create an egress gateway

You can use an egress gateway to control access traffic from services in a Service Mesh instance to an external website. After you configure an authorization policy for an egress gateway, you can also specify conditions to control whether to allow access to an external website. In this example, the name of the egress gateway is set to egressgateway. For more information, see Create an egress gateway.

Step 3: Configure a policy for accessing external services

By default, services in an ASM instance are allowed to access all external services. To control access to a specific external website, set the Outbound Traffic Policy parameter to REGISTRY_ONLY for an ASM instance in the ASM console. In this case, external services that are not registered as service entries cannot be accessed by services in the Service Mesh instance.

  1. Configure a policy for accessing external services.

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Dataplane Component Management > Sidecar Proxy Setting.

    3. On the global tab, click Outbound Traffic Policy, set the Outbound Traffic Policy parameter to REGISTEY_ONLY, and then click Update Settings.

  2. Register the aliyun.com external website as a service entry.

    1. On the details page of the ASM instance, choose Cluster & Workload Management > External Service(ServiceEntry) in the left-side navigation pane. On the page that appears, click Create from YAML.

    2. On the Create page, select istio-system from the Namespace drop-down list and copy the following content to the code editor. Then, click Create.

      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: aliyuncom-ext
        namespace: istio-system
      spec:
        hosts:
          - www.aliyun.com  
        location: MESH_EXTERNAL
        ports:
          - name: http
            number: 80
            protocol: HTTP
          - name: tls
            number: 443
            protocol: TLS
        resolution: DNS

Step 4: Create a traffic policy

Create an Istio gateway, a destination rule, and a virtual service to route traffic from the demo-frontend namespace to the egress gateway and then to the specific external website.

  1. Create an Istio gateway in the istio-system namespace by using the following YAML code. For more information, see Manage Istio gateways.

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: istio-egressgateway
      namespace: istio-system
    spec:
      selector:
        istio: egressgateway
      servers:
        - port:
            number: 80
            name: http
            protocol: HTTPS
          tls:
            mode: ISTIO_MUTUAL
          hosts:
            - '*'

    In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mutual Transport Layer Security (mTLS) authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.

  2. Create a destination rule in the demo-frontend namespace by using the following YAML code. For more information, see Manage destination rules.

    apiVersion: networking.istio.io/v1beta1
    kind: DestinationRule
    metadata:
      name: target-egress-gateway
      namespace: demo-frontend
    spec:
      host: istio-egressgateway.istio-system.svc.cluster.local
      subsets:
        - name: target-egress-gateway-mTLS
          trafficPolicy:
            loadBalancer:
              simple: ROUND_ROBIN
            tls:
              mode: ISTIO_MUTUAL

    In the preceding code, the mode parameter is set to ISTIO_MUTUAL. This means that mTLS authentication is enabled. In this case, services in an ASM instance must pass TLS authentication before they can access external websites.

  3. Create a virtual service in the demo-frontend namespace by using the following YAML code. For more information, see Manage virtual services.

    Show the YAML code of the virtual service

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: example-com-through-egress-gateway
      namespace: demo-frontend
    spec:
      exportTo:
        - istio-system
        - demo-frontend
      gateways:
        - mesh
        - istio-system/istio-egressgateway
      hosts:
        - www.aliyun.com
      http:
        - match:
            - gateways:
                - mesh
              port: 80
          route:
            - destination:
                host: istio-egressgateway.istio-system.svc.cluster.local
                port:
                  number: 80
                subset: target-egress-gateway-mTLS
              weight: 100
        - match:
            - gateways:
                - istio-system/istio-egressgateway
              port: 80
          route:
            - destination:
                host: www.aliyun.com
                port:
                  number: 80
              weight: 100

    In the http section in the preceding code, two matching rules are configured.

    • In the first matching rule, the gateways parameter is set to mesh. This indicates that the first matching rule applies to the sidecar proxy injected into the demo-frontend namespace and the first matching rule is used to route traffic from the demo-frontend namespace to the egress gateway.

    • In the second matching rule, the gateways parameter is set to istio-system/istio-egressgateway. This indicates that the second matching rule is used to route traffic from the egress gateway to the external services that are registered.

Step 5: Create an authorization policy

In the demo-frontend namespace, create an authorization policy that allows the egressgateway egress gateway to deny access traffic from the demo-frontend namespace.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > AuthorizationPolicy. On the page that appears, click Create.

  3. On the Create page, set the parameters described in the following table, and then click Create.

    Parameter

    Description

    Name

    The name of the authorization policy.

    Policy Type

    The authorization action. In this example, this parameter is set to DENY.

    ASM Gateway

    The gateway on which the authorization policy takes effect. In this example, the ASM Gateway parameter on the Gateway Scope tab is set to egressgateway.

    Request Matching Rules

    In this example, Namespaces is turned on in the Add Request Source section and the value is set to demo-frontend.

Step 6: Verify that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Workloads > Pods in the left-side navigation pane.

  3. In the upper part of the Pods page, select demo-frontend from the Namespace drop-down list. Find the pod name of the sleep service and click Terminal > sleep in the Actions column.

  4. Run the following command to access the aliyun.com external website:

    curl -I http://www.aliyun.com

    Expected output:

    HTTP/1.1 403 Forbidden
    content-length: 19
    content-type: text/plain
    date: Thu, 12 Oct 2023 07:14:09 GMT
    server: envoy
    x-envoy-upstream-service-time: 4

    The 403 error is returned, which indicates that services in the demo-frontend namespace fail to access the aliyun.com external website. The test results indicate that the authorization policy can be used to deny access traffic from services in the demo-frontend namespace to the external website.