To implement fine-grained control over service-to-service TCP requests, you can configure authorization policies for TCP requests to manage service interaction permissions. This guarantees that only authorized requests can access a specific service and improves service security and reliability.
Prerequisites
Istio resources are defined. For more information, see Use Istio resources to route traffic to different versions of a service.
The foo namespace is created and sidecar proxies are injected. For more information, see Create a namespace and Enable automatic sidecar proxy injection.
Step 1: Deploy sample applications
Deploy the tcp-echo application as the TCP service that receives requests and the sleep application as the TCP service that sends requests.
Deploy a TCP service to receive requests.
Create a tcp-echo.yaml file that contains the following content.
After tcp-echo receives a request, it prefixes the request content with "hello" and returns the prefixed content as the response. For example, if tcp-echo receives "world", it returns "hello world".
Use kubectl to connect to the cluster. Run the following command to deploy the tcp-echo service as a TCP service to receive requests in the foo namespace.
For more information about how to use kubectl to connect to the cluster, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
kubectl apply -f tcp-echo.yaml -n foo
Deploy a TCP service to send requests.
Create a sleep.yaml file that contains the following content:
Run the following command to deploy the sleep service in the foo namespace to send TCP requests:
kubectl apply -f sleep.yaml -n foo
Step 2: Check whether the tcp-echo service can be requested as expected before an authorization policy is configured
Run the following command to check whether a request from the sleep service can access the tcp-echo service over port 9000:
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
Expected output:
hello port 9000
connection succeeded
The output indicates that the request from the sleep service can access the tcp-echo service over port 9000.
Run the following command to check whether a request from the sleep service can access the tcp-echo service over port 9001:
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
Expected output:
hello port 9001
connection succeeded
The output indicates that the request from the sleep service can access the tcp-echo service over port 9001.
Step 3: Configure an authorization policy
Perform the following steps to configure an authorization policy to allow TCP requests to access the tcp-echo service over port 9000:
Log on to the ASM console. In the left-side navigation pane, choose .
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose .
Create an authorization policy by using one of the following methods:
Important: When you configure an authorization policy for TCP requests, do not turn on the Methods switch in the Add Request Target section. This switch applies only to HTTP requests, not to TCP requests. An ALLOW rule that is set by using this switch for TCP requests is invalid, and Service Mesh ignores invalid ALLOW rules. Therefore, if you turn on this switch for TCP requests, the TCP requests are rejected and "connection rejected" is returned.
Method 1: Use YAML to create an authorization policy
On the AuthorizationPolicy page, click Create from YAML.
On the Create page, select foo from the Namespace drop-down list, select a template, copy the following content to the YAML code editor, and then click Create.
kind: AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
metadata:
  name: demo
  namespace: foo
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - '9000'
Method 2: Use the graphical user interface (GUI) to create an authorization policy
On the AuthorizationPolicy page, click Create.
On the Create page, set the parameters and click Create.
Name: The name of the authorization policy. In this example, the value is set to demo.
Policy Type: The authorization action. In this example, the value is set to ALLOW.
Namespace: The namespace in which you want to create the authorization policy. In this example, the Namespace parameter on the Workload Scope tab is set to foo.
Effective Scope: The effective scope of the authorization policy. In this example, the value is set to Namespace Scope.
Request Matching Rules: The request matching rule of the authorization policy. In this example, Ports is turned on in the Add Request Target section and the value is set to 9000.
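As an added example (not from this page or from ASM), the following POSIX shell lint catches the mistake the note above warns about before a policy is applied: it flags HTTP-only attributes in an AuthorizationPolicy meant for TCP ports, and reports which ports a policy actually allows. The two sample policies and the function names are constructed for this example; GOOD_POLICY mirrors the page's port-9000 rule.

```shell
# Added example, not from the page or from ASM. Sample policies are constructed here:
# GOOD_POLICY mirrors the page's port-9000 ALLOW rule; BAD_POLICY adds an HTTP-only field.
GOOD_POLICY='kind: AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
metadata:
  name: demo
  namespace: foo
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        ports:
        - "9000"'
BAD_POLICY="$GOOD_POLICY
        methods:
        - \"GET\""

# Return 0 if the policy uses no HTTP-only attributes, 1 otherwise (hits go to stderr).
# Istio treats hosts/methods/paths, requestPrincipals and request.headers / request.auth.*
# conditions as HTTP-only; an ALLOW rule carrying them is invalid for TCP ports.
check_tcp_policy() {
  hits=$(printf '%s\n' "$1" | grep -nE \
    '^[[:space:]]*(hosts|notHosts|methods|notMethods|paths|notPaths|requestPrincipals|notRequestPrincipals):|key:[[:space:]]*request\.(headers|auth)' \
    || true)
  if [ -n "$hits" ]; then
    printf 'HTTP-only attribute(s) in a TCP policy (rule is ignored, TCP denied):\n%s\n' "$hits" >&2
    return 1
  fi
  return 0
}

# Return 0 if the port appears in any operation.ports list of the policy, 1 otherwise.
port_allowed() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /^[[:space:]]*ports:/       { inports = 1; next }
    inports && /^[[:space:]]*-/ { p = $0; gsub(/[^0-9]/, "", p); if (p == want) found = 1; next }
                                { inports = 0 }
    END                         { if (found) exit 0; exit 1 }'
}

# Stand-alone run: lint both policies, then show what the good one allows for the page's two ports.
for name in GOOD_POLICY BAD_POLICY; do
  eval "policy=\$$name"
  if check_tcp_policy "$policy"; then echo "$name: ok for TCP"; else echo "$name: rejected"; fi
done
for port in 9000 9001; do
  if port_allowed "$GOOD_POLICY" "$port"; then echo "port $port: allowed"; else echo "port $port: denied"; fi
done
```

Run the lint on a policy file with `check_tcp_policy "$(cat policy.yaml)"` before `kubectl apply`; a non-zero exit means the rule would be ignored for TCP traffic.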
Step 4: Check whether the authorization policy that you created takes effect
Run the following command to check whether a request from the sleep service can access the tcp-echo service over port 9001:
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9001" | nc tcp-echo 9001' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
Expected output:
connection rejected
The output indicates that the request from the sleep service fails to access the tcp-echo service over port 9001: once an ALLOW policy exists for the workload, a request that matches none of its rules is denied.
Run the following command to check whether a request from the sleep service can access the tcp-echo service over port 9000:
kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- sh -c 'echo "port 9000" | nc tcp-echo 9000' | grep "hello" && echo 'connection succeeded' || echo 'connection rejected'
Expected output:
hello port 9000
connection succeeded
The output indicates that the request from the sleep service can access the tcp-echo service over port 9000.
References
An improperly configured authorization policy may deny or allow access unexpectedly. You can run ASM authorization policies in trial mode to check, based on logs, whether the results of the policies meet your expectations. If not, adjust the policies until the results are as expected, then disable the trial mode to make the policies take effect. For more information, see Run an ASM authorization policy in trial mode.
For more information about how to implement fine-grained control over service-to-service HTTP requests, see Configure authorization policies for HTTP requests.
For more information about how to control access traffic from services in an ASM instance to external services, see Use an authorization policy to control access traffic from services in an ASM instance to an external website and Use an authorization policy to control access traffic from services in an ASM instance to an external database.
You can customize the content of access logs of an ASM gateway to detect potential security risks in a timely manner. For more information, see Configure the features of generating and collecting the access logs of an ASM gateway.
You can enable the mesh audit feature to record or trace the daily operations of different users. You can also configure audit alerts for operations on ASM resources and send alert notifications to alert contacts in a timely manner when important resources change. For more information, see Use the KubeAPI operation audit feature in ASM and Configure audit alerts for operations on ASM resources.