@danehans
Last active August 1, 2018 19:01
CT640: SEC-HTP-SSL3-3: Support TLS for HTTP

Introduction

Istio supports Mutual TLS (mTLS), which is documented here. This document provides instructions for testing Istio mTLS. It uses the bookinfo application and ssldump to verify that mTLS is being used for network communication between application services. The bookinfo application consists of multiple services; please review this diagram to better understand the service-to-service communication used for Istio mTLS validation.

Prerequisites

  1. Access to a v1.9 or newer Kubernetes cluster for running Istio.
  2. Install ssldump, kubectl and helm, and obtain a credential file for accessing the Kubernetes cluster where Istio will run.
  3. Install Istio v1.0 using Helm.
  4. Customize the installation to enable control-plane mTLS by setting the following Helm parameter:
    --set global.controlPlaneSecurityEnabled=true
    
  5. Customize the installation to enable data-plane mTLS by setting the following Helm parameter:
    --set global.mtls.enabled=true
    

You can verify that control-plane and data-plane mTLS are enabled by viewing the istio configmap details:

$ kubectl get cm/istio -n istio-system -o yaml | grep MUTUAL_TLS
    authPolicy: MUTUAL_TLS
      controlPlaneAuthPolicy: MUTUAL_TLS

mTLS Validation

Get the Host IP of the Istio Ingress Gateway:

$ export INGRESS_HOST=$(kubectl get po -l istio=ingressgateway -n istio-system -o 'jsonpath={.items[0].status.hostIP}')

$ echo $INGRESS_HOST
10.10.159.95

Get the port number used to expose the bookinfo productpage outside of the Istio mesh:

$ export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

$ echo $INGRESS_PORT
31380

Test connectivity from a host outside of the Istio mesh to the productpage gateway:

$ curl -I http://$INGRESS_HOST:$INGRESS_PORT/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5719
server: envoy
date: Wed, 01 Aug 2018 16:10:48 GMT
x-envoy-upstream-service-time: 71

You should receive a 200 HTTP status code. This indicates that the bookinfo application is operating properly.

As depicted in this diagram, the productpage pod communicates with the details pod. From a separate terminal, get the IPs of both pods; they will be used to read the ssldump decode:

# productpage pod
$ kubectl get po -l app=productpage -o 'jsonpath={.items[0].status.podIP}'
192.168.2.140

# details pod
$ kubectl get po -l app=details -o 'jsonpath={.items[0].status.podIP}'
192.168.3.102

Run ssldump on the host of the productpage pod to verify that network traffic between the productpage pod and the details pod uses TLS. First, get the IP of the host running the productpage pod:

$ kubectl get po -l app=productpage -o 'jsonpath={.items[0].status.hostIP}'
10.10.159.82

SSH to the host:

ssh <user>@10.10.159.82

Verify that the productpage pod and its associated Istio sidecar proxy are running:

sudo docker ps | grep productpage
b7f4f40ea3f2        f2e16d78e5ee                 "/usr/local/bin/pi..."   19 hours ago        Up 19 hours                             k8s_istio-proxy_productpage-v1-f8c8fb8-g5ddj_default_b3c84127-9505-11e8-9b06-00505693d532_0
02c1cd5da20d        a151027e867a                 "/bin/sh -c 'pytho..."   19 hours ago        Up 19 hours                             k8s_productpage_productpage-v1-f8c8fb8-g5ddj_default_b3c84127-9505-11e8-9b06-00505693d532_0
a7beca04cd8e        k8s.gcr.io/pause-amd64:3.1   "/pause"                 19 hours ago        Up 19 hours                             k8s_POD_productpage-v1-f8c8fb8-g5ddj_default_b3c84127-9505-11e8-9b06-00505693d532_0

Note: Container a7beca04cd8e is the pause container that Kubernetes instantiates to set up pod networking.

Run ssldump to observe the traffic from the productpage pod to the details pod (the bookinfo services listen on port 9080):

$ sudo ssldump port 9080

Return to the terminal used to initially verify operation of the bookinfo application and rerun the curl command:

$ curl -I http://$INGRESS_HOST:$INGRESS_PORT/productpage
HTTP/1.1 200 OK
content-type: text/html; charset=utf-8
content-length: 5719
server: envoy
date: Wed, 01 Aug 2018 16:10:48 GMT
x-envoy-upstream-service-time: 71

Go back to the terminal running the ssldump command and view the TLS handshake between the productpage and details pods. The CertificateRequest sent by the details side (S>C) shows the server asking the productpage client to present its own certificate, which is what distinguishes mutual TLS from one-way TLS.

New TCP connection #1: 192.168.2.140(43240) <-> 192.168.3.102(9080)
1 1  0.0003 (0.0003)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        Unknown value 0xc02b
        Unknown value 0xcca9
        Unknown value 0xc02f
        Unknown value 0xcca8
        Unknown value 0xc009
        Unknown value 0xc013
        Unknown value 0x9c
        TLS_RSA_WITH_AES_128_CBC_SHA
        Unknown value 0xc02c
        Unknown value 0xc030
        Unknown value 0xc00a
        Unknown value 0xc014
        Unknown value 0x9d
        TLS_RSA_WITH_AES_256_CBC_SHA
        compression methods
                  NULL
1 2  0.0021 (0.0017)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[0]=

        cipherSuite         Unknown value 0xc02f
        compressionMethod                   NULL
1 3  0.0021 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0021 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.0021 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
Segmentation fault (core dumped)

You can repeat these steps to verify TLS between other bookinfo pods or between Istio control-plane components.
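The ssldump build used above prints most of the offered cipher suites as "Unknown value 0x...", and the capture ends before the client's own Certificate message is seen. The following script, added here as an example and not part of the gist, parses an ssldump handshake transcript in the layout shown above, maps the unknown suite IDs to their IANA names, and reports whether the handshake carries the markers of mutual TLS. The embedded transcript is a constructed, trimmed copy of the capture above; the record-line and connection-line regular expressions are assumptions about ssldump's text format based on that capture.

```python
"""Interpret an ssldump handshake transcript for evidence of mutual TLS."""
import re

# IANA names for the suite IDs this ssldump build reports as "Unknown value".
CIPHER_SUITES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
TLS_VERSIONS = {"3.0": "SSL 3.0", "3.1": "TLS 1.0", "3.2": "TLS 1.1", "3.3": "TLS 1.2"}

# Assumed ssldump line layouts, taken from the capture in the gist.
CONN_RE = re.compile(r"^New TCP connection #(\d+): (\S+) <-> (\S+)")
RECORD_RE = re.compile(r"^(\d+) (\d+)\s+[\d.]+ \([\d.]+\)\s+(C>S|S>C)\s+(\w+)")

# Constructed sample: a trimmed copy of the handshake shown above.
SAMPLE = """New TCP connection #1: 192.168.2.140(43240) <-> 192.168.3.102(9080)
1 1  0.0003 (0.0003)  C>S  Handshake
      ClientHello
        Version 3.3
        cipher suites
        Unknown value 0xc02b
        Unknown value 0xcca9
        Unknown value 0xc02f
        TLS_RSA_WITH_AES_128_CBC_SHA
        compression methods
                  NULL
1 2  0.0021 (0.0017)  S>C  Handshake
      ServerHello
        Version 3.3
        session_id[0]=

        cipherSuite         Unknown value 0xc02f
        compressionMethod                   NULL
1 3  0.0021 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0021 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.0021 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types                   rsa_sign
Segmentation fault (core dumped)
"""


def decode_suite(text):
    """Turn one ssldump cipher-suite line into (suite id, IANA name)."""
    text = text.strip()
    m = re.match(r"Unknown value 0x([0-9a-fA-F]+)$", text)
    if m:
        sid = int(m.group(1), 16)
        return sid, CIPHER_SUITES.get(sid, text)
    sid = next((k for k, v in CIPHER_SUITES.items() if v == text), None)
    return sid, text


def parse_ssldump(text):
    """Return one dict per TCP connection with the handshake facts we care about."""
    conns, conn = [], None
    direction = msg = None
    expect_msg = collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONN_RE.match(raw)
        if m:
            conn = {"id": int(m.group(1)), "client": m.group(2), "server": m.group(3),
                    "version": None, "offered": [], "negotiated": None,
                    "messages": {"C>S": [], "S>C": []}, "truncated": False}
            conns.append(conn)
            msg = None
            continue
        if conn is None:
            continue
        if raw.startswith("Segmentation fault"):
            conn["truncated"] = True  # capture stopped before the handshake completed
            continue
        m = RECORD_RE.match(raw)
        if m:
            direction, expect_msg = m.group(3), m.group(4) == "Handshake"
            collecting, msg = False, None
            continue
        if expect_msg:  # first indented line after a Handshake record is the message type
            msg = line
            conn["messages"][direction].append(msg)
            expect_msg = False
            continue
        if msg == "ClientHello":
            if line == "cipher suites":
                collecting = True
            elif line == "compression methods":
                collecting = False
            elif collecting:
                conn["offered"].append(decode_suite(line))
        elif msg == "ServerHello":
            if line.startswith("Version"):
                conn["version"] = TLS_VERSIONS.get(line.split()[1], line)
            elif line.startswith("cipherSuite"):
                conn["negotiated"] = decode_suite(line[len("cipherSuite"):])
    return conns


def assess(conn):
    """Summarise the security-relevant properties of one parsed connection."""
    suite = conn["negotiated"][1] if conn["negotiated"] else None
    return {
        "version": conn["version"],
        "cipher_suite": suite,
        # Server asked the client for a certificate: the mTLS marker.
        "server_requested_client_cert": "CertificateRequest" in conn["messages"]["S>C"],
        # Client actually presented one; absent here because the capture is truncated.
        "client_sent_cert": "Certificate" in conn["messages"]["C>S"],
        "forward_secrecy": bool(suite and "ECDHE" in suite),
        "aead": bool(suite and ("GCM" in suite or "CHACHA20" in suite)),
        "capture_truncated": conn["truncated"],
    }


if __name__ == "__main__":
    for c in parse_ssldump(SAMPLE):
        print(f"#{c['id']} {c['client']} -> {c['server']}: {assess(c)}")
```

On the capture above the script reports TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 negotiated, a server-side CertificateRequest, and no client Certificate seen because ssldump crashed; a complete capture should additionally show a C>S Certificate message before the client's key exchange.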
