Istio MultiCluster Network Policy

2/5/2020

I have Istio on my two Kubernetes clusters as a replicated control plane. In my case, I have some network policies that restrict access to labeled deployment objects, but these are working on only one cluster.

How can I implement domain and service restriction between two clusters on Istio? Have you got any suggestions?

Thanks

Sample Network Policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: policy-new
  namespace: point-1
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: app2
  podSelector:
    matchLabels:
      run: app
-- Ayhan Balik

1 Answer

2/5/2020

Kubernetes NetworkPolicy might have limited use for multicluster.

It is better to use Istio's AuthorizationPolicy. According to the Istio documentation:

To configure an Istio authorization policy, you create an AuthorizationPolicy resource.

An authorization policy includes a selector and a list of rules. The selector specifies the target that the policy applies to, while the rules specify who is allowed to do what under which conditions. Specifically:

  • target refers to the selector section in the AuthorizationPolicy.
  • who refers to the from section in the rule of the AuthorizationPolicy.
  • what refers to the to section in the rule of the AuthorizationPolicy.
  • conditions refers to the when section in the rule of the AuthorizationPolicy.

Each rule has the following standard fields:

  • from: A list of sources.
  • to: A list of operations.
  • when: A list of custom conditions.

The following example shows an AuthorizationPolicy that allows two sources (service account cluster.local/ns/default/sa/sleep and namespace dev) to access the workloads with labels app: httpbin and version: v1 in namespace foo when the request is sent with a valid JWT token.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: httpbin
 namespace: foo
spec:
 selector:
   matchLabels:
     app: httpbin
     version: v1
 rules:
 - from:
   - source:
       principals: ["cluster.local/ns/default/sa/sleep"]
   - source:
       namespaces: ["dev"]
   to:
   - operation:
       methods: ["GET"]
   when:
   - key: request.auth.claims[iss]
     values: ["https://accounts.google.com"]

I also recommend reading this and this Istio blog post, which cover multicluster security and Admiral, an open source project under istio-ecosystem that provides automatic configuration generation, syncing and service discovery for a multicluster Istio service mesh.

Ambassador can be configured to lock down communication except for the traffic which we specify with the use of ServiceEntry, Dependency and GlobalTrafficPolicy objects.

Hope this helps.

-- Piotr Malec
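As an added editorial example (not part of either post above, and not Istio's own code): a small Python evaluator of the ALLOW semantics the answer describes (selector picks the target, `from` any-of sources, `to` any-of operations, `when` all-of conditions, request allowed if any rule of any applicable policy matches), run against the answer's httpbin policy and against a constructed policy that expresses the question's NetworkPolicy intent (only `run: app2` may reach `run: app` in namespace `point-1`) with a workload principal, since a service-account principal, not a pod label, is what identifies a caller across clusters that share a root CA. The service account name `app2`, the trust domain `cluster.local`, the sample requests and the simplified matching rules are assumptions; real Istio supports DENY and CUSTOM actions and many more fields than are modelled here.

```python
"""Toy evaluator for Istio AuthorizationPolicy ALLOW semantics (editorial example)."""
from dataclasses import dataclass, field

# The answer's example policy, transcribed from YAML into a dict.
HTTPBIN_POLICY = {
    "metadata": {"name": "httpbin", "namespace": "foo"},
    "spec": {
        "selector": {"matchLabels": {"app": "httpbin", "version": "v1"}},
        "rules": [{
            "from": [
                {"source": {"principals": ["cluster.local/ns/default/sa/sleep"]}},
                {"source": {"namespaces": ["dev"]}},
            ],
            "to": [{"operation": {"methods": ["GET"]}}],
            "when": [{"key": "request.auth.claims[iss]",
                      "values": ["https://accounts.google.com"]}],
        }],
    },
}

# Constructed (assumption): the question's NetworkPolicy rewritten as an
# AuthorizationPolicy. The caller is identified by its service account, which
# is assumed to be named "app2" in namespace point-1 in both clusters.
POINT1_POLICY = {
    "metadata": {"name": "policy-new", "namespace": "point-1"},
    "spec": {
        "selector": {"matchLabels": {"run": "app"}},
        "rules": [{"from": [{"source": {
            "principals": ["cluster.local/ns/point-1/sa/app2"]}}]}],
    },
}


@dataclass
class Request:
    workload_labels: dict          # labels of the workload receiving the call
    workload_namespace: str
    principal: str                 # caller identity from mTLS (SPIFFE form)
    namespace: str                 # caller namespace, derived from the principal
    method: str = "GET"
    claims: dict = field(default_factory=dict)   # validated JWT claims


def selector_matches(policy, req):
    # A policy applies only to workloads in its own namespace whose labels
    # include every label of the selector (an empty selector matches all).
    if policy["metadata"]["namespace"] != req.workload_namespace:
        return False
    labels = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(req.workload_labels.get(k) == v for k, v in labels.items())


def source_matches(src, req):
    # Every field listed in a source must match; each field is an ANY-of list.
    checks = {
        "principals": lambda: req.principal in src["principals"],
        "namespaces": lambda: req.namespace in src["namespaces"],
    }
    return all(checks[k]() for k in src if k in checks)


def operation_matches(op, req):
    return "methods" not in op or req.method in op["methods"]


def condition_matches(cond, req):
    key = cond["key"]
    if key.startswith("request.auth.claims["):
        claim = key[len("request.auth.claims["):-1]
        return req.claims.get(claim) in cond["values"]
    raise ValueError(f"condition key not modelled here: {key}")


def rule_matches(rule, req):
    from_ok = "from" not in rule or any(source_matches(f["source"], req) for f in rule["from"])
    to_ok = "to" not in rule or any(operation_matches(t["operation"], req) for t in rule["to"])
    when_ok = all(condition_matches(c, req) for c in rule.get("when", []))
    return from_ok and to_ok and when_ok


def is_allowed(policies, req):
    applicable = [p for p in policies if selector_matches(p, req)]
    if not applicable:
        return True   # no ALLOW policy selects this workload: nothing is restricted
    return any(rule_matches(r, req) for p in applicable for r in p["spec"]["rules"])


def sample_decisions():
    """Decisions for constructed sample requests against both policies."""
    httpbin = {"app": "httpbin", "version": "v1"}
    google = {"iss": "https://accounts.google.com"}
    sleep = "cluster.local/ns/default/sa/sleep"
    policies = [HTTPBIN_POLICY, POINT1_POLICY]
    return {
        "sleep_get_jwt": is_allowed(policies, Request(httpbin, "foo", sleep, "default", "GET", google)),
        "sleep_post_jwt": is_allowed(policies, Request(httpbin, "foo", sleep, "default", "POST", google)),
        "sleep_get_no_jwt": is_allowed(policies, Request(httpbin, "foo", sleep, "default", "GET")),
        "dev_ns_get_jwt": is_allowed(policies, Request(httpbin, "foo", "cluster.local/ns/dev/sa/x", "dev", "GET", google)),
        "prod_ns_get_jwt": is_allowed(policies, Request(httpbin, "foo", "cluster.local/ns/prod/sa/x", "prod", "GET", google)),
        "unselected_workload": is_allowed(policies, Request({"app": "other"}, "foo", "cluster.local/ns/prod/sa/x", "prod")),
        "app2_to_app": is_allowed(policies, Request({"run": "app"}, "point-1", "cluster.local/ns/point-1/sa/app2", "point-1")),
        "default_sa_to_app": is_allowed(policies, Request({"run": "app"}, "point-1", "cluster.local/ns/point-1/sa/default", "point-1")),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:22s} -> {'ALLOW' if decision else 'DENY'}")
```

The point the evaluator makes visible is why the `POINT1_POLICY` form travels across clusters while the question's NetworkPolicy does not: the decision depends only on the caller's mTLS identity, which the sidecar in either cluster presents in the same form when both clusters trust the same root CA, not on pod labels that only the local CNI can see.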
Source: StackOverflow