Istio Authentication - Part 1

Introduction

Authentication

  • Peer Authentication
    For service-to-service authentication.
  • Request Authentication
    For end-user authentication, using JSON Web Tokens (JWT).

Prerequisites

  1. Cluster environment created with EKS or KOPS
  2. kubectl installed
  3. Istio installed
  4. A public key to access the cluster nodes

Service to Service — Workflow

kubectl create ns istio-servicea
kubectl create ns istio-serviceb
kubectl create ns servicec
kubectl create ns istio-serviced
kubectl get namespaces
kubectl label namespace istio-servicea istio-injection=enabled
kubectl label namespace istio-serviceb istio-injection=enabled
kubectl label namespace istio-serviced istio-injection=enabled
kubectl create -f serviceaccount.yaml
kubectl create -f service-a.yaml
kubectl create -f welcome-app.yaml
kubectl create -f service-b.yaml
kubectl create -f service-c.yaml
kubectl create -f service-d.yaml
kubectl create -f service-e.yaml
kubectl create -f serviced-ns-istio-serviceb.yaml
kubectl create -f servicee-ns-servicec.yaml
kubectl command — Application service
kubectl command — Application pods
kubectl describe pod <pod-name> -n <namespace>
kubectl describe pod service-a-58479bc7bd-vf4mz -n istio-servicea

Before Peer Authentication

Metrics — Before Peer Authentication

Namespace Level

kubectl create -f mtlspolicy.yaml
kubectl get peerauthentication.security.istio.io/default -n istio-servicea
Metrics — Istio Namespace Level

Workload Specific

kubectl create -f peer.yaml
Metrics — Istio Workload Specific

Authorization Policy

kubectl create -f peer.yaml
kubectl create -f AuthorizationPolicy.yaml
kubectl get authorizationpolicy -n istio-servicea
service-b enabled with Service Account
service-d where Service Account not enabled
Metrics — Istio Authorization Policy
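
The manifests applied in the steps above (mtlspolicy.yaml, peer.yaml, AuthorizationPolicy.yaml) are not shown on the page. The following is an added example of what such policies can look like, not the author's files. The STRICT mode, the `app: service-a` label, the policy names other than `default`, and the `service-b-sa` service account in `istio-serviceb` are assumptions.

```yaml
# Namespace-level policy (mtlspolicy.yaml). The name "default" and the
# namespace match the "kubectl get peerauthentication" command on the page.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-servicea
spec:
  mtls:
    mode: STRICT   # assumed; PERMISSIVE would still accept plaintext
---
# Workload-specific policy (peer.yaml). Policy name and pod label are
# assumptions; the selector must match the labels on the service-a pods.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: service-a-strict
  namespace: istio-servicea
spec:
  selector:
    matchLabels:
      app: service-a
  mtls:
    mode: STRICT
---
# AuthorizationPolicy.yaml: allow only callers whose mTLS identity is the
# service account used by service-b. "service-b-sa" and its namespace are
# placeholders. A pod with no explicit service account runs as "default",
# so it does not match this principal and is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-service-b
  namespace: istio-servicea
spec:
  selector:
    matchLabels:
      app: service-a
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-serviceb/sa/service-b-sa
```

Matching on `source.principals` only works when the connection uses mutual TLS, which is why the peer authentication policy is applied before the authorization policy.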

Reference

Conclusion
