Enhancing security with Istio Service Mesh: Isolating Pod-to-Pod Communication - Altimetrik

Priyanka Baruah
August 22, 2024
5 mins
Priyanka Baruah
August 22, 2024
5 minute read

In the ever-evolving landscape of cloud-native architecture, security remains a paramount concern. With the proliferation of microservices and containerization, ensuring the integrity and confidentiality of data in transit has become increasingly challenging. Enter Istio Service Mesh, a powerful tool for managing and securing microservices-based applications. One of its key features which we’ll delve into is traffic management, which provides granular control over communication between individual pods, bolstering security in distributed environments.

Understanding Istio Service Mesh

Before delving into service isolation, let’s grasp the essence of Istio Service Mesh. Istio is an open-source service mesh that facilitates communication, monitoring, and security between microservices. It abstracts away the complexities of networking.

An Istio service mesh comprises two key components: the data plane and the control plane. Data Plane, at its core, employs a sidecar proxy model, where each microservice is accompanied by a lightweight proxy called Envoy. Control Plane manages these proxies to intercept all inbound and outbound traffic, allowing Istio to exert fine-grained control over communication between services.

Istio Service Mesh Security

The Significance of Service-to-Service Isolation

Service-to-Service isolation, facilitated by Istio’s traffic management, is crucial for maintaining a secure and reliable service environment. Unauthorized access or malicious activity from one pod could compromise the entire cluster. Service isolation mitigates this risk by segmenting communication channels between pods, enforcing routing rules that dictate flow of traffic and API calls between services.

Implementing Pod-to-Pod Isolation using Istio traffic management

Traffic Encryption

For securing service-to-service communication, Istio facilitates encryption of traffic between pods using mutual TLS (mTLS). At core, Citadel is responsible for traffic encryption. Peer authentication policies define the mutual TLS mode enforced by Istio on target workloads ensuring secure communication within the service mesh.

Following policy allow mTLS strict for all workload under namespace dev but leaving mTLs optional (both mTLS & plaintext) for connection to port 8080 for workload loki

apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: default namespace: dev spec: mtls: mode: STRICT --- apiVersion: security.istio.io/v1beta1 kind: PeerAuthentication metadata: name: loki namespace: dev spec: mtls: mode: STRICT portLevelMtls: "8080": mode: PERMISSIVE selector: matchLabels: app: loki

Istio’s traffic management model depends on the Envoy proxies that get deployed along with services. Injection of Envoy proxy instances to pods in namespace is done using below command –

kubectl label namespace ${ENV_NAME} istio-injection=enabled –overwrite

Once Istio-proxy sidecar container is deployed in the Istio enabled pods, Istio configures iptables rules in the pod’s network namespace to redirect traffic to sidecar proxies which implements mutual TLS.

Leveraging Istio’s inbuilt capabilities we can introduce tailored traffic configurations through its traffic management API. At core, component of Control Plane, Pilot is responsible for traffic management which uses the Envoy API to communicate with the Envoy sidecar.

With Istio Traffic Management there are infinite scenarios and use cases. Below emphasize n/w isolation for outbound traffic & external facing endpoints i.e.: controlling egress HTTPS traffic from Istio enabled K8s workloads and securing service-to-service communication using Istio traffic management API resources mainly focusing on the Sidecar and Service Entry.

Also read: Explore DDoS Attack Mitigation Techniques: Safeguard Your Network

Sidecar – [Pod Level Isolation]

By default, Istio configures envoy proxies to accept all incoming and outgoing traffic between pods. Sidecar configuration limits the reachability of services and fine-tune the set of ports and protocols that an Envoy proxy can accept. Sidecar configuration can be applied to all workloads in a particular namespace or to specific workloads using a workload Selector.

In the Following example Isolation is applied to pod level based on workload selector labels specifying which hosts the services within the selected workloads are allowed to communicate with.

apiVersion: networking.istio.io/v1alpha3 kind: Sidecar metadata: name: service-sidecar namespace: dev spec: workloadSelector: labels: app: serviceName egress: - hosts: - "./aws.amazon.com" - "./*.organization.com" outboundTrafficPolicy: mode: REGISTRY_ONLY

Adding “./*.<<namespace>>.svc.cluster.local” in hosts section will allow the pod to access any services within its own namespace in the Kubernetes cluster.

Modifying Outbound traffic policy to REGISTRY_ONLY, further enforces that only hosts defined with ServiceEntry resources are part of the mesh service registry and can be accessed to by sidecars of the mesh (pod)

ServiceEntry – [Service Mesh Level Isolation]

Istio maintains a service registry where all endpoint data is stored. Using this service registry, the Envoy proxies redirect traffic to the relevant services. ServiceEntry is used to add entry to the service registry. Configuring ServiceEntry allows us to manage traffic for services that are running outside of the mesh i.e.: whitelisting external endpoints.

With meshConfig.outboundTrafficPolicy.mode flag set to REGISTRY_ONLY requiring external resources that pods should be able to access, are configured as ServiceEntry Objects which will control the outbound traffic i.e APIs that can be accessed by pods over HTTPS.

apiVersion: networking.istio.io/v1alpha3 kind: ServiceEntry metadata: name: ext-svc namespace: dev spec: hosts: - aws.amazon.com - *.atlassian.net location: MESH_EXTERNAL ports: - name: https number: 443 protocol: HTTPS resolution: DNS

The above configuration ensures that services labeled with “app: serviceName” restricting egress HTTPS traffic and allowing outbound communication only to predetermined hosts. With DNS resolution, the sidecar proxy will ignore the original destination IP address and direct the traffic to specified hosts only after performing a DNS query to get an IP address of the host providing controlled access to external services.

When trying to access service which are not configured as ServiceEntry Objects will prohibit outbound traffic as shown below

kubectl exec -it pod-serviceName-bff85 -n dev --stdin --tty -- /bin/sh $ curl https://polaris.synopsys.com curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to polaris.synopsys.com:443

In summary, the Sidecar configuration defines egress rules for outbound traffic, while the Service Entry configuration defines external services accessibility within the mesh. Both configurations play a vital role in controlling traffic within the Istio service mesh.

Conclusion

The setup provides a good defense mechanism by limiting traffic from pods to internal Kubernetes infrastructure and other Kubernetes workloads, thereby preventing lateral movement. Augmenting this with container hardening further strengthens security and minimizes potential breaches. Additionally, using Istio’s Virtual Service, Destination Rule, and Gateway together can effectively manage traffic i.e,: Virtual Service to control request routing along with Destination Rule to define policies for traffic to a service, and a Gateway to manage inbound traffic.

Nonetheless, it’s essential to acknowledge that every setup has its own limitations, so it’s important to choose the best security measures to safeguard applications and mitigate the risk of security breaches in distributed environments based on architectural requirement.

Your vision, our expertise—let’s make it happen.