Version: 1.3.x

Security

Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups
✓ Setup an Ingress Gateway

In this scenario, you’ll configure communication between services in the same workspace using TSB security settings.

Deploy a "sleep" service

First, deploy a sleep service in a separate namespace that does not belong to the bookinfo application workspace.

Create the following sleep.yaml.

# Copyright Istio Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

##################################################################################################
# Sleep service
##################################################################################################
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sleep
---
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      serviceAccountName: sleep
      containers:
      - name: sleep
        image: governmentpaas/curl-ssl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
        volumeMounts:
        - mountPath: /etc/sleep/tls
          name: secret-volume
      volumes:
      - name: secret-volume
        secret:
          secretName: sleep-secret
          optional: true
---

Now, deploy the sleep service. The namespace is labelled for sidecar injection so that the sleep pod takes part in the mesh.

kubectl create namespace sleep
kubectl label namespace sleep istio-injection=enabled --overwrite=true
kubectl apply -n sleep -f sleep.yaml

After waiting a bit for the configuration to propagate, call the bookinfo product page from the sleep service pod.

kubectl exec "$(kubectl get pod -l app=sleep -n sleep -o jsonpath={.items..metadata.name})" -c sleep -n sleep -- curl -s http://productpage.bookinfo:9080/productpage | grep -o "<title>.*</title>"

Expect output similar to:

<title>Simple Bookstore App</title>

It works because, without any security settings, services from outside the workspace are able to access services inside the application workspace. By adding a SecuritySetting, you'll disable access from outside the workspace.

Create Security Setting

Using the UI

  • Under Tenant on the left panel, select Workspaces.
  • On the bookinfo-ws Workspace card, click on Security Groups.
  • Click on the bookinfo-security Security Group you created previously.
  • Select the Security Settings tab.

Now, you are going to add a new Security Setting.

  1. Under Security Settings, click on Add new.... This will create a new Security Setting with default name fqn0.
  2. Click fqn0 to open its configuration form, and rename to bookinfo-security-settings.
  3. Set Authentication mode to REQUIRED.
  4. Set Authorization Settings to WORKSPACE.
  5. Save Changes.

Using tctl

Create the following security.yaml.

apiVersion: security.tsb.tetrate.io/v2
kind: SecuritySetting
metadata:
  organization: tetrate
  name: bookinfo-security-settings
  group: bookinfo-security
  workspace: bookinfo-ws
  tenant: tetrate
spec:
  authentication: REQUIRED
  authorization:
    mode: WORKSPACE

Apply it with tctl.

tctl apply -f security.yaml

Verify

Wait a bit for the configuration to propagate. Try calling the product page from the sleep service pod now.

kubectl exec "$(kubectl get pod -l app=sleep -n sleep -o jsonpath={.items..metadata.name})" -c sleep -n sleep -- curl http://productpage.bookinfo:9080/productpage -v

Expect output similar to:

Trying 10.3.249.112:9080...
* Connected to productpage.bookinfo (10.3.249.112) port 9080 (#0)
> GET /productpage HTTP/1.1
> Host: productpage.bookinfo:9080
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 19
< content-type: text/plain
< date: Wed, 11 Nov 2020 07:31:28 GMT
< server: envoy
< x-envoy-upstream-service-time: 1
<
{ [19 bytes data]
100 19 100 19 0 0 3166 0 --:--:-- --:--:-- --:--:-- 3166
* Connection #0 to host productpage.bookinfo left intact
RBAC: access denied

The request from sleep to the bookinfo productpage failed because services from outside the workspace are no longer allowed to access services inside the application workspace. The 403 is returned by the Envoy sidecar (note the server: envoy header and the "RBAC: access denied" body), so the request never reaches the productpage application itself.
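Because the setting takes a little while to propagate, a one-off curl can give a misleading result. The script below is an added helper, not part of the TSB documentation: it repeats the probe from the sleep pod until Envoy answers with the RBAC denial, and fails if the policy is still not enforced after a timeout. It assumes the sleep and bookinfo names used on this page and kubectl access to the cluster.

```shell
#!/usr/bin/env bash
# Added verification helper (not part of the TSB docs): probes productpage from
# the sleep pod until the WORKSPACE authorization mode is enforced, or times out.
set -eu

# Classify one response. Envoy's RBAC filter rejects with a 403 whose body is
# exactly "RBAC: access denied"; a 200 means the caller is still let in; anything
# else (empty code, 503, connection failure) is reported as "other".
classify_response() {
  code="$1"; body="$2"
  if [ "$code" = "403" ] && [ "$body" = "RBAC: access denied" ]; then
    echo "denied"
  elif [ "$code" = "200" ]; then
    echo "allowed"
  else
    echo "other"
  fi
}

# Turn raw probe output ("<body>" followed by "<status code>" on its own line) into a verdict.
verdict_from_probe() {
  out="$1"
  code="$(printf '%s\n' "$out" | tail -n 1)"
  body="$(printf '%s\n' "$out" | sed '$d')"
  classify_response "$code" "$body"
}

# Same request as the walkthrough, with curl appending the HTTP status code as a final line.
probe_productpage() {
  pod="$(kubectl get pod -l app=sleep -n sleep -o jsonpath='{.items..metadata.name}')"
  kubectl exec "$pod" -c sleep -n sleep -- \
    curl -s -w '\n%{http_code}' http://productpage.bookinfo:9080/productpage
}

# Poll until the policy is enforced; return 1 if it never is within attempts*delay seconds.
wait_for_denial() {
  attempts="${1:-24}"; delay="${2:-5}"; i=1
  while [ "$i" -le "$attempts" ]; do
    verdict="$(verdict_from_probe "$(probe_productpage 2>/dev/null || true)")"
    echo "attempt $i/$attempts: $verdict"
    if [ "$verdict" = "denied" ]; then return 0; fi
    i=$((i + 1)); sleep "$delay"
  done
  echo "SecuritySetting not enforced: sleep can still reach productpage" >&2
  return 1
}

# Only touch the cluster when invoked as: ./verify-security.sh --run
if [ "${1:-}" = "--run" ]; then wait_for_denial; fi
```

Run it with --run right after tctl apply; a non-zero exit means the denial never appeared within the polling window.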