From a464b6784e66f506da821ef70a11dc7c69cee443 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Mon, 15 Jun 2020 12:45:49 +0900 Subject: [PATCH 01/10] Add doc on how to use Istio Authorization with Knative --- docs/serving/istio-authorization.md | 114 ++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) create mode 100644 docs/serving/istio-authorization.md diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md new file mode 100644 index 00000000000..62928b438d9 --- /dev/null +++ b/docs/serving/istio-authorization.md @@ -0,0 +1,114 @@ +--- +title: "Knative application under the strict authorization policy" +weight: 25 +type: "docs" +--- + +When you deployed app to Knative Serving, serving system pods such as activator and autoscaler access to your app. +Hence, you have to allow the requests to your app when you configure security features such as istio authorization policy. + +> Tip: This example assumes that your application enabled istio sidecar injection. +> +> ``` +> $ kubectl create namespace serving-tests +> $ kubectl label namespace serving-tests istio-injection=enabled +> ``` +> The following policy example does not work without sidecar injection. + +For example, the following authorization policy denies all requests to workloads in namespace serving-tests. + +``` +$ cat < Date: Tue, 16 Jun 2020 09:01:47 +0900 Subject: [PATCH 02/10] Fix nit --- docs/serving/istio-authorization.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 62928b438d9..4dce419c3f1 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md 
@@ -65,10 +65,13 @@ There are several solutions but this section is going to explain two typical sol Knative system pods access to your applcation by using the following paths. -- `/metrics` is a path to collect metrics (e.g. autoscaler) -- `/health` is a path to probe the service (e.g. activator, autoscaler, KIngres's probe) +- `/metrics` +- `/health` -Hence you can add `/metrics` and `/healthz` to the whitelist. +The /metrics path allows the autoscaler pod to collect metrics. +The /health path allows system pods to probe the service." + +You can add the `/metrics` and `/health` paths to the AuthorizationPolicy as shown in the example: ``` $ cat < Date: Tue, 16 Jun 2020 09:05:13 +0900 Subject: [PATCH 03/10] Fix nit 2 --- docs/serving/istio-authorization.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 4dce419c3f1..3cad87e836d 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md @@ -5,7 +5,7 @@ type: "docs" --- When you deployed app to Knative Serving, serving system pods such as activator and autoscaler access to your app. -Hence, you have to allow the requests to your app when you configure security features such as istio authorization policy. +If you have configured additional security features, such as Istio's authorization policy, you must enable access to your Knative service for these system pods. > Tip: This example assumes that your application enabled istio sidecar injection. 
> @@ -56,14 +56,14 @@ $ curl http://hello-example.default.52.76.125.95.nip.io (hang up) ``` -To access your application, you need to configure "whitelist" for the requests from system pods. -There are several solutions but this section is going to explain two typical solutions -[Allow access from system pods by paths](#allow-access-from-system-pods-by-paths) and -[Allow access from system pods by namespace](#allow-access-from-system-pods-by-namespace). +To enable access to your application for requests from system pods, you must whitelist the system pods in your Istio AuthorizationPolicy. +You can enable access by: +[Allowing access from system pods by paths](#allow-access-from-system-pods-by-paths). +[Allowing access from system pods by namespace](#allow-access-from-system-pods-by-namespace). -### Allow access from system pods by paths +### Allowing access from system pods by paths -Knative system pods access to your applcation by using the following paths. +Knative system pods access your application using the following paths: - `/metrics` - `/health` @@ -91,7 +91,7 @@ spec: EOF ``` -### Allow access from system pods by namespace +### Allowing access from system pods by namespace You can allow access for all pods in the `knative-serving` namespace, as shown in the example: From 9e1488cbb0d8c8430da61ffb8753c3c653786f7f Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Tue, 16 Jun 2020 09:14:16 +0900 Subject: [PATCH 04/10] Fix nit 3 --- docs/serving/istio-authorization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 3cad87e836d..c35003cab65 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md 
@@ -4,7 +4,7 @@ weight: 25 type: "docs" --- -When you deployed app to Knative Serving, serving system pods such as activator and autoscaler access to your app. +Knative Serving system pods, such as the activator and autoscaler components, require access to your deployed Knative services. If you have configured additional security features, such as Istio's authorization policy, you must enable access to your Knative service for these system pods. > Tip: This example assumes that your application enabled istio sidecar injection. @@ -52,7 +52,7 @@ It generally works with Kubernetes application, but it does not work with Knativ ``` $ kn service create hello-example --image=gcr.io/knative-samples/helloworld-go -$ curl http://hello-example.default.52.76.125.95.nip.io +$ curl http://hello-example.default.1.2.3.4.nip.io (hang up) ``` From cad71d67bccbc2f64dd9d296e622973a33a44880 Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Tue, 16 Jun 2020 20:08:36 +0900 Subject: [PATCH 05/10] Fix review comments --- docs/serving/istio-authorization.md | 51 ++++++++--------------------- 1 file changed, 13 insertions(+), 38 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index c35003cab65..8ad9ee64738 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md @@ -1,5 +1,5 @@ --- -title: "Knative application under the strict authorization policy" +title: "Enabling requests to Knative services when additional authorization policies are enabled" weight: 25 type: "docs" --- 
@@ -7,13 +7,14 @@ type: "docs" Knative Serving system pods, such as the activator and autoscaler components, require access to your deployed Knative services. If you have configured additional security features, such as Istio's authorization policy, you must enable access to your Knative service for these system pods. -> Tip: This example assumes that your application enabled istio sidecar injection. -> -> ``` -> $ kubectl create namespace serving-tests -> $ kubectl label namespace serving-tests istio-injection=enabled -> ``` -> The following policy example does not work without sidecar injection. +## Before you begin + +You must meet the following prerequisites to use Istio AuthorizationPolicy: + +- [Enabling istio sidecar injection](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/). +- Using net-istio for your Knative Ingress. + +## Enabling Istio AuthorizationPolicy For example, the following authorization policy denies all requests to workloads in namespace serving-tests. @@ -29,39 +30,13 @@ spec: EOF ``` -Then, the following policy allows the request to `/` for your application. - -``` -$ cat < Date: Wed, 17 Jun 2020 10:01:33 +0900 Subject: [PATCH 06/10] Replace health with healthz --- docs/serving/istio-authorization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 8ad9ee64738..114cc4579bb 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md 
@@ -41,12 +41,12 @@ You can enable access by: Knative system pods access your application using the following paths: - `/metrics` -- `/health` +- `/healthz` The /metrics path allows the autoscaler pod to collect metrics. -The /health path allows system pods to probe the service." +The /healthz path allows system pods to probe the service." -You can add the `/metrics` and `/health` paths to the AuthorizationPolicy as shown in the example: +You can add the `/metrics` and `/healthz` paths to the AuthorizationPolicy as shown in the example: ``` $ cat < Date: Wed, 17 Jun 2020 11:27:00 +0900 Subject: [PATCH 07/10] Add comment for mTLS requirment --- docs/serving/istio-authorization.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 114cc4579bb..e1ebca325f8 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md @@ -83,10 +83,8 @@ spec: - from: - source: namespaces: ["knative-serving"] - rules: - - to: - - operation: - paths: - - / # The path for your application. EOF ``` + +Some rule like from.source.namespace above needs to require mTLS enabled. +Please refer to Istio [Authorization Policy](https://istio.io/latest/docs/reference/config/security/authorization-policy/) for details. From 453400a934c4787795b4e2945d999cd2e22d6c2a Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Mon, 22 Jun 2020 16:01:12 +0900 Subject: [PATCH 08/10] Fix review comment --- docs/serving/istio-authorization.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index e1ebca325f8..04c2ad6ef8c 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md 
@@ -11,12 +11,12 @@ If you have configured additional security features, such as Istio's authorizati You must meet the following prerequisites to use Istio AuthorizationPolicy: -- [Enabling istio sidecar injection](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/). -- Using net-istio for your Knative Ingress. +- [Istio sidecar injection must be enabled](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/). +- [Using Istio for your Knative Ingress](https://knative.dev/docs/install/any-kubernetes-cluster/#installing-the-serving-component). ## Enabling Istio AuthorizationPolicy -For example, the following authorization policy denies all requests to workloads in namespace serving-tests. +For example, the following authorization policy denies all requests to workloads in namespace `serving-tests`. ``` $ cat < Date: Tue, 23 Jun 2020 09:17:10 +0900 Subject: [PATCH 09/10] Fix review comments --- docs/serving/istio-authorization.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index 04c2ad6ef8c..c5954c3091c 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md @@ -11,8 +11,8 @@ If you have configured additional security features, such as Istio's authorizati You must meet the following prerequisites to use Istio AuthorizationPolicy: +- [Istio must be used for your Knative Ingress](https://knative.dev/docs/install/any-kubernetes-cluster/#installing-the-serving-component). - [Istio sidecar injection must be enabled](https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/). -- [Using Istio for your Knative Ingress](https://knative.dev/docs/install/any-kubernetes-cluster/#installing-the-serving-component). ## Enabling Istio AuthorizationPolicy 
@@ -30,8 +30,8 @@ spec: EOF ``` -In addition to allowing your application path, you must configure Istio AuthorizationPolicy -to allow access, such as health checking and metrics collection, to your applications from system pods. +In addition to allowing your application path, you'll need to configure Istio AuthorizationPolicy +to allow health checking and metrics collection to your applications from system pods. You can allow access from system pods [by paths](#allow-access-from-system-pods-by-paths) or [by namespace](#allow-access-from-system-pods-by-namespace). @@ -43,7 +43,7 @@ Knative system pods access your application using the following paths: - `/healthz` The `/metrics` path allows the autoscaler pod to collect metrics. -The `/healthz` path allows system pods to probe the service." +The `/healthz` path allows system pods to probe the service. You can add the `/metrics` and `/healthz` paths to the AuthorizationPolicy as shown in the example: From e725e973b66664d9bd902c184c2b0ab8710a6f6f Mon Sep 17 00:00:00 2001 From: Kenjiro Nakayama Date: Tue, 23 Jun 2020 19:37:54 +0900 Subject: [PATCH 10/10] Remove allowing list by namespace --- docs/serving/istio-authorization.md | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/docs/serving/istio-authorization.md b/docs/serving/istio-authorization.md index c5954c3091c..ab1631b1bba 100644 --- a/docs/serving/istio-authorization.md +++ b/docs/serving/istio-authorization.md @@ -32,8 +32,7 @@ EOF In addition to allowing your application path, you'll need to configure Istio AuthorizationPolicy to allow health checking and metrics collection to your applications from system pods. -You can allow access from system pods -[by paths](#allow-access-from-system-pods-by-paths) or [by namespace](#allow-access-from-system-pods-by-namespace). +You can allow access from system pods [by paths](#allow-access-from-system-pods-by-paths). ## Allowing access from system pods by paths 
@@ -64,26 +63,3 @@ spec: - /healthz # The path to probe by system pod. EOF ``` - -## Allowing access from system pods by namespace - -You can allow access for all pods in the `knative-serving` namespace, as shown in the example: - -``` -$ cat <
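Review bot: In the PATCH 02 hunk (`@@ -65,10 +65,13 @@`), the new line `The /health path allows system pods to probe the service."` ends with a stray double quote, and the list now says `/health` while the line it replaces (`Hence you can add `/metrics` and `/healthz` to the whitelist.`) said `/healthz`; the page must name one path consistently. Both are corrected later in the series (PATCH 06 and PATCH 09), so consider squashing so no intermediate commit ships the typo. Dropping `(e.g. activator, autoscaler, KIngres's probe)` also removes the only statement of which components make these requests; a reader who wants to write a `from.source` rule needs exactly that list, so keep it.

Review bot: In the PATCH 03 hunk (`@@ -56,14 +56,14 @@`), renaming the headings to `### Allowing access from system pods by paths` and `### Allowing access from system pods by namespace` breaks the two links, which still point at `#allow-access-from-system-pods-by-paths` and `#allow-access-from-system-pods-by-namespace`; the rendered anchors are now `#allowing-access-from-system-pods-by-paths` and `#allowing-access-from-system-pods-by-namespace`. The same stale anchor is carried forward in PATCH 08 and PATCH 10, so fix the link targets once here. Also, `You can enable access by:` followed by two period-terminated sentences reads as a broken list; make them two `-` items or join them into one sentence with "or".

Review bot: In the PATCH 04 hunk (`@@ -52,7 +52,7 @@`), the walkthrough creates the service in the `default` namespace (`curl http://hello-example.default.1.2.3.4.nip.io`), but the deny-all AuthorizationPolicy introduced earlier on the page is described as denying "all requests to workloads in namespace serving-tests". A reader following the steps verbatim will not see the `(hang up)` result because the policy does not apply to `default`. Either add `-n serving-tests` to the `kn service create` command or scope the policy to the namespace the example actually uses; swapping the real IP for `1.2.3.4` is fine, but say it is a placeholder for the ingress address.

Review bot: In the PATCH 05 hunk (`@@ -7,13 +7,14 @@`), the new `## Enabling Istio AuthorizationPolicy` section now opens with `For example, the following authorization policy denies all requests ...`, but nothing precedes it for this to be an example of; drop "For example,". The removed Tip also carried the concrete commands the examples depend on (`kubectl create namespace serving-tests` and `kubectl label namespace serving-tests istio-injection=enabled`) and the warning that the policy example does not work without sidecar injection; the replacement bullet only links to the Istio sidecar-injection page. Keep the two commands under "Before you begin" so the page stays self-contained.

Review bot: In the PATCH 06 hunk (`@@ -41,12 +41,12 @@`), the `/health` to `/healthz` change makes the list and the policy agree, which is good, but the text describes the allow rule purely in terms of paths (`You can add the `/metrics` and `/healthz` paths to the AuthorizationPolicy`). A path-only allow rule with no `from` clause makes those two paths reachable from any client the policy applies to, not just Knative system pods, and `/metrics` exposes per-revision request and concurrency data. State that explicitly, and recommend pairing `to.operation.paths` with `from.source.namespaces: ["knative-serving"]` (subject to the mTLS requirement the series adds in PATCH 07) rather than presenting the bare path allowlist as the complete answer.

Review bot: In the PATCH 07 hunk (`@@ -83,10 +83,8 @@`), removing the second `rules:` block is correct: a duplicate `rules:` mapping key at the same level is invalid YAML for strict parsers and silently replaces the first `rules` list in lenient ones, so the namespace rule would never have been applied as written. The added sentence `Some rule like from.source.namespace above needs to require mTLS enabled.` is ungrammatical and uses the wrong field name; suggest `Rules that match on `from.source.namespaces`, like the one above, require mTLS to be enabled between the system pods and your application; otherwise Istio cannot identify the caller's namespace and the rule will not match.` followed by the existing link to the Istio Authorization Policy reference.

Review bot: In the PATCH 09 hunk (`@@ -30,8 +30,8 @@`), `you must configure Istio AuthorizationPolicy` becomes `you'll need to configure Istio AuthorizationPolicy`, which introduces a contraction while the rest of the page, including the "Before you begin" bullets changed in the same patch, uses "must"; keep "you must". The stray trailing quote removed on the `/healthz` line is a good catch.

Review bot: In the PATCH 10 hunks (`@@ -32,8 +32,7 @@` and `@@ -64,26 +63,3 @@`), after deleting the by-namespace section, `You can allow access from system pods [by paths](#allow-access-from-system-pods-by-paths).` is a one-item link to the very next heading, and its anchor still does not match `## Allowing access from system pods by paths`; fold the sentence into the preceding one or drop it. Deleting the namespace section also deletes the only mTLS caveat and the only source-scoped rule on the page, leaving a path allowlist as the sole recommendation; at minimum add a sentence saying that `/metrics` and `/healthz` become reachable by every client covered by the policy and that a `from.source.namespaces` rule is the tighter option where mTLS is enabled.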