
Properly defining mTLS authentication policy within Istio


I'm trying to run through the following set of commands found in an Istio online course:

Set up Istio Certificate Authority (CA)

Version 2 of the guestbook application uses an external service (tone analyzer) which is not Istio-enabled. Thus, you will disable mTLS globally and enable it only for communication between internal cluster services in this lab.

  1. Ensure Citadel is running. Citadel is Istio's in-cluster Certificate Authority (CA) and is required for generating and managing cryptographic identities in the cluster.
kubectl get deployment -l istio=citadel -n istio-system

This is the expected output:

[image: expected output of the kubectl get deployment command]

  2. Define the mTLS authentication policy for the Tone Analyzer service:
cat <<EOF | istioctl create -f -
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-to-analyzer
  namespace: default
spec:
  targets:
  - name: analyzer
  peers:
  - mtls:
EOF

Created config policy/default/mtls-to-analyzer at revision 3934195

  3. Confirm the policy was created:
kubectl get policies.authentication.istio.io

[image: output of kubectl get policies.authentication.istio.io]

  4. Enable mTLS from guestbook by using a Destination rule:
cat <<EOF | istioctl create -f -
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: route-with-mtls-for-analyzer
  namespace: default
spec:
  host: "analyzer.default.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
EOF

Created config destination-rule/default/route-with-mtls-for-analyzer at revision 3934279

However, I run into the following error when I try to run the 2nd command:

Error: unknown command "create" for "istioctl"

When I use "install" rather than create:

cat <<EOF | istioctl install -f -
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-to-analyzer
  namespace: default
spec:
  targets:
  - name: Tone Analyzer-qy
  peers:
  - mtls:
EOF

I get the following error:

Error: failed to apply manifests: unknown field "peers" in v1alpha1.IstioOperatorSpec:

Could anyone provide some input on how I could modify the YAML so that the mTLS authentication service could be defined properly? I get the correct expected output on the first step, but I get the same "unknown field" error on the fourth step.


Solution

  • istioctl is mainly used to install and debug istio.

    To create Istio objects, you should use kubectl.

    I think what you wanted to use is kubectl instead of istioctl, like in the example below:

    cat <<EOF | kubectl create -f -
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: route-with-mtls-for-analyzer
      namespace: default
    spec:
      host: "analyzer.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    EOF
    

    Depending on the version of the Kubernetes cluster, kubectl create can be deprecated and kubectl apply should be used in its place. So the command would look like this:

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: route-with-mtls-for-analyzer
      namespace: default
    spec:
      host: "analyzer.default.svc.cluster.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    EOF
    

    For more information, review the Kubernetes documentation.

    Hope it helps.
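The two manifests in the question only work as a pair: the authentication Policy makes the analyzer sidecar require mTLS (an empty `mtls:` block defaults to STRICT), and the DestinationRule makes the guestbook sidecar originate mTLS. Apply only the first one and the server rejects plaintext from clients that have no ISTIO_MUTUAL rule. The following is an added example, not code from the question, the answer, or the Istio project: a small audit that reads the JSON `kubectl get policies.authentication.istio.io,destinationrules -o json` would print and flags every STRICT, target-scoped Policy that has no matching ISTIO_MUTUAL DestinationRule, plus target names that cannot be a Kubernetes Service name (such as the `Tone Analyzer-qy` value the questioner tried). The `SAMPLE_KUBECTL_JSON` document, the `audit` and `policy_mtls_mode` functions and the finding labels are all constructed for this example.

```python
"""Audit Istio v1alpha1 authentication Policies against v1alpha3 DestinationRules.

A STRICT server-side Policy without a client-side DestinationRule that sets
tls.mode ISTIO_MUTUAL means the client sidecar sends plaintext and the server
sidecar rejects it. This script pairs the two objects and reports gaps.
Input shape: the v1 List that `kubectl get ... -o json` prints.
"""
import json
import re

# Kubernetes Service names are DNS-1035 labels: lowercase, digits, '-', must start with a letter.
_DNS1035 = re.compile(r"^[a-z]([-a-z0-9]*[a-z0-9])?$")

# Constructed sample, shaped like kubectl's JSON output (not captured from a real cluster).
SAMPLE_KUBECTL_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
     "metadata": {"name": "mtls-to-analyzer", "namespace": "default"},
     "spec": {"targets": [{"name": "analyzer"}], "peers": [{"mtls": null}]}},
    {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
     "metadata": {"name": "mtls-to-ratings", "namespace": "default"},
     "spec": {"targets": [{"name": "ratings"}], "peers": [{"mtls": {"mode": "STRICT"}}]}},
    {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
     "metadata": {"name": "mtls-bad-name", "namespace": "default"},
     "spec": {"targets": [{"name": "Tone Analyzer-qy"}], "peers": [{"mtls": null}]}},
    {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
     "metadata": {"name": "permissive-reviews", "namespace": "default"},
     "spec": {"targets": [{"name": "reviews"}], "peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
    {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
     "metadata": {"name": "route-with-mtls-for-analyzer", "namespace": "default"},
     "spec": {"host": "analyzer.default.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}}
  ]
}
"""
SAMPLE = json.loads(SAMPLE_KUBECTL_JSON)


def fqdn(name, namespace):
    """Cluster-local FQDN of a Service, the form the lab's DestinationRule uses."""
    return f"{name}.{namespace}.svc.cluster.local"


def _host_matches(host, name, namespace):
    # A DestinationRule may name the service short, namespace-qualified, or fully qualified.
    return host in {name, f"{name}.{namespace}", f"{name}.{namespace}.svc", fqdn(name, namespace)}


def policy_mtls_mode(policy):
    """Return 'STRICT', 'PERMISSIVE', or None when the Policy has no mtls peer method."""
    for peer in policy.get("spec", {}).get("peers") or []:
        if "mtls" in peer:
            mtls = peer["mtls"] or {}  # `mtls:` with no body is null; Istio treats it as {} -> STRICT
            return mtls.get("mode", "STRICT")
    return None


def audit(items):
    """Return (policy name, target name, problem) tuples for target-scoped Policies.

    Namespace-wide Policies (no targets) are out of scope here; only explicit
    targets are paired with DestinationRules.
    """
    policies = [i for i in items if i["kind"] == "Policy"]
    rules = [i for i in items if i["kind"] == "DestinationRule"]
    findings = []
    for pol in policies:
        ns = pol["metadata"].get("namespace", "default")
        mode = policy_mtls_mode(pol)
        for target in pol.get("spec", {}).get("targets") or []:
            name = target["name"]
            if not _DNS1035.match(name):
                findings.append((pol["metadata"]["name"], name, "invalid-target-name"))
                continue
            if mode != "STRICT":
                continue  # PERMISSIVE still accepts plaintext, so a missing rule is not an outage
            paired = any(
                _host_matches(r["spec"].get("host", ""), name, ns)
                and r["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode") == "ISTIO_MUTUAL"
                for r in rules
            )
            if not paired:
                findings.append((pol["metadata"]["name"], name, "missing-ISTIO_MUTUAL-destinationrule"))
    return findings


if __name__ == "__main__":
    for policy, target, problem in audit(SAMPLE["items"]):
        print(f"{policy}: target {target!r}: {problem}")
```

Run against a real cluster by replacing `SAMPLE` with `json.load(sys.stdin)` and piping in the kubectl output; the analyzer pair from the lab produces no finding, while a STRICT Policy with no ISTIO_MUTUAL rule and a target whose name is not a valid Service name are each reported.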