New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplify TLS configuration on sidecar proxy #37330
Comments
Ingress tls mode and pa tls mode seems confusing, and have conflict. PA is to control istio mtls, should not be set at all if ingress tls has been set |
@howardjohn any comments? Though the current feature is extremely useful and helps us get rid of the envoy filter we have been using so far, the need to explicitly disable the PeerAuth at port level looks a bit of an overhead. |
We need to decide if we want mTLS or TLS, or to support mTLS and TLS |
mTLS "or" TLS on the same port, "without" the need of explicit peerAuth disable would be good enough(if that is easier to achieve). Like if we specify hybrid sidecar and use a port for ingress it should automatically be excluded and not an explicit PA should be necessary |
Looks we can support mtls and tls simultaneously, one for outsidecar access and one for inner mesh access. The later filter chain match with
|
Doing this will bring some change to permissive mode. |
@kfaseela @howardjohn @hzxuzhonghu ... Here are some proposals we came up with. cc: @aattuluri Solution 1:Honor If the sidecar config has TLS mode set to a. and if PA is set to STRICT, then we allow both user mTLS and istio mTLS. We would use ALPN to find the listener match. b. and if PA is set to PERMISSIVE, then we allow plaintext, user mTLS and istio mTLS c. and if PA is set to DISABLE, then we only allow plaintext and the mTLS setting on the sidecar is ignored. Since PeerAuthentication is supposed to control mTLS communication within the mesh, we should not even consider it when it comes to one-way TLS. With this proposal, we can probably extend it control mTLS communication ingressing from outside the mesh. Pros:
Cons:
Solution 2:Add another mode called Example:
Pros:
Cons:
Solution 3:Move the TLS configuration from the Sidecar IstioIngressListener API to PeerAuthentication. Even though this approach is not backwards compatible, this would eliminate the need for two separate config. Example:
|
Note: auto mtls relies on PeerAuthentication so we would needto update that code as well. Actually the client side code would also need to change, most likely, to detect if the client sent TLS (in which case we passthrough?) or plaintext (in which case we wrap in mTLS). |
This seems conflict with sidecar tls config |
I guess this iss too loose, not user's intention |
For simplicity why cannot we make user-defined tls override istio tls? Or can we move sidecar tls setting to PA? |
@hzxuzhonghu , yeah that's the |
@hzxuzhonghu , I agree this would be the simplest approach. Basically TLS config on the sidecar takes precedence over |
Assuming when you say "TLS config on sidecar" it covers both SIMPLE and MUTUAL TLS, that works for the usecases I am looking for! |
I do have some concerns here. The presence of PA is used in a number of places. inside istio, it is used to determine auto mTLS and multinetwork connectivity; that would all need to be updated to take Sidecar into account as well. The bigger problem is externally. There is an ecosystem of tooling around this. For example, users have Gatekeeper policies that say "All namespaces must have STRICT mTLS". If we have this new config suddenly override that, they may have policy violations. If we have a security policy that is implicitly overriden, that is very scary. |
Yes, it does break. I just think it is just introduced, and istio 1.13 is just released, maybe no user yet. Actually this looks the best way, no implicit overriden. |
@shriramsharma If Solution 1 has its own complexities, and Solution 2 is anyways not simplifying any configuration, so Solution 3 is only the way forward? :D But that means re-doing everything you already did?? |
Thanks @howardjohn @hzxuzhonghu @kfaseela for your feedback. I'll bring this up in the next |
It seems like moving the TLS config to I think, for now, we can continue using the feature in its current form. cc: @kfaseela @aattuluri |
Thanks for following up on this @shriramsharma ! |
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2022-05-05. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
The current implementation of a recent feature of enabling TLS on sidecar proxy seems to be a little complicated since we are required to disable
mTLS
on the app's port. See the example below.If
PeerAuthentication
is not configured and with the default modePERMISSIVE
, istiod would create listeners allowing plaintext and istio in-mesh mTLS with spiffe certs.When enabling TLS on the sidecar proxy with user-provided certs, the requirement of the feature was to not allow any plaintext traffic.
One way to fix this would be to remove the plaintext listener but doing so would give an incorrect impression to the mesh client as the mode itself is set to
PERMISSIVE
.Plus this gets further convoluted with the mode set to
STRICT
.I wanted to create this issue so that we can start a discussion on this and come to a conclusion on how we can simplify this configuration.
The text was updated successfully, but these errors were encountered: