A running Kubernetes cluster with `kubectl` configured (the easiest way to run a local Kubernetes cluster is kind). The steps below were tested with k8s v1.23.4.

Change directory to `demo` and follow the steps below:
- Download the latest `istioctl`, passing either `linux` or `macos` as parameter:

  ```sh
  ./download-istioctl linux
  ```

  Verify that it is working:

  ```sh
  ./istioctl version
  ```

  The output should show `1.15.0`.
- Deploy SPIRE to the cluster:

  ```sh
  ./deploy-spire
  ```

  Verify:

  ```sh
  kubectl get pod -n spire
  ```

  ```
  NAME                READY   STATUS    RESTARTS   AGE
  spire-agent-qkgtx   3/3     Running   0          2m2s
  spire-server-0      1/1     Running   0          2m5s
  ```
- Create SPIRE registration entries:

  First you need the `demo-cluster` ID generated by SPIRE Server when the SPIRE Agent was attested:

  ```sh
  ./show-spire-cluster-id
  ```

  Output:

  ```
  time="2022-05-10T18:42:21Z" level=info msg="Node attestation was successful" spiffe_id="spiffe://example.org/spire/agent/k8s_psat/demo-cluster/1cd8f089-f9cc-46ca-9196-64e6a9a40271" subsystem_name=attestor trust_domain_id="spiffe://example.org"
  ```

  This shows a log line with a `spiffe_id`; copy the path segment after `demo-cluster`. In the example output it is `1cd8f089-f9cc-46ca-9196-64e6a9a40271`.

  Run the script, passing the cluster ID as parameter:

  ```sh
  ./create-registration-entries 1cd8f089-f9cc-46ca-9196-64e6a9a40271
  ```

  The output will be a list of registration entries, for example:

  ```
  Entry ID         : 4841a6ae-f9b7-4f73-b878-1863a34f26e9
  SPIFFE ID        : spiffe://example.org/ns/default/sa/bookinfo-details
  Parent ID        : spiffe://example.org/spire/agent/k8s_psat/demo-cluster/1cd8f089-f9cc-46ca-9196-64e6a9a40271
  Revision         : 0
  TTL              : default
  Selector         : k8s:ns:default
  Selector         : k8s:pod-image:docker.io/istio/examples-bookinfo-details-v1:1.16.2
  Selector         : k8s:pod-label:app:details
  Selector         : k8s:sa:bookinfo-details
  Selector         : unix:uid:1337
  ```

  The Parent ID is the SPIFFE ID of the attested agent; an entry is only issued to a workload on that agent's node that matches all of the entry's selectors.
- Deploy Istio:

  ```sh
  ./deploy-istio
  ```

  Output:

  ```
  namespace/istio-system created
  ✔ Istio core installed
  ✔ Istiod installed
  ✔ Ingress gateways installed
  ✔ Installation complete
  Making this installation the default for injection and validation.
  peerauthentication.security.istio.io/default created
  ```
- Deploy the `bookinfo` application:

  ```sh
  ./deploy-bookinfo
  ```

  Verify:

  ```sh
  kubectl get pod
  ```

  ```
  NAME                              READY   STATUS    RESTARTS   AGE
  details-v1-7574cc5b79-bvb52       2/2     Running   0          57s
  productpage-v1-6b69967768-gfgs5   2/2     Running   0          56s
  ratings-v1-79c75cc987-mzb4v       2/2     Running   0          57s
  reviews-v1-576f798b86-gxd8w       2/2     Running   0          56s
  reviews-v2-76ff897c8c-pfxww       2/2     Running   0          56s
  reviews-v3-7d45bc84c6-hgc5r       2/2     Running   0          56s
  ```

  Wait until all the pods have their 2 containers ready (READY `2/2`).
- Test the `bookinfo` application page:

  Forward traffic into the cluster:

  ```sh
  ./forward-port
  ```

  Open http://localhost:8000/productpage in the browser.
To test what happens when the identity policy for one service is missing, you can remove one of the registration entries and then restart the corresponding pod.

Show the registration entries:

```sh
./show-registration-entries
```

Look for the Entry ID of the `bookinfo-details` service:

```
Entry ID         : e415f2c8-8857-4660-b2f8-6c6b491a4eb7
SPIFFE ID        : spiffe://example.org/ns/default/sa/bookinfo-details
...
```

Copy the Entry ID and use the following script to delete it:

```sh
./delete-registration-entry e415f2c8-8857-4660-b2f8-6c6b491a4eb7
```

Then delete the pod of the `bookinfo-details` service to force it to restart:

```sh
kubectl delete pod $(kubectl get pod -l app=details -o jsonpath="{.items[0].metadata.name}")
```

Wait until the pod is recreated.

Reload the product page in the browser. The details section should now display an error. Strict mTLS is enabled, so if one service cannot get its identity, it will not be able to communicate with any other service in the mesh.

Recreate the registration entry for the `bookinfo-details` service identity, passing the cluster ID:

```sh
./create-registration-entry-details 1cd8f089-f9cc-46ca-9196-64e6a9a40271
```

Wait a few seconds for the certificates to be delivered to the `bookinfo-details` Envoy proxy (you should see READY `2/2` in the pod status).

Reload the `bookinfo` page in the browser. There should be no errors.
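The failure provoked above (a workload with no registration entry) can be caught before it breaks traffic by comparing the pods in the mesh against the entries SPIRE Server holds. The POSIX shell check below is an added example, not one of the demo's scripts: it assumes the trust domain `spiffe://example.org` and the `/ns/<namespace>/sa/<serviceaccount>` SPIFFE ID layout the demo's entries use, and works on constructed sample input (the comments say where the real input comes from).

```shell
#!/bin/sh
# Added example, not one of the demo's scripts: list mesh workloads that have
# no SPIRE registration entry. Such pods never receive an SVID and, under
# strict mTLS, cannot talk to any other service in the mesh.

TRUST_DOMAIN="spiffe://example.org"

# Constructed sample of "<namespace> <serviceaccount>" lines. On a live cluster:
#   kubectl get pod -A -o jsonpath='{range .items[*]}{.metadata.namespace} {.spec.serviceAccountName}{"\n"}{end}'
SAMPLE_PODS='default bookinfo-details
default bookinfo-productpage
default bookinfo-ratings
default bookinfo-reviews'

# Constructed sample of ./show-registration-entries output, with the
# bookinfo-details entry already deleted and most fields trimmed.
SAMPLE_ENTRY_SHOW='Entry ID         : 00000000-0000-4000-8000-000000000001
SPIFFE ID        : spiffe://example.org/ns/default/sa/bookinfo-productpage
Selector         : k8s:sa:bookinfo-productpage

Entry ID         : 00000000-0000-4000-8000-000000000002
SPIFFE ID        : spiffe://example.org/ns/default/sa/bookinfo-ratings
Selector         : k8s:sa:bookinfo-ratings

Entry ID         : 00000000-0000-4000-8000-000000000003
SPIFFE ID        : spiffe://example.org/ns/default/sa/bookinfo-reviews
Selector         : k8s:sa:bookinfo-reviews'

# Pull the SPIFFE IDs out of "spire-server entry show" style output.
registered_spiffe_ids() { printf '%s\n' "$1" | awk '/^SPIFFE ID/ { print $NF }'; }

# SPIFFE ID the demo's entries assign to a pod: <trust domain>/ns/<ns>/sa/<sa>.
expected_spiffe_id() { printf '%s/ns/%s/sa/%s\n' "$TRUST_DOMAIN" "$1" "$2"; }

# Print "<ns> <sa> <expected SPIFFE ID>" for every pod with no matching entry.
unregistered_workloads() {
    ids=$(registered_spiffe_ids "$2")
    printf '%s\n' "$1" | while read -r ns sa; do
        [ -n "$ns" ] || continue
        want=$(expected_spiffe_id "$ns" "$sa")
        printf '%s\n' "$ids" | grep -qxF "$want" || printf '%s %s %s\n' "$ns" "$sa" "$want"
    done
}

# Number of unregistered workloads; a non-zero count is the condition to alert on.
unregistered_count() { unregistered_workloads "$1" "$2" | wc -l | tr -d ' '; }

unregistered_workloads "$SAMPLE_PODS" "$SAMPLE_ENTRY_SHOW"
```

Running it on the sample prints the single `bookinfo-details` line; once that entry is recreated the count returns to zero.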
To remove everything the demo deployed:

```sh
./cleanup-all
```
- SPIFFE and SPIRE documentation
- SPIRE GitHub project
- SPIRE configuration reference and attestors documentation
- A CSI driver for Kubernetes that facilitates injection of the SPIRE Agent socket
- SPIRE Kubernetes Workload Registrar: implements a Kubernetes ValidatingAdmissionWebhook that facilitates automatic workload registration within Kubernetes