This module will cover the security related capabilities of Istio service-mesh on Amazon EKS.
To be able to work on this module you should meet the following prerequisites. Ensure that you have the following tools installed locally:
This module will create its own EKS cluster with secure Istio workload configurations.
Note: Configuring this module in an existing cluster is not supported.
Provision an EKS cluster with Istio and the security module resources by executing the below commands.
# This assumes that you are currently in "istio-on-eks" base directory
cd modules/04-security/terraform
terraform init
terraform apply -auto-approveNote: The terraform stack can take between 25 to 30 minutes to provision all the resources required for this module. Take a short break and grab a cup of your favorite hot beverage. ☕
The terraform stack creates the following resources.
- VPC resources to host the EKS cluster
- EKS cluster named
istio-on-eks-04-security - Private CA configured to issue short lived certificates for mutual TLS
cert-managerandaws-privateca-issueraddon to issue short-lived certificates from AWS Private CAcert-manager-istio-csrto forward certificate requests from Istio control plane and workload proxies tocert-manager- Keycloak to manage application users and issue JSON Web Tokens (JWTs)
- Istio with built-in CA disabled and configured with
cert-manager-istio-csr - Gatekeeper for mutating workload deployments to enforce Open Policy Agent (OPA) based external authorization
- Workload microservices with an HTTPS route
The above setup installs Keycloak and creates the following Keycloak resources for request authentication and external authorization modules.
| Resource Type | Name | Purpose |
|---|---|---|
| Realm | workshop |
A container for users, roles and OIDC application client settings. |
| Client | productapp |
OIDC application client. |
| Roles | - |
See below section for Application Roles |
| Users | - |
See below section for Application Users |
The following application roles are created in the workshop realm.
| Role | Purpose |
|---|---|
guest |
Views products list. |
admin |
Views and modifies products list. |
other |
- |
The following application users and the corresponding role assignments are created in the workshop realm.
| User | Role |
|---|---|
alice |
guest |
bob |
admin |
charlie |
other |
The following scripts have been provided to interact with Keycloak and configure Istio request authentication and authorization resources from the terminal.
| Name | Purpose | Arguments |
|---|---|---|
scripts/helpers.sh |
Contains helper functions to generate and inspect access tokens, apply authentication and authorization policies on ingress gateway, and print Keycloak admin console access information. | See below section |
The following table lists the arguments of helpers.sh script:
| Short Form | Long Form | Value Type | Required | Default | Description |
|---|---|---|---|---|---|
-a |
--admin |
- |
No | - |
Print Keycloak admin password. This is a mutually exclusive option. See below for more details. |
-c |
--console |
- |
No | - |
Print Keycloak console URL. This is a mutually exclusive option. See below for more details. |
-g |
--generate |
- |
No | - |
Generate access token for application user (requires -u|--user). This is a mutually exclusive option. See below for more details. |
-u |
--user |
string |
Required when -g|--generate is set |
- |
Application username. |
-i |
--inspect |
- |
No | - |
Inspect access token (requires -t|--token). This is a mutually exclusive option. See below for more details. |
-t |
--token |
string |
Required when -i|--inspect is set |
- |
Access token. |
-w |
--wait-lb |
- |
No | - |
Wait for load balancer endpoint to become healthy (requires -l|--lb-arn-pattern). This is a mutually exclusive option. See below for more details. |
-l |
--lb-arn-pattern |
string |
Required when -w|--wait-lb is set |
- |
Load balancer ARN pattern. |
- |
--authn |
- |
- |
- |
Apply RequestAuthentication manifest. This is a mutually exclusive option. See below for more details. |
- |
--authz |
- |
- |
- |
Apply AuthorizationPolicy manifest. This is a mutually exclusive option. See below for more details. |
-n |
--keycloak-namespace |
string |
No | keycloak |
Namespace for keycloak. |
-r |
--keycloak-realm |
string |
No | workshop |
Keycloak realm for workshop. |
-h |
--help |
- |
No | - |
Show help message. |
-v |
--verbose |
- |
No | - |
Enable verbose output. |
The below options cannot appear together for an invocation of this script.
-a,--admin-c,--console-g,--generate-i,--inspect-w,--wait-lb--authn--authz
Below are some examples of using the helper script to perform various actions related to configuring Istio request authentication and authorization.
| Action description | Script invocation |
|---|---|
Generate access token for application user alice |
scripts/helpers.sh -g -u alice |
| Inspect generated access token | scripts/helpers.sh -i -t {TOKEN} |
Apply RequestAuthentication manifest |
scripts/helpers.sh --authn |
Apply AuthorizationPolicy manifest |
scripts/helpers.sh --authz |
| Print Keycloak admin console URL | scripts/helpers.sh -c |
| Print Keycloak admin user password | scripts/helpers.sh -a |
Note: Remember to set the correct AWS region in the terminal window before invoking the script. For example, in the bash terminal window execute the following. Make sure the region is the one where the terraform stack has created the keycloak resources.
export AWS_REGION=us-west-2Use the following code snippet to add the Istio Observability add-ons to the EKS cluster with deployed Istio.
for ADDON in kiali jaeger prometheus grafana
do
ADDON_URL="https://raw.githubusercontent.com/istio/istio/release-1.20/samples/addons/$ADDON.yaml"
kubectl apply -f $ADDON_URL
done
Run the following command in the terminal session to port-forward kiali traffic on to a designated port on your localhost.
kubectl port-forward svc/kiali 8080:20001 -n istio-system
Clean up all the resources using terraform destroy command.
terraform destroy -auto-approve