Enforce network policy for Istio

Big picture

Calico integrates seamlessly with Istio to enforce network policy within the Istio service mesh.

Value

Calico network policy for Istio lets you enforce application layer attributes like HTTP methods or paths, and cryptographically secure identities for Istio-enabled apps.

Concepts

Benefits of the Istio integration

The Calico support for Istio service mesh has the following benefits:

  • Pod traffic controls

    Lets you restrict ingress traffic inside and outside pods and mitigate common threats to Istio-enabled apps.

  • Supports security goals

    Enables adoption of a zero trust network model for security, including traffic encryption, multiple enforcement points, and multiple identity criteria for authentication.

  • Familiar policy language

    Kubernetes network policies and Calico network policies work as is; users do not need to learn another network policy model to adopt Istio.

See Enforce network policy using Istio tutorial to learn how application layer policy provides second-factor authentication for the mythical Yao Bank.

Before you begin

Required

Istio support

Following Istio versions have been verified to work with application layer policies:

  • Istio v1.15.2
  • Istio v1.10.2

Istio v1.9.x and lower are not supported.

Although we expect future minor versions to work with the corresponding manifest below (for example, v1.10.2 or v1.15.2), manifest compatibility depends entirely on the upstream changes in the respective Istio release.

How to

  1. Enable application layer policy
  2. Install Calico CSI Driver
  3. Install Istio
  4. Update Istio sidecar injector
  5. Add Calico authorization services to the mesh
  6. Add namespace labels

Enable application layer policy

To enable the application layer policy, you must enable the Policy Sync API on Felix cluster-wide.

In the default FelixConfiguration, set the field, policySyncPathPrefix to /var/run/nodeagent:

  • calicoctl
  • kubectl
  1. calicoctl patch FelixConfiguration default --patch \
  2. '{"spec": {"policySyncPathPrefix": "/var/run/nodeagent"}}'
  1. kubectl patch FelixConfiguration default --type=merge --patch \
  2. '{"spec": {"policySyncPathPrefix": "/var/run/nodeagent"}}'

Additionally, if you have installed Calico via the operator, you can optionally disable flexvolumes. Flexvolumes were used in earlier implementations and have since been deprecated.

  1. kubectl patch installation default --type=merge -p '{"spec": {"flexVolumePath": "None"}}'

Install Calico CSI Driver

Calico utilizes a Container Storage Interface (CSI) driver to help set up the policy sync API on every node. Apply the following to install the Calico CSI driver

  1. kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.4/manifests/csi-driver.yaml

Install Istio

  1. Verify application layer policy requirements.
  2. Install Istio using installation guide in the project documentation.
  1. curl -L https://git.io/getLatestIstio | ISTIO_VERSION=1.15.2 sh -
  2. cd $(ls -d istio-* --color=never)
  3. ./bin/istioctl install

Next, create the following PeerAuthentication policy.

Replace namespace below by rootNamespace value, if it’s customized in your environment.

  1. kubectl create -f - <<EOF
  2. apiVersion: security.istio.io/v1beta1
  3. kind: PeerAuthentication
  4. metadata:
  5. name: default-strict-mode
  6. namespace: istio-system
  7. spec:
  8. mtls:
  9. mode: STRICT
  10. EOF

Update Istio sidecar injector

The sidecar injector automatically modifies pods as they are created to work with Istio. This step modifies the injector configuration to add Dikastes (a Calico component), as sidecar containers.

  1. Follow the Automatic sidecar injection instructions to install the sidecar injector and enable it in your chosen namespace(s).
  2. Patch the istio-sidecar-injector ConfigMap to enable injection of Dikastes alongside Envoy.
  • Istio v1.15.x
  • Istio v1.10.x
  1. curl https://raw.githubusercontent.com/projectcalico/calico/v3.27.4/manifests/alp/istio-inject-configmap-1.15.yaml -o istio-inject-configmap.yaml
  2. kubectl patch configmap -n istio-system istio-sidecar-injector --patch "$(cat istio-inject-configmap.yaml)"

View sample manifest

  1. curl https://raw.githubusercontent.com/projectcalico/calico/v3.27.4/manifests/alp/istio-inject-configmap-1.10.yaml -o istio-inject-configmap.yaml
  2. kubectl patch configmap -n istio-system istio-sidecar-injector --patch "$(cat istio-inject-configmap.yaml)"

View sample manifest

Add Calico authorization services to the mesh

Apply the following manifest to configure Istio to query Calico for application layer policy authorization decisions.

This applies to Istio v1.15.x and v1.10.x:

  1. kubectl apply -f https://raw.githubusercontent.com/projectcalico/calico/v3.27.4/manifests/alp/istio-app-layer-policy-envoy-v3.yaml

View sample manifest

Add namespace labels

You can control enforcement of application layer policy on a per-namespace basis. However, this only works on pods that are started with the Envoy and Calico Dikastes sidecars (as noted in the step, Update Istio sidecar injector). Pods that do not have the Calico sidecars, enforce only standard Calico network policy.

To enable Istio and application layer policy in a namespace, add the label istio-injection=enabled.

  1. kubectl label namespace <your namespace name> istio-injection=enabled

If the namespace already has pods in it, you must recreate them for this to take effect.

Enforce network policy for Istio - 图1note

Envoy must be able to communicate with the istio-pilot.istio-system service. If you apply any egress policies to your pods, you must enable access.

  1. kubectl apply -f https://docs.tigera.io/files/allow-istio-pilot.yaml

Additional resources