Istio Webhook Management [Experimental]

The following information describes an experimental feature, which is intendedfor evaluation purposes only.

Istio has two webhooks: Galley and the sidecar injector. By default,these webhooks manage their own configurations. From asecurity perspective, this default behavior is not recommended because a compromised webhook could then conductprivilege escalation attacks.

This task shows how to use the new istioctl x post-install webhook command tosecurely manage the configurations of the webhooks.

Getting started

• Install Istio with DNS certificates configured andglobal.operatorManageWebhooks set to true.

$ cat <<EOF > ./istio.yaml
apiVersion: install.istio.io/v1alpha2
kind: IstioControlPlane
spec:
  values:
    global:
      operatorManageWebhooks: true
      certificates:
        - secretName: dns.istio-galley-service-account
          dnsNames: [istio-galley.istio-system.svc, istio-galley.istio-system]
        - secretName: dns.istio-sidecar-injector-service-account
          dnsNames: [istio-sidecar-injector.istio-system.svc, istio-sidecar-injector.istio-system]
EOF
$ istioctl manifest apply -f ./istio.yaml

• Install jq for JSON parsing.

Check webhook certificates

To display the DNS names in the webhook certificates of Galley and the sidecar injector, you need to get the secretfrom Kubernetes, parse it, decode it, and view the text output with the following commands:

$ kubectl get secret dns.istio-galley-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout
$ kubectl get secret dns.istio-sidecar-injector-service-account -n istio-system -o json | jq -r '.data["cert-chain.pem"]' | base64 --decode | openssl x509 -in - -text -noout

The output from the above commands should include the DNS names of Galley and the sidecar injector, respectively:

X509v3 Subject Alternative Name:
  DNS:istio-galley.istio-system.svc, DNS:istio-galley.istio-system

X509v3 Subject Alternative Name:
  DNS:istio-sidecar-injector.istio-system.svc, DNS:istio-sidecar-injector.istio-system

Enable webhook configurations

• To generate the MutatingWebhookConfiguration and ValidatingWebhookConfiguration configuration files, run the followingcommand.

$ istioctl manifest generate > istio.yaml

• Open the istio.yaml configuration file, search for kind: MutatingWebhookConfiguration and savethe MutatingWebhookConfiguration of the sidecar injector to sidecar-injector-webhook.yaml. The followingis a MutatingWebhookConfiguration in an example istio.yaml.

apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: istio-sidecar-injector
  labels:
    app: sidecarInjectorWebhook
    release: istio
webhooks:
  - name: sidecar-injector.istio.io
    clientConfig:
      service:
        name: istio-sidecar-injector
        namespace: istio-system
        path: "/inject"
      caBundle: ""
    rules:
      - operations: [ "CREATE" ]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    failurePolicy: Fail
    namespaceSelector:
      matchLabels:
        istio-injection: enabled

• Open the istio.yaml configuration file, search for kind: ValidatingWebhookConfiguration and savethe ValidatingWebhookConfiguration of Galley to galley-webhook.yaml. The followingis a ValidatingWebhookConfiguration in an example istio.yaml (onlya part of the configuration is shown to save space).

apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: istio-galley
  labels:
    app: galley
    release: istio
    istio: galley
webhooks:
  - name: pilot.validation.istio.io
    clientConfig:
      service:
        name: istio-galley
        namespace: istio-system
        path: "/admitpilot"
      caBundle: ""
    rules:
      - operations:
        - CREATE
        - UPDATE
        apiGroups:
        - config.istio.io
        ... SKIPPED
    failurePolicy: Fail
    sideEffects: None

• Verify that there are no existing webhook configurations for Galley and the sidecar injector.The output of the following two commands should not contain any configurations forGalley and the sidecar injector.

$ kubectl get mutatingwebhookconfiguration
$ kubectl get validatingwebhookconfiguration

If there are existing webhook configurations (e.g., from a previous Istio deployment) forGalley and the sidecar injector, delete them using the following commands. Before runningthese commands, replace the webhook configuration names in the commands with theactual webhook configuration names of Galley and the sidecar injector in your cluster.

$ kubectl delete mutatingwebhookconfiguration SIDECAR-INJECTOR-WEBHOOK-CONFIGURATION-NAME
$ kubectl delete validatingwebhookconfiguration GALLEY-WEBHOOK-CONFIGURATION-NAME

• Use istioctl to enable the webhook configurations:

$ istioctl experimental post-install webhook enable --webhook-secret dns.istio-galley-service-account \
    --namespace istio-system --validation-path galley-webhook.yaml \
    --injection-path sidecar-injector-webhook.yaml

• To check that the sidecar injector webhook is working, verify that the webhook injects asidecar container into an example pod with the following commands:

$ kubectl create namespace test-injection
$ kubectl label namespaces test-injection istio-injection=enabled
$ kubectl run --generator=run-pod/v1 --image=nginx nginx-app --port=80 -n test-injection
$ kubectl get pod -n test-injection

The output from the get pod command should show the following. The 2/2 value means thatthe webhook injected a sidecar into the example pod:

NAME        READY   STATUS    RESTARTS   AGE
nginx-app   2/2     Running   0          10s

• Check that the validation webhook is working:

$ kubectl create namespace test-validation
$ kubectl apply -n test-validation -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: invalid-gateway
spec:
  selector:
    # DO NOT CHANGE THESE LABELS
    # The ingressgateway is defined in install/kubernetes/helm/istio/values.yaml
    # with these labels
    istio: ingressgateway
EOF

The output from the gateway creation command should show the following output. The errorin the output indicates that the validation webhook checked the gateway’s configuration YAML file:

Error from server: error when creating "invalid-gateway.yaml": admission webhook "pilot.validation.istio.io" denied the request: configuration is invalid: gateway must have at least one server

Show webhook configurations

• If you named the sidecar injector’s configuration istio-sidecar-injector andnamed Galley’s configuration istio-galley-istio-system, use the following commandto show the configurations of these two webhooks:

$ istioctl experimental post-install webhook status --validation-config=istio-galley-istio-system  --injection-config=istio-sidecar-injector

• If you named the sidecar injector’s configuration istio-sidecar-injector,use the following command to show the configuration of the sidecar injector:

$ istioctl experimental post-install webhook status --validation=false --injection-config=istio-sidecar-injector

• If you named Galley’s configuration istio-galley-istio-system, show Galley’s configuration with the following command:

$ istioctl experimental post-install webhook status --injection=false --validation-config=istio-galley-istio-system

Disable webhook configurations

• If you named the sidecar injector’s configuration istio-sidecar-injector andnamed Galley’s configuration istio-galley-istio-system, use the following commandto disable the configurations of these two webhooks:

$ istioctl experimental post-install webhook disable --validation-config=istio-galley-istio-system  --injection-config=istio-sidecar-injector

• If you named the sidecar injector’s configuration istio-sidecar-injector,disable the webhook with the following command:

$ istioctl experimental post-install webhook disable --validation=false --injection-config=istio-sidecar-injector

• If you named Galleys’s configuration istio-galley-istio-system, disable the webhook with the following command:

$ istioctl experimental post-install webhook disable --injection=false --validation-config=istio-galley-istio-system

Cleanup

You can run the following command to delete the resources created in this tutorial.

$ kubectl delete ns test-injection test-validation
$ kubectl delete -f galley-webhook.yaml
$ kubectl delete -f sidecar-injector-webhook.yaml

See also

Secure Webhook Management

A more secure way to manage Istio webhooks.

DNS Certificate Management

Provision and manage DNS certificates in Istio.

Introducing the Istio v1beta1 Authorization Policy

Introduction, motivation and design principles for the Istio v1beta1 Authorization Policy.

Multi-Mesh Deployments for Isolation and Boundary Protection

Deploy environments that require isolation into separate meshes and enable inter-mesh communication by mesh federation.

App Identity and Access Adapter

Using Istio to secure multi-cloud Kubernetes applications with zero code changes.

Change in Secret Discovery Service in Istio 1.3

Taking advantage of Kubernetes trustworthy JWTs to issue certificates for workload instances more securely.