Istio via Helm
The instructions below show how to install Curiefense on a Kubernetes cluster, embedded in an Istio service mesh. It assumes that the instructions described in First Tasks have been completed successfully.
The following tasks, each described below in sequence, should be performed:
​Setup Synchronization​
​Reset State​
​Create Namespaces​
​Setup Secrets​
​Setup TLS​
​Deploy the (Sample) App​
At the bottom of this page is a Reference section describing the charts and configuration variables.
An AWS S3 bucket must be available to synchronize configurations between the confserver and the Curiefense Istio sidecars. The following Curiefense variables must be set:
In
deploy/istio-helm/chart/values.yaml:Set
curieconf_manifest_urlto the bucket URL.
In
deploy/curiefense-helm/curiefense/values.yaml:Set
curieconf_manifest_urlto the bucket URL.Set
curiefense_db_hostnameto the hostname (or FQDN) of the database server if you choose to supply your own database. If you choose to use the instance from ourcuriefensechart, use the defaultlogdbvalue.
Access to a Kubernetes cluster running Helm v2 is required. Dynamic provisioning of persistent volumes must be supported. To set a StorageClass other than the default, change or override variable storage_class_name in deploy/curiefense-helm/curiefense/values.yaml.
Below are instructions for several ways to achieve this:
Using minikube, Kubernetes 1.14.9 and Helm v2.13.1 (dynamic provisioning is enabled by default)
Using Google GKE, Kubernetes 1.16.13 (with RBAC) and Helm v2.16.7 (dynamic provisioning is enabled by default)
Using Amazon EKS, Kubernetes 1.18 (with RBAC) and Helm v2.16.7 (dynamic provisioning is enabled by default)
This section describes the install for a single-node test setup (which is generally not useful for production).
Starting from a fresh ubuntu 20.04 VM:
Install docker (https://docs.docker.com/engine/install/ubuntu/)
Install kubectl (https://kubernetes.io/docs/tasks/tools/install-kubectl/) -- use version 1.14.9.
Install minikube (https://minikube.sigs.k8s.io/docs/start/)
Allow your user to interact with docker:
sudo usermod -aG docker $USER && newgrp docker
minikube start --kubernetes-version=v1.14.9 --driver=docker --memory='8g' --cpus 4eval $(minikube docker-env)minikube addons enable ingress
Start a screen or tmux, and keep the following command running:
minikube tunnel
Run the following commands:
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3chmod 700 get_helm.sh./get_helm.sh -v v2.13.1# socat is required but not installed by get_helm.shapt install socat
(Alternately, Helm can be manually downloaded as a binary release, as explained at https://helm.sh/docs/intro/install/. If you choose to do this, ensure that you obtain v2.13.1.)
Now install Helm to the Kubernetes cluster:
helm init
This option uses a more recent Kubernetes, with RBAC enabled.
Follow instructions at https://kubernetes.io/docs/tasks/tools/install-kubectl/. Use version 1.16.13.
gcloud container clusters create curiefense-gks --num-nodes=1 --machine-type=n1-standard-4gcloud container clusters get-credentials curiefense-gks
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3chmod 700 get_helm.sh./get_helm.sh -v v2.16.7
(Alternately, Helm can be manually downloaded as a binary release, as explained at https://helm.sh/docs/intro/install/. If you choose to do this, ensure that you obtain v2.16.7.)
Now we must define RBAC authorizations. Helm needs to be able to deploy applications to both the curiefense and istio-system namespaces.
To do that, we provide an example configuration, which installs Tiller in the kube-system namespaces, and grants it cluster-admin permissions.
kubectl -n kube-system create serviceaccount tillerkubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
Finally, install Helm to the Kubernetes cluster:
helm init --service-account tiller
This option uses a more recent Kubernetes, with RBAC enabled.
Follow instructions at https://kubernetes.io/docs/tasks/tools/install-kubectl/. Use version 1.18.
Create a cluster
eksctl create cluster --name curiefense-eks-2 --version 1.18 --nodes 1 --nodes-max 1 --managed --region us-east-2 --node-type m5.xlarge
Install Helm v2.16.7
Follow all the "Install Helm v2.16.7" instructions shown above in the Google GKE section.
If you have a clean machine where Curiefense has never been installed, skip this step and go to the next.
Otherwise, run these commands:
kubectl delete namespaces bookinfohelm delete --purge curiefensehelm delete --purge istio-cf
Ensure that helm ls -a outputs nothing.
Run the following commands:
kubectl create namespace curiefensekubectl create namespace istio-system
Encode the AWS S3 credentials that have r/w access to the S3 bucket. This yields a base64 string:
cat << EOF | base64 -w0[default]access_key = xxxxxxxxxxxxxxxxxxxxsecret_key = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxEOF
Create a local file called s3cfg.yaml, with the contents below, replacing both occurrences of BASE64_S3CFG with the previously obtained base64 string:
---apiVersion: v1kind: Secretdata:s3cfg: "BASE64_S3CFG"metadata:namespace: curiefenselabels:app.kubernetes.io/name: s3cfgname: s3cfgtype: Opaque---apiVersion: v1kind: Secretdata:s3cfg: "BASE64_S3CFG"metadata:namespace: istio-systemlabels:app.kubernetes.io/name: s3cfgname: s3cfgtype: Opaque
Deploy this secret to the cluster:
kubectl apply -f s3cfg.yaml
Curiefense requires two database accounts. They will be automatically provisioned by the logdb container:
One with read/write authorization (described below as
BASE64_READWRITE_USERNAMEandBASE64_READWRITE_PASSWORD). If thelogdbcontainer is used (which is the default),BASE64_READWRITE_USERNAMEmust be set topostgres.One with read-only permissions (described below as
BASE64_READONLY_USERNAMEandBASE64_READONLY_PASSWORD). If thelogdbcontainer is used (which is the default),BASE64_READONLY_USERNAMEmust be set tologserver_ro.
Create a local file called dbsecret.yaml, with the contents below, containing database credentials. Replace BASE64_READWRITE_USERNAME, BASE64_READONLY_USERNAME, BASE64_READWRITE_PASSWORD and BASE64_READONLY_PASSWORD with the correct base64-encoded values.
---apiVersion: v1kind: Secretdata:username: "BASE64_READWRITE_USERNAME"password: "BASE64_READWRITE_PASSWORD"metadata:namespace: curiefenselabels:app.kubernetes.io/name: curiefense-db-credentialsname: curiefense-db-credentialstype: Opaque---apiVersion: v1kind: Secretdata:username: "BASE64_READONLY_USERNAME"password: "BASE64_READONLY_PASSWORD"metadata:namespace: curiefenselabels:app.kubernetes.io/name: curiefense-db-readonly-credentialsname: curiefense-db-readonly-credentialstype: Opaque
Deploy this secret to the cluster:
kubectl apply -f dbsecret.yaml
An example file with weak default credentials is provided at deploy/curiefense-helm/example-dbsecret.yaml.
Using TLS is optional.
The UIServer can be made to be reachable over HTTPS. To do that, two secrets have to be created to hold the TLS certificate and TLS key.
Create a local file called uiserver-tls.yaml, replacing TLS_CERT_BASE64 with the base64-encoded PEM X509 TLS certificate, and TLS_KEY_BASE64 with the base64-encoded TLS key.
---apiVersion: v1data:uisslcrt: TLS_CERT_BASE64kind: Secretmetadata:labels:app.kubernetes.io/name: uisslcrtname: uisslcrtnamespace: curiefensetype: Opaque---apiVersion: v1data:uisslkey: TLS_KEY_BASE64kind: Secretmetadata:labels:app.kubernetes.io/name: uisslkeyname: uisslkeynamespace: curiefensetype: Opaque
Deploy this secret to the cluster:
kubectl apply -f uiserver-tls.yaml
An example file with self-signed certificates is provided at deploy/curiefense-helm/example-uiserver-tls.yaml.
Deploy the Istio service mesh:
cd ~/curiefense/deploy/istio-helm./deploy.sh
And then the Curiefense components:
cd ~/curiefense/deploy/curiefense-helm./deploy.sh
The application to be protected by Curiefense should now be deployed. These instructions are for the sample application bookinfo.
Create the Kubernetes namespace, and add the istio-injection=enabled label that will make Istio automatically inject necessary sidecars to applications that are deployed in this namespace.
kubectl create namespace bookinfokubectl label namespace bookinfo istio-injection=enabled
git clone https://github.com/istio/istio/ -b 1.5.10kubectl apply -n bookinfo -f istio/samples/bookinfo/platform/kube/bookinfo.yamlkubectl apply -n bookinfo -f istio/samples/bookinfo/networking/bookinfo-gateway.yaml
Check that bookinfo Pods are running (wait a bit if they are not):
kubectl get -n bookinfo pod -l app=ratings
Sample output example:
NAME READY STATUS RESTARTS AGEratings-v1-f745cf57b-cjg69 2/2 Running 0 79s
Check that the application is working by querying its API directly without going through the Istio service mesh:
kubectl exec -n bookinfo -it "$(kubectl get -n bookinfo pod -l app=ratings -o jsonpath='{.items[0].metadata.name}')" -c ratings -- curl -sS productpage:9080/productpage | grep "<title>"
Expected output:
<title>Simple Bookstore App</title>
curl -sS http://$(kubectl -n istio-system get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/productpage|grep "<title>"
(Replace "ip" with "hostname" if running in an environment where the LoadBalancer yields a FQDN, as is the case with Amazon's ELB.)
Expected output:
<title>Simple Bookstore App</title>
If this error occurs: Could not resolve host: a6fdxxxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxx.us-west-2.elb.amazonaws.com ...the ELB is not ready yet. Wait and retry until it becomes available (typically a few minutes).
Run this query (add random characters at the end)
curl http://$(kubectl -n istio-system get svc istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')/productpage/TEST_STRING
(Replace "ip" with "hostname" if running in an environment where the LoadBalancer yields a FQDN, as is the case with Amazon's ELB.)
Run this to ensure that the logs have been recorded and are reachable from the UI server:
kubectl exec -n curiefense -it "$(kubectl get -n curiefense pod -l app.kubernetes.io/name=uiserver -o jsonpath='{.items[0].metadata.name}')" -c uiserver -- curl 'http://localhost/logs/api/v1/exec/' -H 'Content-Type: application/json;charset=utf-8' --data-raw '{"statement":"SELECT Path FROM logs ORDER BY StartTime DESC LIMIT 1024","parameters":[]}'
Check that TEST_STRING appears in the output.
Run the following commands to expose Curiefense services through NodePorts. Warning: if the machine has a public IP, the services will be exposed on the Internet.
Start with this command:
kubectl apply -f ~/curiefense/deploy/curiefense-helm/expose-services.yaml
The following command can be used to determine the IP address of your cluster nodes on which services will be exposed:
kubectl get nodes -o wide
If you are using minikube, also run the following commands on the host in order to expose services on the Internet:
sudo iptables -t nat -A PREROUTING -p tcp --match multiport --dports 30000,30080,30081,30300,30443 -j DNAT --to 172.17.0.2sudo iptables -I FORWARD -p tcp --match multiport --dports 30000,30080,30081,30300,30443,30444 -j ACCEPT
If you are using Amazon EKS, you will also need to allow inbound connections for port range 30000-30500 from your IP. Go to the EC2 page in the AWS console, select the EC2 instance for the cluster (named curiefense-eks-...-Node), select the "Security" pane, select the security group (named eks-cluster-sg-curiefense-eks-[0-9]+), then add the incoming rule.
The UIServer is now available on port 30080 over HTTP, and on port 30443 over HTTPS.
Grafana is now available on port 30300 over HTTP.
For the bookinfo sample app, the Book Review product page is now available on port 30081 over HTTP, and on port 30444 over HTTPS.
The confserver is now available on port 30000 over HTTP.
For a full list of ports used by Curiefense containers, see the Reference page on services and containers.
Helm charts are divided as follows:
curiefense-admin- confserver, curielogserver and UIServer.curiefense-dashboards- Grafana and Prometheus.curiefense-log- logdb, namely: PostgreSQL.curiefense-proxy- curielogger, curiesync and redis.
Configuration variables in deploy/curiefense-helm/curiefense/values.yaml can be modified or overridden to fit your deployment needs:
Variables in the
imagessection define the Docker image names for each component. Override this if you want to host images on your own private registry.storage_class_nameis the StorageClass that is used for dynamic provisioning of Persistent Volumes. It defaults tonull(default storage class, which works by default on EKS, GKE and minikube)...._storage_sizevariables define the size of persistent volumes. The defaults are fine for a test or small-scale deployment.curieconf_manifest_urlis the URL of the AWS S3 bucket that is used to synchronize configurations between theconfserverand the Curiefense Istio sidecars.curiefense_db_hostnamedefines the hostname of the postgres server that will be used to store logs. Defaults to the providedlogdbStatefulSet. Override this to replace the postgres instance with one you supply, or an AWS Aurora instance.docker_tagdefines the image tag versions that should be used.deploy.shwill override this to deploy a version that matches the current working directory, unless theDOCKER_TAGenvironment variable is set.
Components added or modified by Curiefense are defined in deploy/istio-helm/chart/charts/gateways. Compared to the upstream Istio Kubernetes distribution, we add or change the following Pods:
An
initContainercalledcuriesync-initialpullhas been added. It synchronizes configuration before running Envoy.A container called
curiesynchas been added. It periodically fetches the configuration that should be applied from an S3 bucket (configurable with thecurieconf_manifest_urlvariable), and makes it available to Envoy. This configuration is used by the LUA code that inspects traffic.The container called
istio-proxynow uses our custom Docker image, embedding our HTTP Filter, written in Lua.An
EnvoyFilterhas been added. It forwards access logs tocurielogger(seecuriefense_access_logs_filter.yaml).An
EnvoyFilterhas been added. It runs Curiefense's Lua code to inspect incoming traffic on the Ingress Gateways (seecuriefense_lua_filter.yaml).
Configuration variables in deploy/istio-helm/chart/values.yaml can be modified or overridden to fit your deployment needs:
gw_imagedefines the name of the image that contains our filtering code and modified Envoy binary.curiesync_imagedefines the name of the image that contains scripts that synchronize local Envoy configuration with the AWS S3 bucket defined incurieconf_manifest_url.curieconf_manifest_urlis the URL of the AWS S3 bucket that is used to synchronize configurations between theconfserverand the Curiefense Istio sidecars.curiefense_namespaceshould contain the name of the namespace where Curiefense components defined indeploy/curiefense-helm/are running.redis_hostdefines the hostname of the redis server that will be used bycurieproxy. Defaults to the provided redis StatefulSet. Override this to replace the redis instance with one you supply.initial_curieconf_pulldefines whether a configuration should be pulled from the AWS S3 bucket before running Envoy (true), or if traffic should be allowed to flow with a default configuration until the next synchronization (typically every 10s).
​
