Anthos Service Mesh 1.6

Integrating IAP with Anthos Service Mesh

This guide describes how to integrate Identity-Aware Proxy (IAP) with Anthos Service Mesh. The IAP integration with Anthos Service Mesh enables you to safely access services based on Google's BeyondCorp principles. IAP verifies user identity and context of the request to determine if a user should be allowed to access an application or resource. The IAP integration with Anthos Service Mesh provides you with the following benefits:

  • Complete context-aware access control to the workloads running on Anthos Service Mesh. You can set fine-grained access policies based on attributes of the originating request, such as user identity, the IP address, and device type. You can combine your access policies with restrictions based on the hostname and path of a request URL.

  • Enable support for context-aware claims in Anthos Service Mesh authorization.

  • Scalable, secure, and highly available access to your application through a Google Cloud load balancer. High performance load balancing provides built-in protection of distributed denial-of-service (DDoS) attacks and support for global anycast IP addressing.

Prerequisites

This guide assumes that you have:

Setting up a cluster with Anthos Service Mesh

To set up a GKE on Google Cloud cluster, follow the guide Installing Anthos Service Mesh on GKE on Google Cloud. Note the following steps that you need to do when you follow the other guide:

  1. When you set up your project, enable iap.googleapis.com when you enable the other APIs that Anthos Service Mesh requires.

  2. The cluster that you are updating must have the --addons=HttpLoadBalancing option set. The HttpLoadBalancing add-on enables an HTTP (L7) load balancing controller for the cluster. Run the following command to update the cluster with the options required by Anthos Service Mesh:

        gcloud container clusters update ${CLUSTER_NAME} \
          --update-addons=HttpLoadBalancing=ENABLED
    
  3. When you install Anthos Service Mesh, use the following pkg get command instead of the one in the install guide. If you are updating an existing installation, be sure to run rm -r asm first, to ensure you are using the correct package.

    kpt pkg get https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git/asm-iap@release-1.6-asm asm 
  4. If you are using this guide to update an existing, functioning HTTP Cloud Load Balancer, run the following to preserve your existing http and status ports:

    kpt cfg set asm gcloud.container.cluster.ingress.httpPort $(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
    kpt cfg set asm gcloud.container.cluster.ingress.statusPort $(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="status-port")].nodePort}')

    This causes the istio-ingressgateway service to be of type NodePort, which configures Anthos Service Mesh to open a specific port (default 31223) for status checks on the service mesh. This allows you to set up a load balancer, which routes traffic sent to your domain name to this port. If port 31223 is already in use in your cluster, use kpt cfg set to specify an available port.

Reserving a static IP address and configuring DNS

To integrate Identity-Aware Proxy with Anthos Service Mesh, you have to set up a Google Cloud HTTP(S) load balancer, which requires a domain name that points to a static IP address. You can reserve a static external IP address, which assigns the address to your project indefinitely until you explicitly release it.

  1. Reserve a static external IP address:

    gcloud compute addresses create example-static-ip --global
    
  2. Get the static IP address:

    gcloud compute addresses describe example-static-ip --global
    
  3. In your domain name registrar, configure a fully qualified domain name (FQDN) with the static IP address. Typically, you add an A record to your DNS settings. The configuration steps and terminology for adding an A record for a FQDN vary depending on your domain name registrar.

  4. Set the domain name in an environment variable:

    export DOMAIN_NAME=YOUR_DOMAIN_NAME

    It can take 24 to 48 hours for the DNS setting to propagate. You can continue setting up everything in this guide, but you won't be able to test the setup until the DNS settings propagate.

Deploying a sample application

Before you enable IAP, you need an application running on your GKE cluster so you can verify that all requests have an identity. This guide uses the Bookinfo sample to demonstrate how to setup the HTTP(S) load balancer and enable IAP.

Follow the steps to deploy Bookinfo. Until you deploy the load balancer, the Bookinfo application isn't accessible outside of your GKE cluster (such as from a browser).

External requests

Bookinfo's Gateway resource (defined in samples/bookinfo/networking/bookinfo-gateway.yaml) uses the preconfigured istio-ingressgateway. Recall that when you deployed Anthos Service Mesh, you specified NodePort for the istio-ingressgateway, which opens a specific port on the service mesh. Although the nodes in your cluster have external IP addresses, requests coming from outside your cluster are blocked by Google Cloud firewall rules. With IAP, the correct way to expose applications to the public internet is by using a load balancer. Don't expose the node addresses using firewall rules, which would bypass IAP.

To route requests to Bookinfo, you set up an HTTP(S) load balancer in your Cloud project. Because the load balancer is in your project, it is inside of the firewall and can access the nodes in your cluster. After you configure the load balancer with the static IP address and your domain name, you can send requests to the domain name, and the load balancer forwards the requests to the nodes in the cluster.

Enabling IAP

The following steps describe how to enable IAP.

  1. Check if you already have an existing brand by using the list command. You may only have one brand per project.

    gcloud alpha iap oauth-brands list
    

    The following is an example gcloud response, if the brand exists:

    name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]
    applicationTitle: [APPLICATION_TITLE]
    supportEmail: [SUPPORT_EMAIL]
    orgInternalOnly: true
    
  2. If no brand exists, use the create command:

    gcloud alpha iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL
    

    The above fields are required when calling this API:

    • supportEmail: The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.

    • applicationTitle: The application name displayed on OAuth consent screen.

    The response contains the following fields:

    name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]
    applicationTitle: [APPLICATION_TITLE]
    supportEmail: [SUPPORT_EMAIL]
    orgInternalOnly: true
    

Creating an IAP OAuth Client

  1. Use the create command to create a client. Use the brand name from previous step.

    gcloud alpha iap oauth-clients create projects/PROJECT-ID/brands/BRAND-ID --display_name=NAME
    

    The response contains the following fields:

    name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID]
    secret: [CLIENT_SECRET]
    displayName: [NAME]
    
  2. Use the client ID (CLIENT_ID in the above step) and CLIENT_SECRET to enable IAP. Create a kubernetes secret with the materials from your OAuth Client:

    kubectl create secret generic -n istio-system my-secret --from-literal=client_id=CLIENT_ID \
    --from-literal=client_secret=CLIENT_SECRET
    

Deploying the load balancer

You can use an Ingress resource to create an HTTP(S) load balancer with automatically configured SSL certificates. Google-managed SSL certificates are provisioned, renewed, and managed for your domain.

  1. Create a ManagedCertificate resource. This resource specifies the domain for the SSL certificate. The spec.domains list must contain only one domain. Wildcard domains aren't supported.

    cat <<EOF | kubectl apply -f -
    apiVersion: networking.gke.io/v1beta1
    kind: ManagedCertificate
    metadata:
      name: example-certificate
      namespace: istio-system
    spec:
      domains:
        - ${DOMAIN_NAME}
    EOF
  2. Create a BackendConfig resource. This resource instructs GCLB how to perform Health Checks on the Ingress Gateway, as well as configure Identity-Aware Proxy. First, collect a few values from the Ingress Gateway about health checks:

    • Health check ingress port: This is the health check port of istio-ingress.

      export HC_INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="status-port")].nodePort}')

    • Health check ingress path: This is the health check path of istio-ingress.

      export HC_INGRESS_PATH=$(kubectl -n istio-system get deployments istio-ingressgateway -o jsonpath='{.spec.template.spec.containers[?(@.name=="istio-proxy")].readinessProbe.httpGet.path}')

    cat <<EOF | kubectl apply -n istio-system -f -
    apiVersion: cloud.google.com/v1beta1
    kind: BackendConfig
    metadata:
      name: http-hc-config
    spec:
      healthCheck:
        checkIntervalSec: 2
        timeoutSec: 1
        healthyThreshold: 1
        unhealthyThreshold: 10
        port: ${HC_INGRESS_PORT}
        type: HTTP
        requestPath: ${HC_INGRESS_PATH}
      iap:
        enabled: true
        oauthclientCredentials:
          secretName: my-secret
    EOF
  3. Annotate the ingress service with your BackendConfig.

        kubectl annotate -n istio-system service/istio-ingressgateway --overwrite \
          cloud.google.com/backend-config='{"default": "http-hc-config"}' \
          cloud.google.com/neg='{"ingress":false}'
    
  4. Create the load balancer by defining the Ingress resource.

    • Set the networking.gke.io/managed-certificates annotation to the name of the certificate you created in the previous step, example-certificate.

    • Set the kubernetes.io/ingress.global-static-ip-name annotation to the name of the static IP address you reserved, example-static-ip.

    • Set the serviceName to istio-ingressgateway, which is used in the Gateway resource for the Bookinfo sample.

    cat <<EOF | kubectl create -f -
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: example-ingress
      namespace: istio-system
      annotations:
        kubernetes.io/ingress.global-static-ip-name: example-static-ip
        networking.gke.io/managed-certificates: example-certificate
    spec:
      backend:
        serviceName: istio-ingressgateway
        servicePort: 80
    EOF
  5. In the Cloud Console, go to the Kubernetes Engine > Services & Ingress page.

    Go to the Services & Ingress page

    You should see the "Creating ingress" message in the Status column. Wait for GKE to fully provision the Ingress before continuing. Refresh the page every few minutes to get the most up-to-date status on the Ingress. After the Ingress is provisioned, you might see the "Ok" status, or the error "All backend services are in UNHEALTHY state." One of the resources that GKE provisions is a default health check. If you see the error message, that indicates that the Ingress is provisioned and that the default health check ran. When you see either the "Ok" status or the error, continue with the next section to configure the health checks for the load balancer.

Configure the IAP access list

Add a user to the access policy for IAP:

gcloud beta iap web add-iam-policy-binding \
    --member=user:EMAIL_ADDRESS \
    --role=roles/iap.httpsResourceAccessor

where EMAIL_ADDRESS is the user's full email address such as alice@example.com.

  1. Test the load balancer. Point your browser to:

    http://YOUR_DOMAIN_NAME/productpage

    where YOUR_DOMAIN_NAME is the domain name that you configured with the external static IP address.

    You should see the Bookinfo application's productpage. If you refresh the page several times, you should see different versions of reviews, presented in a round robin style: red stars, black stars, no stars.

    You should also test https access to Bookinfo.

Enable RCToken support on the service mesh

By default, IAP generates a JSON Web Token (JWT) that is scoped to the OAuth client. For Anthos Service Mesh, you can configure IAP to generate a RequestContextToken (RCToken), which is a JWT but with a configurable audience. RCToken lets you configure the audience of the JWT to an arbitrary string, which can be used in the Anthos Service Mesh policies for fine-grained authorization.

To configure the RCToken:

  1. Create an environment variable for your project number. This is the number that was automatically generated and assigned to your project when you created it. (This isn't the same as the project ID.)

    export PROJECT_NUMBER=YOUR_PROJECT_NUMBER
  2. Create an environment variable for the RCToken audience. This can be any string that you want.

    export RCTOKEN_AUD="your-rctoken-aud"
    
  3. Fetch the existing IAP settings

    gcloud beta iap settings get --format json \
    --project=${PROJECT_NUMBER} --resource-type=compute > iapSettings.json
    
  4. Update IapSettings with the RCToken audience.

    cat iapSettings.json | jq --arg RCTOKEN_AUD_STR $RCTOKEN_AUD \
    '. + {applicationSettings: {csmSettings: {rctokenAud: $RCTOKEN_AUD_STR}}}' \
    > updatedIapSettings.json
    
    gcloud beta iap settings set updatedIapSettings.json --format json \
    --project=${PROJECT_NUMBER} --resource-type=compute
    
  5. Enable RCToken authentication on the Istio ingress gateway.

    cat <<EOF | kubectl apply -f -
    apiVersion: "security.istio.io/v1beta1"
    kind: "RequestAuthentication"
    metadata:
      name: "ingressgateway-jwt-policy"
      namespace: "istio-system"
    spec:
      selector:
        matchLabels:
          app: istio-ingressgateway
      jwtRules:
      - issuer: "https://cloud.google.com/iap"
        jwksUri: "https://www.gstatic.com/iap/verify/public_key-jwk"
        audiences:
        - $RCTOKEN_AUD
        fromHeaders:
        - name: ingress-authorization
          prefix: "Istio "
        outputPayloadToHeader: "verified-jwt"
        forwardOriginalToken: true
    EOF
    
  6. Make sure requests to the Bookinfo productpage are still successful:

    http://DOMAIN_NAME/productpage

To test the policy:

  1. Create an IapSettings request object, but set the rctokenAud to a different string:

    echo $(cat <<EOF
    {
       "name": "projects/${PROJECT_NUMBER}/iap_web/compute",
       "applicationSettings": {
         "csmSettings": {
           "rctokenAud": "some-other-arbitrary-string"
         }
       }
     }
    EOF
    ) > request.txt
  2. Call the IapSettings API to set the RCtoken audience.

    curl --request PATCH --header "Authorization: Bearer $(gcloud beta auth application-default print-access-token)" ${IAP_SETTINGS_API}
  3. Make a request to the Bookinfo productpage and it should fail:

    http://DOMAIN_NAME/productpage

Cleaning up

After completing this tutorial, remove the following resources to prevent unwanted charges incurring on your account:

  1. Delete the managed certificate:

    kubectl delete managedcertificates example-certificate
  2. Delete the Ingress, which deallocates the load balancing resources:

    kubectl -n istio-system delete ingress example-ingress

  3. Delete the static IP address:

    gcloud compute addresses delete example-static-ip --global

    If you do this, be sure to delete the IP address from your domain registrar.

  4. Delete the cluster, which deletes the resources that make up the cluster, such as the compute instances, disks and network resources:

    gcloud container clusters delete ${CLUSTER_NAME}