Securing Kubernetes using Istio and Azure AD Authentication [JWT Authentication]

Suman Sourav
3 min read · Feb 28, 2023

Introduction:

In recent years, Kubernetes has become one of the most popular platforms for deploying and managing containerized applications. However, with this rise in popularity comes an increase in security risks. In order to address these risks, many organizations are turning to Istio for service mesh management and Azure AD for identity and access management. This article will explore how Istio and Azure AD can be used to secure Kubernetes using JWT authentication.

What is Istio?

Istio is an open-source service mesh that provides a layer of abstraction between microservices and the network infrastructure. It offers a range of features, including traffic management, service discovery, and security. Istio works by injecting a sidecar proxy container into each pod that makes up the service mesh. These proxies intercept all network traffic between services, providing a centralized point of control for management and security.

What is Azure AD?

Azure Active Directory (AD) is a cloud-based identity and access management service that provides secure authentication and authorization for applications and services. It supports a range of authentication protocols, including OAuth 2.0 and OpenID Connect. Azure AD also offers a range of features, such as multi-factor authentication, conditional access, and identity protection.

Securing Kubernetes using Istio and Azure AD Authentication

To secure Kubernetes using Istio and Azure AD Authentication, we will use JWT authentication. JWT (JSON Web Token) is an open standard for securely transmitting information between parties as a JSON object. It is commonly used for authentication and authorization in web applications.

Implementation:

Here are the steps to secure Kubernetes using Istio and Azure AD Authentication:

Step 1: Create an Azure AD App Registration

The first step is to create an Azure AD app registration. This will allow Istio to authenticate requests using Azure AD.

To create an Azure AD app registration, follow these steps:

  1. Log in to the Azure portal.
  2. Click on “App registrations” in the left-hand menu.
  3. Click on “New registration”.
  4. Give the app a name and select “Web” as the application type.
  5. Add a redirect URI for your application.
  6. Click on “Register”.
  7. Take note of the “Application (client) ID” and “Directory (tenant) ID” values, as you will need these later.

Step 2: Configure Istio for JWT Authentication

The next step is to configure Istio for JWT authentication.

To configure Istio for JWT authentication, follow these steps:

  1. Install Istio on your Kubernetes cluster.
  2. Enable the Istio ingress gateway.
  3. Create a secret containing your Azure AD app registration credentials.
  4. Configure Istio to use JWT authentication by creating a RequestAuthentication and an AuthorizationPolicy.

Here is an example RequestAuthentication and AuthorizationPolicy:

  1. Create the files RequestAuthentication.yaml and AuthorizationPolicy.yaml:

RequestAuthentication.yaml:

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: jwt-azure
  namespace: istio-system
spec:
  selector:
    matchLabels:
      enablesecurity: "<namespace>" # make sure to add this label to the pods
  jwtRules:
  - issuer: "https://sts.windows.net/<tenant_id>/"
    jwksUri: "https://login.microsoftonline.com/common/discovery/keys"
    fromHeaders:
    - name: x-jwt-assertion # can be changed to whichever header you want to pass the token in
      prefix: "Bearer "

AuthorizationPolicy.yaml:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: auth-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      enablesecurity: "<namespace>" # make sure to add this label to the pods
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    - source: # optional
        notNamespaces: ["<namespace>"] # exception so that internal communication within the namespace does not have to authenticate

  2. Apply both YAML files :)

How to acquire the token from Azure AD?

I have added a Python script to acquire a valid JWT token using the client ID and client secret you created.

import requests

# <tenant_id>, <client_id> and <client_secret> are the values from the app registration above.
url = "https://login.microsoftonline.com/<tenant_id>/oauth2/token"
headers = {
    "Accept": "application/json",
    "Content-Type": "application/x-www-form-urlencoded",
}
# Client-credentials grant; passing a dict lets requests URL-encode the values for us.
data = {
    "grant_type": "client_credentials",
    "client_id": "<client_id>",
    "client_secret": "<client_secret>",
    "resource": "https://management.azure.com/",
}
resp = requests.post(url, headers=headers, data=data)
resp.raise_for_status()  # fail loudly on a wrong tenant, client ID or secret
response = resp.json()
print("Bearer", response["access_token"])
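When the gateway answers 401 with a message such as "Jwt issuer is not configured", the quickest diagnosis is to look at the token's claims locally and compare them with the jwtRules above. The following is an added helper, not part of the original article: it decodes the payload (signature verification stays Istio's job, against jwksUri), reports which claim would trip the rule, and builds the header the fromHeaders entry reads the token from. It also checks the audience, which the RequestAuthentication above does not constrain; Istio's jwtRules support an `audiences` list for that, and without it any token issued by the tenant for any resource is accepted. The issuer and header name are taken from the YAML above; the expected audience and the sample tokens are constructed for this example.

```python
import base64
import json
import time
from typing import List, Optional

# Issuer the RequestAuthentication above trusts (<tenant_id> is the article's placeholder).
EXPECTED_ISSUER = "https://sts.windows.net/<tenant_id>/"
# Constructed for this example: the resource the token script requests, i.e. the token's aud.
EXPECTED_AUDIENCE = "https://management.azure.com/"
# Header named in the fromHeaders rule above.
JWT_HEADER = "x-jwt-assertion"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here;
    Istio does that against jwksUri. This is only for reading the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token does not have three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, now: Optional[float] = None) -> List[str]:
    """Return the reasons the gateway would reject this token; empty means it should pass."""
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except (ValueError, json.JSONDecodeError) as exc:
        return [f"malformed token: {exc}"]
    problems = []
    if claims.get("iss") != EXPECTED_ISSUER:
        problems.append(f"issuer {claims.get('iss')!r} is not configured in jwtRules")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"audience {aud!r} is not the expected audience")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def build_headers(token: str) -> dict:
    """Place the token where the fromHeaders rule expects it, with the 'Bearer ' prefix."""
    return {JWT_HEADER: f"Bearer {token}"}


def make_sample_token(claims: dict) -> str:
    """Construct a sample token for local testing. The signature segment is a dummy,
    so Istio would reject it; it only exercises the claim checks above."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


if __name__ == "__main__":
    # Constructed token with the claims the rule expects.
    good = make_sample_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": 4102444800})
    print("good token problems:", check_token(good))
    print("headers to send:", build_headers(good))
    # Constructed token from the v2.0 endpoint: a different issuer string, so the rule rejects it.
    v2 = make_sample_token({"iss": "https://login.microsoftonline.com/<tenant_id>/v2.0",
                            "aud": EXPECTED_AUDIENCE, "exp": 4102444800})
    print("v2 token problems:", check_token(v2))
```

Run it against a real token by replacing the constructed one with the output of the script above; a non-empty list tells you which claim to fix (wrong issuer is the common case when the v2.0 endpoint was used instead of the v1 endpoint the YAML is written for).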

Conclusion:

Istio and Azure AD authentication together are a powerful combination that can provide robust security for your containerized applications. By using Istio to implement mutual TLS and fine-grained access control, and Azure AD to issue the JWT tokens that Istio validates, you can ensure that only authorized users and services are able to access the workloads in your Kubernetes cluster. This approach can help you to meet compliance requirements, protect your applications from attacks, and ensure the confidentiality, integrity, and availability of your data. By following the steps outlined in this article, you can implement this security solution in your own Kubernetes environment.
