Traffic Connector for Istio
API Traffic Connectors enable monitoring of API traffic for observability and security insights.
This guide provides a step-by-step process to integrate SentryFlow with Istio, aimed at enhancing API observability. It includes detailed commands for each step along with their explanations.
SentryFlow makes use of the following to provide visibility into API calls:
Prerequisites
- Deploy the Istio service mesh. Follow this to deploy it if you haven't already.
- Enable Envoy proxy injection by labeling the namespace in which you'll deploy your workloads:
kubectl label ns <namespace_name> istio-injection=enabled
How To
To observe API calls of your workloads running on top of the Istio service mesh in a Kubernetes environment, follow the steps below:
- Download SentryFlow manifest file
curl -sO https://raw.githubusercontent.com/5GSEC/SentryFlow/refs/heads/main/deployments/sentryflow.yaml
- Update the `.receivers` configuration in the `sentryflow` configmap as follows:
filters:
  server:
    port: 8081
  # Envoy filter is required for `istio-sidecar` service-mesh receiver.
  # Leave it as it is unless you want to use your filter.
  envoy:
    uri: 5gsec/sentryflow-httpfilter:v0.1
receivers:
  serviceMeshes:
    - name: istio-sidecar # SentryFlow makes use of `name` to configure receivers. DON'T CHANGE IT.
      namespace: istio-system # Kubernetes namespace in which you've deployed Istio.
...
- Apply the updated manifest file:
kubectl apply -f sentryflow.yaml
- Trigger API calls to generate traffic.
- Use SentryFlow log client to see the API Events.
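A check to run before the apply step above, as an added example that is not part of the SentryFlow documentation or code base: it lints the edited file for the three settings the receiver depends on (the fixed `istio-sidecar` name, its namespace, and the Envoy filter URI). The function name `check_sentryflow_receiver` is hypothetical, the parsing assumes the key layout shown on this page, and the sample input is constructed.

```shell
# Added example: lint the SentryFlow receiver settings before `kubectl apply`.
# usage: check_sentryflow_receiver <file> [istio-namespace]   (hypothetical helper)
check_sentryflow_receiver() {
  file=$1
  istio_ns=${2:-istio-system}   # assumption: Istio runs in istio-system, as in the sample
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
  awk -v want_ns="$istio_ns" '
    # Scalar after "key:", minus any trailing comment and whitespace.
    function val(s) {
      sub(/[ \t]+#.*$/, "", s); sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s)
      return s
    }
    /^[ \t]*(#|$)/ { next }                      # skip comment-only and blank lines
    { ind = match($0, /[^ ]/) - 1 }              # indentation of this line
    # Leave a block once indentation returns to the level of the key that opened it.
    in_mesh  && ind <= mesh_ind && $1 != "-" { in_mesh = 0 }
    in_envoy && ind <= envoy_ind             { in_envoy = 0 }
    $1 == "serviceMeshes:" { in_mesh = 1;  mesh_ind = ind;  next }
    $1 == "envoy:"         { in_envoy = 1; envoy_ind = ind; next }
    in_envoy && $1 == "uri:"              { uri = val($0) }
    in_mesh && $1 == "-" && $2 == "name:" { cur = val($0); seen[cur] = 1 }
    in_mesh && $1 == "namespace:" && cur == "istio-sidecar" { ns = val($0) }
    END {
      if (!("istio-sidecar" in seen)) {
        print "FAIL: no istio-sidecar entry under receivers.serviceMeshes"; bad = 1
      } else if (ns != want_ns) {
        print "FAIL: istio-sidecar namespace is [" ns "], expected [" want_ns "]"; bad = 1
      }
      if (uri == "") { print "FAIL: filters.envoy.uri is not set"; bad = 1 }
      if (!bad) print "OK: istio-sidecar receiver in " ns ", Envoy filter " uri
      exit bad + 0
    }' "$file"
}

# Constructed sample mirroring the configuration above, not a full manifest.
sample=$(mktemp)
cat > "$sample" <<'EOF'
filters:
  server:
    port: 8081
  envoy:
    uri: 5gsec/sentryflow-httpfilter:v0.1
receivers:
  serviceMeshes:
    - name: istio-sidecar   # must stay as is
      namespace: istio-system
EOF
check_sentryflow_receiver "$sample"
rm -f "$sample"
```

Pass the namespace where Istio is actually deployed as the second argument if it is not `istio-system`; a non-zero exit status means the file should not be applied yet.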