Traffic Connector for Istio
This guide details the integration of Istio with the AccuKnox API Security Module.
Info
The AccuKnox API Security Module supports two integration methods with Istio:
- Istio Service Mesh: Monitors service-to-service communication within the mesh using sidecar proxies.
- Istio Gateway: Monitors ingress and egress traffic through the Istio Gateway.
Follow the steps below to set up Istio as well as a sample application. If you already have an application running, you can skip straight to Install AccuKnox API Security Module.
Install Google Microservices Demo (Optional)
This demo application is useful for generating realistic service-to-service traffic.
1. Create Namespace
kubectl create namespace microservices-demo
2. Deploy the Demo
kubectl apply -n microservices-demo \
-f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/main/release/kubernetes-manifests.yaml
3. Verify Deployment
kubectl get pods -n microservices-demo
Wait until all pods are in the Running state.
Install Istio
Istio provides sidecar injection and gateway support.
1. Download Istio
curl -L https://istio.io/downloadIstio | sh -
cd istio-*
export PATH=$PWD/bin:$PATH
2. Install Istio Control Plane
Install using the demo profile (the profile this guide uses throughout):
istioctl install --set profile=demo -y
Verify the installation:
kubectl get pods -n istio-system
3. Set up Istio Gateway (For Gateway-based Integration)
If you are using an Istio Gateway-based integration, set up the Istio Gateway and a VirtualService to route traffic.
Create Gateway configuration:
cat <<'EOF' > gateway.yaml
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: demo-gateway
  namespace: microservices-demo
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
EOF
Apply the configuration:
kubectl apply -f gateway.yaml
Create a VirtualService to route traffic:
cat <<'EOF' > virtualservice.yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: frontend
  namespace: microservices-demo
spec:
  hosts:
  - "*"
  gateways:
  - demo-gateway
  http:
  - route:
    - destination:
        host: frontend
        port:
          number: 80
EOF
Apply the configuration:
kubectl apply -f virtualservice.yaml
4. Integrate using Istio Service Mesh
For a service mesh-based integration, execute the following steps.
1. Enable Istio Sidecar Injection
Enable automatic sidecar injection for workloads.
kubectl label namespace microservices-demo istio-injection=enabled
Note
Replace microservices-demo with the namespace that you wish to monitor.
2. Restart Pods
kubectl rollout restart deployment -n microservices-demo
Verify sidecars:
kubectl get pods -n microservices-demo
Each pod should now show 2/2 in the READY column: the application container plus the injected istio-proxy sidecar.
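As an added check (example code, not from the AccuKnox or Istio documentation), the following POSIX shell snippet audits the READY column of kubectl get pods so that workloads that were never restarted after labelling the namespace, or whose sidecar is not yet ready, stand out instead of being missed in a long listing. The pod listing is a constructed sample; the function names sidecar_audit and sidecar_ok are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AccuKnox or Istio docs: audit the READY column
# of `kubectl get pods` to find workloads without a (ready) Envoy sidecar.
# In an injected namespace every pod should report N/N with N >= 2.

# Constructed sample output of:
#   kubectl get pods -n microservices-demo --no-headers
SAMPLE_PODS='adservice-5d7b8c6d7f-abcde      2/2   Running   0   2m
cartservice-7c9f8d6b5-fghij     1/1   Running   0   10m
checkoutservice-6b8d9f7c5-klmno 1/2   Running   0   30s
frontend-5f6d7c8b9-pqrst        2/2   Running   0   2m'

# Print "<pod> no-sidecar" for pods with fewer than 2 containers (not restarted
# since injection was enabled) and "<pod> not-ready" for pods whose sidecar
# exists but has not become ready yet. Prints nothing when all is well.
sidecar_audit() {
    printf '%s\n' "$1" | awk '{
        split($2, c, "/")
        if (c[2] < 2)          print $1 " no-sidecar"
        else if (c[1] != c[2]) print $1 " not-ready"
    }'
}

# Return 0 only when every pod in the listing carries a ready sidecar.
sidecar_ok() {
    [ -z "$(sidecar_audit "$1")" ]
}

# Live usage (requires cluster access):
#   sidecar_audit "$(kubectl get pods -n microservices-demo --no-headers)"
```

Run against the sample, sidecar_audit reports cartservice as no-sidecar (it still runs a single container) and checkoutservice as not-ready; sidecar_ok returns non-zero until both are fixed, which makes it usable as a gate in a rollout script.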
Install AccuKnox API Security Module
helm upgrade --install sentryflow \
oci://public.ecr.aws/k9v9d5v2/sentryflow-helm-charts \
--version v0.1.6 \
--namespace sentryflow \
--create-namespace \
--set config.receivers.istio.enabled=true \
--set config.receivers.namespace=istio-system
Verify successful installation
- Check WasmPlugins. Ensure http-filter-gateway and http-filter-sidecar are present:
kubectl get wasmplugins.extensions.istio.io -n istio-system
- Check EnvoyFilter:
kubectl get envoyfilters.networking.istio.io -n istio-system
- Check that the plugins are pulled in istio-ingressgateway:
kubectl -n istio-system logs deploy/istio-ingressgateway -c istio-proxy | \
  grep -i -E "wasm|oci|pull|download|http-filter-gateway|http-filter-sidecar"
You should see logs indicating the image fetch:
info wasm fetching image k9v9d5v2/sentryflow-httpfilter from registry public.ecr.aws with tag latest-sidecar
info wasm fetching image k9v9d5v2/sentryflow-httpfilter from registry public.ecr.aws with tag latest-gateway
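The three checks above can be scripted so that a missing WasmPlugin or a filter image that was never fetched fails loudly. The POSIX shell snippet below is an added example, not AccuKnox's or Istio's own tooling; it runs here against constructed sample output (a WasmPlugin listing and proxy log lines modelled on the fetch messages quoted above), and the function names wasmplugins_present, fetched_tags and wasm_images_fetched are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AccuKnox or Istio documentation: scripted
# version of the post-install checks, run offline against constructed samples.
# Swap the samples for live kubectl output to use it against a cluster.

# Constructed sample of:
#   kubectl get wasmplugins.extensions.istio.io -n istio-system --no-headers
SAMPLE_WASMPLUGINS='http-filter-gateway   5m
http-filter-sidecar   5m'

# Constructed sample istio-proxy log lines (one unrelated line included).
SAMPLE_PROXY_LOG='2024-01-01T00:00:00.000000Z info wasm fetching image k9v9d5v2/sentryflow-httpfilter from registry public.ecr.aws with tag latest-sidecar
2024-01-01T00:00:01.000000Z info wasm fetching image k9v9d5v2/sentryflow-httpfilter from registry public.ecr.aws with tag latest-gateway
2024-01-01T00:00:02.000000Z info xdsproxy connected to upstream XDS server'

# Return 0 only when both expected WasmPlugin objects appear in the listing.
wasmplugins_present() {
    for name in http-filter-gateway http-filter-sidecar; do
        printf '%s\n' "$1" | awk '{print $1}' | grep -qx "$name" || return 1
    done
}

# Print the tag of every sentryflow-httpfilter image the proxy reported fetching.
fetched_tags() {
    printf '%s\n' "$1" | sed -n \
        's/.*fetching image k9v9d5v2\/sentryflow-httpfilter from registry public\.ecr\.aws with tag \([^ ]*\).*/\1/p'
}

# Return 0 only when both the gateway and the sidecar filter image were fetched.
wasm_images_fetched() {
    tags=$(fetched_tags "$1")
    for tag in latest-gateway latest-sidecar; do
        printf '%s\n' "$tags" | grep -qx "$tag" || return 1
    done
}

# Live usage (needs cluster access):
#   wasmplugins_present "$(kubectl get wasmplugins.extensions.istio.io -n istio-system --no-headers)"
#   wasm_images_fetched "$(kubectl -n istio-system logs deploy/istio-ingressgateway -c istio-proxy)"
```

Checking for both tags rather than any wasm fetch line matters: a proxy that pulled only latest-sidecar would still print a plausible-looking fetch message while gateway traffic goes unmonitored.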
Patch Summary Engine
Important
Before this step, you must onboard the cluster on SaaS if you haven't already.
Configure Discovery Engine
Edit the ConfigMap:
kubectl edit cm -n agents discovery-engine-sumengine
Update the configuration to enable SentryFlow:
data:
  app.yaml: |
    ...
    summary-engine:
      sentryflow:
        enabled: true
        cron-interval: 0h0m30s
        decode-jwt: true
        include-bodies: true
        redact-sensitive-data: false
        threshold: 10000
        sensitive-rules-files-path:
          - /var/lib/sumengine/sensitive-data-rules.yaml
    watcher:
      ...
      sentryflow:
        enabled: true
        event-type:
          access-log: true
          metric: false
        service:
          enabled: true
          name: sentryflow
          port: "8080"
          url: "sentryflow.sentryflow"
Restart Discovery Engine:
kubectl rollout restart deployment -n agents discovery-engine
Check AccuKnox API Security Module logs:
Look for exporter added in the logs.
kubectl logs -n sentryflow -l app=sentryflow -f
Info
This can take a little time as the discovery engine starts and terminates a couple of times. The logs should eventually show up in SaaS.
Test Ingress Gateway with Microservice Demo (Optional)
| Step | Action | Command |
|---|---|---|
| 1 | Port forward gateway | kubectl port-forward -n istio-system svc/istio-ingressgateway 8080:80 |
| 2 | Open in browser | http://localhost:8080 |
| 3 | Make requests (CLI) | curl http://localhost:8080/test; curl http://localhost:8080/sentryflow; curl http://localhost:8080/echo |
| 4 | Verify logs | kubectl logs -n agents discovery-engine-<your pod> -f (look for: sent N events) |
Check the API Inventory Page
Check AccuKnox's API inventory by setting the time filter to 1hr or 15 minutes. It can take from 30s to 1 min to get logs in SaaS. Check the metadata in the API for Gateway and Sidecar source.

Next Steps
Proceed to the API Security Use Case to learn how to view your API inventory, create collections, upload OpenAPI specifications, and scan for security findings.