Trust Domain Migration
In Istio 1.4, we introduce an alpha feature to support trust domain migration for authorization policy. This means that if an Istio mesh needs to change its trust domain, the authorization policy does not need to be changed manually. In Istio, if a workload is running in namespace `foo` with the service account `bar`, and the trust domain of the system is `my-td`, the identity of that workload is `spiffe://my-td/ns/foo/sa/bar`. By default, the Istio mesh trust domain is `cluster.local`, unless you specify a different one during installation.
Before you begin this task, do the following:

1. Read the .
2. Install Istio with a custom trust domain and mutual TLS enabled.
3. Deploy the `httpbin` sample in the `default` namespace and the `sleep` sample in the `default` and `sleep-allow` namespaces:

```bash
$ kubectl label namespace default istio-injection=enabled
$ kubectl apply -f samples/httpbin/httpbin.yaml
$ kubectl apply -f samples/sleep/sleep.yaml
$ kubectl create namespace sleep-allow
$ kubectl label namespace sleep-allow istio-injection=enabled
$ kubectl apply -f samples/sleep/sleep.yaml -n sleep-allow
```
4. Apply the authorization policy below to deny all requests to `httpbin` except those from `sleep` in the `sleep-allow` namespace:

```bash
$ kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service-httpbin.default.svc.cluster.local
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - old-td/ns/sleep-allow/sa/sleep
    to:
    - operation:
        methods:
        - GET
  selector:
    matchLabels:
      app: httpbin
---
EOF
```
Notice that it may take tens of seconds for the authorization policy to be propagated to the sidecars.
5. Verify that requests to `httpbin` from `sleep` in the `default` namespace are denied:

```bash
$ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl http://httpbin.default:8000/ip -sS -o /dev/null -w "%{http_code}\n"
403
```

   and that requests from `sleep` in the `sleep-allow` namespace are allowed:

```bash
$ kubectl exec "$(kubectl -n sleep-allow get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -n sleep-allow -- curl http://httpbin.default:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200
```
1. Install Istio with a new trust domain.
2. Redeploy istiod to pick up the trust domain changes:

```bash
$ kubectl rollout restart deployment -n istio-system istiod
```

3. Redeploy the `httpbin` and `sleep` applications to pick up changes from the new Istio control plane:

```bash
$ kubectl delete pod --all
$ kubectl delete pod --all -n sleep-allow
```
1. Install Istio with a new trust domain and trust domain aliases:

```bash
$ cat <<EOF > ./td-installation.yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    trustDomain: new-td
    trustDomainAliases:
      - old-td
EOF
$ istioctl install --set profile=demo -f td-installation.yaml -y
```
2. Without changing the authorization policy, verify that requests to `httpbin` from `sleep` in the `default` namespace are still denied:

```bash
$ kubectl exec "$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -- curl http://httpbin.default:8000/ip -sS -o /dev/null -w "%{http_code}\n"
403
```

   and that requests from `sleep` in the `sleep-allow` namespace are still allowed:

```bash
$ kubectl exec "$(kubectl -n sleep-allow get pod -l app=sleep -o jsonpath={.items..metadata.name})" -c sleep -n sleep-allow -- curl http://httpbin.default:8000/ip -sS -o /dev/null -w "%{http_code}\n"
200
```
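To make the alias behaviour concrete, here is an added example, written for this page and not Istio's own code, that models how the control plane treats the `principals` of the policy applied earlier against the identities the workloads present at each stage of this task: before the migration, after moving to `new-td` with no alias, and after moving to `new-td` with `trustDomainAliases: [old-td]`. It assumes the rule that a policy principal is expanded to the mesh's current trust domain plus every alias only when the trust domain written in the policy is itself the current domain or one of the aliases; any other principal is left as written. The trust domains, namespaces and service accounts are the sample values from this task, and the `MeshConfig`, `expand_principal` and `is_allowed` names are this example's own.

```python
"""Model of alias-aware principal matching for an Istio AuthorizationPolicy.

Added example for this page, not Istio code. The expansion rule and the ALLOW
semantics are a simplified model of the behaviour the task demonstrates."""
from __future__ import annotations

from dataclasses import dataclass, field


def spiffe_id(trust_domain: str, namespace: str, service_account: str) -> str:
    """Identity Istio issues to a workload: spiffe://<td>/ns/<namespace>/sa/<sa>."""
    return f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"


@dataclass
class MeshConfig:
    """The two meshConfig fields this task changes (hypothetical container type)."""
    trust_domain: str
    trust_domain_aliases: list[str] = field(default_factory=list)


def expand_principal(principal: str, mesh: MeshConfig) -> set[str]:
    """Return every identity a policy principal should match under `mesh`.

    A principal written as '<td>/ns/<ns>/sa/<sa>' (with or without 'spiffe://')
    is expanded to one identity per trust domain in {current} + aliases, but only
    if the trust domain in the policy is one of those; otherwise it is kept as-is.
    """
    bare = principal.removeprefix("spiffe://")
    policy_td, _, rest = bare.partition("/")
    known_domains = [mesh.trust_domain, *mesh.trust_domain_aliases]
    if policy_td not in known_domains:
        # Unknown trust domain: no expansion, so only an exact match can satisfy it.
        return {f"spiffe://{bare}"}
    return {f"spiffe://{td}/{rest}" for td in known_domains}


def is_allowed(source_identity: str, policy_principals: list[str], mesh: MeshConfig) -> bool:
    """ALLOW semantics of the task's policy: the caller must match at least one
    expanded principal; any other caller is rejected (the 403 seen above)."""
    return any(source_identity in expand_principal(p, mesh) for p in policy_principals)


def demo() -> dict[str, bool]:
    """Walk the policy through the three mesh states this task passes through."""
    policy_principals = ["old-td/ns/sleep-allow/sa/sleep"]  # unchanged throughout
    results: dict[str, bool] = {}

    # Stage 1: mesh trust domain is old-td, no aliases; workloads hold old-td identities.
    before = MeshConfig("old-td")
    results["before/default"] = is_allowed(
        spiffe_id("old-td", "default", "sleep"), policy_principals, before)
    results["before/sleep-allow"] = is_allowed(
        spiffe_id("old-td", "sleep-allow", "sleep"), policy_principals, before)

    # Stage 2: mesh moved to new-td with no alias; redeployed pods now carry new-td
    # identities, so the old-td principal in the policy no longer matches anything.
    no_alias = MeshConfig("new-td")
    results["no-alias/sleep-allow"] = is_allowed(
        spiffe_id("new-td", "sleep-allow", "sleep"), policy_principals, no_alias)

    # Stage 3: new-td with trustDomainAliases: [old-td]; the old-td principal is
    # expanded to cover new-td too, so the policy keeps working unmodified.
    with_alias = MeshConfig("new-td", ["old-td"])
    results["alias/default"] = is_allowed(
        spiffe_id("new-td", "default", "sleep"), policy_principals, with_alias)
    results["alias/sleep-allow"] = is_allowed(
        spiffe_id("new-td", "sleep-allow", "sleep"), policy_principals, with_alias)
    return results


if __name__ == "__main__":
    for stage, allowed in demo().items():
        print(f"{stage:22} -> {'200 allowed' if allowed else '403 denied'}")
```

The intermediate `no-alias` stage is why the task restarts istiod and the workload pods before installing the aliases: once the pods hold `new-td` identities, only an alias entry for `old-td` lets the unchanged policy keep matching the `sleep-allow` caller, while the `default` caller stays denied in every stage.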
To clean up, remove the authorization policy, the sample applications and the Istio installation:

```bash
$ kubectl delete authorizationpolicy service-httpbin.default.svc.cluster.local
$ kubectl delete deploy httpbin; kubectl delete service httpbin; kubectl delete serviceaccount httpbin
$ kubectl delete deploy sleep; kubectl delete service sleep; kubectl delete serviceaccount sleep
$ istioctl uninstall --purge -y
$ rm ./td-installation.yaml
```