How to confirm pod port secured by ztunnel? #52014

kminder · 2024-07-11T22:56:17Z

kminder
Jul 11, 2024

Prior to Ambient, we used nmap to ensure ports secured by Istio.
This is an example of probing a pod port protected by proxyv2 with nmap.

$ kubectl exec -it -n ossp-debug ossp-debug-0 -- nmap -Pn --script ssl-enum-ciphers ${POD_IP} -p 8080
Starting Nmap 7.92 ( https://nmap.org ) at 2024-07-11 22:35 UTC
Nmap scan report for 10-244-1-22.hellospectra.hellospectra.svc.cluster.local (10.244.1.22)
Host is up (0.00042s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

With Ambient ztunnel the same query gives no indication that the port is protected.

$ kubectl exec -it -n ossp-debug ossp-debug-0 -- nmap -Pn --script ssl-enum-ciphers ${POD_IP} -p 8080
Starting Nmap 7.92 ( https://nmap.org ) at 2024-07-11 22:34 UTC
Nmap scan report for 10-244-1-21.hellospectra.hellospectra.svc.cluster.local (10.244.1.21)
Host is up (0.00036s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I know that the pod is protected because I can't access it from a pod outside the mesh.

$ kubectl exec -it -n ossp-debug ossp-debug-0 -- curl http://hellospectra.hellospectra.svc:8080/hello-spectra
curl: (56) Recv failure: Connection reset by peer
command terminated with exit code 56

But can from a pod inside the mesh.

$ kubectl exec -it -n hellospectra hellospectra -- curl http://hellospectra.hellospectra.svc:8080/hello-spectra
{"message":"Hello from Spectra!"}

Is there a better way/tool to confirm this?

Answered by howardjohn

Jul 11, 2024

There are a few ways:

the TLS is on port 15008. Presence of TLS port does not prove non-mtls is denied though
Runtime inspection of actual traffic: access logs indicate if mtls was used. Tcpdump could as well, though less ergonomic
Attempt to access outside the mesh like you did
Policy inspection to show the config state: istioctl zc

View full answer

howardjohn · 2024-07-11T22:59:44Z

howardjohn
Jul 11, 2024
Maintainer

There are a few ways:

the TLS is on port 15008. Presence of TLS port does not prove non-mtls is denied though
Runtime inspection of actual traffic: access logs indicate if mtls was used. Tcpdump could as well, though less ergonomic
Attempt to access outside the mesh like you did
Policy inspection to show the config state: istioctl zc

3 replies

kminder Jul 11, 2024
Author

Seems like checking for HBONE is as close as we are going to get unless someone else has a better suggestion. Thanks.

$ istioctl experimental ztunnel-config workloads | grep ${POD_IP} | cut -w -f 6
HBONE

howardjohn Jul 12, 2024
Maintainer

Just to clarify, that just means the pod will accept hbone. Which is true for any pod in the mesh. It doesn't imply the pod will reject plaintext (driven by authorization policy or Peer authentication)

kminder Jul 12, 2024
Author

Understood. For future readers, I also have this in my cluster and no other authorization policies or peer authentications exist.

kubectl apply -n istio-system -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: "default"
  namespace: "istio-system"
spec:
  mtls:
    mode: STRICT
EOF

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to confirm pod port secured by ztunnel? #52014

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

How to confirm pod port secured by ztunnel? #52014

kminder Jul 11, 2024

Replies: 1 comment · 3 replies

howardjohn Jul 11, 2024 Maintainer

kminder Jul 11, 2024 Author

howardjohn Jul 12, 2024 Maintainer

kminder Jul 12, 2024 Author

kminder
Jul 11, 2024

Replies: 1 comment 3 replies

howardjohn
Jul 11, 2024
Maintainer

kminder Jul 11, 2024
Author

howardjohn Jul 12, 2024
Maintainer

kminder Jul 12, 2024
Author