1

I have a setup using Kubernetes and Istio where we run a set of services. Each of our services has an Istio sidecar and a REST API. What we would like is that whenever a service within our setup calls another, the called service knows which service is the caller (preferably through a header).

Looking at the example image from bookinfo: bookinfo-image (Link due to <10 reputation). This would mean that in the source code for the ratings service I would like to be able to, for example, read a header telling me the request came from e.g. Reviews-v2.

My intuition tells me that I should be able to handle this in the istio sidecars, but I fail to realise exactly how.

Until now I have looked at especially envoy filters in the hope that they could help me. I see that for the envoy filters I would be able to set a header, but what I don't see is how I would get the information about what service made the call in order to set it in the header.

Dan Kohn

2 Answers

4

Envoy automatically sets the X-Forwarded-Client-Cert header, which contains the SPIFFE ID of the caller. SPIFFE ID in Istio is a URI in the form spiffe://cluster.local/ns/<namespace>/sa/<service account>. Practically, it designates the Kubernetes Service Account of the caller. You may want to test it by using the Istio httpbin sample and sending a request to httpbin:8000/headers

Vadim Eisenberg
  • I checked for this header both using the httpbin:8000/headers endpoint, and also dumping all available headers in my application, and I seem to not get this header from istio/envoy. Maybe it gets filtered off somewhere. – user1168407 Sep 25 '19 at 14:10
  • You should set Istio mutual TLS authentication https://istio.io/docs/tasks/security/authn-policy/ – Vadim Eisenberg Sep 25 '19 at 14:53
  • Ah, that could be why it was missing, but we found another way to do it for now, that I will describe in an answer. – user1168407 Sep 25 '19 at 15:50
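
Added example, not part of the answer or comments above and not Istio's own code: a Python parser the called service could use to read the caller's SPIFFE identity from X-Forwarded-Client-Cert. It assumes mutual TLS is enabled so the sidecar sets the header, and that the last comma-separated element is the one appended by the nearest proxy; `Caller`, `caller_from_xfcc` and the sample header are hypothetical names and constructed values.

```python
import re
from typing import NamedTuple, Optional

class Caller(NamedTuple):
    trust_domain: str
    namespace: str
    service_account: str

# SPIFFE ID layout from the answer: spiffe://<trust domain>/ns/<namespace>/sa/<service account>
_SPIFFE_RE = re.compile(r"^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$")

def _split_unquoted(text: str, sep: str) -> list:
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\" and quoted:
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def caller_from_xfcc(header: Optional[str]) -> Optional[Caller]:
    """Return the identity in the last XFCC element, or None if absent or malformed."""
    if not header:
        return None                      # no mTLS, or header stripped on the way
    last = _split_unquoted(header, ",")[-1]   # assumption: nearest proxy appends last
    for pair in _split_unquoted(last, ";"):
        key, _, value = pair.strip().partition("=")
        if key.lower() == "uri":
            match = _SPIFFE_RE.match(value.strip('"'))
            return Caller(*match.groups()) if match else None
    return None

# Constructed sample header (not captured from a real mesh); the quoted Subject
# deliberately contains ',' and ';' to exercise the quote handling.
SAMPLE = ('By=spiffe://cluster.local/ns/default/sa/bookinfo-ratings;Hash=0a1b2c;'
          'Subject="O=example,CN=x;y";'
          'URI=spiffe://cluster.local/ns/default/sa/bookinfo-reviews')
```

The result identifies the caller's service account, so workloads that share a service account (for example several versions of one service) are indistinguishable here.
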
2

I ended up finding another solution by using a "rule". If we made sure that policy enforcing is enabled and then added the rule:

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: header-rule
  namespace: istio-system
spec:
  actions: []
  requestHeaderOperations:
    - name: serviceid
      values:
      - source.labels["app"]
      operation: REPLACE

We achieved what we were attempting to do.