Skip to content

Record DNS lookups and convert them into service registry entries

License

Notifications You must be signed in to change notification settings

istio-ecosystem/dns-discovery

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

dns-discovery

CircleCI

In a Nutshell

dns-discovery automatically detects egress traffic in a Kubernetes cluster and creates a matching Service Entry object for each host. This improves visibility to the cluster traffic and allows cluster operators to enforce a tight network security policy.

The Problem

When deploying Istio onto a Kubernetes cluster, the user needs to explicitly define each external end-point that the application relies on – this process, which usually involves trial and error, makes it harder to deploy Istio.

For example, if the application relies on storage.googleapis.com, the user must instruct Istio to allow access to this end-point by adding a Service Entry definition.

In Istio 1.0 and earlier versions, the default behavior was to block access to external end-points - this created a connectivity issue and applications were breaking until the operator could discover all the end-points and configure them manually.

Istio 1.1 changed the default to allow access to all external end-points - this resolved the connectivity problem but created a security problem instead; now any traffic can leave the cluster – including malicious traffic.

The Solution

dns-discovery is a container that is deployed into the Kubernetes cluster as a proxy in front of the Kubernetes DNS service.

The proxy sees all attempts to connect to external end-points by monitoring DNS lookups and automatically configures Istio to allow them by adding an Istio Service Entry for each hostname.

The proxy can be easily configured to learn the egress communication patterns automatically. When the learning phase is done, the service entries can be deployed into a production environment to enforce a tight security policy.

Installation

Mac

$ make install

Linux

$ ./deploy.sh

Building

$ make build && make docker

Kubernetes Network Policies

If you are restricting access to your DNS service with a Kubernetes network policy, please note that this will change the DNS pod to listen on UDP port 54 instead of the standard port 53 and you should update the policy. The DNS service continues to listen on the standard port UDP 53.

Changing Istio's Default Behavior for External End-Points

https://istio.io/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services

About

Record DNS lookups and convert them into service registry entries

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •