No meu SERVICE ninguém MESH: uma visão descomplicada sobre segurança com Istio.

Transcript

1. No meu SERVICE ninguém MESH No meu SERVICE ninguém MESH

2. 2 Cláudio de Oliveira Tech Lead APIs @luizalabs Java &

   Golang K8s, Docker & Mesh

3. Tiago Angelo Sr. Software Engineer @ zup innovation • microservices

   and service mesh enthusiast • organizer of community.cncf.io/campinas and meetup.com/Golang-Campinas @kurtisangelo on Twitter /angelokurtis on GitHub

4. Agenda 1 - Few words about microservice 4 - AuthN

   & AuthZ 3 -Service Mesh 2 - Security challenges 5 - Mutual TLS

5. Microservices key points Few words about microservices…. language heterogeneity reduce

   time to market, if you compare with legacy system helps in path to digital transformation helps large companies to delivery software with confidence

6. NETWORK github.com/angelokurtis/football-bets

7. Security Challenges Common securities challenges for microservices

8. Challenge language heterogeneity Microservices enable different services with different languages,

   in general, it is recommended, it is called technology heterogeneity. Problem Frameworks have different concerns about security

9. Challenge Team expertise Teams have different worries about security, some

   teams have strong expertise on this topic and others not, sometimes we’ ve got different security levels in our MSA Problem Team expertise

10. Challenge Three Authentication vs Authorization There are two things when

    we think about security Authentication and Authorization Problem teams have no idea about the difference between these topics

11. Service Mesh Service Mesh

12. Definition “A service mesh is a configurable, low‑latency infrastructure layer

    designed to handle a high volume of network‑based interprocess communication among application infrastructure services using application programming interfaces (APIs).”
13. None

14. let’s zoom in a little bit…...

15. None

16. ALLLLLL services interactions happen over to sidecar a.k.a envoy proxy

17. None

18. The Sidecar as Policy Enforcement Points (PEPs)

19. we already give the platform a chance to handle our

    deployments let's give a chance to a platform to handle network for us, a.k.a security concerns

20. Step Back Step Back

21. Kubernetes is a very successful platform to help developers to

    deploy their containers and manage their workloads. The important part here: the kubernetes implements a sort of patterns to achieve it

22. All the deployment decisions are made on the platform Kubernetes

    Our applications don’t care about the cluster workload, kubernetes does it for us
23. None
24. None

25. Istio & Security Istio & Security

26. Security by default: no changes needed for application code and

    infrastructure Defense in depth: integrate with existing security systems to provide multiple layers of defense Zero-trust network: build security solutions on untrusted networks
27. None

28. End-User Authn & AuthZ End-User Authn & Authz

29. It verifies the original client making the request as an

    end-user or device. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience for open source OpenID Connect provider

30. it integrates with OpenID Connect provider

31. None
32. None

33. End-User Authz End-User Authz

34. Each Envoy proxy runs an authorization engine that authorizes requests

    at runtime. When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either ALLOW or DENY.
35. None
36. None

37. NETWORK github.com/angelokurtis/football-bets

38. let’s recap the Istio Request Flow

39. Istio Request Flow Istio Request Flow

40. None

41. Service-to-Service Authn Service-to-Service Authn

42. Transport authentication, also known as service-to-service authentication: verifies the direct

    client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication

43. Provides a key management system to automate key and certificate

    generation, distribution, and rotation
44. None
45. None
46. None

47. Choose your mTLS flavor!!! Strict - Hard Permissive - Soft

    Disabled - Very Soft

48. Fine grained control policies Mesh-wide policy Namespace-wide policy Workload policy

49. None

50. Final Words about Service Mesh Final words about Service Mesh

51. Zero code changes is not a 100% true Are headers

    propagated???

52. Can your service run with a sidecar???

53. Readiness and Liveness Probes???

54. THANKS! Any questions? You can find us at: linkedin.com/in/claudioed twitter.com/claudioed

    linkedin.com/in/tiagoangelo twitter.com/kurtisangelo Join us: community.cncf.io/campinas