No meu SERVICE ninguém MESH

Claudio Eduardo de Oliveira

September 28, 2020

Transcript

  1. Cláudio de Oliveira: Sr. Software Engineer @ zup innovation • K8s, Service Mesh and Golang enthusiast • lead organizer CNCF Campinas • community.cncf.io/campinas • Golang Campinas & Soujava • @claudioed on Twitter • /claudioed on GitHub
  2. Tiago Angelo: Sr. Software Engineer @ zup innovation • microservices and service mesh enthusiast • organizer of community.cncf.io/campinas and meetup.com/Golang-Campinas • @kurtisangelo on Twitter • /angelokurtis on GitHub
  3. Agenda: 1 - Few words about microservices; 2 - Security challenges; 3 - Service Mesh; 4 - AuthN & AuthZ; 5 - Mutual TLS
  4. Few words about microservices: language heterogeneity; reduced time to market compared with legacy systems; helps on the path to digital transformation; helps large companies deliver software with confidence.
  5. Microservices let different services be written in different languages; this is generally recommended and is called technology heterogeneity. Problem: frameworks have different concerns about security.
  6. Teams have different worries about security: some teams have strong expertise on this topic and others do not; sometimes we've got different security levels in our MSA. Problem: team expertise.
  7. There are two things when we think about security: authentication and authorization. Problem: teams have no idea about the difference between these topics.
  8. Definition: “A service mesh is a configurable, low‑latency infrastructure layer designed to handle a high volume of network‑based interprocess communication among application infrastructure services using application programming interfaces (APIs).”
  9. We already give the platform a chance to handle our deployments; let's give a platform the chance to handle the network for us, a.k.a. security concerns.
  10. Kubernetes is a very successful platform that helps developers deploy their containers and manage their workloads. The important part here: Kubernetes implements a set of patterns to achieve it.
  11. All the deployment decisions are made on the platform, Kubernetes. Our applications don't care about the cluster workload; Kubernetes does it for us.
  12. Security by default: no changes needed for application code and infrastructure. Defense in depth: integrate with existing security systems to provide multiple layers of defense. Zero-trust network: build security solutions on untrusted networks.
  13. It verifies the original client making the request as an end-user or device. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience for open source OpenID Connect providers.
  14. Each Envoy proxy runs an authorization engine that authorizes requests at runtime. When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either ALLOW or DENY.
  15. Transport authentication, also known as service-to-service authentication: verifies the direct client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication.
  16. THANKS! Any questions? You can find us at: linkedin.com/in/claudioed • twitter.com/claudioed • linkedin.com/in/tiagoangelo • twitter.com/kurtisangelo. Join us: community.cncf.io/campinas
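
The three Istio mechanisms on slides 13 to 15 (JWT request authentication, the per-proxy authorization engine, mutual TLS), expressed as policy resources. This is an added example, not part of the original deck; the namespace `shop`, the `orders` workload, the `checkout` service account and the `idp.example.com` issuer are hypothetical.

```yaml
# Added example: every name below (namespace "shop", app "orders",
# service account "checkout", issuer idp.example.com) is hypothetical.

# Slide 15, transport authentication: sidecars in the namespace accept
# only mutual TLS connections.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT        # PERMISSIVE would still accept plaintext traffic
---
# Slide 13, request-level authentication: the proxy validates the
# end-user JWT against the issuer's published keys.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: orders-jwt
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
---
# Slide 14, authorization: ALLOW only when the calling workload (mTLS
# identity) and the end user (JWT identity) both match; any other
# request to this workload is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]   # service identity from the peer certificate
        requestPrincipals: ["https://idp.example.com/*"]    # <issuer>/<subject> from the validated JWT
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders*"]
```

A RequestAuthentication on its own rejects requests carrying an invalid JWT but still passes requests that carry none; it is the `requestPrincipals` condition in the AuthorizationPolicy that makes a valid token mandatory.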