Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No meu SERVICE ninguém MESH

No meu SERVICE ninguém MESH


Claudio Eduardo de Oliveira

September 28, 2020


  1. No meu SERVICE ninguém MESH

  2. Cláudio de Oliveira Sr. Software Engineer @ zup innovation K8s,

    Service Mesh and Golang enthusiast lead organizer CNCF Campinas • community.cncf.io/campinas • Golang Campinas & Soujava @claudioed on Twitter /claudioed on GitHub
  3. Tiago Angelo Sr. Software Engineer @ zup innovation • microservices

    and service mesh enthusiast • organizer of community.cncf.io/campinas and meetup.com/Golang-Campinas @kurtisangelo on Twitter /angelokurtis on GitHub
  4. Agenda 1 - Few words about microservice 4 - AuthN

    & AuthZ 3 -Service Mesh 2 - Security challenges 5 - Mutual TLS
  5. Few words about microservices…. language heterogeneity reduce time to market,

    if you compare with legacy system helps in path to digital transformation helps large companies to delivery software with confidence
  6. NETWORK github.com/angelokurtis/football-bets

  7. Security Challenges

  8. Microservices enable different services with different languages, in general, it

    is recommended, it is called technology heterogeneity. Problem Frameworks have different concerns about security
  9. Teams have different worries about security, some teams have strong

    expertise on this topic and others not, sometimes we’ ve got different security levels in our MSA Problem Team expertise
  10. There are two things when we think about security Authentication

    and Authorization Problem teams have no idea about the difference between these topics
  11. Service Mesh

  12. Definition “A service mesh is a configurable, low‑latency infrastructure layer

    designed to handle a high volume of network‑based interprocess communication among application infrastructure services using application programming interfaces (APIs).”
  13. None
  14. let’s zoom in a little bit…...

  15. None
  16. ALLLLLL services interactions happen over to sidecar a.k.a envoy proxy

  17. None
  18. The Sidecar as Policy Enforcement Points (PEPs)

  19. we already give the platform a chance to handle our

    deployments let's give a chance to a platform to handle network for us, a.k.a security concerns
  20. Step Back

  21. Kubernetes is a very successful platform to help developers to

    deploy their containers and manage their workloads. The important part here: the kubernetes implements a sort of patterns to achieve it
  22. All the deployment decisions are made on the platform Kubernetes

    Our applications don’t care about the cluster workload, kubernetes does it for us
  23. None
  24. None
  25. Istio & Security

  26. Security by default: no changes needed for application code and

    infrastructure Defense in depth: integrate with existing security systems to provide multiple layers of defense Zero-trust network: build security solutions on untrusted networks
  27. None
  28. End-User Authn & AuthZ

  29. It verifies the original client making the request as an

    end-user or device. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience for open source OpenID Connect provider
  30. it integrates with OpenID Connect provider

  31. None
  32. None
  33. End-User Authz

  34. Each Envoy proxy runs an authorization engine that authorizes requests

    at runtime. When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either ALLOW or DENY.
  35. None
  36. None
  37. NETWORK github.com/angelokurtis/football-bets

  38. let’s recap the Istio Request Flow

  39. Istio Request Flow Istio Request Flow

  40. None
  41. Service-to-Service Authn Service-to-Service Authn

  42. Transport authentication, also known as service-to-service authentication: verifies the direct

    client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication
  43. Provides a key management system to automate key and certificate

    generation, distribution, and rotation
  44. None
  45. None
  46. None
  47. Choose your mTLS flavor!!! Strict - Hard Permissive - Soft

    Disabled - Very Soft
  48. Fine grained control policies Mesh-wide policy Namespace-wide policy Workload policy

  49. None
  50. Final Words about Service Mesh Final words about Service Mesh

  51. Zero code changes is not a 100% true Are headers

  52. Can your service run with a sidecar???

  53. Readiness and Liveness Probes???

  54. THANKS! Any questions? You can find us at: linkedin.com/in/claudioed twitter.com/claudioed

    linkedin.com/in/tiagoangelo twitter.com/kurtisangelo Join us: community.cncf.io/campinas