Securing your microservices using Istio

Sandeep Parikh

January 28, 2020

Transcript

  1. Securing Your Microservices using Istio
    Christian Posta | @christianposta | Solo.io
    Sandeep Parikh | @crcsmnky | Google Cloud

  2. What we’ll cover
    Challenges
    Why Istio
    Solutions
    What’s New
    Questions

  3. Challenges

  4. Securing service to
    service communication

  5. How do you encrypt traffic between your services?
    In Kubernetes deployments, services communicate in plaintext by default.
    Securing the channel requires every app to support encryption and the
    infrastructure to issue, rotate and distribute keys at scale.
    (Diagram: Service A <-> Service B, with Infra supplying the keys)

  6. Challenges implementing encryption
    Determining which apps support encryption
    Updating applications to include encryption support
    Distributed system to provision & manage keys

  7. Controlling access to
    your services

  8. How do you prevent unauthorized access?
    Kubernetes RBAC governs access to the Kubernetes API, not traffic between
    services; it is coarse-grained and knows nothing about app specifics.
    Implementing authorization controls requires apps to understand service- or
    user-level identity, and to enforce it on every route.
    (Diagram: Service A, Service B, Service C)

  9. Challenges implementing authorization
    Apps need to understand and verify
    service / user identity on every call
    Apps need to apply identity controls to
    every route / verb combination

  10. Why Istio

  11. Without Istio
    Each App has to bring its own: encryption library, tracing library, identity
    support, circuit breaking, ingress control, certificate authority, egress
    firewall, access control

  12. Without Istio / With Istio
    Without Istio: the App itself carries the encryption library, tracing library,
    identity support, circuit breaking, ingress control, certificate authority,
    egress firewall and access control.
    With Istio: a sidecar in the Pod, next to the App, handles egress, ingress,
    circuit breaking, fault injection, identity, encryption and observability;
    the control plane provides ingress/egress controls, the certificate authority,
    access controls and routing rules.

  13. Istio security architecture

  14. Solutions

  15. Ecosystem tools

  16. Securing communications / Incorporating identity
    Securing communications: lots of work has gone into securing connections
    between Ingress and Pods (e.g. cert-manager), but service-to-service
    authentication and encryption still relies on custom approaches.
    Incorporating identity: Kubernetes Service Accounts can be used to establish
    service identity, but apps need to know about them. User identity is more
    bespoke and depends on custom integrations.

  17. Encrypting service
    traffic using Istio

  18. Enabling mTLS
    Policy (authentication.istio.io): tells services what sorts of connections
    they can accept. PERMISSIVE accepts both plaintext and mTLS; STRICT accepts
    mTLS only.
    DestinationRule (networking.istio.io): tells clients what sorts of connections
    they should use. ISTIO_MUTUAL sends mTLS using the sidecar's own certificate.
    The two halves must agree: a STRICT server with a client that is not sending
    mTLS, or an ISTIO_MUTUAL client talking to a workload without a sidecar, fails
    the connection.
    (From Istio 1.5 onwards, Policy is replaced by PeerAuthentication for mTLS
    and RequestAuthentication for JWT.)

  19. Securing a subset of services
    How do you use Istio to slowly deploy mTLS across the mesh, while also
    keeping legacy clients in mind?
    (Diagram: "service" in namespace legacy; "frontend" and "backend" in
    namespace secure, which has istio-injection: enabled)

  20. Apply Policy with PERMISSIVE mode
    (Diagram: same mesh as slide 19; backend is now marked PERMISSIVE)
    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: mtls-backend
      namespace: secure
    spec:
      targets:
      - name: backend
      peers:
      - mtls:
          mode: PERMISSIVE
    backend now accepts both plaintext (from the legacy service) and mTLS
    connections, so nothing breaks yet.

  21. Apply DestinationRule with MUTUAL mode
    (Diagram: backend marked PERMISSIVE; frontend -> backend now marked MUTUAL)
    apiVersion: networking.istio.io/v1alpha3
    kind: DestinationRule
    metadata:
      name: mtls-mutual
      namespace: secure
    spec:
      # full FQDN avoids surprises from Istio's short-name expansion
      host: backend.secure.svc.cluster.local
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL
    Mesh clients (frontend) now originate mTLS to backend; the legacy service,
    which has no sidecar, keeps sending plaintext and is still accepted.

  22. Apply Policy with STRICT mode
    (Diagram: backend marked STRICT; frontend -> backend MUTUAL)
    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: mtls-backend
      namespace: secure
    spec:
      targets:
      - name: backend
      peers:
      - mtls:
          mode: STRICT
    backend now accepts mTLS only. frontend keeps working; the legacy service is
    cut off until it is migrated into the mesh, so confirm every caller has a
    sidecar (or a DestinationRule with ISTIO_MUTUAL) before flipping to STRICT.

  23. New in 1.4 – Auto mTLS (alpha)
    ● Enable STRICT mTLS using just Policy objects
    ● Istio sidecars automatically use mTLS when the destination has a sidecar,
      and plaintext when it does not
    ● Can be overridden by DestinationRule objects
    ● Mesh-wide installation flag:
    $ istioctl manifest apply --set profile=demo \
        --set values.global.mtls.auto=true \
        --set values.global.mtls.enabled=false

  24. Authorizing service
    access using Istio

  25. New in 1.4 – AuthorizationPolicy
    Before Istio 1.4: ClusterRbacConfig + ServiceRole + ServiceRoleBinding,
    bound to Kubernetes Service Accounts
    Istio 1.4+: a single AuthorizationPolicy, bound to Kubernetes Service Accounts

  26. Controlling access to services
    How do you use fine-grained authz controls to manage access to/from
    specific services?
    (Diagram: Service A, Service B, Service C spread across namespaces team1
    and team2, both with istio-injection: enabled)

  27. Controlling access to services
    A can talk to B
    B can talk to C
    A can't talk to C
    (Diagram: Service A, Service B, Service C across namespaces team1 and team2,
    both with istio-injection: enabled)

  28. Use AuthorizationPolicy to control access
    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: my-authz-policy
      namespace: team2
    spec:
      selector:
        matchLabels:
          app: serviceC
      rules:
      - from:
        - source:
            principals:
            - "cluster.local/ns/team2/sa/serviceB"
    The policy applies to pods labelled app: serviceC in team2. Its default
    action is ALLOW, and once any ALLOW policy selects a workload, every request
    that matches none of its rules is denied, so Service A is rejected while
    Service B gets through. The principal is read from the caller's certificate
    (SPIFFE ID, trust domain cluster.local), so it only matches over mTLS: a
    plaintext caller under PERMISSIVE mode carries no principal and is denied too.
    (Diagram: Service A, Service B, Service C across namespaces team1 and team2,
    both with istio-injection: enabled)
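    The PERMISSIVE -> DestinationRule -> STRICT rollout of slides 20-22, the auto mTLS
    behaviour of slide 23 and the AuthorizationPolicy of slide 28 all come down to one
    decision the server-side sidecar makes per request. The following is an added
    example written for this page, not Istio's own code: it models that decision for
    the workloads in the slide diagrams. Assumptions: a workload with no Policy accepts
    both plaintext and mTLS (PERMISSIVE, the demo profile default), service account
    names equal workload names, the trust domain is cluster.local, and ports, paths and
    mesh-wide MeshPolicy are ignored.

```python
"""Model of how an Istio 1.4 sidecar decides whether a request gets through.
Illustrative code for this page, not Istio's; the mesh below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Workload:
    name: str
    namespace: str
    service_account: str
    sidecar: bool                            # has an injected Envoy sidecar?
    labels: Dict[str, str] = field(default_factory=dict)

    @property
    def principal(self) -> str:
        # Identity in the sidecar's certificate SAN (SPIFFE ID, trust domain cluster.local)
        return f"cluster.local/ns/{self.namespace}/sa/{self.service_account}"


@dataclass
class AuthorizationPolicy:
    namespace: str
    selector: Dict[str, str]                 # spec.selector.matchLabels
    principals: List[str]                    # rules[0].from[0].source.principals (ALLOW)

    def selects(self, w: Workload) -> bool:
        return w.namespace == self.namespace and all(
            w.labels.get(k) == v for k, v in self.selector.items())


@dataclass
class Mesh:
    peer_mode: Dict[str, str] = field(default_factory=dict)   # Policy peers.mtls.mode per workload
    dest_tls: Dict[str, str] = field(default_factory=dict)    # DestinationRule tls.mode per host
    policies: List[AuthorizationPolicy] = field(default_factory=list)
    auto_mtls: bool = False                  # values.global.mtls.auto=true

    def client_uses_mtls(self, src: Workload, dst: Workload) -> bool:
        if not src.sidecar:
            return False                     # legacy client: no certificate, plaintext only
        mode = self.dest_tls.get(dst.name)
        if mode is None and self.auto_mtls:
            return dst.sidecar               # auto mTLS: mTLS iff the destination has a sidecar
        return mode == "ISTIO_MUTUAL"

    def request(self, src: Workload, dst: Workload) -> str:
        """Return 'ALLOW' or a 'DENY: ...' reason, as the destination sidecar decides it."""
        mtls = self.client_uses_mtls(src, dst)
        if mtls and not dst.sidecar:
            return "DENY: ISTIO_MUTUAL to a workload without a sidecar (nothing terminates mTLS)"
        if not dst.sidecar:
            return "ALLOW"                   # no sidecar means no policy enforcement at all
        # Assumption: no Policy means PERMISSIVE (demo profile default)
        if self.peer_mode.get(dst.name, "PERMISSIVE") == "STRICT" and not mtls:
            return "DENY: STRICT peer policy rejects plaintext"
        principal: Optional[str] = src.principal if mtls else None  # plaintext carries no identity
        applicable = [p for p in self.policies if p.selects(dst)]
        if applicable and not any(principal in p.principals for p in applicable):
            return "DENY: an ALLOW policy selects the workload and no rule matches the caller"
        return "ALLOW"


# Constructed workloads mirroring the slide diagrams
LEGACY = Workload("service", "legacy", "default", sidecar=False)
FRONTEND = Workload("frontend", "secure", "frontend", sidecar=True)
BACKEND = Workload("backend", "secure", "backend", sidecar=True)
SVC_A = Workload("serviceA", "team1", "serviceA", sidecar=True, labels={"app": "serviceA"})
SVC_B = Workload("serviceB", "team2", "serviceB", sidecar=True, labels={"app": "serviceB"})
SVC_C = Workload("serviceC", "team2", "serviceC", sidecar=True, labels={"app": "serviceC"})


def mtls_rollout() -> Dict[str, str]:
    """The three steps of slides 20-22, plus the misconfiguration slide 18 warns about."""
    out = {}
    mesh = Mesh(peer_mode={"backend": "PERMISSIVE"})             # slide 20
    out["permissive/frontend"] = mesh.request(FRONTEND, BACKEND)
    out["permissive/legacy"] = mesh.request(LEGACY, BACKEND)
    mesh.dest_tls["backend"] = "ISTIO_MUTUAL"                      # slide 21
    out["mutual/frontend"] = mesh.request(FRONTEND, BACKEND)
    out["mutual/legacy"] = mesh.request(LEGACY, BACKEND)
    mesh.peer_mode["backend"] = "STRICT"                           # slide 22
    out["strict/frontend"] = mesh.request(FRONTEND, BACKEND)
    out["strict/legacy"] = mesh.request(LEGACY, BACKEND)
    mesh.dest_tls["service"] = "ISTIO_MUTUAL"                      # DestinationRule at a legacy host
    out["mutual-to-legacy"] = mesh.request(FRONTEND, LEGACY)
    return out


def authz_policy(plaintext_to_c: bool = False) -> Dict[str, str]:
    """Slide 28's policy with auto mTLS on; plaintext_to_c=True shows the no-principal pitfall."""
    policy = AuthorizationPolicy("team2", {"app": "serviceC"}, ["cluster.local/ns/team2/sa/serviceB"])
    mesh = Mesh(policies=[policy], auto_mtls=True)
    if plaintext_to_c:
        mesh.dest_tls["serviceC"] = "DISABLE"                      # clients talk plaintext to C
    return {"A->B": mesh.request(SVC_A, SVC_B),
            "B->C": mesh.request(SVC_B, SVC_C),
            "A->C": mesh.request(SVC_A, SVC_C)}


if __name__ == "__main__":
    for k, v in {**mtls_rollout(), **authz_policy()}.items():
        print(f"{k:22} {v}")
```

    Running it prints ALLOW for every rollout step except the legacy caller once
    backend is STRICT and the DestinationRule pointed at a sidecar-less host, and for
    the slide 27 matrix it allows A->B and B->C while denying A->C. The
    plaintext_to_c variant is the caveat worth remembering: with an ALLOW policy in
    place, turning mTLS off between B and C denies B as well, because no principal
    arrives with a plaintext request.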

  29. User Identity Authentication with JWT
    apiVersion: authentication.istio.io/v1alpha1
    kind: Policy
    metadata:
      name: frontend-jwt-policy
    spec:
      targets:
      - name: frontend
      peers:
      - mtls:
          mode: PERMISSIVE
      origins:
      - jwt:
          issuer: http://keycloak.default:8080/auth/realms/istio
          jwksUri: http://keycloak.default:8080/auth/realms/istio/protocol/openid-connect/certs
      principalBinding: USE_ORIGIN
    (Diagram: a caller presents Authorization: Bearer <token> to frontend;
    requests without a valid JWT are rejected with "Need JWT")
    The sidecar fetches the signing keys from jwksUri and checks the token's
    signature, issuer and expiry before the request reaches the app.
    principalBinding: USE_ORIGIN makes the JWT subject, rather than the peer
    certificate, the request principal. Note that jwksUri here is plain http
    inside the cluster; an on-path attacker who can rewrite that response can
    substitute their own keys, so use https (or at least a mesh-internal mTLS
    path) for the key endpoint in production.
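    What the sidecar does with the Authorization header under the Policy above, as
    an added example written for this page rather than Istio's own code. Istio
    fetches RS256 public keys from jwksUri; to run offline this uses an HS256 key
    embedded in a constructed JWKS (kty "oct") as a stand-in, and the secret, the
    token claims and the timestamps are constructed. The issuer is the one from the
    slide, and the accepted principal uses Istio's "<issuer>/<subject>" form.

```python
"""Added example: JWT checks a sidecar performs under an origins.jwt policy.
HS256 with a constructed shared key stands in for Istio's RS256-over-JWKS."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

ISSUER = "http://keycloak.default:8080/auth/realms/istio"  # from the slide's Policy
SECRET = b"constructed-demo-secret-do-not-reuse"           # constructed; real deployments use RSA keys


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed JWKS standing in for the document Istio would fetch from jwksUri
JWKS = {"keys": [{"kty": "oct", "kid": "demo", "alg": "HS256", "k": b64url(SECRET)}]}


def mint_token(claims: Dict, key: bytes = SECRET, kid: str = "demo", alg: str = "HS256") -> str:
    """Issue a token the way the IdP would (used only to build sample inputs)."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"


def authenticate(authorization: str, jwks: Dict = JWKS, issuer: str = ISSUER,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, principal-or-reason). Principal uses Istio's '<iss>/<sub>' form."""
    now = time.time() if now is None else now
    if not authorization or not authorization.startswith("Bearer "):
        return False, "no bearer token"                   # the "Need JWT" case on the slide
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                                    # bad base64, bad UTF-8 or bad JSON
        return False, "undecodable token"
    if header.get("alg") != "HS256":                      # pin the algorithm; never trust "none"
        return False, f"unsupported alg {header.get('alg')!r}"
    key = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "oct"), None)
    if key is None:
        return False, "unknown kid"
    expected = hmac.new(b64url_decode(key["k"]), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):           # constant-time comparison
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if "exp" not in claims or now >= claims["exp"]:
        return False, "expired"
    if now < claims.get("nbf", 0):
        return False, "not yet valid"
    return True, f"{issuer}/{claims.get('sub')}"


def demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: one good token and the rejections a sidecar must produce."""
    good = mint_token({"iss": ISSUER, "sub": "alice", "exp": now + 300})
    expired = mint_token({"iss": ISSUER, "sub": "alice", "exp": now - 1})
    wrong_iss = mint_token({"iss": "http://idp.example/realms/istio", "sub": "alice", "exp": now + 300})
    unsigned = mint_token({"iss": ISSUER, "sub": "alice", "exp": now + 300}, alg="none")
    h, _, s = good.split(".")                             # reuse a valid signature over a swapped payload
    tampered = f"{h}.{b64url(json.dumps({'iss': ISSUER, 'sub': 'admin', 'exp': now + 300}).encode())}.{s}"
    return {
        "valid": authenticate(f"Bearer {good}", now=now),
        "missing": authenticate("", now=now),
        "expired": authenticate(f"Bearer {expired}", now=now),
        "wrong_issuer": authenticate(f"Bearer {wrong_iss}", now=now),
        "alg_none": authenticate(f"Bearer {unsigned}", now=now),
        "tampered": authenticate(f"Bearer {tampered}", now=now),
    }


if __name__ == "__main__":
    for name, (ok, detail) in demo().items():
        print(f"{name:13} {'ALLOW' if ok else 'DENY':5} {detail}")
```

    Only the "valid" request yields a principal; the other five are rejected before
    the app sees them, which is exactly the work the Policy pushes out of the
    application and into the sidecar.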

  30. Demos
    ➔ Preventing unauthorized access to services
    ➔ Automatically enabling mTLS encryption
    ➔ Require a JWT for auth

  31. Hipster Shop
    github.com/GoogleCloudPlatform/microservices-demo

  32. Automatically enabling mTLS

  33. Authorized service access

  34. Authorized service access

  35. What’s new

  36. What’s (also) new in 1.4
    ● Mixer-less telemetry (alpha)
    ● AuthorizationPolicy (beta)
    ● Auto mTLS (experimental)
    ● Expanded istioctl analyze capabilities
    ● Sidecar improvements (graceful exits, more metrics, percent-mirroring)
    ● istio.io/news/releases/1.4.x/announcing-1.4/change-notes/

  37. What’s coming in 1.5
    ● istiod
    ○ Microservices to monolith (blog post, video)
    ● Control plane security
    ● Draft release notes

  38. Thank You!
    Questions or Comments?
    Find us @christianposta and @crcsmnky
    Learn More
    ● Istio istio.io
    ● Google Cloud cloud.google.com
    ● Solo.io www.solo.io
    ● Gloo gloo.solo.io
    ● Service Mesh Hub servicemeshhub.io
    Demo
    ● crcsmnky/securing-microservices-istio
