
Securing your microservices using Istio

Sandeep Parikh

January 28, 2020

Transcript

  1. Securing Your Microservices using Istio
     Christian Posta | @christianposta | Solo.io
     Sandeep Parikh | @crcsmnky | Google Cloud

  2. How do you encrypt traffic between your services?
     In Kubernetes deployments, services communicate using plain text. Securing communication channels requires apps to support encryption and infrastructure to supply keys at scale.
     [Diagram: Service A, Service B, Infra]

  3. Challenges implementing encryption
     • Determining which apps support encryption
     • Distributed system to provision & manage keys
     • Updating applications to include encryption support

  4. How do you prevent unauthorized access?
     Kubernetes provides RBAC capabilities, but they're coarse-grained and don't know about app specifics. Implementing authorization controls requires apps to understand service- or user-level identity, and to implement that for all routes.
     [Diagram: Service A, Service B, Service C]

  5. Challenges implementing authorization
     • Apps need to understand and verify service / user identity on every call
     • Apps need to apply identity controls to every route / verb combination

  6. Without Istio
     [Diagram: each App carries its own Encryption library, Tracing library, Identity support, Circuit breaking, Ingress control, Certificate authority, Egress firewall and Access control]

  7. Without Istio vs. With Istio
     [Diagram: Without Istio, the App carries Encryption library, Tracing library, Identity support, Circuit breaking, Ingress control, Certificate authority, Egress firewall and Access control. With Istio, the Pod holds the App plus a sidecar that handles Egress, Ingress, Circuit breaking, Fault injection, Identity, Encryption and Observability; the Control plane provides Ingress/Egress Controls, Certificate Authority, Access Controls and Routing Rules]

  8. Securing communications
     Lots of work securing connections between Ingress and Pods (e.g. cert-manager). Service-to-service authentication and encryption relies on custom approaches.
     Incorporating identity
     Kubernetes Service Accounts can be used to establish service identity, but apps need to know about them. User identity is more bespoke and depends on custom integrations.

  9. Enabling mTLS
     Policy: tell services what sorts of connections they can accept.
     DestinationRule: tell clients what sorts of connections they should use.

 10. Securing a subset of services
     How do you use Istio to slowly deploy mTLS across the mesh, while also keeping legacy clients in mind?
     [Diagram: frontend in namespace: legacy; backend in namespace: secure (istio-injection: enabled)]

 11. Apply Policy with PERMISSIVE mode
     [Diagram: frontend (namespace: legacy) -> backend (namespace: secure, istio-injection: enabled); backend marked PERMISSIVE]

     apiVersion: authentication.istio.io/v1alpha1
     kind: Policy
     metadata:
       name: mtls-backend
       namespace: secure
     spec:
       targets:
       - name: backend
       peers:
       - mtls:
           mode: PERMISSIVE

 12. Apply DestinationRule with MUTUAL mode
     [Diagram: frontend (namespace: legacy) -> backend (namespace: secure, istio-injection: enabled); backend marked PERMISSIVE, client side marked MUTUAL]

     apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
       name: mtls-mutual
     spec:
       host: backend.secure
       trafficPolicy:
         tls:
           mode: ISTIO_MUTUAL

 13. Apply Policy with STRICT mode
     [Diagram: frontend (namespace: legacy) -> backend (namespace: secure, istio-injection: enabled); backend moves from PERMISSIVE to STRICT, client side MUTUAL]

     apiVersion: authentication.istio.io/v1alpha1
     kind: Policy
     metadata:
       name: mtls-backend
       namespace: secure
     spec:
       targets:
       - name: backend
       peers:
       - mtls:
           mode: STRICT

 14. New in 1.4 – Auto mTLS (alpha)
     • Enable STRICT mTLS using just Policy objects
     • Istio sidecars automatically know to use mTLS connections
     • Can be overridden by DestinationRule objects
     • Mesh-wide installation flag:

       $ istioctl manifest apply --set profile=demo \
           --set values.global.mtls.auto=true \
           --set values.global.mtls.enabled=false
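The three rollout slides show the manifests but not what each step does to the two kinds of client. The Python model below is an added example, not code from the deck or from Istio: it encodes the Istio 1.4 behaviour of the server-side Policy mode (PERMISSIVE/STRICT), the client-side DestinationRule tls mode (ISTIO_MUTUAL/DISABLE), sidecar-less legacy clients, and the auto mTLS flag from slide 14, and returns per step what the client puts on the wire and whether the backend accepts it. The names frontend/backend follow the slides; treating a workload with no Policy as PERMISSIVE is an assumption matching the demo profile's mesh default, and the "mistake" steps are constructed to show why the ordering matters.

```python
"""Added model of which connections succeed during the PERMISSIVE -> MUTUAL ->
STRICT rollout from the slides (Istio 1.4 semantics, not Istio's own code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

PLAINTEXT, MTLS = "PLAINTEXT", "MTLS"


@dataclass
class Workload:
    name: str
    sidecar: bool                       # is an Envoy sidecar injected?
    policy_mode: Optional[str] = None   # server-side Policy: "PERMISSIVE", "STRICT" or None


def client_wire_protocol(client: Workload, server: Workload,
                         dr_tls_mode: Optional[str] = None, auto_mtls: bool = False) -> str:
    """What the client puts on the wire. dr_tls_mode is the DestinationRule
    trafficPolicy.tls.mode for the server's host, or None if no rule exists."""
    if not client.sidecar:
        return PLAINTEXT                 # legacy client: nothing there to originate mTLS
    if dr_tls_mode == "ISTIO_MUTUAL":
        return MTLS
    if dr_tls_mode == "DISABLE":
        return PLAINTEXT
    if auto_mtls and server.sidecar:
        return MTLS                      # auto mTLS: server has a sidecar, so use mTLS without a DR
    return PLAINTEXT                     # mesh default when global.mtls.enabled=false


def server_accepts(server: Workload, wire: str) -> bool:
    """Whether the server side accepts that wire protocol."""
    if not server.sidecar:
        return wire == PLAINTEXT         # no sidecar to terminate mTLS: a TLS handshake fails
    mode = server.policy_mode or "PERMISSIVE"   # assumption: demo-profile mesh default
    if mode == "PERMISSIVE":
        return True                      # accepts both plaintext and mTLS
    if mode == "STRICT":
        return wire == MTLS
    raise ValueError(f"unknown mode {mode}")


def connect(client: Workload, server: Workload,
            dr_tls_mode: Optional[str] = None, auto_mtls: bool = False) -> Tuple[str, bool]:
    wire = client_wire_protocol(client, server, dr_tls_mode, auto_mtls)
    return wire, server_accepts(server, wire)


LEGACY_FRONTEND = Workload("frontend", sidecar=False)   # namespace: legacy, no injection
MESH_FRONTEND = Workload("frontend", sidecar=True)      # namespace: secure, injected


def rollout() -> dict:
    """The slides' three steps, plus constructed ordering mistakes."""
    backend = Workload("backend", sidecar=True, policy_mode="PERMISSIVE")
    steps = {
        "1 PERMISSIVE, no DR: legacy": connect(LEGACY_FRONTEND, backend),
        "1 PERMISSIVE, no DR: mesh": connect(MESH_FRONTEND, backend),
        "2 PERMISSIVE + DR MUTUAL: legacy": connect(LEGACY_FRONTEND, backend, "ISTIO_MUTUAL"),
        "2 PERMISSIVE + DR MUTUAL: mesh": connect(MESH_FRONTEND, backend, "ISTIO_MUTUAL"),
    }
    backend.policy_mode = "STRICT"
    steps.update({
        "3 STRICT + DR MUTUAL: legacy": connect(LEGACY_FRONTEND, backend, "ISTIO_MUTUAL"),  # legacy client cut off
        "3 STRICT + DR MUTUAL: mesh": connect(MESH_FRONTEND, backend, "ISTIO_MUTUAL"),
        # mistake: STRICT applied before the DestinationRule, without auto mTLS
        "STRICT, no DR: mesh": connect(MESH_FRONTEND, backend),
        # auto mTLS (1.4 alpha) makes the DestinationRule unnecessary
        "STRICT, no DR, auto mTLS: mesh": connect(MESH_FRONTEND, backend, auto_mtls=True),
        # mistake: ISTIO_MUTUAL towards a backend that has no sidecar at all
        "DR MUTUAL, backend without sidecar: mesh":
            connect(MESH_FRONTEND, Workload("backend", sidecar=False), "ISTIO_MUTUAL"),
    })
    return steps


if __name__ == "__main__":
    for step, (wire, ok) in rollout().items():
        print(f"{step:45} {wire:9} {'accepted' if ok else 'REJECTED'}")
```

The only step that rejects the legacy frontend is STRICT, which is why the deck keeps the backend PERMISSIVE until every client that matters has a sidecar and a MUTUAL DestinationRule (or auto mTLS) in place.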
 15. New in 1.4 – AuthorizationPolicy
     Before Istio 1.4: ClusterRbacConfig, ServiceRole, ServiceRoleBinding, Kubernetes Service Account
     Istio 1.4+: AuthorizationPolicy, Kubernetes Service Account

 16. Controlling access to services
     How do you use fine-grained authz controls to manage access to/from specific services?
     [Diagram: Service A in namespace: team1 (istio-injection: enabled); Service B and Service C in namespace: team2 (istio-injection: enabled)]

 17. Controlling access to services
     A can talk to B. B can talk to C. A can't talk to C.
     [Diagram: Service A in namespace: team1 (istio-injection: enabled); Service B and Service C in namespace: team2 (istio-injection: enabled)]

 18. Use AuthorizationPolicy to control access
     [Diagram: Service A in namespace: team1 (istio-injection: enabled); Service B and Service C in namespace: team2 (istio-injection: enabled)]

     apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
       name: my-authz-policy
       namespace: team2
     spec:
       selector:
         matchLabels:
           app: serviceC
       rules:
       - from:
         - source:
             principals:
             - "cluster.local/ns/team2/sa/serviceB"

 19. User Identity Authentication with JWT
     [Diagram: caller presents Bearer: token to frontend, which needs a JWT; Service B, Service C behind it]

     apiVersion: authentication.istio.io/v1alpha1
     kind: Policy
     metadata:
       name: frontend-jwt-policy
     spec:
       targets:
       - name: frontend
       peers:
       - mtls:
           mode: PERMISSIVE
       origins:
       - jwt:
           issuer: http://keycloak.default:8080/auth/realms/istio
           jwksUri: http://keycloak.default:8080/auth/realms/istio/protocol/openid-connect/certs
       principalBinding: USE_ORIGIN
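Slide 18 shows only the policy on Service C, and slide 19 binds the request identity to the JWT's origin. The evaluator below is an added example, not the deck's or Istio's code; it models Istio 1.4 AuthorizationPolicy evaluation (ALLOW rules only) over dicts shaped like the manifests, so the slide's my-authz-policy is dropped in unchanged. It shows that with that single policy Service B stays reachable from anyone in the mesh (no policy selects B), that a plaintext caller without a sidecar has no peer principal and is denied at C, and, for slide 19, that a requestPrincipals rule matches the iss/sub principal a validated JWT yields under principalBinding: USE_ORIGIN. The allow-a-to-b and frontend-require-jwt policies, the service-account names and the label app: serviceB are constructed for the example; `to` and `when` matching is not modelled.

```python
"""Added model of Istio 1.4 AuthorizationPolicy evaluation (ALLOW rules only).
Policies are plain dicts mirroring the manifest structure."""
from dataclasses import dataclass
from typing import Optional

JWT_ISSUER = "http://keycloak.default:8080/auth/realms/istio"   # issuer from the slide's Policy


@dataclass
class Workload:
    name: str
    namespace: str
    service_account: str
    labels: dict

    @property
    def principal(self) -> str:
        # SPIFFE-style identity Istio places in the sidecar's client certificate
        return f"cluster.local/ns/{self.namespace}/sa/{self.service_account}"


@dataclass
class Request:
    dest: Workload
    source: Optional[Workload] = None         # None: caller without a sidecar, so no peer identity
    request_principal: Optional[str] = None   # "<iss>/<sub>" of a validated JWT (USE_ORIGIN), if any


def match(pattern: str, value: Optional[str]) -> bool:
    """Istio string matching: exact, "*", prefix ("abc*") or suffix ("*abc")."""
    if value is None:
        return False
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


def source_matches(src: dict, req: Request) -> bool:
    checks = {
        "principals": req.source.principal if req.source else None,
        "namespaces": req.source.namespace if req.source else None,
        "requestPrincipals": req.request_principal,
    }
    # every field present in the source block must match (AND); values within a field are OR
    return all(any(match(p, value) for p in src[field])
               for field, value in checks.items() if field in src)


def rule_matches(rule: dict, req: Request) -> bool:
    froms = rule.get("from", [])
    # a rule with no "from" matches any source; "to" and "when" are not modelled here
    return not froms or any(source_matches(f["source"], req) for f in froms)


def authorize(policies: list, req: Request) -> str:
    selected = [
        p for p in policies
        if p["metadata"].get("namespace") == req.dest.namespace
        and all(req.dest.labels.get(k) == v
                for k, v in p["spec"].get("selector", {}).get("matchLabels", {}).items())
    ]
    if not selected:
        return "ALLOW"   # nothing selects the workload: open by default
    if any(rule_matches(r, req) for p in selected for r in p["spec"].get("rules", [])):
        return "ALLOW"
    return "DENY"        # policies select the workload but no rule matched


# constructed workloads; namespaces follow slide 16, service-account names are assumed
SERVICE_A = Workload("serviceA", "team1", "serviceA", {"app": "serviceA"})
SERVICE_B = Workload("serviceB", "team2", "serviceB", {"app": "serviceB"})
SERVICE_C = Workload("serviceC", "team2", "serviceC", {"app": "serviceC"})
FRONTEND = Workload("frontend", "default", "frontend", {"app": "frontend"})

SLIDE_POLICY = {  # slide 18, unchanged
    "apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "my-authz-policy", "namespace": "team2"},
    "spec": {"selector": {"matchLabels": {"app": "serviceC"}},
             "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/team2/sa/serviceB"]}}]}]},
}
B_POLICY = {  # constructed: closes the gap that leaves serviceB open to the whole mesh
    "apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "allow-a-to-b", "namespace": "team2"},
    "spec": {"selector": {"matchLabels": {"app": "serviceB"}},
             "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/team1/sa/serviceA"]}}]}]},
}
FRONTEND_POLICY = {  # constructed: end users must carry a JWT from the slide's issuer
    "apiVersion": "security.istio.io/v1beta1", "kind": "AuthorizationPolicy",
    "metadata": {"name": "frontend-require-jwt", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "frontend"}},
             "rules": [{"from": [{"source": {"requestPrincipals": [JWT_ISSUER + "/*"]}}]}]},
}


def scenario() -> dict:
    only_c, both = [SLIDE_POLICY], [SLIDE_POLICY, B_POLICY]
    return {
        "A->B (only C policy)": authorize(only_c, Request(SERVICE_B, SERVICE_A)),
        "C->B (only C policy)": authorize(only_c, Request(SERVICE_B, SERVICE_C)),  # B is unprotected
        "B->C": authorize(only_c, Request(SERVICE_C, SERVICE_B)),
        "A->C": authorize(only_c, Request(SERVICE_C, SERVICE_A)),
        "plaintext->C": authorize(only_c, Request(SERVICE_C)),                      # no mTLS, no principal
        "C->B (with B policy)": authorize(both, Request(SERVICE_B, SERVICE_C)),
        "alice->frontend": authorize([FRONTEND_POLICY], Request(FRONTEND, request_principal=JWT_ISSUER + "/alice")),
        "anonymous->frontend": authorize([FRONTEND_POLICY], Request(FRONTEND)),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:24} {verdict}")
```

Two things the model makes visible: a `principals` rule can only match a caller whose sidecar presented an mTLS certificate, so the authorization slides depend on the mTLS slides before them; and an AuthorizationPolicy protects only the workloads its selector picks, so "A can talk to B" on slide 17 holds because nothing restricts B at all, not because anything grants A that access.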
 20. What's (also) new in 1.4
     • Mixer-less telemetry (alpha)
     • AuthorizationPolicy (beta)
     • Auto mTLS (experimental)
     • Expanded istioctl analyze capabilities
     • Sidecar improvements (graceful exits, more metrics, percent-mirroring)
     • istio.io/news/releases/1.4.x/announcing-1.4/change-notes/

 21. What's coming in 1.5
     • istiod
       ◦ Microservices to monolith (blog post, video)
     • Control plane security
     • Draft release notes

 22. Thank You! Questions or Comments?
     Find us @christianposta and @crcsmnky
     Learn More
     • Istio: istio.io
     • Google Cloud: cloud.google.com
     • Solo.io: www.solo.io
     • Gloo: gloo.solo.io
     • Service Mesh Hub: servicemeshhub.io
     Demo
     • crcsmnky/securing-microservices-istio