Securing your microservices using Istio



Sandeep Parikh

January 28, 2020

Transcript

  1. Securing Your Microservices using Istio

     Christian Posta | @christianposta | Solo.io
     Sandeep Parikh | @crcsmnky | Google Cloud
  2. What we’ll cover: Challenges, Why Istio, Solutions, What’s New, Questions

  3. Challenges

  4. Securing service to service communication

  5. How do you encrypt traffic between your services?

     By default, services in a Kubernetes cluster talk to each other in plaintext. Securing those channels requires the apps to support encryption and the infrastructure to supply keys to every workload at scale. (diagram: Service A, Service B, Infra)
  6. Challenges implementing encryption

     • Determining which apps support encryption
     • Updating applications to include encryption support
     • Running a distributed system to provision and manage keys
  7. Controlling access to your services

  8. How do you prevent unauthorized access?

     Kubernetes RBAC is coarse-grained: it governs access to the Kubernetes API and knows nothing about application-level identity or routes. Implementing authorization for service traffic therefore requires the apps themselves to understand service- or user-level identity and enforce it on every route. (diagram: Service A, Service B, Service C)
  9. Challenges implementing authorization

     • Apps need to understand and verify service / user identity on every call
     • Apps need to apply identity controls to every route / verb combination
  10. Why Istio

  11. Without Istio

      Each app carries its own encryption library, tracing library, identity support, circuit breaking, ingress control, certificate authority, egress firewall and access control.
  12. Without Istio / With Istio

      Without Istio: the app bundles an encryption library, tracing library, identity support, circuit breaking, ingress control, certificate authority, egress firewall and access control.
      With Istio: the pod runs the app next to a sidecar that handles ingress, egress, circuit breaking, fault injection, identity, encryption and observability; the control plane provides ingress/egress controls, the certificate authority, access controls and routing rules.
  13. Istio security architecture

  14. Solutions

  15. Ecosystem tools

  16. Securing communications / Incorporating identity

      Securing communications: lots of work has gone into securing connections between Ingress and Pods (e.g. cert-manager), but service-to-service authentication and encryption still rely on custom approaches.
      Incorporating identity: Kubernetes Service Accounts can be used to establish service identity, but apps need to know about them. User identity is more bespoke and depends on custom integrations.
  17. Encrypting service traffic using Istio

  18. Enabling mTLS

      Policy: tells services (the server-side sidecar) what sorts of connections they can accept.
      DestinationRule: tells clients (the client-side sidecar) what sorts of connections they should use.
  19. Securing a subset of services

      How do you use Istio to slowly deploy mTLS across the mesh, while also keeping legacy clients in mind? (diagram: service frontend in namespace legacy; service backend in namespace secure, labelled istio-injection: enabled)
  20. Apply Policy with PERMISSIVE mode

      (diagram: frontend in namespace legacy, backend in namespace secure with istio-injection: enabled; backend is now PERMISSIVE, so it accepts both plaintext and mTLS)

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: mtls-backend
        namespace: secure
      spec:
        targets:
        - name: backend
        peers:
        - mtls:
            mode: PERMISSIVE
  21. Apply DestinationRule with MUTUAL mode

      (diagram: backend stays PERMISSIVE; clients with a sidecar now send MUTUAL, while frontend in namespace legacy can still connect in plaintext)

      apiVersion: networking.istio.io/v1alpha3
      kind: DestinationRule
      metadata:
        name: mtls-mutual
      spec:
        host: backend.secure
        trafficPolicy:
          tls:
            mode: ISTIO_MUTUAL
  22. Apply Policy with STRICT mode

      (diagram: backend now STRICT and sidecar clients MUTUAL; from this point plaintext callers, such as a frontend in namespace legacy without a sidecar, are rejected)

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: mtls-backend
        namespace: secure
      spec:
        targets:
        - name: backend
        peers:
        - mtls:
            mode: STRICT
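The three steps above only work if the server side (Policy) and the client side (DestinationRule) are changed in the right order; a STRICT target whose clients still send plaintext, or a DestinationRule that forces mTLS towards a service whose sidecar does not accept it, breaks traffic. The script below is an added example (not from the deck and not Istio's own code) that evaluates the Istio 1.4 precedence rules offline, service-level Policy over namespace-wide Policy over MeshPolicy, and flags the same kind of mismatch that istioctl authn tls-check reported in that release. All objects in it are constructed stand-ins for what kubectl would return; the payments and frontend entries are deliberately misconfigured.

```python
"""Offline check for Istio 1.4 mTLS mismatches between authentication Policy
(what a server sidecar accepts) and DestinationRule (what a client sidecar sends).

The objects below are constructed for this example; in practice they would come
from `kubectl get meshpolicies,policies.authentication.istio.io,destinationrules -A -o json`.
"""

# Constructed sample objects, not from the deck or a live cluster.
POLICIES = [
    # Mesh-wide default: accept both plaintext and mTLS.
    {"kind": "MeshPolicy", "metadata": {"name": "default"},
     "spec": {"peers": [{"mtls": {"mode": "PERMISSIVE"}}]}},
    # The deck's final step: backend in `secure` only accepts mTLS.
    {"kind": "Policy", "metadata": {"name": "mtls-backend", "namespace": "secure"},
     "spec": {"targets": [{"name": "backend"}],
              "peers": [{"mtls": {"mode": "STRICT"}}]}},
    # A STRICT service nobody wrote a DestinationRule for (misconfiguration).
    {"kind": "Policy", "metadata": {"name": "mtls-payments", "namespace": "secure"},
     "spec": {"targets": [{"name": "payments"}],
              "peers": [{"mtls": {"mode": "STRICT"}}]}},
    # Namespace-wide Policy with no peer method: sidecars in `legacy` accept plaintext only.
    {"kind": "Policy", "metadata": {"name": "default", "namespace": "legacy"},
     "spec": {"peers": []}},
]

DESTINATION_RULES = [
    {"metadata": {"name": "mtls-mutual", "namespace": "secure"},
     "spec": {"host": "backend.secure.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    # Clients told to use mTLS towards a service whose sidecar will not terminate it.
    {"metadata": {"name": "frontend-mtls", "namespace": "legacy"},
     "spec": {"host": "frontend.legacy.svc.cluster.local",
              "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
]


def _peer_mode(spec):
    """mTLS mode a Policy asks the server sidecar to enforce; no mtls peer means plaintext only."""
    for peer in spec.get("peers") or []:
        if "mtls" in peer:
            return (peer["mtls"] or {}).get("mode", "STRICT")  # a bare `mtls: {}` is STRICT
    return "DISABLE"


def server_mode(service, namespace, policies=POLICIES):
    """Most specific policy wins: service target > namespace-wide Policy > MeshPolicy > DISABLE."""
    ns_wide = mesh = None
    for pol in policies:
        spec = pol["spec"]
        if pol["kind"] == "MeshPolicy":
            mesh = spec
        elif pol["metadata"]["namespace"] == namespace:
            targets = [t["name"] for t in spec.get("targets") or []]
            if service in targets:
                return _peer_mode(spec)
            if not targets:
                ns_wide = spec
    if ns_wide is not None:
        return _peer_mode(ns_wide)
    if mesh is not None:
        return _peer_mode(mesh)
    return "DISABLE"


def client_mode(service, namespace, rules=DESTINATION_RULES):
    """TLS mode a client sidecar uses; with auto mTLS off, no DestinationRule means plaintext."""
    fqdn = f"{service}.{namespace}.svc.cluster.local"
    for rule in rules:
        host = rule["spec"]["host"]
        same_ns_short = host == service and rule["metadata"]["namespace"] == namespace
        if host in (fqdn, f"{service}.{namespace}") or same_ns_short:
            mode = rule["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode", "DISABLE")
            return "MUTUAL" if mode == "ISTIO_MUTUAL" else mode
    return "DISABLE"


def check(service, namespace):
    """Return (server mode, client mode, status) for one service."""
    srv, cli = server_mode(service, namespace), client_mode(service, namespace)
    if srv == "STRICT" and cli != "MUTUAL":
        status = "CONFLICT"  # server rejects the plaintext / one-way TLS the client sends
    elif srv == "DISABLE" and cli == "MUTUAL":
        status = "CONFLICT"  # client starts mTLS, server side expects plaintext
    else:
        status = "OK"        # PERMISSIVE accepts either; STRICT + MUTUAL is the goal state
    return srv, cli, status


if __name__ == "__main__":
    for svc, ns in [("backend", "secure"), ("payments", "secure"),
                    ("frontend", "legacy"), ("catalog", "secure")]:
        srv, cli, status = check(svc, ns)
        print(f"{svc}.{ns:<8} server={srv:<10} client={cli:<8} {status}")
```

Run it before flipping a Policy to STRICT: every target that comes back CONFLICT will start returning connection errors the moment the Policy is applied. The ordering the deck uses (PERMISSIVE, then DestinationRule, then STRICT) is exactly what keeps the backend row OK at every step.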
  23. New in 1.4 – Auto mTLS (alpha)

      • Enable STRICT mTLS using just Policy objects
      • Istio sidecars automatically know to use mTLS connections
      • Can be overridden by DestinationRule objects
      • Mesh-wide installation flag:

        $ istioctl manifest apply --set profile=demo \
            --set values.global.mtls.auto=true \
            --set values.global.mtls.enabled=false
  24. Authorizing service access using Istio

  25. New in 1.4 – AuthorizationPolicy

      Before Istio 1.4: ClusterRbacConfig, ServiceRole, ServiceRoleBinding, Kubernetes Service Account
      Istio 1.4+: AuthorizationPolicy, Kubernetes Service Account
  26. Controlling access to services

      How do you use fine-grained authz controls to manage access to/from specific services? (diagram: Service A, Service B, Service C across namespace team1 and namespace team2, both with istio-injection: enabled)
  27. Controlling access to services

      A can talk to B. B can talk to C. A can’t talk to C. (diagram: Service A, Service B, Service C across namespace team1 and namespace team2, both with istio-injection: enabled)
  28. Use AuthorizationPolicy to control access

      (diagram: Service A, Service B, Service C across namespace team1 and namespace team2, both with istio-injection: enabled)

      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: my-authz-policy
        namespace: team2
      spec:
        selector:
          matchLabels:
            app: serviceC
        rules:
        - from:
          - source:
              principals:
              - "cluster.local/ns/team2/sa/serviceB"

      Only workloads presenting the mTLS identity of serviceB’s service account may reach pods labelled app: serviceC; any other caller, including A, is denied. Because the principal comes from the client certificate, this policy only works once the callers are on mTLS.
  29. User Identity: Authentication with JWT

      (diagram: Service B, Service C; a request carrying "Bearer: token" reaches frontend, which needs a JWT)

      apiVersion: authentication.istio.io/v1alpha1
      kind: Policy
      metadata:
        name: frontend-jwt-policy
      spec:
        targets:
        - name: frontend
        peers:
        - mtls:
            mode: PERMISSIVE
        origins:
        - jwt:
            issuer: http://keycloak.default:8080/auth/realms/istio
            jwksUri: http://keycloak.default:8080/auth/realms/istio/protocol/openid-connect/certs
        principalBinding: USE_ORIGIN

      The sidecar fetches the signing keys from jwksUri and rejects requests whose token is missing, expired, or not signed by those keys; USE_ORIGIN makes the JWT, not the peer certificate, the request’s principal. Note the keys are fetched over plain http here, which is fine for a demo but should be TLS in anything real.
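Slides 26 to 29 describe two kinds of caller identity: the mTLS principal of a service (principals) and the issuer/subject of a validated JWT (requestPrincipals). The evaluator below is an added example, not code from the deck or from Istio, that applies the documented 1.4 decision procedure for AuthorizationPolicy to both: a workload selected by no policy is open, a selected workload is allowed only if some rule matches, and an empty rule list denies everything. It assumes A lives in team1 and B and C in team2 (the deck does not say), adds a hypothetical frontend-users policy for the JWT case, and omits `when` conditions and ipBlocks. The request attributes are what the sidecar would have after the authentication Policy ran: an empty principal on a plaintext connection, and a requestPrincipal only when a JWT was validated against jwksUri.

```python
"""Offline evaluator for Istio 1.4 AuthorizationPolicy (security.istio.io/v1beta1).

No policy selecting the workload => ALLOW; otherwise ALLOW only if some rule of
some selecting policy matches. 1.4 has only the ALLOW action; `when` conditions
and ipBlocks are not modelled. Workloads, policies and requests are constructed.
"""

ROOT_NAMESPACE = "istio-system"  # policies in the root namespace apply mesh-wide


def _glob(pattern, value):
    """Istio allows '*' alone or as a prefix/suffix wildcard; everything else is exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _field_ok(block, field, value):
    """Entries within a field are OR-ed; the matching not<Field> list excludes; both must hold."""
    neg = "not" + field[0].upper() + field[1:]
    if field in block and not any(_glob(p, value) for p in block[field]):
        return False
    if neg in block and any(_glob(p, value) for p in block[neg]):
        return False
    return True


# Which request attribute each `source` / `operation` field is compared against.
SOURCE_FIELDS = {"principals": "principal", "namespaces": "source_namespace",
                 "requestPrincipals": "request_principal"}
OPERATION_FIELDS = {"methods": "method", "paths": "path", "hosts": "host"}


def _block_ok(block, fields, req):
    return all(_field_ok(block, k, req[v]) for k, v in fields.items())


def _rule_matches(rule, req):
    """`from`: any source entry; `to`: any operation entry; an empty rule matches everything."""
    froms = rule.get("from") or []
    tos = rule.get("to") or []
    if froms and not any(_block_ok(f.get("source", {}), SOURCE_FIELDS, req) for f in froms):
        return False
    if tos and not any(_block_ok(t.get("operation", {}), OPERATION_FIELDS, req) for t in tos):
        return False
    return True


def _selects(policy, workload):
    """Applies to workloads in the policy's namespace (or mesh-wide from the root namespace)
    whose labels contain every matchLabels entry; no selector means the whole namespace."""
    if policy["metadata"]["namespace"] not in (workload["namespace"], ROOT_NAMESPACE):
        return False
    labels = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(workload["labels"].get(k) == v for k, v in labels.items())


def authorize(policies, workload, req):
    selecting = [p for p in policies if _selects(p, workload)]
    if not selecting:
        return "ALLOW"  # nothing selects the workload: open by default
    for pol in selecting:
        for rule in pol["spec"].get("rules") or []:
            if _rule_matches(rule, req):
                return "ALLOW"
    return "DENY"  # selected, but no rule matched (rules: [] denies everything)


def request(principal="", source_namespace="", request_principal="",
            method="GET", path="/", host="frontend"):
    """principal: SPIFFE identity from the client cert (empty on plaintext);
    request_principal: '<iss>/<sub>' of a JWT the sidecar already validated (empty if none)."""
    return dict(principal=principal, source_namespace=source_namespace,
                request_principal=request_principal, method=method, path=path, host=host)


# Constructed scenario: A in team1, B and C in team2; frontend-users is hypothetical.
POLICIES = [
    {"metadata": {"name": "my-authz-policy", "namespace": "team2"},
     "spec": {"selector": {"matchLabels": {"app": "serviceC"}},
              "rules": [{"from": [{"source": {
                  "principals": ["cluster.local/ns/team2/sa/serviceB"]}}]}]}},
    {"metadata": {"name": "frontend-users", "namespace": "team1"},
     "spec": {"selector": {"matchLabels": {"app": "frontend"}},
              "rules": [{"from": [{"source": {"requestPrincipals": [
                  "http://keycloak.default:8080/auth/realms/istio/*"]}}],
                         "to": [{"operation": {"methods": ["GET"]}}]}]}},
]
SERVICE_B = {"namespace": "team2", "labels": {"app": "serviceB"}}
SERVICE_C = {"namespace": "team2", "labels": {"app": "serviceC"}}
FRONTEND = {"namespace": "team1", "labels": {"app": "frontend"}}
A_ID = "cluster.local/ns/team1/sa/serviceA"
B_ID = "cluster.local/ns/team2/sa/serviceB"
USER = "http://keycloak.default:8080/auth/realms/istio/alice"

if __name__ == "__main__":
    print("A -> B", authorize(POLICIES, SERVICE_B, request(A_ID, "team1")))
    print("B -> C", authorize(POLICIES, SERVICE_C, request(B_ID, "team2")))
    print("A -> C", authorize(POLICIES, SERVICE_C, request(A_ID, "team1")))
    print("plaintext -> C", authorize(POLICIES, SERVICE_C, request(source_namespace="team2")))
    print("user GET frontend", authorize(POLICIES, FRONTEND, request(request_principal=USER)))
```

Two outcomes worth noticing: the plaintext call to C is denied even though it originates in team2, because without mTLS there is no principal for the rule to match, and a request to frontend with no validated token is denied by the policy even before considering that the authentication Policy on slide 29 would already have rejected it. Both are the reason the deck enables mTLS (slides 18 to 23) before turning on authorization.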
  30. Demos

      ➔ Preventing unauthorized access to services
      ➔ Automatically enabling mTLS encryption
      ➔ Require a JWT for auth
  31. Hipster Shop github.com/GoogleCloudPlatform/microservices-demo

  32. Automatically enabling mTLS

  33. Authorized service access

  34. Authorized service access

  35. What’s new

  36. What’s (also) new in 1.4

      • Mixer-less telemetry (alpha)
      • AuthorizationPolicy (beta)
      • Auto mTLS (experimental)
      • Expanded istioctl analyze capabilities
      • Sidecar improvements (graceful exits, more metrics, percent-mirroring)
      • istio.io/news/releases/1.4.x/announcing-1.4/change-notes/
  37. What’s coming in 1.5

      • istiod: microservices to monolith (blog post, video)
      • Control plane security
      • Draft release notes
  38. Thank You! Questions or Comments? Find us @christianposta and @crcsmnky

      Learn More
      • Istio istio.io
      • Google Cloud cloud.google.com
      • Solo.io www.solo.io
      • Gloo gloo.solo.io
      • Service Mesh Hub servicemeshhub.io
      Demo
      • crcsmnky/securing-microservices-istio