
Isolated multiple trust domain mTLS in Envoy and Istio

mathetake

April 20, 2021

Transcript

  1. Takeshi Yoneda, Software Engineer, Tetrate.io
    SPIFFE Meetup Tokyo #3
    Isolated multiple trust domain mTLS
    in Envoy and Istio

  2. • Takeshi Yoneda (Ϛελέ) / Twitter, Github: @mathetake
    • Software Engineer at Tetrate.io, California, US
    • OSS dev: Envoy, Istio, Proxy-Wasm, Wasm, TinyGo
    • C++ committer of Proxy-Wasm project
    • Contributor/Member of V8, Envoy, Istio, TinyGo, etc.
    whoami

  3. 1. Introduction to SPIFFE
    2. Introduction to Service Mesh
    3. Introduction to mTLS
    4. mTLS in Envoy / Istio
    5. SPIFFE Certificate Validator in Envoy
    6. Independent multiple trust domain support in Istio
    Agenda

  4. 1. Introduction to SPIFFE

  5. • SPIFFE = “Secure Production Identity Framework For Everyone”
    • A standard specification for Identity and its authentication
    SPIFFE = Specification

  6. • The specifications relevant today
    • SPIFFE Identity
    • SVID (SPIFFE Verifiable Identity Document)
    • x.509 SVID
    SPIFFE = Specification

  7. • The specifications relevant today
    • SPIFFE Identity
    • SVID (SPIFFE Verifiable Identity Document)
    • x.509 SVID
    SPIFFE = Specification

  8. • SPIFFE Identity = an ID that identifies each individual Workload
    • A URI of the form “spiffe://trust-domain-name/your/workload”
    • “trust-domain-name” = Trust Root
    • “your/workload” = the Workload inside that Trust Root
    • Example: spiffe://my-app.com/ns/kube-system/sa/my-service-account
    SPIFFE Identity

  9. • SVID = a verifiable document with which each Workload proves its own identity
    • Consists of the following 3 parts
    • A SPIFFE ID
    • A Valid Signature
    • (Optional) Public key
    SVID (SPIFFE Verifiable Identity Document)

  10. • x.509 SVID = one implementation (format) of SVID
    • Uses the extension mechanism of x.509 certificates
    • Carries exactly one URI SAN (Subject Alternative Name)
    • The URI SAN value has the form of the SVID (e.g. “spiffe://my-domain/my/workload”)
    x.509 SVID

  11. • Verifying an x.509 SVID is the same as ordinary PKI
    • The only difference is a constraint on the URI SAN
    • Just verify with the Root CA of the Trust Domain that signed the x.509 SVID
    • So it rides on the existing TLS infrastructure
    x.509 SVID

  12. x.509 SVID
    https://thinkit.co.jp/sites/default/files/article_node/zl_kubernetes_07_04.png

  13. 2. Introduction to Service Mesh

  14. • Polyglot
    • Multiple Protocol
    • Observability
    • AuthN/Z
    Problems in Microservices
    https://blogs.vmware.com/networkvirtualization/2018/12/nsx-service-mesh.html/

  15. • Service Mesh = one kind of architecture for Microservices environments
    • All ingress/egress to a service goes through a proxy
    Service Mesh = Architecture
    https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc

  16. • Benefits of routing all traffic through the proxy
    • AuthN/Z is separated from the application
    • Protocol transcoding is separated from the application
    • Retry/Ratelimit and the like are separated from the application
    • Consistent collection of Metrics/Logs (Observability++)
    Service Mesh = Architecture

  17. • Benefits of routing all traffic through the proxy
    • AuthN/Z is separated from the application
    • Protocol transcoding is separated from the application
    • Retry/Ratelimit and the like are separated from the application
    • Consistent collection of Metrics/Logs (Observability++)
    Service Mesh = Architecture
    Everything at the network layer is handled by the proxy

  18. • Having each service configure its Proxy on its own is wasteful
    • Control Plane = the one that centrally manages every service's Proxy
    Control Plane in Service Mesh
    https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery

  19. • Data Plane = the Proxies managed by the Control Plane
    • Inevitably they are all a single kind of Proxy Server
    Data Plane in Service Mesh
    https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery

  20. What is Envoy?
    • “Cloud-native high-performance edge/middle/service proxy”
    • CNCF Graduated Project, Github Star: 16,000+
    • Written in C++

  21. • Has a protocol called xDS for changing its configuration dynamically from a remote source
    • With Envoy as the Data Plane you can build a lightweight Service Mesh
    • Just implement an xDS Server and use it as the Control Plane
    Envoy as a Data Plane
    https://i-beam.org/2019/01/22/hello-envoy/

  22. What is Istio?
    • One of the Control Planes that implement an xDS Server
    • GitHub Star 20k+
    • Run in production by well-known companies around the world
    https://www.suse.com/c/understanding-istio-and-its-installation/
    https://github.com/istio/istio

  23. 3. Introduction to mTLS

  24. Problems in Zero-Trust env
    • Man in the Middle attack
    • We want to encrypt all communication
    • “Is the peer really service hoge?”
    • We need a way to check: PKI?

  25. TLS: Authenticating Servers
    • The ordinary server <-> client communication case
    • The client verifies the server's certificate with the root certificate it holds locally
    • If verification fails, the handshake fails
    [Diagram: the client asks google.com for its certificate (“give me your certificate”), the server answers (“here is my certificate”), the client verifies it, and, since it does look like google, asks for the search results]

  26. Problems in Zero-Trust env
    • Ordinary TLS alone is not reassuring
    • It is meaningless unless you verify who the peer talking to you is
    • The client must be authenticated as well

  27. mTLS = mutual TLS
    • At handshake time the client is also asked to present a certificate
    • Not only the client but the server also verifies the certificate
    • OK: TLS session established
    • NG: handshake fails

  28. Handshake in mTLS
    https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication

  29. Handshake in mTLS
    https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication
    Server authentication

  30. Handshake in mTLS
    https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication
    Client authentication

  31. Mutual TLS in Service Mesh
    • The Control Plane issues certificates to each Data Plane (= each Workload/Service)
    • The Control Plane manages the Root CA and signs them
    • AuthN/Z is controlled based on the certificate contents
    https://speakerdeck.com/hannaprinz/service-mesh-fixing-microservice-architecture-for-good
    Control Plane

  32. 4. mTLS AuthZ in Envoy / Istio

  33. mTLS in Envoy
    • There is an API called validation_context
    • It specifies how client certificates are validated

  34. mTLS in Istio
    • Istiod (Control Plane) distributes certificates to each Envoy
    • Envoy's validation_context is configured dynamically and mTLS is achieved
    • Each certificate -> Workload Identity
    https://istio.io/latest/docs/concepts/security/#authorization-architecture

  35. Istio as a SVID issuer
    • Every Workload Identity in Istio conforms to SPIFFE x.509 SVID
    • Exactly one URI SAN is present (= the SVID)
    • spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
    • The SVID's contents include the Service Account and Namespace

  36. SAN Matching in Envoy
    • Can match on the SANs of the client certificate
    • If nothing matches, the behaviour is a handshake failure

  37. mTLS + SAN Matching + SVID = !
    • Each Workload first verifies the SVID
    • After verification, it extracts the SVID contents (= URI SAN)
    • That reveals the Service Account and Namespace
    • Configure SAN Matching based on the k8s SA and NS
    • Fine-grained AuthN/Z at the Workload level is achieved

  38. Problems in Multi-cluster cases
    • Istio : k8s cluster is a 1 : 1 relationship
    • What if several Istio clusters want to do mTLS with each other…?
    • Fetch the Trust Bundle (Root CA) from the neighbouring cluster

  39. Problems in Multi-cluster cases
    • The Trust Bundle would have to be switched on every handshake
    • What happens if the Trust Bundles are mixed instead of switched?
    • The case where cluster A -> cluster B: A talks to B
    • A's Workload might impersonate a Workload inside B
    • Authorization gets bypassed
    • Trust domains are not isolated from each other.

  40. Problems in Envoy listener for Multi-cluster
    • validation_context did not support multiple Trust Domains
    • The Trust Bundles had to be merged into a single one

  41. 5. SPIFFE Certificate Validator in Envoy

  42. SPIFFE Certificate Validator
    • We need “a mechanism that validates multiple Trust domains in an isolated way”
    • We decided to call it the SPIFFE Certificate Validator
    • Recently implemented over 4 PRs (about 5,000 lines in total)

  43. SPIFFE Certificate Validator

  44. SPIFFE Certificate Validator: How it works
    1. Extract the SVID from the client certificate
    2. Take the Trust Domain from the SVID (the part right after spiffe://)
    3. Select the Trust Bundle that corresponds to that Trust Domain
    4. Verify the certificate against the selected Trust Bundle
    5. Handshake completes
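The five validator steps above, and the bundle-mixing problem of slide 39, as an added example that is not Envoy's or Istio's code: it models the per-trust-domain bundle selection with Go's crypto/x509 on certificates it constructs itself, and contrasts it with verifying against one merged bundle. The trust domains a.example and b.example, the SPIFFE IDs and the helper names (mint, VerifySVID, Scenario) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"errors"; "math/big"; "net/url"; "time"
)

// mint is a constructed fixture: a self-signed CA when parent is nil, else a leaf signed by parent whose only URI SAN is spiffeID.
func mint(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn, spiffeID string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil}
	if tmpl.IsCA { // trust-domain root CA: self-signed
		tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, tmpl, key
	} else { // workload SVID presented as a client certificate: exactly one spiffe:// URI SAN
		u, _ := url.Parse(spiffeID)
		tmpl.URIs, tmpl.ExtKeyUsage = []*url.URL{u}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

var clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // policy for an mTLS client certificate

// VerifySVID follows the validator's steps: single URI SAN -> trust domain (its host) -> that domain's bundle only -> chain check.
func VerifySVID(leaf *x509.Certificate, bundles map[string]*x509.CertPool) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host == "" {
		return "", errors.New("not an x.509 SVID: need exactly one spiffe:// URI SAN")
	}
	pool, ok := bundles[leaf.URIs[0].Host] // never fall back to a default or merged bundle
	if !ok { return "", errors.New("no trust bundle for trust domain " + leaf.URIs[0].Host) }
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: clientAuth}); err != nil { return "", err }
	return leaf.URIs[0].String(), nil
}

// Scenario replays slide 39: cluster A's CA signs a cert claiming a b.example identity. The isolated validator
// rejects it (b.example's bundle holds only B's root); a merged bundle accepts it, since the chain reaches A's root.
func Scenario() (isolatedErr, mergedErr error, honestID string) {
	caA, keyA := mint(nil, nil, "a.example root", "")
	caB, _ := mint(nil, nil, "b.example root", "")
	poolA, poolB, merged := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA); poolB.AddCert(caB); merged.AddCert(caA); merged.AddCert(caB)
	bundles := map[string]*x509.CertPool{"a.example": poolA, "b.example": poolB}
	honest, _ := mint(caA, keyA, "web", "spiffe://a.example/ns/default/sa/web")
	spoof, _ := mint(caA, keyA, "spoof", "spiffe://b.example/ns/kube-system/sa/admin")
	honestID, _ = VerifySVID(honest, bundles)
	_, isolatedErr = VerifySVID(spoof, bundles)
	_, mergedErr = spoof.Verify(x509.VerifyOptions{Roots: merged, KeyUsages: clientAuth})
	return
}
```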

  45. Reviewed by SPIFFE maintainers 🎉

  46. 6. Independent multiple trust domain in Istio

  47. Isolated cross-cluster mTLS in Istio
    • Not supported today
    • Assumes the Root CA is always shared across the clusters
    • So cluster A can impersonate cluster B

  48. Using SPIFFE Validator in Istio (WIP)
    • Proposing to use the SPIFFE Validator implemented in Envoy

  49. Using SPIFFE Validator in Istio (WIP)
    Allow a Trust Domain to be assigned when a Root CA is added

  50. Independent multiple trust domain in Istio (WIP)
    [Diagram: Cluster A and Cluster B, each exposing a Bundle Endpoint; arrows labelled GET Bundle and mTLS between the two clusters]

  51. Summary
    • Service Mesh = an architecture that delegates service-to-service communication to proxies
    • mTLS matters in a Service Mesh: combined with SAN Matching it can be used for authorization too
    • Istio is an x.509 SVID issuer
    • Envoy's new feature: the SPIFFE Validator
    • Authenticates multiple Trust Domains safely in a single Listener
    • A building block for realizing Cross-Cluster mTLS
    • Implementing/proposing a Cross-Cluster AuthN/Z mechanism in Istio that applies this

  52. We are hiring! https://www.tetrate.io/careers/
    Work Anytime and Anywhere + Unlimited paid time off