Isolated multiple trust domain mTLS in Envoy and Istio

mathetake

April 20, 2021


Transcript

  1. whoami
     • Takeshi Yoneda (マスタケ) / Twitter, GitHub: @mathetake
     • Software Engineer at Tetrate.io, California, US
     • OSS dev: Envoy, Istio, Proxy-Wasm, Wasm, TinyGo
     • C++ committer of the Proxy-Wasm project
     • Contributor/Member of V8, Envoy, Istio, TinyGo, etc.
  2. Agenda
     1. Introduction to SPIFFE
     2. Introduction to Service Mesh
     3. Introduction to mTLS
     4. mTLS in Envoy / Istio
     5. SPIFFE Certificate Validator in Envoy
     6. Independent multiple trust domain support in Istio
  3. SPIFFE = Specification
     • SPIFFE = "Secure Production Identity Framework For Everyone"
     • A standard specification for identity and its authentication
  4. SPIFFE Identity
     • SPIFFE Identity = an ID that identifies an individual workload
     • A URI of the form "spiffe://trust-domain-name/your/workload"
     • "trust-domain-name" = Trust Root
     • "your/workload" = a workload within that Trust Root
     • Example: spiffe://my-app.com/ns/kube-system/sa/my-service-account
  5. SVID (SPIFFE Verifiable Identity Document)
     • SVID = a verifiable document with which an individual workload proves its own identity
     • Made up of the following three parts:
     • A SPIFFE ID
     • A Valid Signature
     • (Optional) Public key
  6. x.509 SVID
     • x.509 SVID = one implementation (format) of SVID
     • Uses the x.509 certificate extension mechanism
     • Carries exactly one URI SAN (Subject Alternative Name)
     • The value of the URI SAN is the SVID, of the form "spiffe://my-domain/my/workload" (for example)
  7. Problems in Microservices
     • Polyglot
     • Multiple Protocol
     • Observability
     • AuthN/Z
     https://blogs.vmware.com/networkvirtualization/2018/12/nsx-service-mesh.html/
  8. Service Mesh = Architecture
     • Service Mesh = one kind of architecture for microservices environments
     • All ingress/egress traffic to a service is routed through a proxy
     https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc
  9. Control Plane in Service Mesh
     • Having every service configure its own proxy separately is wasteful
     • Control Plane = the entity that centrally manages each service's proxy
     https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery
  10. Data Plane in Service Mesh
     • Data Plane = the proxies managed by the Control Plane
     • Inevitably ends up being a single kind of proxy server
     https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery
  11. What is Envoy?
     • "Cloud-native high-performance edge/middle/service proxy"
     • CNCF Graduated Project, GitHub Star: 16,000+
     • Written in C++
  12. What is Istio?
     • One of the Control Planes that implement an xDS Server
     • GitHub Star 20k+
     • Run in production by well-known companies around the world
     https://www.suse.com/c/understanding-istio-and-its-installation/
     https://github.com/istio/istio
  13. Problems in Zero-Trust env
     • Man in the Middle attack
     • We want to encrypt all communication
     • "Is the peer really service hoge?"
     • We need a means of checking this: PKI?
  14. Mutual TLS in Service Mesh
     • The Control Plane issues certificates to each Data Plane (= each Workload/Service)
     • The Control Plane manages the Root CA and signs them
     • AuthN/Z is controlled based on the contents of the certificate
     https://speakerdeck.com/hannaprinz/service-mesh-fixing-microservice-architecture-for-good
  15. mTLS in Istio
     • Istiod (Control Plane) distributes certificates to each Envoy
     • Envoy's validation_context is configured dynamically, and mTLS is achieved
     • Each certificate -> Workload Identity
     https://istio.io/latest/docs/concepts/security/#authorization-architecture
  16. Istio as a SVID issuer
     • Each Workload Identity in Istio conforms to SPIFFE x.509 SVID
     • Exactly one URI SAN is present (= the SVID)
     • spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>
     • The contents of the SVID include the Service Account and Namespace
  17. mTLS + SAN Matching + SVID = !
     • Each Workload first verifies the SVID
     • After verification, it extracts the contents of the SVID (= URI SAN)
     • This reveals the Service Account and Namespace
     • Configure SAN Matching based on the k8s SA and NS
     • Fine-grained authentication and authorization at the Workload level becomes possible
  18. Problems in Multi-cluster cases
     • Istio : k8s cluster is a 1:1 relationship
     • What if multiple Istio clusters want to do mTLS with each other…?
     • Fetch the Trust Bundle (Root CA) from the neighbouring cluster
  19. Problems in Multi-cluster cases
     • The Trust Bundle would have to be switched on every handshake
     • What happens if the Trust Bundles are mixed together instead of switched?
     • Case: cluster A talks to cluster B
     • A Workload in A may impersonate a Workload inside B
     • Authorization is bypassed
     • Trust domains are not isolated from each other.
  20. SPIFFE Certificate Validator: How it works
     1. Extract the SVID from the client certificate
     2. Take the Trust Domain (the part after spiffe://) from the SVID
     3. Select the Trust Bundle corresponding to that Trust Domain
     4. Verify the certificate against the selected Trust Bundle
     5. Handshake complete
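As an added example (not from the deck), the two Envoy `validation_context` fragments below put the mixed-bundle setup of slide 19 beside the per-trust-domain validator of slide 20. Both fragments belong under `common_tls_context` of a listener's `DownstreamTlsContext`; the trust-domain names and file paths are constructed placeholders.

```yaml
# WEAK: one merged bundle for two trust domains. Any CA in the bundle can sign
# a certificate whose URI SAN claims cluster-b.example, and the SAN matcher
# below cannot tell which CA vouched for it (slide 19).
validation_context:
  trusted_ca:
    filename: /etc/certs/cluster-a-and-cluster-b-roots.pem   # concatenated roots (placeholder path)
  match_typed_subject_alt_names:
  - san_type: URI
    matcher:
      prefix: "spiffe://cluster-b.example/ns/"

---
# FIXED: SPIFFE certificate validator. Envoy reads the trust domain from the
# client certificate's URI SAN and verifies the chain only against that
# domain's bundle, so a cluster-a.example root cannot vouch for a
# cluster-b.example identity (slide 20). SAN matching still applies afterwards.
validation_context:
  custom_validator_config:
    name: envoy.tls.cert_validator.spiffe
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
      trust_domains:
      - name: cluster-a.example          # placeholder trust domain
        trust_bundle:
          filename: /etc/certs/cluster-a-root.pem
      - name: cluster-b.example          # placeholder trust domain
        trust_bundle:
          filename: /etc/certs/cluster-b-root.pem
  match_typed_subject_alt_names:
  - san_type: URI
    matcher:
      prefix: "spiffe://cluster-b.example/ns/"
```

A client certificate whose URI SAN names a trust domain not listed under `trust_domains` is rejected at the handshake, which is the isolation property the deck is after.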
  21. Independent multiple trust domain in Istio (WIP)
     (diagram labels: Cluster A, Cluster B, Bundle Endpoint, GET Bundle, mTLS)
  22. Summary
     • Service Mesh = an architecture that delegates inter-service communication to proxies
     • mTLS is important in Service Mesh: combined with SAN Matching, it can also be used for authorization
     • Istio is an issuer of x.509 SVIDs
     • Envoy's new feature: the SPIFFE Validator
     • Multiple Trust Domains can be authenticated safely on a single Listener
     • A foundational technology for realizing cross-cluster mTLS
     • A mechanism for cross-cluster AuthN/Z that applies this in Istio is being implemented/proposed