
Identity provisioning in a Service Mesh


In this demo I show how the Identity provisioning flow works in Istio when using a custom CA for workload certificate issuance and the Kubernetes CSR API for certificate signing.

Ignasi Barrera

February 13, 2021


Transcript

  1. POWERING THE WORLD'S APPLICATION NETWORKS. Ignasi Barrera, Founding Engineer. DevSecOps and Zero Trust Architecture (ZTA) for Multi-Cloud Environments, January 2021.

  2. Offload network and authn/authz functionality to the sidecars. No application changes required!
     [Diagram: Service and Proxy in the Data plane; Discovery, Security and Configuration in the Control Plane; Ingress traffic, Egress traffic and Mesh traffic; Certificates, Metrics, Configuration & Policy flowing between the planes.]

  3. The sidecar container runs two processes:
     • The Envoy proxy
     • The istio-agent
     [Diagram: Service (Data plane) and istiod (Control Plane), connected by XDS and SDS.]

  4. The agent generates an X.509 certificate with the SPIFFE identity and a private key, and sends a CSR for signing.
     [Diagram: Service (Data plane) and istiod (Control Plane), SDS channel; label "Generates certificate and sends CSR".]

  5. istiod validates the certificate and authenticates the client making the request, then forwards the CSR to the CA to have it signed.
     [Diagram: Service (Data plane) and istiod (Control Plane), SDS channel; labels "Authenticates client" and "Checks identity and sends CSR to the CA".]

  6. The CA signs the certificate and returns it.
     [Diagram: Service (Data plane) and istiod (Control Plane), SDS channel; label "Signs the certificate".]

  7. When the signed certificate is received, the agent pushes it to the proxy.
     [Diagram: Service (Data plane) and istiod (Control Plane), SDS channel; labels "Schedule certificate rotation process" and "Push the certificate to Envoy through the SDS channel".]
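Slides 4 to 7 as one worked Go example. This is added here and is not code from the deck or from Istio: a self-signed root stands in for the custom CA, the Kubernetes CSR API and the SDS channel are replaced by direct function calls, and the names spiffeID, newCA, generateCSR, validateCSR, signCSR, verifyLeaf and provision are this example's own. The trust domain, namespace and service account values are constructed. It keeps the check that matters on slide 5: the identity requested in the CSR must equal the identity istiod authenticated for the caller, so a CSR asking for another workload's identity is refused before it reaches the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeID builds the SPIFFE URI Istio derives from trust domain, namespace
// and service account (helper written for this example).
func spiffeID(trustDomain, ns, sa string) *url.URL {
	return &url.URL{Scheme: "spiffe", Host: trustDomain, Path: "/ns/" + ns + "/sa/" + sa}
}

// newCA creates a self-signed root that stands in for the demo's custom CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example mesh root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Slide 4, agent side: a fresh private key and a CSR whose URI SAN carries
// the SPIFFE identity. The private key never leaves the agent.
func generateCSR(id *url.URL) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{id}}, key)
	return key, der, err
}

// Slide 5, istiod side: check the CSR's self-signature and require that the
// identity it asks for equals the identity istiod authenticated for the caller.
// The CSR contents on their own are never accepted as proof of identity.
func validateCSR(csrDER []byte, authenticated *url.URL) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != authenticated.String() {
		return nil, fmt.Errorf("CSR identity %v does not match authenticated client %v", csr.URIs, authenticated)
	}
	return csr, nil
}

// Slide 6, CA side: issue a short-lived leaf. Only the validated URI SAN and
// the public key are copied from the CSR; everything else is set by the CA.
func signCSR(csr *x509.CertificateRequest, caCert *x509.Certificate, caKey *ecdsa.PrivateKey, ttl time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, URIs: csr.URIs,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// Slide 7, agent side: verify the returned certificate chains to the mesh
// root before it is pushed to Envoy over SDS and rotation is scheduled.
func verifyLeaf(leafDER []byte, caCert *x509.Certificate) (*x509.Certificate, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	return leaf, nil
}

// provision runs slides 4 to 7 for one workload. requested is the identity the
// CSR asks for; authenticated is the identity istiod established for the caller.
func provision(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, requested, authenticated *url.URL) (*x509.Certificate, error) {
	_, csrDER, err := generateCSR(requested)
	if err != nil {
		return nil, err
	}
	csr, err := validateCSR(csrDER, authenticated)
	if err != nil {
		return nil, err
	}
	leafDER, err := signCSR(csr, caCert, caKey, time.Hour)
	if err != nil {
		return nil, err
	}
	return verifyLeaf(leafDER, caCert)
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	id := spiffeID("cluster.local", "default", "bookinfo") // constructed sample identity
	if leaf, err := provision(caCert, caKey, id, id); err == nil {
		fmt.Println("issued:", leaf.URIs[0], "until", leaf.NotAfter)
	}
	_, err = provision(caCert, caKey, spiffeID("cluster.local", "default", "other"), id)
	fmt.Println("mismatched identity rejected:", err)
}
```

In the real flow the comparison in validateCSR is between the URI SAN in the CSR and the service account identity istiod obtains from the caller's Kubernetes token; the example collapses that to two URL arguments so the refusal path can be exercised without a cluster.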