Isolated multiple trust domain mTLS in Envoy and Istio

Slide 1

Slide 1 text

Takeshi Yoneda, Software Engineer, Tetrate.io SPIFFE Meetup Tokyo #3 Isolated multiple trust domain mTLS in Envoy and Istio

Slide 2

Slide 2 text

• Takeshi Yoneda (Ϛελέ) / Twitter, Github: @mathetake • Software Engineer at Tetrate.io, California, US • OSS dev: Envoy, Istio, Proxy-Wasm, Wasm, TinyGo • C++ committer of Proxy-Wasm project • Contributor/Member of V8, Envoy, Istio, TinyGo, etc. whoami

Slide 3

Slide 3 text

1. Introduction to SPIFFE 2. Introduction to Service Mesh 3. Introduction to mTLS 4. mTLS in Envoy / Istio 5. SPIFFE Certificate Validator in Envoy 6. Independent multiple trust domain support in Istio Agenda

Slide 4

Slide 4 text

1. Introduction to SPIFFE

Slide 5

Slide 5 text

• SPIFFE = “Secure Production Identity Framework For Everyone” • Identityͱͦͷೝূʹؔ͢Δඪ४࢓༷ SPIFFE = Specification

Slide 6

Slide 6 text

• ࠓ೔ؔ܎͢Δ࢓༷ • SPIFFE Identity • SVID(SPIFFE Verifiable Identity Document) • x.509 SVID SPIFFE = Specification

Slide 7

Slide 7 text

• ࠓ೔ؔ܎͢Δ࢓༷ • SPIFFE Identity • SVID(SPIFFE Verifiable Identity Document) • x.509 SVID SPIFFE = Specification

Slide 8

Slide 8 text

• SPIFFE Identity = ݸʑͷWorkloadΛࣝผ͢ΔͨΊͷID • “spiffe://trust-domain-name/your/workload“ ͷܗͷURI • “trust-domain-name” = Trust Root • “your/workload” = Trust Root಺ͷWorkload • ྫ) spiffe://my-app.com/ns/kube-system/sa/my-service-account SPIFFE Identity

Slide 9

Slide 9 text

• SVID = ݸʑͷWorkload͕ࣗ਎Λূ໌͢ΔͨΊͷݕূՄೳͳυΩϡϝϯτ • ҎԼͷ3͔ͭΒߏ੒ • A SPIFFE ID • A Valid Signature • (Optional) Public key SVID(SPIFFE Verifiable Identity Document)

Slide 10

Slide 10 text

• x.509 SVID = SVIDͷ࣮૷(ܗࣜ)ͷҰͭ • x.509ূ໌ॻͷ֦ு࢓༷Λ༻͍Δ • URI SAN(Subject Alternative Name)ΛͨͩҰ͚ͭͩ࣋ͭ • URI SANͷ஋͕SVID (e.g. “spiffe://my-domain/my/workload”) ͷܗ x.509 SVID

Slide 11

Slide 11 text

• x.509 SVIDͷݕূ͸௨ৗͷPKIͱಉ͡ • URI SANʹ੍໿͕͋Δ͚ͩ • x.509 SVIDΛʹॺ໊ͨ͠Trust DomainͷRoot CAͰݕূ͢ΔͷΈ • طଘͷTLSͷΠϯϑϥʹ৐͔ͬΕΔ x.509 SVID

Slide 12

Slide 12 text

x.509 SVID https://thinkit.co.jp/sites/default/files/article_node/zl_kubernetes_07_04.png

Slide 13

Slide 13 text

2. Introduction to Service Mesh

Slide 14

Slide 14 text

• Polyglot • Multiple Protocol • Observability • AuthN/Z Problems in Microservices https://blogs.vmware.com/networkvirtualization/2018/12/nsx-service-mesh.html/

Slide 15

Slide 15 text

• Service Mesh = Microservices؀ڥԼͷΞʔΩςΫνϟͷҰछ • αʔϏε΁ͷ ingress/egreeΛ͢΂ͯϓϩΩγܦ༝ʹ͢Δ Service Mesh = Architecture https://blog.envoyproxy.io/service-mesh-data-plane-vs-control-plane-2774e720f7fc

Slide 16

Slide 16 text

• τϥϑΟοΫ͕͢΂ͯproxyΛܦ༝͢Δ͜ͱͷԸܙ • AuthN/ZΛΞϓϦέʔγϣϯ͔Β෼཭ • ϓϩτίϧͷtranscodingΛΞϓϦέʔγϣϯ͔Β෼཭ • Retry/RatelimitͳͲΛΞϓϦέʔγϣϯ͔Β෼཭ • Ұ؏ͨ͠Metrics/Logͷऔಘ(Observability++) Service Mesh = Architecture

Slide 17

Slide 17 text

Slide 18

Slide 18 text

• ֤αʔϏε͕όϥόϥʹProxyͷઃఆΛ͍ͯͯ͠͸ແବ͕ଟ͍ • Control Plane = தԝूݖతʹ֤αʔϏεͷProxyΛ؅ཧ͢Δਓ Control Plane in Service Mesh https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery

Slide 19

Slide 19 text

• Data Plane = Control Planeʹ؅ཧ͞ΕΔProxyୡ • ඞવతʹҰछྨͷProxy ServerʹͳΔ Data Plane in Service Mesh https://www.weave.works/blog/introduction-to-service-meshes-on-kubernetes-and-progressive-delivery

Slide 20

Slide 20 text

What is Envoy? • “Cloud-native high-performance edge/middle/service proxy” • CNCF Graduated Project, Github Star: 16,000+ • Written in C++

Slide 21

Slide 21 text

• ϦϞʔτͰಈతʹઃఆΛมߋ͢ΔxDSͱ͍͏ϓϩτίϧΛ࣋ͭ • EnvoyΛData Planeͱ͓ͯ͠खܰService Mesh͕࡞ΕΔ • xDS ServerΛ࣮૷͠Control Planeͱ͢Ε͹Α͍ Envoy as a Data Plane https://i-beam.org/2019/01/22/hello-envoy/

Slide 22

Slide 22 text

What is Istio? • xDS ServerΛ࣮૷ͨ͠Control PlaneͷҰͭ • GitHub Star 20k+ • ੈքதͷ໊ͩͨΔاۀ͕ຊ৔ӡ༻ https://www.suse.com/c/understanding-istio-and-its-installation/ https://github.com/istio/istio

Slide 23

Slide 23 text

3. Introduction to mTLS

Slide 24

Slide 24 text

Problems in Zero-Trust env • Man in the Middle attack • ͢΂ͯͷ௨৴Λ҉߸Խ͍ͨ͠ • ʮ௨৴૬ख͸ຊ౰ʹαʔϏεhogeͳͷ͔?ʯ • ͔֬ΊΔखஈ͕ඞཁ: PKI?

Slide 25

Slide 25 text

TLS: Authenticating Servers • ௨ৗͷαʔό<->ΫϥΠΞϯτͷ௨৴ͷ৔߹ • αʔόʔͷূ໌ॻΛΫϥΠΞϯτͷखݩʹ͋Δϧʔτূ໌ॻͰݕূ • ݕূࣦഊ͢Ε͹ϋϯυγΣΠΫࣦഊ ূ໌ॻ͘Ε ূ໌ॻͰ͢ google.com ݕূ ͔֬ʹgoogleͬΆ͍͔Βݕࡧ݁Ռ͘Ε

Slide 26

Slide 26 text

Problems in Zero-Trust env • ௨ৗͷTLSͩͱ৺΋ͱͳ͍ • ࿩͔͚ͯ͘͠Δ૬ख͕୭ͳʹ͔Λݕূ͠ͳ͍ͱҙຯ͕ͳ͍ • ΫϥΠΞϯτ΋ೝূ͠ͳ͚Ε͹ͳΒͳ͍

Slide 27

Slide 27 text

mTLS = mutual TLS • ϋϯυγΣΠΫ࣌ʹΫϥΠΞϯτʹ΋ূ໌ॻͷఏࣔΛཁٻ • ΫϥΠΞϯτ͚ͩͰ͸ͳ͘αʔόʔ΋ূ໌ॻΛݕূ • OK: TLSηογϣϯཱ֬ • NG: ϋϯυγΣΠΫࣦഊ

Slide 28

Slide 28 text

Handshake in mTLS https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication

Slide 29

Slide 29 text

Handshake in mTLS https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication αʔόʔೝূ

Slide 30

Slide 30 text

Handshake in mTLS https://www.slideshare.net/lmeirosu/mtls-securing-microservice-architecture-with-mutual-tls-authentication ΫϥΠΞϯτೝূ

Slide 31

Slide 31 text

Mutual TLS in Service Mesh • Control Plane͔Β֤Data Plane(= ֤Workload/Service) ΁ূ໌ॻΛൃߦ • Control Plane͕Root CAΛ؅ཧͯ͠ॺ໊ • ূ໌ॻͷ಺༰ΛݩʹAuthN/ZΛ੍ޚ͢Δ https://speakerdeck.com/hannaprinz/service-mesh-fixing-microservice-architecture-for-good Control Plane

Slide 32

Slide 32 text

4. mTLS AuthZ in Envoy / Istio

Slide 33

Slide 33 text

mTLS in Envoy • validation_contextͱ͍͏API͕ଘࡏ • ͲͷΑ͏ʹΫϥΠΞϯτূ໌ॻΛݕূ͢Δ͔ΛࢦఆͰ͖Δ

Slide 34

Slide 34 text

mTLS in Istio • Istiod(Control Plane)͕֤Envoyʹূ໌ॻΛ഑Δ • ಈతʹEnvoyͷvalidation_context͕ઃఆ͞ΕmTLS͕ୡ੒ • ֤ূ໌ॻ -> Workload Identity https://istio.io/latest/docs/concepts/security/#authorization-architecture

Slide 35

Slide 35 text

Istio as a SVID issuer • Istioͷ֤Workload Identity͸SPIFFE x.509 SVIDʹ४ڌ • URI SAN͕ͨͩҰͭଘࡏ(= SVID) • spiffe:///ns//sa/ • SVIDͷத਎ʹService Account΍Namespaceؚ͕·Ε͍ͯΔ

Slide 36

Slide 36 text

SAN Matching in Envoy • ΫϥΠΞϯτূ໌ॻͷSANͷmatchingΛߦ͑Δ • Match͠ͳ͍৔߹͸ϋϯυγΣΠΫࣦഊͱ͍͏ڍಈ

Slide 37

Slide 37 text

mTLS + SAN Matching + SVID = ! • ֤Workload͸·ͣSVIDΛݕূ • ݕূޙSVIDͷத਎(=URI SAN)ΛऔΓग़͢ • Service Account΍Namespace͕Θ͔Δ • SAN MatchingΛk8sͷSA΍NSΛݩʹઃఆ • WorkloadϨϕϧͰࡉ͔͍ೝূೝՄ͕ୡ੒Ͱ͖Δ

Slide 38

Slide 38 text

Problems in Multi-cluster cases • Istio: k8s cluster = 1: 1ͱ͍͏ؔ܎ੑ • ෳ਺ͷIstioͷΫϥελ͕૬ޓʹmTLS͍ͨ͠৔߹…? • ྡͷΫϥελʔ͔ΒTrust Bundle(Root CA)Λऔಘ

Slide 39

Slide 39 text

Problems in Multi-cluster cases • ϋϯυγΣΠΫຖʹTrust BundleΛ੾Γସ͑ͳ͍ͱ͍͚ͳ͍ • ੾Γସ͑ͣʹTrust BundleΛࠞͥͨΒͲ͏ͳΔ͔ • ΫϥελʔA -> ΫϥελʔBʹ࿩͔͚͠Δέʔε • AͷWorkload͕Bͷ಺෦ͷWorkloadͷ;ΓΛ͢Δ͔΋͠Εͳ͍ • ೝՄΛ͢Γൈ͚ͯ͠·͏ • Trust domains are not isolated from each other.

Slide 40

Slide 40 text

Problems in Envoy listener for Multi-cluster • validation_context͕ෳ਺ͷTrust DomainΛαϙʔτ͍ͯ͠ͳ͔ͬͨ • Trust BundleΛϚʔδͯ͠Ұͭʹ·ͱΊͳ͍ͱ͍͚ͳ͍

Slide 41

Slide 41 text

5. SPIFFE Certificate Validator in Envoy

Slide 42

Slide 42 text

SPIFFE Certificate Validator • ʮෳ਺ͷTrust domainΛಠཱͨ͠ܗͰݕূ͢Δ࢓૊Έʯ͕ඞཁ • SPIFFE Certificate ValidatorͱݺͿ͜ͱʹ • ઌ೔4ͭͷPRΛܦ࣮ͯ૷͠·ͨ͠ (߹Θͤͯ5000ߦ͙Β͍)

Slide 43

Slide 43 text

SPIFFE Certificate Validator

Slide 44

Slide 44 text

SPIFFE Certificate Validator: How it works 1. ΫϥΠΞϯτূ໌ॻͷSVIDΛऔΓग़͢ 2. SVID͔ΒTrust Domain (spiffe://ͷޙΖͷ෦෼) 3. Trust DomainʹରԠ͢ΔTrust BundleΛબ୒ 4. બ͹ΕͨTrust BundleΛݩʹূ໌ॻΛݕূ 5. ϋϯυγΣΠΫ׬ྃ

Slide 45

Slide 45 text

Reviewed by SPIFFE maintainers 🎉

Slide 46

Slide 46 text

6. Independent multiple trust domain in Istio

Slide 47

Slide 47 text

Isolated cross-cluster mTLS in Istio • ݱঢ়αϙʔτ͍ͯ͠ͳ͍ • Root CA͸ඞͣෳ਺ͷΫϥελͰγΣΞ͞Ε͍ͯΔͱ͍͏લఏ • ΫϥελA͕ΫϥελBͷ;ΓΛग़དྷͯ͠·͏

Slide 48

Slide 48 text

Using SPIFFE Validator in Istio (WIP) • Envoyʹ࣮૷ͨ͠SPIFFE ValidatorΛ࢖͏͜ͱΛఏҊத

Slide 49

Slide 49 text

Using SPIFFE Validator in Istio (WIP) Root CAΛ௥Ճ͢ΔࡍʹTrust DomainΛׂΓ౰ͯΒΕΔΑ͏ʹ͢Δ

Slide 50

Slide 50 text

Independent multiple trust domain in Istio(WIP) Cluster B Bundle Endpoint Bundle Endpoint Cluster A mTLS GET Bundle mTLS

Slide 51

Slide 51 text

·ͱΊ

Slide 52

Slide 52 text

·ͱΊ • Service Mesh = αʔϏεؒ௨৴ΛϓϩΩγʹ೚ͤΔΞʔΩςΫνϟ • mTLS͸Service MeshͰॏཁ: SAN Matchingͱ߹ΘͤͯೝՄʹ΋࢖͑Δ • Istio͸x.509 SVIDͷissuer • Envoyͷ৽ػೳSPIFFE Validator • ෳ਺ͷTrust DomainΛҰͭͷListenerͰ҆શʹೝূͰ͖Δ • Cross-ClusterͳmTLSͷ࣮ݱͷͨΊͷجૅٕज़ • IstioͰ͜ΕΛԠ༻ͨ͠Cross-ClusterೝূೝՄͷ࢓૊ΈΛ࣮૷/ఏҊத

Slide 53

Slide 53 text

We are hiring! https://www.tetrate.io/careers/ Work Anytime and Anywhere + Unlimited paid time off