Slide 1

Slide 1 text

Securing Your Microservices using Istio
Christian Posta | @christianposta | Solo.io
Sandeep Parikh | @crcsmnky | Google Cloud

Slide 2

Slide 2 text

What we’ll cover
● Challenges
● Why Istio
● Solutions
● What’s New
● Questions

Slide 3

Slide 3 text

Challenges

Slide 4

Slide 4 text

Securing service to service communication

Slide 5

Slide 5 text

How do you encrypt traffic between your services? By default, services in a Kubernetes cluster talk to each other in plaintext. Securing those channels requires every app to support encryption and the infrastructure to issue, distribute and rotate keys at scale.
(diagram: Service A and Service B, with the infrastructure that would have to supply their keys)

Slide 6

Slide 6 text

Challenges implementing encryption
● Determining which apps support encryption
● Updating applications to include encryption support
● Building a distributed system to provision and manage keys

Slide 7

Slide 7 text

Controlling access to your services

Slide 8

Slide 8 text

How do you prevent unauthorized access? Kubernetes RBAC governs access to the Kubernetes API, not calls between services; it is coarse-grained and knows nothing about application specifics. Implementing authorization requires every app to understand service- or user-level identity and enforce it on every route.
(diagram: Service A, Service B and Service C calling each other)

Slide 9

Slide 9 text

Challenges implementing authorization
● Apps need to understand and verify service / user identity on every call
● Apps need to apply identity controls to every route / verb combination

Slide 10

Slide 10 text

Why Istio

Slide 11

Slide 11 text

Without Istio, each app has to carry its own:
● Encryption library
● Tracing library
● Identity support
● Circuit breaking
● Ingress control
● Certificate authority
● Egress firewall
● Access control

Slide 12

Slide 12 text

Without Istio (as above: encryption library, tracing library, identity support, circuit breaking, ingress control, certificate authority, egress firewall, access control all inside the app).

With Istio, the pod holds the app plus a sidecar that provides:
● Egress / Ingress
● Circuit breaking
● Fault injection
● Identity
● Encryption
● Observability

The control plane provides:
● Ingress/Egress controls
● Certificate authority
● Access controls
● Routing rules

Slide 13

Slide 13 text

Istio security architecture

Slide 14

Slide 14 text

Solutions

Slide 15

Slide 15 text

Ecosystem tools

Slide 16

Slide 16 text

Securing communications
● Lots of work securing connections between Ingress and Pods (e.g. cert-manager).
● Service-to-service authentication and encryption relies on custom approaches.

Incorporating identity
● Kubernetes Service Accounts can be used to establish service identity, but apps need to know about them.
● User identity is more bespoke and depends on custom integrations.

Slide 17

Slide 17 text

Encrypting service traffic using Istio

Slide 18

Slide 18 text

Enabling mTLS
● Policy (server side): tells a service what sorts of connections it can accept (plaintext, mTLS, or both).
● DestinationRule (client side): tells clients what sort of connection they should originate to that service.
Both halves have to agree: a server that only accepts plaintext will reject an mTLS handshake, and a STRICT server will reject clients that are still sending plaintext.

Slide 19

Slide 19 text

Securing a subset of services
How do you use Istio to slowly deploy mTLS across the mesh, while also keeping legacy clients in mind?
(diagram: frontend service in namespace legacy; backend service in namespace secure, which has istio-injection: enabled)

Slide 20

Slide 20 text

Apply Policy with PERMISSIVE mode
(diagram: frontend in namespace legacy; backend in namespace secure, istio-injection: enabled; backend state: PERMISSIVE)

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-backend
  namespace: secure
spec:
  targets:
  - name: backend
  peers:
  - mtls:
      mode: PERMISSIVE

Slide 21

Slide 21 text

Apply DestinationRule with MUTUAL mode
(diagram: frontend in namespace legacy; backend in namespace secure, istio-injection: enabled; backend state: PERMISSIVE, clients: MUTUAL)

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mtls-mutual
spec:
  host: backend.secure
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Slide 22

Slide 22 text

Apply Policy with STRICT mode
(diagram: frontend in namespace legacy; backend in namespace secure, istio-injection: enabled; backend state: STRICT, clients: MUTUAL; the legacy frontend, which still sends plaintext, is now rejected)

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mtls-backend
  namespace: secure
spec:
  targets:
  - name: backend
  peers:
  - mtls:
      mode: STRICT
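The three-step rollout above works only in that order. The following is an added example, not code from the slides or from Istio: a small Python model of the Istio 1.4 connection rules (mesh-wide mTLS off and auto mTLS off, as in the demo profile used on these slides) that replays the safe order and two tempting shortcuts, so you can see which step breaks which client before touching a real cluster. The client names and step labels are made up for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Two kinds of caller. The legacy frontend has no sidecar and can only send
# plaintext; a mesh client's sidecar sends whatever its DestinationRule says.
LEGACY = "frontend (namespace legacy, no sidecar)"
MESH = "mesh client (sidecar)"


@dataclass(frozen=True)
class MeshState:
    """Assumed Istio 1.4 settings: mesh-wide mTLS off, auto mTLS off."""
    server_mtls_mode: Optional[str]  # backend Policy peers.mtls.mode: None, "PERMISSIVE", "STRICT"
    client_tls_mode: str             # DestinationRule tls.mode for clients: "DISABLE" or "ISTIO_MUTUAL"


def client_sends_mtls(client: str, state: MeshState) -> bool:
    """Without auto mTLS a sidecar originates mTLS only when a DestinationRule
    with tls.mode ISTIO_MUTUAL covers the destination; legacy clients never do."""
    if client == LEGACY:
        return False
    return state.client_tls_mode == "ISTIO_MUTUAL"


def server_accepts(mtls_offered: bool, state: MeshState) -> bool:
    """What the backend sidecar accepts:
    no Policy   -> plaintext only (a TLS handshake against it fails)
    PERMISSIVE  -> plaintext or mTLS
    STRICT      -> mTLS only"""
    mode = state.server_mtls_mode
    if mode is None:
        return not mtls_offered
    if mode == "PERMISSIVE":
        return True
    if mode == "STRICT":
        return mtls_offered
    raise ValueError(f"unknown mtls mode {mode!r}")


def connection_ok(client: str, state: MeshState) -> bool:
    return server_accepts(client_sends_mtls(client, state), state)


def rollout(steps: List[Tuple[str, MeshState]]) -> List[Tuple[str, Dict[str, bool]]]:
    """Replay a sequence of mesh states and report, after each step, which
    clients can still reach the backend."""
    return [(label, {c: connection_ok(c, st) for c in (LEGACY, MESH)})
            for label, st in steps]


# The order from the slides: PERMISSIVE, then ISTIO_MUTUAL on clients, then STRICT.
SAFE_ORDER = [
    ("0 no Policy, no DestinationRule",   MeshState(None, "DISABLE")),
    ("1 Policy PERMISSIVE",               MeshState("PERMISSIVE", "DISABLE")),
    ("2 + DestinationRule ISTIO_MUTUAL",  MeshState("PERMISSIVE", "ISTIO_MUTUAL")),
    ("3 Policy STRICT",                   MeshState("STRICT", "ISTIO_MUTUAL")),
]

# Shortcut 1: STRICT before any DestinationRule. Mesh clients are still
# sending plaintext, so they are locked out together with the legacy ones.
STRICT_FIRST = [
    ("0 no Policy",      MeshState(None, "DISABLE")),
    ("1 Policy STRICT",  MeshState("STRICT", "DISABLE")),
]

# Shortcut 2: DestinationRule ISTIO_MUTUAL before any Policy. The backend is
# still plaintext-only, so mesh clients fail their handshake while legacy works.
DESTINATION_RULE_FIRST = [
    ("0 no Policy",                      MeshState(None, "DISABLE")),
    ("1 DestinationRule ISTIO_MUTUAL",   MeshState(None, "ISTIO_MUTUAL")),
]

if __name__ == "__main__":
    for name, steps in (("safe order", SAFE_ORDER),
                        ("STRICT first", STRICT_FIRST),
                        ("DestinationRule first", DESTINATION_RULE_FIRST)):
        print(name)
        for label, ok in rollout(steps):
            print(f"  {label:36s} legacy={ok[LEGACY]!s:5s} mesh={ok[MESH]}")
```

On a real 1.4 cluster the equivalent check is `istioctl authn tls-check <client-pod> backend.secure.svc.cluster.local`, which reports the server Policy and client DestinationRule side by side and flags a CONFLICT when they disagree.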

Slide 23

Slide 23 text

New in 1.4 – Auto mTLS (alpha)
● Enable STRICT mTLS using just Policy objects
● Istio sidecars automatically know to use mTLS connections
● Can be overridden by DestinationRule objects
● Mesh-wide installation flag:

$ istioctl manifest apply --set profile=demo \
    --set values.global.mtls.auto=true \
    --set values.global.mtls.enabled=false

Slide 24

Slide 24 text

Authorizing service access using Istio

Slide 25

Slide 25 text

New in 1.4 – AuthorizationPolicy
Before Istio 1.4: ClusterRbacConfig, ServiceRole, ServiceRoleBinding, bound to the Kubernetes Service Account
Istio 1.4+: a single AuthorizationPolicy, bound to the Kubernetes Service Account

Slide 26

Slide 26 text

Controlling access to services
How do you use fine-grained authz controls to manage access to/from specific services?
(diagram: Service A in namespace team1; Service B and Service C in namespace team2; both namespaces have istio-injection: enabled)

Slide 27

Slide 27 text

Controlling access to services
● A can talk to B
● B can talk to C
● A can’t talk to C
(diagram: Service A in namespace team1; Service B and Service C in namespace team2; both namespaces have istio-injection: enabled)

Slide 28

Slide 28 text

Use AuthorizationPolicy to control access
(diagram: Service A in namespace team1; Service B and Service C in namespace team2; both namespaces have istio-injection: enabled)

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-authz-policy
  namespace: team2
spec:
  selector:
    matchLabels:
      app: serviceC
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/team2/sa/serviceB"
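The policy above gives the "A can’t talk to C" outcome, but it is worth seeing why A can still talk to B: in Istio 1.4 a workload that no AuthorizationPolicy selects is open to everyone, and a policy only denies what its rules do not match. The following is an added example, not code from the slides or from Istio: a Python model of the 1.4 ALLOW-only evaluation rules, run over the slides’ three services (assumed here to run as service accounts serviceA in team1 and serviceB, serviceC in team2) with the slides’ policy alone and then with a namespace-wide deny-all plus explicit allows. The `deny-all` and `allow-a-to-b` policy names and the `/api/*` path are made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Workload:
    namespace: str
    labels: Dict[str, str]
    service_account: str

    @property
    def principal(self) -> str:
        # SPIFFE identity Istio puts in the workload's mTLS certificate.
        return f"cluster.local/ns/{self.namespace}/sa/{self.service_account}"


def _path_match(pattern: str, path: str) -> bool:
    """Istio path matching: exact, prefix ("/api/*"), suffix ("*.png") or "*"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path


@dataclass
class Rule:
    principals: List[str] = field(default_factory=list)  # from.source.principals
    namespaces: List[str] = field(default_factory=list)  # from.source.namespaces
    methods: List[str] = field(default_factory=list)     # to.operation.methods
    paths: List[str] = field(default_factory=list)       # to.operation.paths

    def matches(self, src_principal: Optional[str], method: str, path: str) -> bool:
        # A plaintext caller presents no certificate, so src_principal is None
        # and can never satisfy a principals or namespaces condition.
        if self.principals and src_principal not in self.principals:
            return False
        if self.namespaces:
            src_ns = src_principal.split("/")[2] if src_principal else None
            if src_ns not in self.namespaces:
                return False
        if self.methods and method not in self.methods:
            return False
        if self.paths and not any(_path_match(p, path) for p in self.paths):
            return False
        return True


@dataclass
class AuthorizationPolicy:
    name: str
    namespace: str
    selector: Optional[Dict[str, str]]  # None = every workload in the namespace
    rules: List[Rule]                   # empty list = deny everything

    def applies_to(self, wl: Workload) -> bool:
        if wl.namespace != self.namespace:
            return False
        return self.selector is None or all(
            wl.labels.get(k) == v for k, v in self.selector.items())


def authorize(policies: List[AuthorizationPolicy], target: Workload,
              src_principal: Optional[str], method: str = "GET", path: str = "/") -> bool:
    """Istio 1.4 semantics: no applicable policy -> allow; otherwise allow only
    if some rule of some applicable policy matches the request."""
    applicable = [p for p in policies if p.applies_to(target)]
    if not applicable:
        return True
    return any(r.matches(src_principal, method, path)
               for p in applicable for r in p.rules)


SERVICE_A = Workload("team1", {"app": "serviceA"}, "serviceA")
SERVICE_B = Workload("team2", {"app": "serviceB"}, "serviceB")
SERVICE_C = Workload("team2", {"app": "serviceC"}, "serviceC")

# The policy from the slides: only serviceB's identity may reach serviceC.
ALLOW_B_TO_C = AuthorizationPolicy("my-authz-policy", "team2", {"app": "serviceC"},
                                   [Rule(principals=[SERVICE_B.principal])])

# Hardened variant: deny-by-default for all of team2 (a policy with no rules),
# then an explicit, method- and path-scoped allow so A can still reach B.
DENY_ALL_TEAM2 = AuthorizationPolicy("deny-all", "team2", None, [])
ALLOW_A_TO_B = AuthorizationPolicy("allow-a-to-b", "team2", {"app": "serviceB"},
                                   [Rule(principals=[SERVICE_A.principal],
                                         methods=["GET"], paths=["/api/*"])])


def evaluate_scenario(policies: List[AuthorizationPolicy]) -> Dict[str, bool]:
    return {
        "A->B": authorize(policies, SERVICE_B, SERVICE_A.principal, "GET", "/api/cart"),
        "B->C": authorize(policies, SERVICE_C, SERVICE_B.principal),
        "A->C": authorize(policies, SERVICE_C, SERVICE_A.principal),
        "plaintext->B": authorize(policies, SERVICE_B, None, "GET", "/api/cart"),
        "plaintext->C": authorize(policies, SERVICE_C, None),
    }


if __name__ == "__main__":
    print("slides' policy only:", evaluate_scenario([ALLOW_B_TO_C]))
    print("deny-all + allows:  ", evaluate_scenario([DENY_ALL_TEAM2, ALLOW_A_TO_B, ALLOW_B_TO_C]))
```

The first run shows the gap: with the slides’ policy alone, an unauthenticated plaintext caller can still reach serviceB. Because principals come from the peer certificate, principal-based rules only carry weight once the target is behind STRICT mTLS; in PERMISSIVE mode a plaintext client is denied by a `principals` rule but would be admitted by any rule that constrains only `to`.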

Slide 29

Slide 29 text

User Identity Authentication with JWT
(diagram: Service B calling Service C with a Bearer token; Service C requires a JWT)

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: frontend-jwt-policy
spec:
  targets:
  - name: frontend
  peers:
  - mtls:
      mode: PERMISSIVE
  origins:
  - jwt:
      issuer: http://keycloak.default:8080/auth/realms/istio
      jwksUri: http://keycloak.default:8080/auth/realms/istio/protocol/openid-connect/certs
  principalBinding: USE_ORIGIN

Slide 30

Slide 30 text

Demos ➔ Preventing unauthorized access to services ➔ Automatically enabling mTLS encryption ➔ Require a JWT for auth

Slide 31

Slide 31 text

Hipster Shop github.com/GoogleCloudPlatform/microservices-demo

Slide 32

Slide 32 text

Automatically enabling mTLS

Slide 33

Slide 33 text

Authorized service access

Slide 34

Slide 34 text

Authorized service access

Slide 35

Slide 35 text

What’s new

Slide 36

Slide 36 text

What’s (also) new in 1.4
● Mixer-less telemetry (alpha)
● AuthorizationPolicy (beta)
● Auto mTLS (experimental)
● Expanded istioctl analyze capabilities
● Sidecar improvements (graceful exits, more metrics, percent-mirroring)
● istio.io/news/releases/1.4.x/announcing-1.4/change-notes/

Slide 37

Slide 37 text

What’s coming in 1.5
● istiod
  ○ Microservices to monolith (blog post, video)
● Control plane security
● Draft release notes

Slide 38

Slide 38 text

Thank You! Questions or Comments?
Find us @christianposta and @crcsmnky

Learn More
● Istio istio.io
● Google Cloud cloud.google.com
● Solo.io www.solo.io
● Gloo gloo.solo.io
● Service Mesh Hub servicemeshhub.io

Demo
● crcsmnky/securing-microservices-istio