Securing Your Microservices using Istio Christian Posta | @christianposta | Solo.io Sandeep Parikh | @crcsmnky | Google Cloud

What we’ll cover Challenges Why Istio Solutions What’s New Questions

Challenges

Securing service to service communication

How do you encrypt traffic between your services? In Kubernetes deployments, services communicate using plain-text. Securing communication channels requires apps to support encryption and infrastructure to supply keys at scale Service A Service B Infra

Determining which apps support encryption Distributed system to provision & manage keys Challenges implementing encryption Updating applications to include encryption support

Controlling access to your services

How do you prevent unauthorized access? Kubernetes provides RBAC capabilities but they’re coarse-grained and don’t know about app specifics. Implementing authorization controls requires apps to understand service- or user-level identity, and implement that for all routes. Service B Service C Service A

Challenges implementing authorization Apps need to understand and verify service / user identity on every call Apps need to apply identity controls to every route / verb combination

Why Istio

Without Istio App Encryption library Tracing library Identity support Circuit breaking Ingress control Certificate authority Egress firewall Access control

Without Istio With Istio App Encryption library Tracing library Identity support Circuit breaking Ingress control Certificate authority Egress firewall Access control Pod App Egress Ingress Circuit breaking Fault injection Identity Encryption Observability Ingress/Egress Controls – Certificate Authority – Access Controls – Routing Rules Control plane

Istio security architecture

Solutions

Ecosystem tools

Securing communications Lots of work securing connections between Ingress and Pods (e.g. cert-manager). Service-to-service authentication and encryption relies on custom approaches. Kubernetes Service Accounts can be used to establish service identity but apps need to know about them. User identity is more bespoke and depends on custom integrations. Incorporating identity

Encrypting service traffic using Istio

Enabling mTLS Policy Tell services what sorts of connections they can accept DestinationRule Tell clients what sorts of connections they should use

Securing a subset of services How do you use Istio to slowly deploy mTLS across the mesh, while also keeping legacy clients in mind? service frontend backend namespace: legacy namespace: secure istio-injection: enabled

service frontend backend namespace: legacy namespace: secure istio-injection: enabled Apply Policy with PERMISSIVE mode apiVersion: auth.istio.io/v1alpha1 kind: Policy metadata: name: mtls-backend namespace: secure spec: targets: - name: backend peers: - mtls: mode: PERMISSIVE PERMISSIVE

Apply DestinationRule with MUTUAL mode service frontend backend namespace: legacy namespace: secure istio-injection: enabled apiVersion: net.istio.io/v1alpha3 kind: DestinationRule metadata: name: mtls-mutual spec: host: backend.secure trafficPolicy: tls: mode: ISTIO_MUTUAL PERMISSIVE MUTUAL

Apply Policy with STRICT mode service frontend backend namespace: legacy namespace: secure istio-injection: enabled apiVersion: auth.istio.io/v1alpha1 kind: Policy metadata: name: mtls-backend namespace: secure spec: targets: - name: backend peers: - mtls: mode: STRICT PERMISSIVE MUTUAL

● Enable STRICT mTLS using just Policy objects ● Istio sidecars automatically know to use mTLS connections ● Can be overridden by DestinationRule objects ● Mesh-wide installation flag New in 1.4 – Auto mTLS (alpha) $ istioctl manifest apply --set profile=demo \ --set values.global.mtls.auto=true \ --set values.global.mtls.enabled=false

Authorizing service access using Istio

New in 1.4 – AuthorizationPolicy ClusterRbacConfig ServiceRole ServiceRoleBinding Kubernetes Service Account Before Istio 1.4 AuthorizationPolicy Kubernetes Service Account Istio 1.4+

Controlling access to services How do you use fine-grained authz controls to manage access to/from specific services? Service A Service B Service C namespace: team1 istio-injection: enabled namespace: team2 istio-injection: enabled

Controlling access to services A can talk B B can talk C A can’t talk to C Service A Service B Service C namespace: team1 istio-injection: enabled namespace: team2 istio-injection: enabled

Use AuthorizationPolicy to control access apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: my-authz-policy namespace: team2 spec: selector: matchLabels: app: serviceC rules: - from: - source: principals: - "cluster.local/ns/team2/sa/serviceB" Service A Service B Service C namespace: team1 istio-injection: enabled namespace: team2 istio-injection: enabled

User Identity Authentication with JWT apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: name: frontend-jwt-policy spec: targets: - name: frontend peers: - mtls: mode: PERMISSIVE origins: - jwt: issuer: http://keycloak.default:8080/auth/realms/istio jwksUri: http://keycloak.default:8080/auth/realms/istio/p rotocol/openid-connect/certs principalBinding: USE_ORIGIN Service B Service C Bearer: token Need JWT

Demos ➔ Preventing unauthorized access to services ➔ Automatically enabling mTLS encryption ➔ Require a JWT for auth

Hipster Shop github.com/GoogleCloudPlatform/microservices-demo

Automatically enabling mTLS

Authorized service access

Authorized service access

What’s new

What’s (also) new in 1.4 ● Mixer-less telemetry (alpha) ● AuthorizationPolicy (beta) ● Auto mTLS (experiemental) ● Expanded istioctl analyze capabilities ● Sidecar improvements (graceful exits, more metrics, percent-mirroring) ● istio.io/news/releases/1.4.x/announcing-1.4/change-notes/

What’s coming in 1.5 ● istiod ○ Microservices to monolith (blog post, video) ● Control plane security ● Draft release notes

Thank You! Questions or Comments? Find us @christianposta and @crcsmnky Learn More ● Istio istio.io ● Google Cloud cloud.google.com ● Solo.io www.solo.io ● Gloo gloo.solo.io ● Service Mesh Hub servicemeshhub.io Demo ● crcsmnky/securing-microservices-istio