Slide 1

© 2019 Palo Alto Networks. All Rights Reserved.
Securing Kubernetes Networking with Consul Connect and Envoy
Christoph Puhl, Consul Technology Specialist | Field CTO Office | HashiCorp
[email protected] | @cpu601

Slide 3

Multi-*

Slide 4

Multi-Cloud

Slide 5

Multi-Runtime

Slide 6

The Cloud Landscape (columns from STATIC to DYNAMIC: Dedicated, Private Cloud, AWS, Azure, GCP)
Provision (Operations): vCenter, Terraform, CloudFormation, Resource Manager, Cloud Deployment Manager
Secure (Security): IP: Hardware; Identity: AD/LDAP; Identity: AWS IAM; Identity: Azure AD; Identity: GCP IAM
Connect (Networking): Hardware, Various Hardware, Proprietary, Istio, Proprietary, CloudMap, AppMesh
Run (Development): vSphere, vSphere, EKS/ECS, Lambda, AKS/ACS, Azure Functions, GKE, Cloud Functions

Slide 7

A Common Operating Model with HashiCorp
Provision (Operations), Secure (Security), Connect (Networking), Run (Development)
across Private Cloud, AWS, Azure, GCP

Slide 8

The Road to Service Mesh...

Slide 11

Traditional Datacenter

Slide 12

Modern Datacenter

Slide 13

Monoliths & Microservices

Slide 14

This is a monolith

Slide 15

Monoliths

Slide 16

These are microservices

Slide 17

Microservices

Slide 18

Microservices

Slide 19

Microservices

Slide 21

Dynamic Infrastructure Challenges
● Service Discovery
● Service Segmentation
● Service Configuration

Slide 22

Service Registry & Discovery

Slide 23

Service Discovery
B = [ '1.2.3.4', '1.2.3.5', '1.2.3.6' ]

Slide 24

Service Discovery
B = '1.2.3.4'

Slide 25

Service Discovery
1.2.3.4

Slide 26

Service Discovery

Slide 27

Service Mesh

Slide 28

Service Segmentation

Slide 29

Service Segmentation

Slide 30

Service Segmentation

Slide 31

Service Segmentation

Slide 32

Service Segmentation

Slide 33

Consul Service Mesh

Slide 34

Control Plane vs. Data Plane
● Consul as Control Plane
● Pluggable Proxies as Data Plane
● Instructions to proxies are cached on the Consul agent
● New instructions are pulled only on changes

Slide 35

Certificate Authority

Slide 36

Certificate Generation
● X.509 Certificate
● SPIFFE Compatible
● Automatic Generation & Rotation
● Provides Identity and Encryption

Slide 37

Service Access Graph

Slide 38

Service Graph: Codify Intentions

TERMINAL
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)

The same intentions are applied no matter where the service exists.
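The two commands above form a default-deny rule for `web` with one explicit allow. The following is an added example, not code from the slides, that parses those terminal lines and evaluates them with Consul's documented precedence rule (an exact name outranks `*`, and the destination side outranks the source side); the fallback used when no intention matches (`default="deny"`) is an assumption, since in a real cluster that comes from the ACL default policy.

```python
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Intention:
    source: str
    destination: str
    action: str  # "allow" or "deny"


def parse_intention_command(line):
    """Parse one `consul intention create -allow|-deny SOURCE DESTINATION` line (a leading '$ ' is allowed)."""
    argv = shlex.split(line.lstrip("$ "))
    if argv[:3] != ["consul", "intention", "create"] or len(argv) != 6:
        raise ValueError(f"not an intention create command: {line!r}")
    flag, source, destination = argv[3:6]
    action = flag.lstrip("-")
    if action not in ("allow", "deny"):
        raise ValueError(f"unexpected flag {flag!r}")
    return Intention(source, destination, action)


def precedence(i):
    """Consul's rule: exact names outrank '*', and destination exactness weighs more than source exactness."""
    return (2 if i.destination != "*" else 0) + (1 if i.source != "*" else 0)


def matches(i, source, destination):
    return i.source in ("*", source) and i.destination in ("*", destination)


def authorize(intentions, source, destination, default="deny"):
    """The highest-precedence matching intention decides; `default` (an assumption) applies when none match."""
    hits = [i for i in intentions if matches(i, source, destination)]
    return max(hits, key=precedence).action if hits else default


# The two commands from the slide, exactly as typed at the terminal
INTENTIONS = [parse_intention_command(c) for c in (
    "$ consul intention create -deny web '*'",
    "$ consul intention create -allow web db",
)]


def check_slide_graph():
    """web may reach db and nothing else; the order the intentions were created in does not change that."""
    targets = ("db", "api", "cache")
    forward = {d: authorize(INTENTIONS, "web", d) for d in targets}
    reverse = {d: authorize(list(reversed(INTENTIONS)), "web", d) for d in targets}
    return forward, forward == reverse
```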

Slide 39

Web UI
Manage intentions via web interface

Slide 40

Application Integration

Slide 41

Sidecar Proxies
Sidecar proxy to secure traffic for any application
Consul provides sidecar proxies running alongside applications that transparently wrap traffic in TLS and enforce the intentions.
● No code modification required
● Minimal performance overhead
● Pluggable data plane: built-in Layer 4 proxy, native Envoy integration or other third-party proxy integration
● Operational flexibility, decoupling the security concern from the application itself

Slide 42

Proxy Registration: Kubernetes

TERMINAL
apiVersion: v1
kind: Pod
metadata:
  name: cats
  annotations:
    "consul.hashicorp.com/connect-inject": "true"
spec:
  containers:
    - name: cats
      image: grove-mountain/cats:1.0.1
      ports:
        - containerPort: 8000
          name: http

Slide 43

Sidecar Proxies

Slide 44

Sidecar Proxies

Slide 45

Sidecar Proxies

Slide 46

L7 Traffic Management

Slide 47

L4 Traffic
"web.service.consul"

Slide 48

L7 Traffic Management
HTTP Routing | Traffic Splitting | Custom Resolution
"web.service.consul"

Slide 49

L7 Traffic Management
HTTP Routing | Traffic Splitting | Custom Resolution
"web.service.consul"
/api => service: "api", path: "/"
Subset: "v2" (Meta.Version == 2)
Instances: v1, v2, v1

Slide 50

Mesh Gateways

Slide 51

Mesh Gateways: the Multi-Cloud and Multi-Cluster challenge
● Single Kubernetes cluster: most service meshes are built for a single cluster.
● Multi-cluster service mesh: connecting multiple service meshes across different Kubernetes clusters is not solved yet.
● Service mesh across clouds: connecting service meshes across different environments (clouds, on-prem, etc.) requires a lot of work.

Slide 52

Mesh Gateways

Slide 53

Mesh Gateways

Slide 54

Mesh Gateways
● Mesh gateways, built upon Envoy, will sit on the public internet and accept L4 traffic with mTLS
● Mesh gateways will perform NAT and route the traffic to the correct endpoint on the private network
● The services themselves need NOT be exposed on the public network for cross-cloud service communication

Slide 55

Kubernetes Integration

Slide 56

Native Service Mesh Integration with Kubernetes
● Consul Helm Chart: automatically install, configure and upgrade Consul servers and clients on Kubernetes
● Consul Connect Auto-Inject: services on Kubernetes can be configured to automatically use Connect to securely communicate via mutual TLS
● Mesh Gateway: easily connect multiple Kubernetes clusters
Zero-touch deployment to enable federated multi-cluster communication on Kubernetes. Kubernetes and non-Kubernetes services can be discovered and connected automatically.

Slide 57

Demo

Slide 58

Consul Connect Multi-Cloud Demo Environment

Slide 59

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET / -> web-fe VM -> web-be VM, web-be VM

Slide 60

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET / -> web-fe VM -> web-be VM, web-be VM
(api instances added: api, api)

Slide 61

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api, api)

Slide 62

L7 Traffic Management: HTTP Routing

TERMINAL
Kind = "service-router"
Name = "web-be"
Routes = [
  {
    Match {
      HTTP {
        Path_Prefix = "/api"
      }
    }
    Destination {
      Service        = "api",
      Prefix_Rewrite = "/"
    }
  }
]

HTTP Routing can match on:
• Path (exact, prefix, regex)
• Header
• Query Params
• HTTP Methods

Slide 63

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api, api)

Slide 64

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1)

Slide 65

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2)

Slide 66

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2; split v1 80%, v2 20%)

Slide 67

L7 Traffic Management: Traffic Splitting

TERMINAL
Kind = "service-splitter"
Name = "api"
Splits = [
  {
    Weight         = 80
    Service_Subset = "v1"
  },
  {
    Weight         = 20
    Service_Subset = "v2"
  }
]

Slide 68

L7 Traffic Management: Custom Resolution

TERMINAL
Kind = "service-resolver"
Name = "api"
DefaultSubset = "v1"
Subsets = {
  "v1" = {
    Filter = "Service.Meta.version == v1"
  },
  "v2" = {
    Filter = "Service.Meta.version == v2"
  },
}
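The router, splitter and resolver entries from slides 62, 67 and 68 are evaluated in that order for every request leaving web-fe's sidecar. The following is an added example, not code from the slides or from Consul, that chains the three entries over a constructed catalog of api instances tagged with `Meta.version`; the 80/20 split is decided by a caller-supplied roll in [0, 100) so results are reproducible, and the prefix rewrite follows the swap-the-matched-prefix semantics Envoy documents.

```python
import re

# Constructed catalog for the demo topology: api instances carry Meta.version, web-be has no Meta
CATALOG = {
    "web-be": [{"address": "10.0.0.5", "meta": {}}],
    "api": [{"address": "10.0.0.11", "meta": {"version": "v1"}},
            {"address": "10.0.0.12", "meta": {"version": "v1"}},
            {"address": "10.0.0.21", "meta": {"version": "v2"}}],
}
# The three config entries from the slides, as Python dicts keyed by the service they apply to
ROUTERS = {"web-be": [{"Match": {"HTTP": {"Path_Prefix": "/api"}},
                       "Destination": {"Service": "api", "Prefix_Rewrite": "/"}}]}
SPLITTERS = {"api": [{"Weight": 80, "Service_Subset": "v1"},
                     {"Weight": 20, "Service_Subset": "v2"}]}
RESOLVERS = {"api": {"DefaultSubset": "v1",
                     "Subsets": {"v1": {"Filter": "Service.Meta.version == v1"},
                                 "v2": {"Filter": "Service.Meta.version == v2"}}}}
_FILTER = re.compile(r"^Service\.Meta\.(\w+) == (\w+)$")  # only the equality form used on the slide


def route(service, path):
    """Router stage: the first route whose path prefix matches wins, else stay on the service itself."""
    for r in ROUTERS.get(service, []):
        prefix = r["Match"]["HTTP"]["Path_Prefix"]
        if path.startswith(prefix):
            dest = r["Destination"]
            # Only the matched prefix is swapped, so '/api' -> '/' turns '/api/x' into '//x' (Envoy behaviour)
            return dest["Service"], dest.get("Prefix_Rewrite", prefix) + path[len(prefix):]
    return service, path


def split(service, roll):
    """Splitter stage: the subset whose cumulative weight first exceeds the roll wins; no splitter -> DefaultSubset."""
    acc = 0
    for s in SPLITTERS.get(service, []):
        acc += s["Weight"]
        if roll < acc:
            return s["Service_Subset"]
    return RESOLVERS.get(service, {}).get("DefaultSubset")


def resolve(service, subset):
    """Resolver stage: keep only the instances whose Meta satisfies the subset's Filter."""
    instances = CATALOG[service]
    if subset is None:
        return [i["address"] for i in instances]
    key, want = _FILTER.match(RESOLVERS[service]["Subsets"][subset]["Filter"]).groups()
    return [i["address"] for i in instances if i["meta"].get(key) == want]


def handle(path, roll):
    """One request from web-fe's sidecar: router -> splitter -> resolver; returns (service, subset, path, endpoints)."""
    service, upstream_path = route("web-be", path)
    subset = split(service, roll)
    return service, subset, upstream_path, resolve(service, subset)
```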

Slide 69

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2; split v1 80%, v2 20%)

Slide 70

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET / -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2)

Slide 71

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2; split v1 80%, v2 20%)

Slide 72

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe VM -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2; split v1 80%, v2 20%; web-fe pod added)

Slide 73

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET /api -> web-fe pod -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2; split v1 80%, v2 20%)

Slide 74

Consul Connect Multi-Cloud Demo Environment
Client -> HTTP GET / -> web-fe pod -> web-be VM, web-be VM
(api instances: api V1, api V1, api V2, api V2)

Slide 75

www.hashicorp.com | [email protected]
Thank you

Slide 76

www.hashicorp.com | [email protected]
Find us at booth S27