Slide 1

Slide 1 text

Online Meetup #6 July 14, 2020

Slide 2

Slide 2 text

2 | Copyright © 2020

Meetup Agenda
• WebAssembly + Envoy Recap
• Demos of Community Extensions
• Community Q&A
• Roadmap Discussion

Solo.io Team for Today’s Meetup
• Betty Junod @bettyjunod
• Yuval Kohavi @kohaviyuval
• Scott Weiss @ilackarms
• Shane O’Donnell @sodman74

Slide 3

Slide 3 text

Introduction
What is WebAssembly?
WebAssembly (wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the web for client and server applications.
• PORTABLE
• SECURE
• FAST
• ANY LANGUAGE

Slide 4

Slide 4 text

Introduction
BEFORE: EXTERNAL AUTH, RATE LIMITING, ROUTER, UPSTREAM, gRPC TRANSCODER, CUSTOM FILTERS
AFTER: EXTERNAL AUTH, RATE LIMITING, ROUTER, UPSTREAM, WASM, gRPC TRANSCODER
• Only C++
• Maintain Envoy distro
• Hard dependency
• Stop and recompile

Slide 5

Slide 5 text

Introduction
Terminology
• WebAssembly (wasm): The actual WebAssembly binary instruction format.
• Envoy-wasm: Where the work is happening to provide support for WebAssembly in Envoy. Not yet available in the upstream project. Repo: github.com/envoyproxy/envoy-wasm
• WebAssembly Hub: Public hub by Solo.io to publish and share wasm extensions for Envoy-based tools (Envoy, Gloo, Istio). Launched Dec 2019 and updated March 2020.
• wasme: CLI by Solo.io for the developer experience to build, push, pull wasm extensions for Envoy-based tools (Envoy, Gloo, Istio).
• Module, Extension, Filter: Terms used for the customization built using wasm for Envoy.

THANK YOU! 220+ Community Repos Available

Slide 6

Slide 6 text

Introduction
How does wasm work with Envoy
• Write filter in any language
• Compile to .wasm module
• Dynamically load in Envoy during runtime

Slide 7

Slide 7 text

Guest Speakers and Demos
• Blake Covarrubias, Sr. Product Manager, @blakecova
• Bryant Hagadorn, Security Engineer, bit.ly/2ZSEzWF

Slide 8

Slide 8 text

Secure Link by Blake

About this Filter
Secure Link checks the authenticity of requested links and protects resources from unauthorized access. Authenticity is verified by comparing the checksum value passed in a request with the value computed for the request, using a shared secret.
This filter is experimental / proof-of-concept. It is not meant to be used in production deployments.
Secure Link was inspired by nginx's ngx_http_secure_link_module. See http://nginx.org/en/docs/http/ngx_http_secure_link_module.html for more information.

Code on GitHub
https://github.com/blake/secure-link-filter/

Wasme Pull Command
wasme pull webassemblyhub.io/blake/secure-link:v0.1
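
The checksum comparison described on this slide, as an added example that is not code from the Secure Link filter or from nginx. It assumes a query-string layout (expires, token), a constructed secret, and HMAC-SHA256 in place of the MD5 hash that nginx's module uses; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: secret shared by signer and proxy


def compute_token(path, expires, secret=SECRET):
    """Checksum over the expiry time and path, keyed with the shared secret."""
    msg = f"{expires}:{path}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_link(path, ttl, now=None, secret=SECRET):
    """Issue a link that is valid for ttl seconds."""
    expires = int(time.time() if now is None else now) + ttl
    return f"{path}?expires={expires}&token={compute_token(path, expires, secret)}"


def verify_link(url, now=None, secret=SECRET):
    """Return 'ok', 'missing', 'forbidden' or 'expired' for a requested URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    token = query.get("token", [""])[0]
    expires_raw = query.get("expires", [""])[0]
    # Reject absent or non-numeric fields before doing any comparison.
    if not token or not (expires_raw.isascii() and expires_raw.isdigit()
                         and len(expires_raw) <= 12):
        return "missing"
    expected = compute_token(parts.path, int(expires_raw), secret)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "forbidden"
    # Expiry is checked only after the checksum, so a forged expiry is
    # rejected as 'forbidden' and never reaches this comparison.
    if (time.time() if now is None else now) > int(expires_raw):
        return "expired"
    return "ok"


if __name__ == "__main__":
    link = sign_link("/files/report.pdf", ttl=300, now=1_000_000)  # constructed input
    print(link, verify_link(link, now=1_000_100))
```

Because the path and the expiry are both covered by the checksum, changing either one in the URL invalidates the token.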

Slide 9

Slide 9 text

WASM Security Headers (kronos)
BRYANT HAGADORN
7/14/2020

Slide 10

Slide 10 text

Inspiration
• HelmetJS (https://helmetjs.github.io/)
• Django CSP (https://django-csp.readthedocs.io/en/latest/)
• PHP Secure Headers (https://github.com/BePsvPT/secure-headers)

Slide 11

Slide 11 text

What are Security Headers?
https://wiki.owasp.org/index.php/OWASP_Secure_Headers_Project
Security headers generally instruct the browser how to interact with the rest of the internet. This can include information on how to process cross-domain requests, upgrading to HTTPS from HTTP, etc.
They are not silver bullets in web application security, but are generally recommended best practices according to OWASP.
Inevitable agility vs. security debate

Slide 12

Slide 12 text

Before: Nginx

Slide 13

Slide 13 text

Before: Express

Slide 14

Slide 14 text

After:

Slide 15

Slide 15 text

Demo
Currently have Istio on top of GKE cluster, BookInfo and BookInfo Gateways installed…
Install Istio 1.5

Slide 16

Slide 16 text

Next Steps for the Project
• Support dynamic header security items (such as whitelisting of common libraries like Bootstrap, Google Fonts, or other custom CDN-served cross-domain items that are better hosted elsewhere)
• Storing configuration inside of Kubernetes Secret or ConfigMap (rather than inside of the Kronos)
• Apply security headers only to UI and APIs interacting
• Get BookInfo to an A
• Apply least privilege automatically, flag violations, automatically suggest headers
• Feedback from the community?

Slide 17

Slide 17 text

How to help or reach me?
• Create issues in the repo: https://github.com/blhagadorn/kronos
• Add me on LinkedIn to chat: https://www.linkedin.com/in/bryanthagadorn/
• Reach out on Kubernetes (haggs) or Solo.io Slack (Bryant Hagadorn)
• https://medium.com/@bryant.hagadorn

Slide 18

Slide 18 text

Community Q&A

Slide 19

Slide 19 text

QUESTION: What kinds of filters are possible besides Header Transformation?

Slide 20

Slide 20 text

QUESTION: Is Istio 1.6 supported?

Slide 21

Slide 21 text

QUESTION: What languages are currently supported for WebAssembly+Envoy and the tooling by Solo.io (WebAssembly Hub and wasme)?

Slide 22

Slide 22 text

QUESTION: How do you pronounce wasm and wasme?

Slide 23

Slide 23 text

QUESTION: How can you communicate or send data between two filters?

Slide 24

Slide 24 text

What’s Next

Slide 25

Slide 25 text

Currently in Development
• Add Wasm for Gloo Enterprise: github.com/solo-io/gloo/issues/3035
• Update to latest version of Envoy-Wasm: github.com/solo-io/wasme/issues/131
• Istio 1.6 support: github.com/solo-io/wasme/issues/126

Slide 26

Slide 26 text

Feedback, Discussion, Questions
• Which languages are you most interested in next?
• What other service meshes are you interested in using WebAssembly with?
• What kind of filters are you interested in? (or content to help build your own)
• What kind of capabilities does your company need to use WebAssembly? (i.e. tooling, integrations, security, support, etc.)
• What else?

Slide 27

Slide 27 text

About Us: solo.io
Community: slack.solo.io
WebAssembly Hub: webassemblyhub.io

Get Involved
● Suggest features or file issues: github.com/solo-io/wasme/issues
● Review the OCI image spec: github.com/solo-io/wasm-image-spec
● Check out envoy-wasm: github.com/envoyproxy/envoy-wasm
● SDK for Proxy and Solo.io

Guest Speakers Filters
● Blake’s filter 63/secure-link
● Bryant’s filter 174/kronos and blog bit.ly/3gKAWZG