Slide 1

Workshop Multi-Cluster Service Mesh Operations

Slide 2

2 | Copyright © 2020

About me
Denis Jannot, Director of Field Engineering - EMEA @ Solo
@djannot
denis.jannot@solo.io
http://www.recorditblog.com
denisjannot

Slide 3

From Monolith to Microservices

[Diagram: monolith vs microservices]

Slide 4

Kubernetes became the most popular platform

[Diagram: monolith vs microservices on Kubernetes]

Slide 5

How do you expose your apps? The Ingress way

[Diagram: an Ingress (TLS, basic routing) in front of a Kubernetes Service and its Pods, exposing the microservices]

Slide 6

API Gateways

[Diagram: an API Gateway in front of the microservices: Connect, Secure, Control, Observe]

Slide 7

Service to Service communication requirements

• Identity Management
• Encryption
• Certificate Management
• Traffic Management
• Health check
• Access Control
• Telemetry
• ...

Slide 8

Service to Service communications

[Diagram: each Kubernetes Service handling encryption (possibly through a third party), telemetry, traffic management, access control, identity management, certificate management and health checks on its own]

Slide 9

Service to Service communications

[Diagram: the same concerns (encryption, telemetry, traffic management, access control, health check, identity management, certificate management) with an API Gateway in front of the microservices]

Slide 11

Service to Service communications

[Diagram: a service mesh with a control plane and a data plane taking over encryption, telemetry, traffic management, access control, identity management, certificate management and health checks]

Slide 12

Why Envoy Proxy for Service Mesh Data Plane

• Neutral Foundation (CNCF)
• Large, diverse, vibrant community
• Built from the ground up for dynamic services environments
• Dynamic configuration, driven by API
• Highly extensible
• L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc)
• Deep signals telemetry out of the box
• Versatile deployment options

Slide 13

Istio Architecture

[Diagram: Istio architecture]

Slide 14

Istio Multicluster (shared control plane)

[Diagram: Istio multicluster with a shared control plane]

Slide 15

Istio Multicluster (replicated control plane)

[Diagram: Istio multicluster with a replicated control plane]

Slide 16

Multicluster Service Mesh challenges

• You need Federated Trust and Identity
• You need to allow communications between clusters
• You need to manage access control globally
• You need to define a Disaster Recovery strategy
• You need to secure the Edge as well
• All of the above is highly complex

Slide 17

Gloo Mesh is simplifying everything

[Diagram: the management cluster holds the multi-cluster state (Mesh, TrafficTarget, Workload, TrafficPolicy, AccessPolicy, VirtualMesh and IssuedCertificate custom resources). Mesh Discovery discovers and watches the mesh (istiod), pods and services of each cluster and creates the corresponding custom resources; Mesh Networking watches the policies, creates the policies in each cluster and signs certs.]

Slide 18

Gloo Mesh Discovery

[Diagram: StartDiscovery runs when a KubernetesCluster CRD or a cluster secret is added; the InputSnapshot of each cluster (istiod, pods, services) goes through the MeshTranslator, WorkloadTranslator and TrafficTargetTranslator, and the OutputSnapshot creates the Mesh, Workload and TrafficTarget custom resources in the multi-cluster state.]

Slide 19

Gloo Mesh Networking

[Diagram: StartNetworking watches the TrafficPolicy, AccessPolicy, VirtualMesh and IssuedCertificate resources; the InputSnapshot goes through the VirtualMeshTranslator, FederationTranslator, FailoverTranslator, mtlsTranslator, TrafficTargetTranslator, TrafficPolicyTranslator and AccessPolicyTranslator, and the OutputSnapshot (Istio resources and certs) is applied to each cluster's istiod.]

Slide 20

Labs Environment

Slide 21

[Diagram: lab environment with a management cluster (MGMT) and two workload clusters (CLUSTER 1, CLUSTER 2)]

Slide 22

Lab 1: Deploy your Kubernetes clusters

Slide 23

Lab 2: Deploy Gloo Mesh and register the clusters

Slide 24

Lab 3: Deploy Istio on both clusters

Slide 25

Lab 4: Deploy the Bookinfo demo app

Slide 26

[Diagram: Bookinfo (productpage, reviews v1/v2/v3, details, ratings) deployed across the two clusters, each with its own Istio ingress gateway and istiod. Caption: Current state]

Slide 27

Federated Trust and Identity

Slide 28

Istio Identity

[Diagram: Istio identity]

Slide 29

Service to Service Authentication

• By default the TLS protocol only proves the identity of the server to the client, using an X.509 certificate; authentication of the client to the server is left to the application layer.
• Mutual TLS authentication refers to two parties authenticating each other at the same time.
• In Istio, mutual TLS works as follows:
  − Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy.
  − The client-side Envoy starts a mutual TLS handshake with the server-side Envoy. During the handshake, the client-side Envoy also does a secure naming check to verify that the service account presented in the server certificate is authorized to run the target service.
  − The client-side Envoy and the server-side Envoy establish a mutual TLS connection, and Istio forwards the traffic from the client-side Envoy to the server-side Envoy.
  − After authorization, the server-side Envoy forwards the traffic to the server service through local TCP connections.

Slide 30

SPIFFE ID

• SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running.
• A SPIFFE ID is a string that uniquely and specifically identifies a workload. SPIFFE IDs are Uniform Resource Identifiers (URIs) with the following format: spiffe://<trust domain>/<workload identifier>

Slide 31

SPIFFE ID in Istio

• The SPIFFE ID of a workload looks like spiffe://<trust domain>/ns/<namespace>/sa/<service account>
• The default trust domain is cluster.local, so the SPIFFE ID corresponding to a Pod started with the service account pod-sa in the default namespace would be spiffe://cluster.local/ns/default/sa/pod-sa.
• In a multi-cluster deployment, keeping the cluster.local trust domain in every cluster is a problem: there would be no way to tell a workload of one cluster from a workload of another cluster that uses the same service account and namespace names.
• Istio lets you use a different trust domain through the trustDomain parameter of the MeshConfig option.
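To make the identity format concrete, here is an added Python illustration (not code from the workshop, from Istio or from Gloo Mesh) that parses Istio workload SPIFFE IDs, performs the client-side secure naming check described on slide 29, derives the principal form used later in AuthorizationPolicy resources, and shows why two clusters that both keep the default cluster.local trust domain end up with indistinguishable identities. The trust-domain, namespace and service-account values are constructed to match the Bookinfo labs.

```python
"""Istio workload identities (SPIFFE IDs) and the secure naming check.
Added example for the workshop deck; not Istio's or Gloo Mesh's own code."""
from __future__ import annotations
from dataclasses import dataclass

SCHEME = "spiffe://"


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    namespace: str
    service_account: str

    def __str__(self) -> str:
        # spiffe://<trust domain>/ns/<namespace>/sa/<service account>
        return f"{SCHEME}{self.trust_domain}/ns/{self.namespace}/sa/{self.service_account}"

    def as_principal(self) -> str:
        # AuthorizationPolicy `principals` entries are the SPIFFE ID without the scheme,
        # e.g. cluster1/ns/default/sa/bookinfo-reviews
        return str(self)[len(SCHEME):]


def parse_spiffe_id(uri: str) -> SpiffeId:
    """Parse an Istio workload SPIFFE ID; reject anything else."""
    if not uri.startswith(SCHEME):
        raise ValueError(f"not a SPIFFE ID: {uri!r}")
    parts = uri[len(SCHEME):].split("/")
    # expected layout: [trust_domain, "ns", namespace, "sa", service_account]
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa" or not all(parts):
        raise ValueError(f"not an Istio workload identity: {uri!r}")
    return SpiffeId(parts[0], parts[2], parts[4])


def workload_id(trust_domain: str, namespace: str, service_account: str) -> str:
    return str(SpiffeId(trust_domain, namespace, service_account))


def secure_naming_check(presented_san: str, authorized_ids: set) -> bool:
    """What the client-side Envoy does during the mTLS handshake: the identity
    in the server certificate's SAN must be one that is authorized to run the
    target service. `authorized_ids` is the set of SPIFFE IDs the control plane
    associates with that service (constructed by the caller here)."""
    try:
        identity = parse_spiffe_id(presented_san)
    except ValueError:
        return False  # not a workload identity at all
    return str(identity) in authorized_ids


def identities_collide(trust_domains: list, namespace: str, service_account: str) -> bool:
    """True if the same namespace/service account in different clusters yields
    the same SPIFFE ID, i.e. the clusters cannot be told apart."""
    ids = {workload_id(td, namespace, service_account) for td in trust_domains}
    return len(ids) < len(trust_domains)


if __name__ == "__main__":
    print(workload_id("cluster.local", "default", "pod-sa"))
    print("collision with default trust domains:",
          identities_collide(["cluster.local", "cluster.local"], "default", "bookinfo-reviews"))
    print("collision with per-cluster trust domains:",
          identities_collide(["cluster1", "cluster2"], "default", "bookinfo-reviews"))
```

The collision check is the reason the Virtual Mesh later uses cluster1 and cluster2 as trust domains: with one trust domain per cluster, the principal strings in the AuthorizationPolicy resources can name the cluster a caller lives in.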

Slide 32

Istio Multicluster (replicated control plane)

[Diagram: Istio multicluster with a replicated control plane]

Slide 33

[Diagram: Virtual Mesh creation workflow. A cert-agent in each cluster creates a certificate/key pair and a CSR; the management cluster signs the certificate with the shared root. Bookinfo runs in both clusters behind their Istio ingress gateways and istiod.]

Slide 34

Lab 5: Create the Virtual Mesh

Slide 35

Global Access Control

Slide 36

Istio Authorization

[Diagram: Istio authorization]

Slide 37

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: RBAC disabled]

Slide 38

Enable RBAC

Setting globalAccessPolicy: ENABLED on the VirtualMesh makes Gloo Mesh create, in every cluster of the mesh, an AuthorizationPolicy with an empty spec in the root namespace istio-system (which denies all traffic in Istio) plus an allow-all policy (rules: - {}) for the ingress gateway.

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: VirtualMesh
metadata:
  name: virtual-mesh
  namespace: gloo-mesh
spec:
  mtlsConfig:
    autoRestartPods: true
    shared:
      rootCertificateAuthority:
        generated: null
  federation: {}
  globalAccessPolicy: ENABLED
  meshes:
  - name: istiod-istio-system-cluster1
    namespace: gloo-mesh
  - name: istiod-istio-system-cluster2
    namespace: gloo-mesh

# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: global-access-control
  namespace: istio-system
spec: {}
---
# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
spec:
  rules:
  - {}
  selector:
    matchLabels:
      istio: ingressgateway

Slide 39

Enable RBAC

The same VirtualMesh on the management cluster (see slide 38) produces the equivalent policies in cluster 2:

# CLUSTER 2
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster2
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: global-access-control
  namespace: istio-system
spec: {}
---
# CLUSTER 2
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster2
    owner.networking.mesh.gloo.solo.io: gloo-mesh
spec:
  rules:
  - {}
  selector:
    matchLabels:
      istio: ingressgateway

Slide 40

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: RBAC enabled]

Slide 41

Ingress Gateway

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: AccessPolicy
metadata:
  namespace: gloo-mesh
  name: istio-ingressgateway
spec:
  sourceSelector:
  - kubeServiceAccountRefs:
      serviceAccounts:
      - name: istio-ingressgateway-service-account
        namespace: istio-system
        clusterName: cluster1
  destinationSelector:
  - kubeServiceMatcher:
      namespaces:
      - default
      labels:
        service: productpage

# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: productpage
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster1/ns/istio-system/sa/istio-ingressgateway-service-account
  selector:
    matchLabels:
      app: productpage

Slide 42

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: Ingress Gateway]

Slide 43

Productpage

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: AccessPolicy
metadata:
  namespace: gloo-mesh
  name: productpage
spec:
  sourceSelector:
  - kubeServiceAccountRefs:
      serviceAccounts:
      - name: bookinfo-productpage
        namespace: default
        clusterName: cluster1
  destinationSelector:
  - kubeServiceMatcher:
      namespaces:
      - default
      labels:
        service: details
  - kubeServiceMatcher:
      namespaces:
      - default
      labels:
        service: reviews

# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster1/ns/default/sa/bookinfo-productpage
  selector:
    matchLabels:
      app: reviews
---
# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: details
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster1/ns/default/sa/bookinfo-productpage
  selector:
    matchLabels:
      app: details

Slide 44

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: Productpage]

Slide 45

Reviews

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: AccessPolicy
metadata:
  namespace: gloo-mesh
  name: reviews
spec:
  sourceSelector:
  - kubeServiceAccountRefs:
      serviceAccounts:
      - name: bookinfo-reviews
        namespace: default
        clusterName: cluster1
  destinationSelector:
  - kubeServiceMatcher:
      namespaces:
      - default
      labels:
        service: ratings

# CLUSTER 1
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: ratings
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster1/ns/default/sa/bookinfo-reviews
  selector:
    matchLabels:
      app: ratings

Slide 46

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: Reviews]

Slide 47

Lab 6: Access Control

Slide 48

Multi-cluster Traffic

Slide 49

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: Before]

Slide 50

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: After]

Slide 51

Traffic Policy

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: TrafficPolicy
metadata:
  namespace: gloo-mesh
  name: simple
spec:
  destinationSelector:
  - kubeServiceRefs:
      services:
      - clusterName: cluster1
        name: reviews
        namespace: default
  trafficShift:
    destinations:
    - kubeService:
        clusterName: cluster2
        name: reviews
        namespace: default
        subset:
          version: v3
      weight: 75
    - kubeService:
        clusterName: cluster1
        name: reviews
        namespace: default
        subset:
          version: v1
      weight: 15
    - kubeService:
        clusterName: cluster1
        name: reviews
        namespace: default
        subset:
          version: v2
      weight: 10

Slide 52

Istio resources translated from the TrafficPolicy in cluster 1:

# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews.default.svc.cluster2.global
        subset: version-v3
      weight: 75
    - destination:
        host: reviews.default.svc.cluster.local
        subset: version-v1
      weight: 15
    - destination:
        host: reviews.default.svc.cluster.local
        subset: version-v2
      weight: 10
---
# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews.default.svc.cluster2.global
  namespace: istio-system
spec:
  addresses:
  - 253.124.25.94
  endpoints:
  - address: 172.18.0.230
    labels:
      cluster: cluster2
    ports:
      http: 15443
  hosts:
  - reviews.default.svc.cluster2.global
  location: MESH_INTERNAL
  ports:
  - name: http
    number: 9080
    protocol: TCP
  resolution: DNS
---
# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews.default.svc.cluster2.global
  namespace: istio-system
spec:
  host: reviews.default.svc.cluster2.global
  subsets:
  - labels:
      cluster: cluster2
    name: version-v3
  - labels:
      cluster: cluster2
    name: version-v1
  - labels:
      cluster: cluster2
    name: version-v2
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Slide 53

Resources on the cluster 2 side: the ingress gateway rewrites the *.cluster2.global SNI cluster name to the local service, and the DestinationRule maps the subsets to the local pod versions.

# CLUSTER 2
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  labels:
    cluster.multicluster.solo.io: cluster2
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: virtual-mesh.gloo-mesh
  namespace: istio-system
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.sni_cluster
        portNumber: 15443
    patch:
      operation: INSERT_AFTER
      value:
        name: envoy.filters.network.tcp_cluster_rewrite
        typed_config:
          '@type': type.googleapis.com/istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1.TcpClusterRewrite
          cluster_pattern: \.cluster2.global$
          cluster_replacement: .cluster.local
  workloadSelector:
    labels:
      istio: ingressgateway
---
# CLUSTER 2
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    cluster.multicluster.solo.io: cluster2
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  subsets:
  - labels:
      version: v3
    name: version-v3
  - labels:
      version: v1
    name: version-v1
  - labels:
      version: v2
    name: version-v2
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# CLUSTER 2
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: reviews
    istio.io/rev: default
    pod-template-hash: d978546db
    security.istio.io/tlsMode: istio
    service.istio.io/canonical-name: reviews
    service.istio.io/canonical-revision: v3
    version: v3
  name: reviews-v3-d978546db-dj59b
  namespace: default
spec: ...
---
# CLUSTER 2
apiVersion: v1
kind: Service
metadata:
  labels:
    app: reviews
    service: reviews
  name: reviews
  namespace: default
spec:
  clusterIP: 10.97.193.52
  ports:
  - name: http
    port: 9080
    protocol: TCP
    targetPort: 9080
  selector:
    app: reviews
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

Slide 54

Reviews

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: AccessPolicy
metadata:
  namespace: gloo-mesh
  name: reviews
spec:
  sourceSelector:
  - kubeServiceAccountRefs:
      serviceAccounts:
      - name: bookinfo-reviews
        namespace: default
        clusterName: cluster1
      - name: bookinfo-reviews
        namespace: default
        clusterName: cluster2
  destinationSelector:
  - kubeServiceMatcher:
      namespaces:
      - default
      labels:
        service: ratings

# CLUSTER 2
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    cluster.multicluster.solo.io: cluster2
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: ratings
  namespace: default
spec:
  rules:
  - from:
    - source:
        principals:
        - cluster2/ns/default/sa/bookinfo-reviews
  selector:
    matchLabels:
      app: ratings
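The decisions these policies produce can be checked with a small evaluator of Istio's ALLOW-only AuthorizationPolicy semantics, added here as an example (not Istio's or Gloo Mesh's code). It models the translated policies from the Global Access Control slides (the empty-spec deny-all policy in istio-system, the rules: - {} allow-all for the ingress gateway, the per-service principal lists for productpage, reviews, details and ratings) together with the cluster 2 ratings policy on this slide, and reports ALLOW or DENY for each Bookinfo hop. Workload labels, namespaces and principals are constructed from the slides; the name ingressgateway-allow-all is made up because the slide shows that policy without a name.

```python
"""Evaluator for the ALLOW-only AuthorizationPolicy semantics used in the labs.
Added example; not Istio's or Gloo Mesh's own implementation."""
from __future__ import annotations
from dataclasses import dataclass, field

ROOT_NAMESPACE = "istio-system"  # policies in Istio's root namespace apply mesh-wide


@dataclass
class Workload:
    cluster: str
    namespace: str
    labels: dict


@dataclass
class AuthorizationPolicy:
    name: str
    cluster: str                                   # cluster the translated policy landed in
    namespace: str
    selector: dict = field(default_factory=dict)   # {} selects every workload in scope
    rules: list = field(default_factory=list)      # [] (the slides' `spec: {}`) matches nothing: deny-all


def applies_to(policy: AuthorizationPolicy, wl: Workload) -> bool:
    """A policy selects a workload in its own cluster if it lives in the root
    namespace or the workload's namespace and its selector labels all match."""
    if policy.cluster != wl.cluster:
        return False
    if policy.namespace not in (ROOT_NAMESPACE, wl.namespace):
        return False
    return all(wl.labels.get(k) == v for k, v in policy.selector.items())


def rule_matches(rule: dict, principal: str | None) -> bool:
    sources = rule.get("from", [])
    if not sources:
        return True  # `- {}` matches every request
    for entry in sources:
        principals = entry.get("source", {}).get("principals", [])
        if not principals or principal in principals:
            return True
    return False


def authorize(policies: list, wl: Workload, principal: str | None) -> str:
    """Istio ALLOW semantics: no policy selects the workload -> allow; otherwise
    allow only if some selecting policy has a matching rule."""
    applicable = [p for p in policies if applies_to(p, wl)]
    if not applicable:
        return "ALLOW"
    for p in applicable:
        if any(rule_matches(r, principal) for r in p.rules):
            return "ALLOW"
    return "DENY"


def allow_from(name: str, cluster: str, app: str, principals: list) -> AuthorizationPolicy:
    """Shape of the per-service policies Gloo Mesh translates from an AccessPolicy."""
    return AuthorizationPolicy(name, cluster, "default", {"app": app},
                               [{"from": [{"source": {"principals": principals}}]}])


GATEWAY_SA = "cluster1/ns/istio-system/sa/istio-ingressgateway-service-account"
PRODUCTPAGE_SA = "cluster1/ns/default/sa/bookinfo-productpage"
REVIEWS_SA_C1 = "cluster1/ns/default/sa/bookinfo-reviews"
REVIEWS_SA_C2 = "cluster2/ns/default/sa/bookinfo-reviews"


def bookinfo_policies(include_cluster2_ratings: bool = True) -> list:
    policies = []
    for cluster in ("cluster1", "cluster2"):   # created by globalAccessPolicy: ENABLED
        policies.append(AuthorizationPolicy("global-access-control", cluster, ROOT_NAMESPACE))
        policies.append(AuthorizationPolicy("ingressgateway-allow-all", cluster, ROOT_NAMESPACE,
                                            {"istio": "ingressgateway"}, [{}]))
    policies += [
        allow_from("productpage", "cluster1", "productpage", [GATEWAY_SA]),
        allow_from("reviews", "cluster1", "reviews", [PRODUCTPAGE_SA]),
        allow_from("details", "cluster1", "details", [PRODUCTPAGE_SA]),
        allow_from("ratings", "cluster1", "ratings", [REVIEWS_SA_C1]),
    ]
    if include_cluster2_ratings:   # the policy on this slide
        policies.append(allow_from("ratings", "cluster2", "ratings", [REVIEWS_SA_C2]))
    return policies


def bookinfo_decisions(rbac_enabled: bool = True, include_cluster2_ratings: bool = True) -> dict:
    policies = bookinfo_policies(include_cluster2_ratings) if rbac_enabled else []

    def wl(cluster: str, app: str) -> Workload:
        return Workload(cluster, "default", {"app": app})

    gateway = Workload("cluster1", "istio-system", {"istio": "ingressgateway"})
    return {
        "internet->ingressgateway": authorize(policies, gateway, None),
        "gateway->productpage": authorize(policies, wl("cluster1", "productpage"), GATEWAY_SA),
        "productpage->reviews": authorize(policies, wl("cluster1", "reviews"), PRODUCTPAGE_SA),
        "productpage->ratings": authorize(policies, wl("cluster1", "ratings"), PRODUCTPAGE_SA),
        "reviews->ratings (cluster1)": authorize(policies, wl("cluster1", "ratings"), REVIEWS_SA_C1),
        "reviews->ratings (cluster2)": authorize(policies, wl("cluster2", "ratings"), REVIEWS_SA_C2),
        "plaintext->details": authorize(policies, wl("cluster1", "details"), None),
    }


if __name__ == "__main__":
    for hop, decision in bookinfo_decisions().items():
        print(f"{hop:30} {decision}")
```

Two results are worth noticing: a request that carries no mTLS identity (principal None) is denied by every per-service policy, and before the cluster 2 ratings policy exists, reviews v3 in cluster 2 cannot reach ratings at all because the global deny-all policy already selects it.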

Slide 55

Lab 7: Multi-cluster Traffic

Slide 56

Traffic Failover

Slide 57

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: Before Failover]

Slide 58

[Diagram: Bookinfo across the two clusters (productpage, reviews v1/v2/v3, details, ratings, ingress gateways, istiod). Caption: After Failover]

Slide 59

Outlier Detection

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: TrafficPolicy
metadata:
  namespace: gloo-mesh
  name: mgmt-reviews-outlier
spec:
  destinationSelector:
  - kubeServiceRefs:
      services:
      - name: reviews
        namespace: default
        clusterName: cluster1
      - name: reviews
        namespace: default
        clusterName: cluster2
  outlierDetection:
    consecutiveErrors: 1
    interval: 10s
    baseEjectionTime: 2m

# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews
  namespace: default
spec:
  host: reviews.default.svc.cluster.local
  trafficPolicy:
    outlierDetection:
      baseEjectionTime: 120s
      consecutive5xxErrors: 1
      interval: 10s
      maxEjectionPercent: 100
    tls:
      mode: ISTIO_MUTUAL

# CLUSTER 2: the same DestinationRule, labelled cluster.multicluster.solo.io: cluster2

Note: maxEjectionPercent defaults to 10%! Gloo Mesh sets it to 100 because Envoy refuses an ejection that would push the ejected share of the endpoint pool above that percentage, so with the default a service with only a few endpoints would never be ejected and failover would never kick in.

Slide 60

Envoy Filter

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: FailoverService
metadata:
  name: reviews-failover
  namespace: gloo-mesh
spec:
  hostname: reviews-failover.default.global
  port:
    number: 9080
    protocol: http
  meshes:
  - name: istiod-istio-system-cluster1
    namespace: gloo-mesh
  backingServices:
  - kubeService:
      name: reviews
      namespace: default
      clusterName: cluster1
  - kubeService:
      name: reviews
      namespace: default
      clusterName: cluster2

# CLUSTER 1
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  creationTimestamp: "2020-09-03T08:26:14Z"
  generation: 1
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews-failover
  namespace: istio-system
spec:
  configPatches:
  - applyTo: CLUSTER
    match:
      cluster:
        name: outbound|9080||reviews-failover.default.global
    patch:
      operation: REMOVE
  - applyTo: CLUSTER
    match:
      cluster:
        name: outbound|9080||reviews-failover.default.global
    patch:
      operation: ADD
      value:
        cluster_type:
          name: envoy.clusters.aggregate
          typed_config:
            '@type': type.googleapis.com/udpa.type.v1.TypedStruct
            type_url: type.googleapis.com/envoy.config.cluster.aggregate.v2alpha.ClusterConfig
            value:
              clusters:
              - outbound|9080||reviews.default.svc.cluster.local
              - outbound|9080||reviews.default.svc.cluster2.global
        connect_timeout: 1s
        lb_policy: CLUSTER_PROVIDED
        name: outbound|9080||reviews-failover.default.global

Slide 61

Service Entry

# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  creationTimestamp: "2020-09-03T08:26:14Z"
  generation: 1
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews-failover
  namespace: gloo-mesh
spec:
  addresses:
  - 240.76.63.152
  hosts:
  - reviews-failover.default.global
  location: MESH_INTERNAL
  ports:
  - name: http
    number: 9080
    protocol: http
  resolution: DNS

# MGMT: the same FailoverService reviews-failover as on slide 60

Slide 62

Virtual Service

# MGMT
apiVersion: networking.mesh.gloo.solo.io/v1alpha2
kind: TrafficPolicy
metadata:
  name: reviews-shift-failover
  namespace: default
spec:
  destinationSelector:
  - kubeServiceRefs:
      services:
      - clusterName: cluster1
        name: reviews
        namespace: default
  trafficShift:
    destinations:
    - failoverServiceRef:
        name: reviews-failover
        namespace: gloo-mesh

# CLUSTER 1
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  labels:
    cluster.multicluster.solo.io: cluster1
    owner.networking.mesh.gloo.solo.io: gloo-mesh
  name: reviews
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  http:
  - route:
    - destination:
        host: reviews-failover.default.global
        port:
          number: 9080
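How the pieces from the Traffic Failover slides (outlier detection on the reviews DestinationRules, the aggregate cluster from the EnvoyFilter, and the maxEjectionPercent caveat) interact can be seen in this added Python simulation, which is not Envoy's, Istio's or Gloo Mesh's code. The two cluster names are the ones from the aggregate cluster's list; the endpoint names, the timings and the failure injected at t=1s are constructed. Two simplifications are deliberate: routing picks the first listed cluster that still has a healthy endpoint (real Envoy spills traffic over gradually according to the healthy fraction and the overprovisioning factor), and un-ejection is modelled as happening exactly when baseEjectionTime elapses rather than on Envoy's next interval sweep.

```python
"""Outlier detection + aggregate-cluster failover, as a simulation.
Added example for the workshop deck; not Envoy's, Istio's or Gloo Mesh's code."""
from __future__ import annotations
from dataclasses import dataclass

# Envoy cluster names taken from the EnvoyFilter on slide 60.
LOCAL = "outbound|9080||reviews.default.svc.cluster.local"
REMOTE = "outbound|9080||reviews.default.svc.cluster2.global"


@dataclass
class Endpoint:
    name: str                      # constructed pod name, e.g. "reviews-v1"
    consecutive_5xx: int = 0
    ejected_until: float = -1.0    # simulation time (seconds) until which the host is ejected

    def healthy(self, now: float) -> bool:
        return now >= self.ejected_until


@dataclass
class OutlierDetection:
    consecutive_5xx_errors: int = 5    # Envoy default
    base_ejection_time: float = 30.0   # Envoy default, seconds
    max_ejection_percent: int = 10     # Envoy default; the value the slide warns about


@dataclass
class Cluster:
    name: str
    endpoints: list
    detection: OutlierDetection

    def healthy_endpoints(self, now: float) -> list:
        return [e for e in self.endpoints if e.healthy(now)]

    def record_response(self, endpoint_name: str, status: int, now: float) -> bool:
        """Feed one upstream response into outlier detection.
        Returns True if this response got the endpoint ejected."""
        ep = next(e for e in self.endpoints if e.name == endpoint_name)
        if status < 500:
            ep.consecutive_5xx = 0
            return False
        ep.consecutive_5xx += 1
        if ep.consecutive_5xx < self.detection.consecutive_5xx_errors:
            return False
        ep.consecutive_5xx = 0
        # Envoy skips an ejection that would push the ejected share of the pool
        # above maxEjectionPercent. With two endpoints a single ejection is already
        # 50% of the pool, so the 10% default never ejects anything here.
        already_ejected = sum(1 for e in self.endpoints if not e.healthy(now))
        share = 100.0 * (already_ejected + 1) / len(self.endpoints)
        if share > self.detection.max_ejection_percent:
            return False
        ep.ejected_until = now + self.detection.base_ejection_time
        return True


def aggregate_route(clusters: list, now: float) -> str | None:
    """envoy.clusters.aggregate in priority order, simplified to 'first listed
    cluster that still has a healthy endpoint'."""
    for cluster in clusters:
        if cluster.healthy_endpoints(now):
            return cluster.name
    return None


def failover_scenario(max_ejection_percent: int) -> dict:
    """reviews in cluster1 (two endpoints) starts failing: does traffic reach cluster2?"""
    detection = OutlierDetection(consecutive_5xx_errors=1,    # consecutiveErrors: 1
                                 base_ejection_time=120.0,    # baseEjectionTime: 2m
                                 max_ejection_percent=max_ejection_percent)
    local = Cluster(LOCAL, [Endpoint("reviews-v1"), Endpoint("reviews-v2")], detection)
    remote = Cluster(REMOTE, [Endpoint("reviews-v3")], detection)
    chain = [local, remote]    # order of the aggregate cluster's `clusters` list

    timeline = {"t0": aggregate_route(chain, 0.0)}
    # t=1s: every local endpoint answers HTTP 500 (constructed failure)
    ejections = [local.record_response(e.name, 500, 1.0) for e in local.endpoints]
    timeline["ejected_local_endpoints"] = sum(ejections)
    timeline["after_errors"] = aggregate_route(chain, 2.0)
    # t=130s: baseEjectionTime (120s) has elapsed, local endpoints are back in the pool
    timeline["after_ejection_expires"] = aggregate_route(chain, 130.0)
    return timeline


if __name__ == "__main__":
    print("maxEjectionPercent=10 :", failover_scenario(10))
    print("maxEjectionPercent=100:", failover_scenario(100))
```

With the Envoy default of 10%, both local endpoints keep answering 500 and nothing is ejected, so the aggregate cluster never looks at cluster2; with the value Gloo Mesh sets (100) both are ejected, traffic moves to cluster2, and it returns to cluster1 once the ejection expires.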

Slide 63

Lab 8: Traffic Failover

Slide 64

Gloo Mesh RBAC

Slide 65

Kubernetes RBAC

• In large organizations, several teams are using the same Kubernetes cluster. They use Kubernetes RBAC to define who can do what and where.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: default
  name: namespace-admin
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["*"] # any resource
  verbs: ["*"] # any action
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: default-namespace-admin
  namespace: default
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: namespace-admin
  apiGroup: rbac.authorization.k8s.io

Slide 66

RBAC in multi cluster Service Mesh

• Gloo Mesh provides Custom Resource Definitions (CRDs) to define policies globally (across multiple clusters).
• Gloo Mesh translates the TrafficPolicies and AccessPolicies into Istio resources on the local clusters.
• So, how do we manage RBAC now? How can we define who is allowed to create these Gloo Mesh policies? We can't use Kubernetes Roles because we need to be more fine grained.

Slide 68

Lab 9: Gloo Mesh Enterprise RBAC

Slide 69

Gloo Mesh Enterprise UI

Slide 70

Lab 10: Exploring the Gloo Mesh Enterprise UI

Slide 71

The benefits of Gloo Mesh

                     Without Gloo Mesh    With Gloo Mesh
Federated identity   Manual process       Automated and more secure
Authorization        Local                Global
Traffic management   Local and complex    Global and simple
RBAC                 Limited              Fine grained
Management           Local CLI            Global CLI & UI

Slide 72

Securing the Edge

Slide 73

How do you secure the Edge?

• The Istio Ingress Gateway can be used for that purpose, but it doesn't provide the functionalities you generally get in modern Edge/API Gateways, like:
  − External authentication (OAuth, API keys, JWT, ...)
  − Rate limiting
  − Complex transformations
  − ...

Slide 74

That's exactly what Gloo Edge does

Slide 75

[Diagram: two clusters, each running productpage and reviews behind an Istio ingress gateway and istiod]

Slide 76

But how do you integrate them?

• Gloo Edge can access the services directly and take all the routing decisions.
• The communications between Gloo Edge and the services are secured with mTLS.

[Diagram: Gloo Edge, the Istio Ingress Gateway and the service mesh]

Slide 77

Lab 11: Securing the Edge

Slide 78

But how do you integrate them?

• Gloo Edge can send the requests to the Istio Ingress Gateway and let it take the routing decisions.
• The communications between Gloo Edge and the Istio Ingress Gateway are secured with mTLS.

[Diagram: Gloo Edge, the Istio Ingress Gateway and the service mesh]

Slide 79

[Diagram: two clusters, each running productpage and reviews behind an Istio ingress gateway and istiod]

Slide 81

Thank you!

Feedback / Request a workshop: https://forms.gle/gTSVnKFycmu8HJfb7
Continue the conversation: https://slack.solo.io
