Slide 1

No meu SERVICE ninguém MESH (a pun on the Portuguese "no meu serviço ninguém mexe": nobody messes with my service)

Slide 2

Cláudio de Oliveira, Sr. Software Engineer @ zup innovation. K8s, Service Mesh and Golang enthusiast; lead organizer of CNCF Campinas (community.cncf.io/campinas), Golang Campinas & SouJava. @claudioed on Twitter, /claudioed on GitHub.

Slide 3

Tiago Angelo, Sr. Software Engineer @ zup innovation. Microservices and service mesh enthusiast; organizer of community.cncf.io/campinas and meetup.com/Golang-Campinas. @kurtisangelo on Twitter, /angelokurtis on GitHub.

Slide 4

Agenda
1 - A few words about microservices
2 - Security challenges
3 - Service Mesh
4 - AuthN & AuthZ
5 - Mutual TLS

Slide 5

A few words about microservices...
- language heterogeneity
- reduced time to market compared with legacy systems
- helps on the path to digital transformation
- helps large companies deliver software with confidence

Slide 6

NETWORK: github.com/angelokurtis/football-bets

Slide 7

Security Challenges

Slide 8

Microservices allow different services to be written in different languages; in general this is recommended, and it is called technology heterogeneity.
Problem: frameworks have different concerns about security.

Slide 9

Problem: team expertise. Teams have different worries about security; some teams have strong expertise on the topic and others do not, so we sometimes end up with different security levels across our MSA.

Slide 10

There are two things to think about when we think about security: Authentication and Authorization.
Problem: teams often have no idea about the difference between these two topics.

Slide 11

Service Mesh

Slide 12

Definition “A service mesh is a configurable, low‑latency infrastructure layer designed to handle a high volume of network‑based interprocess communication among application infrastructure services using application programming interfaces (APIs).”

Slide 14

Let's zoom in a little bit...

Slide 16

ALL service interactions go through the sidecar, a.k.a. the Envoy proxy.

Slide 18

The sidecar as a Policy Enforcement Point (PEP)

Slide 19

We already gave the platform a chance to handle our deployments; let's give the platform a chance to handle the network for us too, a.k.a. the security concerns.

Slide 20

Step Back

Slide 21

Kubernetes is a very successful platform that helps developers deploy their containers and manage their workloads. The important part here: Kubernetes implements a set of patterns to achieve this.

Slide 22

All the deployment decisions are made by the platform (Kubernetes). Our applications don't care about the cluster workload; Kubernetes handles it for us.

Slide 25

Istio & Security

Slide 26

- Security by default: no changes needed to application code or infrastructure
- Defense in depth: integrates with existing security systems to provide multiple layers of defense
- Zero-trust network: builds security solutions on untrusted networks

Slide 28

End-User Authn & AuthZ

Slide 29

End-user authentication verifies the original client making the request, as an end user or a device. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience for open-source OpenID Connect providers.

Slide 30

It integrates with OpenID Connect providers.

Slide 33

End-User AuthZ

Slide 34

Each Envoy proxy runs an authorization engine that authorizes requests at runtime. When a request comes to the proxy, the authorization engine evaluates the request context against the current authorization policies, and returns the authorization result, either ALLOW or DENY.
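The request-level flow from slides 29, 30 and 34, as an added example that is not from the deck or the football-bets repo: a RequestAuthentication that validates JWTs from an assumed OpenID Connect issuer, plus an AuthorizationPolicy that turns the validated identity and claims into the ALLOW/DENY decision the sidecar enforces. The namespace, the app label, the issuer URL, the audience, the paths and the claim name are all assumptions.

```yaml
# Added example (not from the deck or football-bets). Assumed: namespace
# football-bets, workload label app=bets-api, issuer https://idp.example.com
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bets-api-jwt
  namespace: football-bets
spec:
  selector:
    matchLabels:
      app: bets-api
  jwtRules:
  - issuer: "https://idp.example.com"
    jwksUri: "https://idp.example.com/.well-known/jwks.json"
    audiences:
    - "football-bets"
    # Envoy rejects a request whose token fails the signature, issuer,
    # audience or expiry checks. A request carrying NO token passes this
    # step untouched; the AuthorizationPolicy below closes that gap.
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bets-api-require-jwt
  namespace: football-bets
spec:
  selector:
    matchLabels:
      app: bets-api
  action: ALLOW   # once an ALLOW policy selects a workload, unmatched requests are denied
  rules:
  # Any authenticated end user (request principal is "<issuer>/<sub>") may read bets.
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/bets", "/bets/*"]
  # Placing a bet additionally requires an assumed "role" claim containing "bettor".
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/bets"]
    when:
    - key: request.auth.claims[role]
      values: ["bettor"]
```

The check to remember: a RequestAuthentication on its own only rejects invalid tokens, so a caller that simply omits the Authorization header still reaches the workload unless an AuthorizationPolicy requires a requestPrincipal.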

Slide 37

NETWORK: github.com/angelokurtis/football-bets

Slide 38

Let's recap the Istio request flow.

Slide 39

Istio Request Flow

Slide 41

Service-to-Service AuthN

Slide 42

Transport authentication, also known as service-to-service authentication, verifies the direct client making the connection. Istio offers mutual TLS as a full-stack solution for transport authentication.

Slide 43

Provides a key management system to automate key and certificate generation, distribution, and rotation

Slide 47

Choose your mTLS flavor!!!
- Strict: hard (only mTLS traffic is accepted)
- Permissive: soft (both mTLS and plaintext are accepted)
- Disabled: very soft (plaintext only)

Slide 48

Fine-grained control policies
- Mesh-wide policy
- Namespace-wide policy
- Workload policy
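The three mTLS flavors from slide 47 laid over the three policy scopes from slide 48, as an added example that is not from the deck: a mesh-wide STRICT default, a namespace that is still migrating and stays PERMISSIVE, and one workload that keeps STRICT but exempts a single port. The namespaces, the workload label and the port number are assumptions; note that the real value for the "Disabled" flavor is DISABLE.

```yaml
# Added example (not from the deck). Mesh-wide default lives in the root
# namespace (istio-system) and MUST be named "default".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT        # hard: sidecars only accept mTLS connections
---
# Namespace-wide override for an assumed "legacy" namespace that is still
# migrating: sidecars accept mTLS AND plaintext, so un-meshed clients keep working.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: legacy
spec:
  mtls:
    mode: PERMISSIVE    # soft: leaves room for a gradual rollout, nothing is enforced yet
---
# Workload-level policy (needs a selector): STRICT for the app, except an
# assumed metrics port 9090 that an out-of-mesh scraper must reach in plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: bets-api
  namespace: football-bets
spec:
  selector:
    matchLabels:
      app: bets-api
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: DISABLE     # very soft: plaintext only, so keep it to ports that truly need it
```

Precedence is workload over namespace over mesh, so the mesh-wide STRICT default is what every namespace gets unless a narrower policy like the two above says otherwise.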

Slide 50

Final words about Service Mesh

Slide 51

"Zero code changes" is not 100% true. Are your headers propagated???

Slide 52

Can your service run with a sidecar???

Slide 53

Readiness and Liveness Probes???
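Why probes come up in slide 53: kubelet is not part of the mesh, so once a workload is under STRICT mTLS its plain HTTP readiness and liveness probes are rejected by the sidecar and the pod never becomes Ready. As an added example that is not from the deck or the football-bets repo, this Deployment asks the sidecar injector to rewrite the HTTP probes so they are served by the Istio agent inside the pod. The namespace, label, image and probe path are assumptions.

```yaml
# Added example (not from the deck or football-bets).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bets-api
  namespace: football-bets
spec:
  selector:
    matchLabels:
      app: bets-api
  template:
    metadata:
      labels:
        app: bets-api
      annotations:
        # Injector rewrites httpGet probes to the Istio agent's port, which
        # forwards them to the app locally, bypassing the mTLS requirement
        # that kubelet (outside the mesh) cannot satisfy.
        sidecar.istio.io/rewriteAppHTTPProbers: "true"
    spec:
      containers:
      - name: bets-api
        image: registry.example.org/bets-api:PLACEHOLDER   # placeholder image
        ports:
        - containerPort: 8080
        readinessProbe:
          httpGet:
            path: /healthz      # assumed health endpoint
            port: 8080
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
```

In recent Istio releases this rewrite is on by default mesh-wide; the annotation makes the behaviour explicit per workload and is the first thing to check when a pod stays NotReady right after enabling STRICT mode.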

Slide 54

THANKS! Any questions?
You can find us at:
- linkedin.com/in/claudioed
- twitter.com/claudioed
- linkedin.com/in/tiagoangelo
- twitter.com/kurtisangelo
Join us: community.cncf.io/campinas