Workshop - Service Mesh Hub

Slide 1

Slide 1 text

Workshop Multi-Cluster Service Mesh Operations

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

10 | Copyright © 2020 Multicluster Service Mesh challenges • You need Federated Trust and Identity • You need to allow communications between clusters • You need to manage access control globally • You need to define a Disaster Recovery strategy • You need to secure the Edge as well • All of the above is highly complex

Slide 11

Slide 11 text

11 | Copyright © 2020 Service Mesh Hub is simplifying everything MULTI-CLUSTER STATE MESH TRAFFIC TARGET WORKLOAD TRAFFIC POLICY ACCESS POLICY VIRTUAL MESH ISSUED CERTIFICATE CREATE CUSTOM RESOURCES WATCH MESH DISCOVERY MESH NETWORKING DISCOVER & WATCH MESH, PODS, SERVICES CREATE POLICIES SIGN CERTS CLUSTER CLUSTER CLUSTER istiod istiod istiod

Slide 12

Slide 12 text

12 | Copyright © 2020 SMH Mesh Discovery CLUSTER CLUSTER CLUSTER istiod istiod istiod MULTI-CLUSTER STATE MESH TRAFFIC TARGET WORKLOAD CREATE CUSTOM RESOURCES MESH DISCOVERY InputSnapshot MeshTranslator WorkloadTranslator TrafficTargetTranslator StartDiscover y SECRET ADDED KUBERNETES CLUSTER CRD ADDED OutputSnapshot

Slide 13

Slide 13 text

13 | Copyright © 2020 SMH Mesh Networking MESH NETWORKING InputSnapshot VirtualMeshTranslator FederationTranslator FailoverTranslator StartNetworkin g TRAFFIC POLICY ACCESS POLICY VIRTUAL MESH ISSUED CERTIFICATE WATCH mtlsTranslator TrafficTargetTranslator CERT OutputSnapshot TrafficPolicyTranslator AccessPolicyTranslator CLUSTER istiod

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

23 | Copyright © 2020 Service to Service Authentication • By default the TLS protocol only proves the identity of the server to the client using X.509 certificate and the authentication of the client to the server is left to the application layer. • Mutual TLS authentication refers to two parties authenticating each other at the same time. • In Istio, Mutual TLS work as follow: − Istio re-routes the outbound traffic from a client to the client’s local sidecar Envoy. − The client side Envoy starts a mutual TLS handshake with the server side Envoy. During the handshake, the client side Envoy also does a secure naming check to verify that the service account presented in the server certificate is authorized to run the target service. − The client side Envoy and the server side Envoy establish a mutual TLS connection, and Istio forwards the traffic from the client side Envoy to the server side Envoy. − After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.

Slide 24

Slide 24 text

24 | Copyright © 2020 SPIFFE ID • SPIFFE, the Secure Production Identity Framework for Everyone, is a set of open- source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. • A SPIFFE ID is a string that uniquely and specifically identifies a workload. SPIFFE IDs are a Uniform Resource Identifier (URI) which takes the following format: spiffe://trust domain/workload identifier

Slide 25

Slide 25 text

25 | Copyright © 2020 SPIFFE ID in Istio • The SPIFFE ID of a workload looks like spiffe:///ns//sa/ • The default trust domain is cluster.local, so a the SPIFFE ID corresponding to a Pod started with the service account pod-sa in the default namespace would be spiffe://cluster.local/ns/default/sa/pod-sa. • In a multi-cluster deployment, using the cluster.local trust domain is a problem because there would be no way to differentiate a workload of a cluster from one of another cluster if they use the same service account and namespace names. • Istio allows you to use a different trust domain using the trustDomain parameter of the MeshConfig option.

Slide 26

Slide 26 text

Slide 27

Slide 27 text

27 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Virtual Mesh creation workflow CERT-AGENT CERT-AGENT CREATE CERTIFICATE / KEY AND CSR SHARED ROOT SIGN CERT WITH SHARED ROOT

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Slide 31

Slide 31 text

Slide 32

Slide 32 text

32 | Copyright © 2020 Enable RBAC apiVersion: networking.smh.solo.io/v1alpha2 kind: VirtualMesh metadata: name: virtual-mesh namespace: service-mesh-hub spec: mtlsConfig: autoRestartPods: true shared: rootCertificateAuthority: generated: null federation: {} globalAccessPolicy: ENABLED meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub - name: istiod-istio-system-kind3 namespace: service-mesh-hub apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: global-access-control namespace: istio-system spec: {} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub spec: rules: - {} selector: matchLabels: istio: ingressgateway CLUSTER 2 CLUSTER 1 CLUSTER 2

Slide 33

Slide 33 text

33 | Copyright © 2020 Enable RBAC apiVersion: networking.smh.solo.io/v1alpha2 kind: VirtualMesh metadata: name: virtual-mesh namespace: service-mesh-hub spec: mtlsConfig: autoRestartPods: true shared: rootCertificateAuthority: generated: null federation: {} globalAccessPolicy: ENABLED meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub - name: istiod-istio-system-kind3 namespace: service-mesh-hub apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: global-access-control namespace: istio-system spec: {} CLUSTER 3 CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub spec: rules: - {} selector: matchLabels: istio: ingressgateway CLUSTER 3

Slide 34

Slide 34 text

Slide 35

Slide 35 text

35 | Copyright © 2020 Ingress Gateway apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy metadata: namespace: service-mesh-hub name: istio-ingressgateway spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: istio-ingressgateway- service-account namespace: istio-system clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: productpage CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: annotations: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: productpage namespace: default spec: rules: - from: - source: principals: - kind2/ns/istio- system/sa/istio-ingressgateway- service-account selector: matchLabels: app: productpage CLUSTER 2

Slide 36

Slide 36 text

Slide 37

Slide 37 text

37 | Copyright © 2020 Productpage apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy metadata: namespace: service-mesh-hub name: productpage spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-productpage namespace: default clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: details - kubeServiceMatcher: namespaces: - default labels: service: reviews CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: details namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-productpage selector: matchLabels: app: reviews CLUSTER 2 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: details namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-productpage selector: matchLabels: app: details CLUSTER 2

Slide 38

Slide 38 text

Slide 39

Slide 39 text

39 | Copyright © 2020 Reviews apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy metadata: namespace: service-mesh-hub name: reviews spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-reviews namespace: default clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: ratings CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: ratings namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-reviews selector: matchLabels: app: ratings CLUSTER 2

Slide 40

Slide 40 text

Slide 41

Slide 41 text

Slide 42

Slide 42 text

Slide 43

Slide 43 text

Slide 44

Slide 44 text

Slide 45

Slide 45 text

45 | Copyright © 2020 Traffic Policy apiVersion: networking.smh.solo.io/v1alpha2 kind: TrafficPolicy metadata: namespace: service-mesh-hub name: simple spec: destinationSelector: - kubeServiceRefs: services: - clusterName: kind2 name: reviews namespace: default trafficShift: destinations: - kubeService: clusterName: kind3 name: reviews namespace: default subset: version: v3 weight: 75 - kubeService: clusterName: kind2 name: reviews namespace: default subset: version: v1 weight: 15 - kubeService: clusterName: kind2 name: reviews namespace: default subset: version: v2 weight: 10 CLUSTER 1

Slide 46

Slide 46 text

46 | Copyright © 2020 apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: hosts: - reviews.default.svc.cluster.local http: - route: - destination: host: reviews.default.svc.kind3.global subset: version-v3 weight: 75 - destination: host: reviews.default.svc.cluster.local subset: version-v1 weight: 15 - destination: host: reviews.default.svc.cluster.local subset: version-v2 weight: 10 CLUSTER 2 apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews.default.svc.kind3.global namespace: istio-system spec: addresses: - 253.124.25.94 endpoints: - address: 172.18.0.230 labels: cluster: kind3 ports: http: 15443 hosts: - reviews.default.svc.kind3.global location: MESH_INTERNAL ports: - name: http number: 9080 protocol: TCP resolution: DNS CLUSTER 2 apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews.default.svc.kind3.global namespace: istio-system spec: host: reviews.default.svc.kind3.global subsets: - labels: cluster: kind3 name: version-v3 - labels: cluster: kind3 name: version-v1 - labels: cluster: kind3 name: version-v2 trafficPolicy: tls: mode: ISTIO_MUTUAL CLUSTER 2

Slide 47

Slide 47 text

47 | Copyright © 2020 apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh- hub name: virtual-mesh.service-mesh-hub namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.sni_cluster portNumber: 15443 patch: operation: INSERT_AFTER value: name: envoy.filters.network.tcp_cluster_rewrite typed_config: '@type': type.googleapis.com/istio.envoy.config.filter.n etwork.tcp_cluster_rewrite.v2alpha1.TcpClusterR ewrite cluster_pattern: \.kind3.global$ cluster_replacement: .cluster.local workloadSelector: labels: istio: ingressgateway CLUSTER 3 apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local subsets: - labels: version: v3 name: version-v3 - labels: version: v1 name: version-v1 - labels: version: v2 name: version-v2 trafficPolicy: tls: mode: ISTIO_MUTUAL CLUSTER 3 apiVersion: v1 kind: Pod metadata: labels: app: reviews istio.io/rev: default pod-template-hash: d978546db security.istio.io/tlsMode: istio service.istio.io/canonical-name: reviews service.istio.io/canonical-revision: v3 version: v3 name: reviews-v3-d978546db-dj59b namespace: default spec: ... CLUSTER 3 apiVersion: v1 kind: Service metadata: labels: app: reviews service: reviews name: reviews namespace: default spec: clusterIP: 10.97.193.52 ports: - name: http port: 9080 protocol: TCP targetPort: 9080 selector: app: reviews sessionAffinity: None type: ClusterIP status: loadBalancer: {} CLUSTER 3

Slide 48

Slide 48 text

48 | Copyright © 2020 Reviews apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy metadata: namespace: service-mesh-hub name: reviews spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-reviews namespace: default clusterName: kind2 - name: bookinfo-reviews namespace: default clusterName: kind3 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: ratings CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: ratings namespace: default spec: rules: - from: - source: principals: - kind3/ns/default/sa/bookinfo-reviews selector: matchLabels: app: ratings CLUSTER 3

Slide 49

Slide 49 text

Slide 50

Slide 50 text

Slide 51

Slide 51 text

Slide 52

Slide 52 text

Slide 53

Slide 53 text

53 | Copyright © 2020 Outlier Detection apiVersion: networking.smh.solo.io/v1alpha2 kind: TrafficPolicy metadata: namespace: service-mesh-hub name: mgmt-reviews-outlier spec: destinationSelector: - kubeServiceRefs: services: - name: reviews namespace: default clusterName: kind2 - name: reviews namespace: default clusterName: kind3 outlierDetection: consecutiveErrors: 1 interval: 10s baseEjectionTime: 2m apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local trafficPolicy: outlierDetection: baseEjectionTime: 120s consecutive5xxErrors: 1 interval: 10s maxEjectionPercent: 100 tls: mode: ISTIO_MUTUAL maxEjectionPercent default value is 10% ! apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local trafficPolicy: outlierDetection: baseEjectionTime: 120s consecutive5xxErrors: 1 interval: 10s maxEjectionPercent: 100 tls: mode: ISTIO_MUTUAL CLUSTER 1 CLUSTER 2 CLUSTER 3

Slide 54

Slide 54 text

54 | Copyright © 2020 Envoy Filter apiVersion: networking.smh.solo.io/v1alpha2 kind: FailoverService metadata: name: reviews-failover namespace: service-mesh-hub spec: hostname: reviews-failover.default.global port: number: 9080 protocol: http meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub backingServices: - kubeService: name: reviews namespace: default clusterName: kind2 - kubeService: name: reviews namespace: default clusterName: kind3 apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: creationTimestamp: "2020-09-03T08:26:14Z" generation: 1 labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews-failover namespace: istio-system spec: configPatches: - applyTo: CLUSTER match: cluster: name: outbound|9080||reviews-failover.default.global patch: operation: REMOVE - applyTo: CLUSTER match: cluster: name: outbound|9080||reviews-failover.default.global patch: operation: ADD value: cluster_type: name: envoy.clusters.aggregate typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.config.cluster.aggregate.v2alpha.ClusterConfig value: clusters: - outbound|9080||reviews.default.svc.cluster.local - outbound|9080||reviews.default.svc.kind3.global connect_timeout: 1s lb_policy: CLUSTER_PROVIDED name: outbound|9080||reviews-failover.default.global CLUSTER 1 CLUSTER 2

Slide 55

Slide 55 text

55 | Copyright © 2020 Service Entry apiVersion: networking.smh.solo.io/v1alpha2 kind: FailoverService metadata: name: reviews-failover namespace: service-mesh-hub spec: hostname: reviews-failover.default.global port: number: 9080 protocol: http meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub backingServices: - kubeService: name: reviews namespace: default clusterName: kind2 - kubeService: name: reviews namespace: default clusterName: kind3 apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: creationTimestamp: "2020-09-03T08:26:14Z" generation: 1 labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service- mesh-hub name: reviews-failover namespace: service-mesh-hub spec: addresses: - 240.76.63.152 hosts: - reviews-failover.default.global location: MESH_INTERNAL ports: - name: http number: 9080 protocol: http resolution: DNS CLUSTER 1 CLUSTER 2

Slide 56

Slide 56 text

56 | Copyright © 2020 Virtual Service apiVersion: networking.smh.solo.io/v1alpha2 kind: TrafficPolicy metadata: name: reviews-shift-failover namespace: default spec: destinationSelector: - kubeServiceRefs: services: - clusterName: kind2 name: reviews namespace: default trafficShift: destinations: - failoverServiceRef: name: reviews-failover namespace: service-mesh-hub apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service- mesh-hub name: reviews namespace: default spec: hosts: - reviews.default.svc.cluster.local http: - route: - destination: host: reviews- failover.default.global port: number: 9080 CLUSTER 1 CLUSTER 2

Slide 57

Slide 57 text

Slide 58

Slide 58 text

Slide 59

Slide 59 text

59 | Copyright © 2020 How do you secure the Edge ? • The Istio Ingress Gateway can be used for that purpose, but it doesn’t provide the functionalities that you generally get in modern Edge/API Gateways like: − External authentication (OAuth, API keys, JWT, …) − Rate limiting − Complex transformations − ...

Slide 60

Slide 60 text

Slide 61

Slide 61 text

Slide 62

Slide 62 text

62 | Copyright © 2020 But how do you integrate them ? Istio Ingress Gateway • Gloo can access the services directly and take all the routing decisions • The communications between Gloo and the services are secured with mTLS. SERVICE MESH

Slide 63

Slide 63 text

Slide 64

Slide 64 text

64 | Copyright © 2020 But how do you integrate them ? Istio Ingress Gateway • Gloo can send the requests to the Istio Ingress Gateway and let it take the routing decisions • The communications between Gloo and Istio Ingress Gateway the services are secured with mTLS. SERVICE MESH

Slide 65

Slide 65 text

Slide 66

Slide 66 text

Slide 67

Slide 67 text

67 | Copyright © 2020 § Learn More www.solo.io § Gloo http://www.solo.io/products/gloo § Service Mesh Hub github.com/solo-io/service-mesh-hub § Community slack.solo.io § Request a Personalized Demo lp.solo.io/lp-request-a-demo-overview