Securing Kubernetes Networking with Consul Connect and Envoy

Transcript

1. © 2019 Palo Alto Networks. All Rights Reserved. Securing Kubernetes

   Networking with Consul Connect and Envoy Christoph Puhl Consul Technology Specialist | Field CTO Office | HashiCorp [email protected] | @cpu601
2. None

3. Multi-*

4. Multi-Cloud

5. Multi-Runtime

6. The Cloud Landscape STATIC DYNAMIC Dedicated Private Cloud AWS Azure

   GCP vCenter Terraform CloudFormation Resource Manager Cloud Deployment Manager Provision Operations IP: Hardware Identity: AD/LDAP Identity: AWS IAM Identity: Azure AD Identity: GCP IAM Secure Security Hardware Various Hardware Proprietary Istio Proprietary CloudMap AppMesh Connect Networking vSphere vSphere EKS/ECS Lambda AKS/ACS Azure Functions GKE Cloud Functions Run Development

7. A Common Operating Model with HashiCorp Provision Operations Secure Security

   Connect Networking Run Development Private Cloud AWS Azure GCP

8. The Road to Service Mesh...

9. None
10. None

11. Traditional Datacenter

12. Modern Datacenter

13. Monoliths & Microservices

14. This is a monolith

15. Monoliths

16. These are microservices

17. Microservices

18. Microservices

19. Microservices

20. None

21. Service Discovery Service Segmentation Service Configuration Dynamic Infrastructure Challenges

22. Service Registry & Discovery

23. Service Discovery B = [ ‘1.2.3.4’, ‘1.2.3.5’, ‘1.2.3.6’ ]

24. Service Discovery B = ‘1.2.3.4’

25. Service Discovery 1.2.3.4

26. Service Discovery

27. Service Mesh

28. Service Segmentation

29. Service Segmentation

30. Service Segmentation

31. Service Segmentation

32. Service Segmentation

33. Consul Service Mesh

34. Control Plane vs. Data Plane • Consul as Control Plane

    • Pluggable Proxies as Data Plane • Instructions to proxies are cached on the Consul agent • New instructions are pulled only on changes

35. Certificate Authority

36. Certificate Generation • X.509 Certificate • SPIFFE Compatible • Automatic

    Generation & Rotation • Provides Identity and Encryption

37. Service Access Graph

38. $ consul intention create -deny web '*' Created: web =>

    * (deny) $ consul intention create -allow web db Created: web => db (allow) TERMINAL Service Graph Codify Intentions Same intentions are applied no matter where the service exists

39. Web UI Manage intentions via web interface

40. Application Integration

41. Sidecar Proxies Sidecar proxy to secure traffic for any application

    Consul provides sidecar proxies running alongside applications to transparently wraps traffic in TLS and enforces the intentions. • No code modification required • Minimal performance overhead • Pluggable data plane: Built-in Layer 4 proxy, native Envoy integration or other third-party proxy integration • Operational flexibility, decoupling security concern from the application itself

42. apiVersion: v1 kind: Pod metadata: name: cats annotations: "consul.hashicorp.com/connect-inject": "true"

    spec: containers: - name: cats image: grove-mountain/cats:1.0.1 ports: - containerPort: 8000 name: http TERMINAL Proxy Registration Kubernetes

43. Sidecar Proxies

44. Sidecar Proxies

45. Sidecar Proxies

46. L7 Traffic Management

47. L4 Traffic "web.service.consul"

48. L7 Traffic Management HTTP Routing Traffic Splitting Custom Resolution "web.service.consul"

49. L7 Traffic Management HTTP Routing Traffic Splitting Custom Resolution "web.service.consul"

    /api => service: "api" path: "/" Subset: "v2" v1 v2 v1 Meta.Version == 2

50. Mesh Gateways

51. Mesh Gateways Single Kubernetes cluster Most Service Meshes are build

    for a single cluster. Multi-cluster Service Mesh Connection multiple Service Meshes across different Kubernetes clusters not solved yet. Service Mesh across clouds Connection Services Meshes across different environments (Clouds, On-Prem, etc.) requires a lot of work. Multi-Cloud and -Cluster challenge

52. Mesh Gateways

53. Mesh Gateways

54. Mesh Gateways • Mesh gateways, built upon Envoy, will sit

    on the public internet and accept L4 traffic with mTLS • Mesh gateways will perform NAT and route the traffic to correct endpoint on the private network • All the services need NOT be exposed on public network for cross cloud service communication

55. Kubernetes Integration

56. Native Service Mesh Integration with Kubernetes • Consul Helm Chart:

    Automatically install, configure and upgrade Consul servers and clients on Kubernetes • Consul Connect Auto-Inject: Services on Kubernetes can be configured to automatically use Connect to securely communicate via mutual TLS • Mesh Gateway: Easily connect multiple Kubernetes clusters Zero-touch deployment to enable federated multi-cluster communication on Kubernetes. Kubernetes and non-Kubernetes services can be discovered and connected automatically.

57. Demo

58. Consul Connect Multi-Cloud Demo Environment

59. Consul Connect Multi-Cloud Demo Environment Client HTTP GET / web-be

    VM web-fe VM web-be VM

60. Consul Connect Multi-Cloud Demo Environment Client HTTP GET / web-be

    VM web-fe VM api api web-be VM

61. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api api web-be VM

62. TERMINAL Kind = "service-router" Name = "web-be" Routes = [

    { Match { HTTP { Path_Prefix = "/api" } } Destination { Service = "api", Prefix_Rewrite = "/" } } ] L7 Traffic Management HTTP Routing • Path (exact, prefix, regex) • Header • Query Params • HTTP Methods

63. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api api web-be VM

64. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api V1 api V1 web-be VM

65. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api V1 api V1 api V2 api V2 web-be VM

66. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api V1 api V1 api V2 api V2 v2 20% v1 80% web-be VM

67. TERMINAL Kind = "service-splitter" Name = "api" Splits = [

    { Weight = 80 Service_Subset = "v1" }, { Weight = 20 Service_Subset = "v2" } ] L7 Traffic Management Traffic Splitting

68. L7 Traffic Management Custom Resolution TERMINAL Kind = "service-resolver" Name

    = "api" DefaultSubset = "v1" Subsets = { "v1" = { Filter = "Service.Meta.version == v1" }, "v2" = { Filter = "Service.Meta.version == v2" }, }

69. Consul Connect Multi-Cloud Demo Environment web-be VM web-fe VM Client

    HTTP GET /api api V1 api V1 api V2 api V2 v2 20% v1 80% web-be VM

70. Consul Connect Multi-Cloud Demo Environment Client HTTP GET / web-be

    VM web-fe VM api V1 api V1 api V2 api V2 web-be VM

71. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api V1 api V1 api V2 api V2 v2 20% v1 80% web-be VM

72. Consul Connect Multi-Cloud Demo Environment Client HTTP GET /api web-be

    VM web-fe VM api V1 api V1 api V2 api V2 v2 20% v1 80% web-be VM web-fe pod

73. Consul Connect Multi-Cloud Demo Environment web-be VM web-fe VM api

    V1 api V1 api V2 api V2 v2 20% v1 80% web-be VM Client HTTP GET /api web-fe pod

74. Consul Connect Multi-Cloud Demo Environment Client HTTP GET / web-be

    VM web-fe VM api V1 api V1 api V2 api V2 web-be VM web-fe pod

75. www.hashicorp.com [email protected] Thank you

76. www.hashicorp.com [email protected] Find us at booth S27