
Prisma Cloud
November 18, 2019

Securing Kubernetes Networking with Consul Connect and Envoy

Today’s organizations are faced with the challenge of securely deploying and connecting services in cloud environments. Kubernetes and service mesh are popular solutions, but how should you get started?

In this talk, Christoph Puhl will share how the open source Consul Connect and Envoy can be used to solve both network segmentation and seamless transport security with mutual TLS within your Kubernetes cluster. In addition to this, we will see how Connect can provide encrypted and authorized access to services and data stores which are running outside the cluster and potentially in a separate and isolated network.

Transcript

  1. Securing Kubernetes Networking with Consul Connect and Envoy
     Christoph Puhl, Consul Technology Specialist, Field CTO Office, HashiCorp
     [email protected] | @cpu601
     © 2019 Palo Alto Networks. All Rights Reserved.
  2. The Cloud Landscape (static to dynamic: Dedicated, Private Cloud, AWS, Azure, GCP)
     Provision (Operations): Hardware | vCenter | CloudFormation | Resource Manager | Cloud Deployment Manager; Terraform across all of them
     Secure (Security): IP: Hardware | Identity: AD/LDAP | Identity: AWS IAM | Identity: Azure AD | Identity: GCP IAM
     Connect (Networking): Hardware; Various Hardware; Proprietary; Istio; Proprietary; CloudMap; AppMesh
     Run (Development): vSphere | vSphere | EKS/ECS, Lambda | AKS/ACS, Azure Functions | GKE, Cloud Functions
  3. A Common Operating Model with HashiCorp
     Provision (Operations), Secure (Security), Connect (Networking), Run (Development), the same across Private Cloud, AWS, Azure and GCP
  4. Control Plane vs. Data Plane
     • Consul as control plane
     • Pluggable proxies as data plane
     • Instructions to proxies are cached on the Consul agent
     • New instructions are pulled only on changes
  5. Certificate Generation
     • X.509 certificate
     • SPIFFE compatible
     • Automatic generation and rotation
     • Provides identity and encryption
  6. Service Graph: Codify Intentions
     The same intentions are applied no matter where the service exists.

       $ consul intention create -deny web '*'
       Created: web => * (deny)
       $ consul intention create -allow web db
       Created: web => db (allow)
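The two commands on the slide produce a service graph in which web may reach db and nothing else. The Python below is an added example for this page, not Consul's own code: it models how Consul picks the intention that applies to a source/destination pair, using the documented precedence for service-level intentions (exact source and exact destination beats exact source with wildcard destination, which beats wildcard source with exact destination, which beats wildcard on both) and the ACL default policy as the fallback when nothing matches. The `intention_from_cli` helper, the `acl_default_deny` flag and the ZERO_TRUST_INTENTIONS set are assumptions of the example.

```python
"""Model of how Consul Connect evaluates intentions (added example, not Consul's code).

Assumptions: service-level intentions only (source and destination service
names, "*" as wildcard); precedence follows Consul's documented order,
exact/exact (9) > exact/wildcard (8) > wildcard/exact (6) > wildcard/wildcard (5);
when no intention matches, the ACL default policy decides (allow unless the
agents run with default_policy = "deny").
"""
import shlex
from dataclasses import dataclass
from typing import Iterable, List

WILDCARD = "*"


@dataclass(frozen=True)
class Intention:
    source: str
    destination: str
    action: str  # "allow" or "deny"

    def matches(self, src: str, dst: str) -> bool:
        return self.source in (WILDCARD, src) and self.destination in (WILDCARD, dst)

    @property
    def precedence(self) -> int:
        src_exact = self.source != WILDCARD
        dst_exact = self.destination != WILDCARD
        if src_exact and dst_exact:
            return 9
        if src_exact:
            return 8
        if dst_exact:
            return 6
        return 5


def intention_from_cli(args: str) -> Intention:
    """Turn the argument tail of `consul intention create`, e.g. "-deny web '*'",
    into an Intention. Helper assumed for this example; it understands only the
    -allow/-deny flags and the positional SRC DST arguments."""
    action = "allow"
    positional: List[str] = []
    for tok in shlex.split(args):
        if tok == "-deny":
            action = "deny"
        elif tok == "-allow":
            action = "allow"
        else:
            positional.append(tok)
    if len(positional) != 2:
        raise ValueError("expected SRC and DST, got %r" % positional)
    return Intention(positional[0], positional[1], action)


def decide(intentions: Iterable[Intention], src: str, dst: str,
           acl_default_deny: bool = False) -> str:
    """Return "allow" or "deny" for a connection from src to dst: the matching
    intention with the highest precedence wins; with no match the ACL default
    policy applies."""
    matching = [i for i in intentions if i.matches(src, dst)]
    if not matching:
        return "deny" if acl_default_deny else "allow"
    return max(matching, key=lambda i: i.precedence).action


# The service graph from the slide: deny web -> everything, then allow web -> db.
SLIDE_INTENTIONS = [
    intention_from_cli("-deny web '*'"),
    intention_from_cli("-allow web db"),
]

# Tighter baseline (constructed for this example): deny every pair first, then
# add explicit allows, so a service the slide never mentions is not allowed by
# the ACL default policy.
ZERO_TRUST_INTENTIONS = [
    intention_from_cli("-deny '*' '*'"),
    intention_from_cli("-allow web db"),
    intention_from_cli("-allow web-fe web-be"),
]


def explain(intentions: Iterable[Intention], pairs):
    """Evaluate several (src, dst) pairs; returns {(src, dst): decision}."""
    return {(s, d): decide(intentions, s, d) for s, d in pairs}


if __name__ == "__main__":
    pairs = [("web", "db"), ("web", "api"), ("api", "db")]
    for name, ints in (("slide", SLIDE_INTENTIONS), ("zero-trust", ZERO_TRUST_INTENTIONS)):
        print(name, explain(ints, pairs))
```

The point the second intention set makes: with only the slide's two intentions, a pair such as api -> db matches nothing and is decided by the ACL default policy, which is allow unless the cluster runs with a deny default. A wildcard deny on both sides, or an ACL default of deny, turns the graph into an allow-list.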
  7. Sidecar Proxies
     Sidecar proxy to secure traffic for any application
     Consul provides sidecar proxies running alongside applications that transparently wrap traffic in TLS and enforce the intentions.
     • No code modification required
     • Minimal performance overhead
     • Pluggable data plane: built-in Layer 4 proxy, native Envoy integration or other third-party proxy integration
     • Operational flexibility: the security concern is decoupled from the application itself
  8. Proxy Registration: Kubernetes

       apiVersion: v1
       kind: Pod
       metadata:
         name: cats
         annotations:
           "consul.hashicorp.com/connect-inject": "true"
       spec:
         containers:
           - name: cats
             image: grove-mountain/cats:1.0.1
             ports:
               - containerPort: 8000
                 name: http
  9. L7 Traffic Management: HTTP Routing, Traffic Splitting, Custom Resolution
     (diagram: a request to "web.service.consul" with path /api is routed to service "api" with path "/"; the "v2" subset is selected among v1/v2 instances by Meta.Version == 2)
  10. Mesh Gateways: the multi-cloud and multi-cluster challenge
      • Single Kubernetes cluster: most service meshes are built for a single cluster.
      • Multi-cluster service mesh: connecting multiple service meshes across different Kubernetes clusters is not solved yet.
      • Service mesh across clouds: connecting service meshes across different environments (clouds, on-prem, etc.) requires a lot of work.
  11. Mesh Gateways
      • Mesh gateways, built upon Envoy, sit on the public internet and accept L4 traffic with mTLS
      • Mesh gateways perform NAT and route the traffic to the correct endpoint on the private network (the gateway routes on the TLS SNI of the incoming connection and does not terminate the mTLS session, so it never sees plaintext)
      • Services need NOT be exposed on the public network for cross-cloud service communication
  12. Native Service Mesh Integration with Kubernetes
      • Consul Helm Chart: automatically install, configure and upgrade Consul servers and clients on Kubernetes
      • Consul Connect Auto-Inject: services on Kubernetes can be configured to automatically use Connect to securely communicate via mutual TLS
      • Mesh Gateway: easily connect multiple Kubernetes clusters
      Zero-touch deployment to enable federated multi-cluster communication on Kubernetes. Kubernetes and non-Kubernetes services can be discovered and connected automatically.
  13. L7 Traffic Management: HTTP Routing
      • Path (exact, prefix, regex)
      • Header
      • Query params
      • HTTP methods

        Kind = "service-router"
        Name = "web-be"
        Routes = [
          {
            Match { HTTP { Path_Prefix = "/api" } }
            Destination {
              Service        = "api"
              Prefix_Rewrite = "/"
            }
          }
        ]
  14. Consul Connect Multi-Cloud Demo Environment (diagram): client sends HTTP GET /api to web-be (VM); web-fe (VM); api instances v1, v1, v2, v2
  15. Consul Connect Multi-Cloud Demo Environment (diagram): as slide 14, with traffic to api split v1 80% / v2 20%
  16. L7 Traffic Management: Traffic Splitting

        Kind = "service-splitter"
        Name = "api"
        Splits = [
          {
            Weight         = 80
            Service_Subset = "v1"
          },
          {
            Weight         = 20
            Service_Subset = "v2"
          }
        ]
  17. L7 Traffic Management: Custom Resolution

        Kind = "service-resolver"
        Name = "api"
        DefaultSubset = "v1"
        Subsets = {
          "v1" = { Filter = "Service.Meta.version == v1" }
          "v2" = { Filter = "Service.Meta.version == v2" }
        }
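The router on slide 13, the splitter on slide 16 and the resolver above form one resolution chain: the router picks the destination service and rewrites the path, the splitter picks a subset by weight, and the resolver turns the subset into catalog instances by filtering on service metadata. The Python below is an added example for this page, not Consul's or Envoy's code, that walks a request through that chain against a constructed catalog. It assumes the config entries as Python dicts with the documented camel-case keys (PathPrefix, PrefixRewrite, ServiceSubset; the slides show the equivalent snake_case HCL spelling), models only HTTP PathPrefix matching and `Service.Meta.<key> == <value>` filters, and evaluates the split by bucketing a number in [0, 100) against cumulative weights so the outcome can be checked deterministically.

```python
"""Walk a request through service-router -> service-splitter -> service-resolver
(added example, not Consul's code). See the lead-in for the assumptions."""
import random
import re
from typing import Dict, List, Optional, Tuple

# Constructed catalog: two api v1 instances, one api v2 instance, one web-be.
CATALOG: Dict[str, List[dict]] = {
    "api": [
        {"ID": "api-1", "Address": "10.0.0.11", "Port": 8080, "Meta": {"version": "v1"}},
        {"ID": "api-2", "Address": "10.0.0.12", "Port": 8080, "Meta": {"version": "v1"}},
        {"ID": "api-3", "Address": "10.0.0.13", "Port": 8080, "Meta": {"version": "v2"}},
    ],
    "web-be": [
        {"ID": "web-be-1", "Address": "10.0.0.21", "Port": 8000, "Meta": {}},
    ],
}

# The three config entries from the slides, as dicts with camel-case keys.
ROUTER = {"Kind": "service-router", "Name": "web-be", "Routes": [
    {"Match": {"HTTP": {"PathPrefix": "/api"}},
     "Destination": {"Service": "api", "PrefixRewrite": "/"}},
]}
SPLITTER = {"Kind": "service-splitter", "Name": "api", "Splits": [
    {"Weight": 80, "ServiceSubset": "v1"},
    {"Weight": 20, "ServiceSubset": "v2"},
]}
RESOLVER = {"Kind": "service-resolver", "Name": "api", "DefaultSubset": "v1", "Subsets": {
    "v1": {"Filter": "Service.Meta.version == v1"},
    "v2": {"Filter": "Service.Meta.version == v2"},
}}

# Only the filter shape used on the slide is supported (assumption of this example).
_FILTER_RE = re.compile(r'^Service\.Meta\.(\w+)\s*==\s*"?([^"\s]+)"?$')


def route(router: dict, path: str) -> Tuple[str, str]:
    """Return (destination service, rewritten path) for an HTTP request path.
    The prefix is replaced literally, as Envoy's prefix_rewrite does, so
    "/api/items" with PathPrefix "/api" and PrefixRewrite "/" becomes "//items";
    match on "/api/" if that is not wanted."""
    for rt in router["Routes"]:
        prefix = rt["Match"]["HTTP"].get("PathPrefix")
        if prefix is not None and path.startswith(prefix):
            dest = rt["Destination"]
            new_path = dest["PrefixRewrite"] + path[len(prefix):] if "PrefixRewrite" in dest else path
            return dest["Service"], new_path
    return router["Name"], path  # no route matched: stay on the router's own service


def split(splitter: dict, r: int) -> str:
    """Pick the subset whose cumulative-weight bucket contains r (0 <= r < 100)."""
    total = sum(s["Weight"] for s in splitter["Splits"])
    if total != 100:
        raise ValueError("splitter weights must sum to 100, got %d" % total)
    acc = 0
    for s in splitter["Splits"]:
        acc += s["Weight"]
        if r < acc:
            return s["ServiceSubset"]
    raise ValueError("r must be in [0, 100)")


def resolve(resolver: dict, catalog: Dict[str, List[dict]],
            subset: Optional[str] = None) -> List[dict]:
    """Filter the resolver's service instances down to the named (or default) subset."""
    instances = catalog[resolver["Name"]]
    subset = subset or resolver.get("DefaultSubset")
    if subset is None:
        return instances
    m = _FILTER_RE.match(resolver["Subsets"][subset]["Filter"])
    if m is None:
        raise ValueError("unsupported filter expression")
    key, value = m.group(1), m.group(2)
    return [i for i in instances if i.get("Meta", {}).get(key) == value]


def handle(path: str, r: int, catalog=CATALOG):
    """Router, then splitter, then resolver, for a request entering web-be's
    sidecar. Returns (service, subset, rewritten path, instance IDs)."""
    service, new_path = route(ROUTER, path)
    subset = split(SPLITTER, r) if service == SPLITTER["Name"] else None
    instances = resolve(RESOLVER, catalog, subset) if service == RESOLVER["Name"] else catalog[service]
    return service, subset, new_path, [i["ID"] for i in instances]


def v2_share(n: int, seed: int = 1) -> float:
    """Fraction of n simulated GET /api requests that land on the v2 subset."""
    rng = random.Random(seed)
    return sum(1 for _ in range(n) if handle("/api", rng.randrange(100))[1] == "v2") / n


if __name__ == "__main__":
    print(handle("/api", 85))
    print(handle("/", 5))
    print("v2 share over 10000 requests:", v2_share(10000))
```

Two things worth checking before shipping such a chain: a request path that does not start with /api stays on web-be and never touches the splitter, and an instance whose Meta.version is missing or misspelled belongs to no subset and silently drops out of both v1 and v2.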
  18. Consul Connect Multi-Cloud Demo Environment (diagram): client HTTP GET /api via web-be (VM) and web-fe (VM) to the api instances v1, v1, v2, v2, split v1 80% / v2 20%
  19. Consul Connect Multi-Cloud Demo Environment (diagram): client HTTP GET / via web-be (VM) to web-fe (VM); api instances not on the request path
  20. Consul Connect Multi-Cloud Demo Environment (diagram): as slide 18
  21. Consul Connect Multi-Cloud Demo Environment (diagram): as slide 18, with a web-fe pod added next to the web-fe VM
  22. Consul Connect Multi-Cloud Demo Environment (diagram): as slide 21
  23. Consul Connect Multi-Cloud Demo Environment (diagram): client HTTP GET / via web-be (VM) to the web-fe VM and the web-fe pod; api instances not on the request path