Workshop - Service Mesh Hub

Transcript

1. Workshop Multi-Cluster Service Mesh Operations

2. 2 | Copyright © 2020 From Monolith to Microservices MONOLITH

   MICROSERVICES

3. 3 | Copyright © 2020 How do you expose your

   applications ? MICROSERVICES EDGE GATEWAY Connect Secure Control Observe

4. 4 | Copyright © 2020 How do internal services talk

   together ? THE OLD WAY MICROSERVICES API GATEWAY Connect Secure Control Observe

5. 5 | Copyright © 2020 How do internal services talk

   together ? THE OLD WAY MICROSERVICES API GATEWAY Connect Secure Control Observe

6. 6 | Copyright © 2020 How do internal services talk

   together ? THE NEW WAY SERVICE MESH Connect Secure Control Observe

7. 7 | Copyright © 2020 Istio Architecture

8. 8 | Copyright © 2020 Istio Multicluster (shared control plane)

9. 9 | Copyright © 2020 Istio Multicluster (replicated control plane)

10. 10 | Copyright © 2020 Multicluster Service Mesh challenges •

    You need Federated Trust and Identity • You need to allow communications between clusters • You need to manage access control globally • You need to define a Disaster Recovery strategy • You need to secure the Edge as well • All of the above is highly complex

11. 11 | Copyright © 2020 Service Mesh Hub is simplifying

    everything MULTI-CLUSTER STATE MESH TRAFFIC TARGET WORKLOAD TRAFFIC POLICY ACCESS POLICY VIRTUAL MESH ISSUED CERTIFICATE CREATE CUSTOM RESOURCES WATCH MESH DISCOVERY MESH NETWORKING DISCOVER & WATCH MESH, PODS, SERVICES CREATE POLICIES SIGN CERTS CLUSTER CLUSTER CLUSTER istiod istiod istiod

12. 12 | Copyright © 2020 SMH Mesh Discovery CLUSTER CLUSTER

    CLUSTER istiod istiod istiod MULTI-CLUSTER STATE MESH TRAFFIC TARGET WORKLOAD CREATE CUSTOM RESOURCES MESH DISCOVERY InputSnapshot MeshTranslator WorkloadTranslator TrafficTargetTranslator StartDiscover y SECRET ADDED KUBERNETES CLUSTER CRD ADDED OutputSnapshot

13. 13 | Copyright © 2020 SMH Mesh Networking MESH NETWORKING

    InputSnapshot VirtualMeshTranslator FederationTranslator FailoverTranslator StartNetworkin g TRAFFIC POLICY ACCESS POLICY VIRTUAL MESH ISSUED CERTIFICATE WATCH mtlsTranslator TrafficTargetTranslator CERT OutputSnapshot TrafficPolicyTranslator AccessPolicyTranslator CLUSTER istiod

14. 14 | Copyright © 2020 14 | Copyright © 2020

    Labs Environment

15. 15 | Copyright © 2020 on Cluster 1 Cluster 2

    Cluster 3

16. 16 | Copyright © 2020 16 | Copyright © 2020

    Lab 1 Deploy your Kubernetes clusters

17. 17 | Copyright © 2020 17 | Copyright © 2020

    Lab 2 Deploy Service Mesh Hub and register the clusters

18. 18 | Copyright © 2020 18 | Copyright © 2020

    Lab 3 Deploy Istio on both clusters

19. 19 | Copyright © 2020 19 | Copyright © 2020

    Lab 4 Deploy the Bookinfo demo app

20. 20 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Current state

21. 21 | Copyright © 2020 21 | Copyright © 2020

    Federated Trust and Identity

22. 22 | Copyright © 2020 Istio Identity

23. 23 | Copyright © 2020 Service to Service Authentication •

    By default the TLS protocol only proves the identity of the server to the client using X.509 certificate and the authentication of the client to the server is left to the application layer. • Mutual TLS authentication refers to two parties authenticating each other at the same time. • In Istio, Mutual TLS work as follow: − Istio re-routes the outbound traffic from a client to the client’s local sidecar Envoy. − The client side Envoy starts a mutual TLS handshake with the server side Envoy. During the handshake, the client side Envoy also does a secure naming check to verify that the service account presented in the server certificate is authorized to run the target service. − The client side Envoy and the server side Envoy establish a mutual TLS connection, and Istio forwards the traffic from the client side Envoy to the server side Envoy. − After authorization, the server side Envoy forwards the traffic to the server service through local TCP connections.

24. 24 | Copyright © 2020 SPIFFE ID • SPIFFE, the

    Secure Production Identity Framework for Everyone, is a set of open- source standards for securely identifying software systems in dynamic and heterogeneous environments. Systems that adopt SPIFFE can easily and reliably mutually authenticate wherever they are running. • A SPIFFE ID is a string that uniquely and specifically identifies a workload. SPIFFE IDs are a Uniform Resource Identifier (URI) which takes the following format: spiffe://trust domain/workload identifier

25. 25 | Copyright © 2020 SPIFFE ID in Istio •

    The SPIFFE ID of a workload looks like spiffe://<trust domain>/ns/<namespace>/sa/<service account> • The default trust domain is cluster.local, so a the SPIFFE ID corresponding to a Pod started with the service account pod-sa in the default namespace would be spiffe://cluster.local/ns/default/sa/pod-sa. • In a multi-cluster deployment, using the cluster.local trust domain is a problem because there would be no way to differentiate a workload of a cluster from one of another cluster if they use the same service account and namespace names. • Istio allows you to use a different trust domain using the trustDomain parameter of the MeshConfig option.

26. 26 | Copyright © 2020 Istio Multicluster (replicated control plane)

27. 27 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Virtual Mesh creation workflow CERT-AGENT CERT-AGENT CREATE CERTIFICATE / KEY AND CSR SHARED ROOT SIGN CERT WITH SHARED ROOT

28. 28 | Copyright © 2020 28 | Copyright © 2020

    Lab 5 Create the Virtual Mesh

29. 29 | Copyright © 2020 29 | Copyright © 2020

    Global Access Control

30. 30 | Copyright © 2020 Istio Authorization

31. 31 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER RBAC disabled

32. 32 | Copyright © 2020 Enable RBAC apiVersion: networking.smh.solo.io/v1alpha2 kind:

    VirtualMesh metadata: name: virtual-mesh namespace: service-mesh-hub spec: mtlsConfig: autoRestartPods: true shared: rootCertificateAuthority: generated: null federation: {} globalAccessPolicy: ENABLED meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub - name: istiod-istio-system-kind3 namespace: service-mesh-hub apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: global-access-control namespace: istio-system spec: {} apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub spec: rules: - {} selector: matchLabels: istio: ingressgateway CLUSTER 2 CLUSTER 1 CLUSTER 2

33. 33 | Copyright © 2020 Enable RBAC apiVersion: networking.smh.solo.io/v1alpha2 kind:

    VirtualMesh metadata: name: virtual-mesh namespace: service-mesh-hub spec: mtlsConfig: autoRestartPods: true shared: rootCertificateAuthority: generated: null federation: {} globalAccessPolicy: ENABLED meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub - name: istiod-istio-system-kind3 namespace: service-mesh-hub apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: global-access-control namespace: istio-system spec: {} CLUSTER 3 CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub spec: rules: - {} selector: matchLabels: istio: ingressgateway CLUSTER 3

34. 34 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER RBAC enabled

35. 35 | Copyright © 2020 Ingress Gateway apiVersion: networking.smh.solo.io/v1alpha2 kind:

    AccessPolicy metadata: namespace: service-mesh-hub name: istio-ingressgateway spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: istio-ingressgateway- service-account namespace: istio-system clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: productpage CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: annotations: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: productpage namespace: default spec: rules: - from: - source: principals: - kind2/ns/istio- system/sa/istio-ingressgateway- service-account selector: matchLabels: app: productpage CLUSTER 2

36. 36 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Ingress Gateway

37. 37 | Copyright © 2020 Productpage apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy

    metadata: namespace: service-mesh-hub name: productpage spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-productpage namespace: default clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: details - kubeServiceMatcher: namespaces: - default labels: service: reviews CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: details namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-productpage selector: matchLabels: app: reviews CLUSTER 2 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: details namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-productpage selector: matchLabels: app: details CLUSTER 2

38. 38 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Productpage

39. 39 | Copyright © 2020 Reviews apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy

    metadata: namespace: service-mesh-hub name: reviews spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-reviews namespace: default clusterName: kind2 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: ratings CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: ratings namespace: default spec: rules: - from: - source: principals: - kind2/ns/default/sa/bookinfo-reviews selector: matchLabels: app: ratings CLUSTER 2

40. 40 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Reviews

41. 41 | Copyright © 2020 41 | Copyright © 2020

    Lab 6 Access Control

42. 42 | Copyright © 2020 42 | Copyright © 2020

    Multi-cluster Traffic

43. 43 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Before

44. 44 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER After

45. 45 | Copyright © 2020 Traffic Policy apiVersion: networking.smh.solo.io/v1alpha2 kind:

    TrafficPolicy metadata: namespace: service-mesh-hub name: simple spec: destinationSelector: - kubeServiceRefs: services: - clusterName: kind2 name: reviews namespace: default trafficShift: destinations: - kubeService: clusterName: kind3 name: reviews namespace: default subset: version: v3 weight: 75 - kubeService: clusterName: kind2 name: reviews namespace: default subset: version: v1 weight: 15 - kubeService: clusterName: kind2 name: reviews namespace: default subset: version: v2 weight: 10 CLUSTER 1

46. 46 | Copyright © 2020 apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata:

    labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: hosts: - reviews.default.svc.cluster.local http: - route: - destination: host: reviews.default.svc.kind3.global subset: version-v3 weight: 75 - destination: host: reviews.default.svc.cluster.local subset: version-v1 weight: 15 - destination: host: reviews.default.svc.cluster.local subset: version-v2 weight: 10 CLUSTER 2 apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews.default.svc.kind3.global namespace: istio-system spec: addresses: - 253.124.25.94 endpoints: - address: 172.18.0.230 labels: cluster: kind3 ports: http: 15443 hosts: - reviews.default.svc.kind3.global location: MESH_INTERNAL ports: - name: http number: 9080 protocol: TCP resolution: DNS CLUSTER 2 apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews.default.svc.kind3.global namespace: istio-system spec: host: reviews.default.svc.kind3.global subsets: - labels: cluster: kind3 name: version-v3 - labels: cluster: kind3 name: version-v1 - labels: cluster: kind3 name: version-v2 trafficPolicy: tls: mode: ISTIO_MUTUAL CLUSTER 2

47. 47 | Copyright © 2020 apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata:

    labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh- hub name: virtual-mesh.service-mesh-hub namespace: istio-system spec: configPatches: - applyTo: NETWORK_FILTER match: context: GATEWAY listener: filterChain: filter: name: envoy.filters.network.sni_cluster portNumber: 15443 patch: operation: INSERT_AFTER value: name: envoy.filters.network.tcp_cluster_rewrite typed_config: '@type': type.googleapis.com/istio.envoy.config.filter.n etwork.tcp_cluster_rewrite.v2alpha1.TcpClusterR ewrite cluster_pattern: \.kind3.global$ cluster_replacement: .cluster.local workloadSelector: labels: istio: ingressgateway CLUSTER 3 apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local subsets: - labels: version: v3 name: version-v3 - labels: version: v1 name: version-v1 - labels: version: v2 name: version-v2 trafficPolicy: tls: mode: ISTIO_MUTUAL CLUSTER 3 apiVersion: v1 kind: Pod metadata: labels: app: reviews istio.io/rev: default pod-template-hash: d978546db security.istio.io/tlsMode: istio service.istio.io/canonical-name: reviews service.istio.io/canonical-revision: v3 version: v3 name: reviews-v3-d978546db-dj59b namespace: default spec: ... CLUSTER 3 apiVersion: v1 kind: Service metadata: labels: app: reviews service: reviews name: reviews namespace: default spec: clusterIP: 10.97.193.52 ports: - name: http port: 9080 protocol: TCP targetPort: 9080 selector: app: reviews sessionAffinity: None type: ClusterIP status: loadBalancer: {} CLUSTER 3

48. 48 | Copyright © 2020 Reviews apiVersion: networking.smh.solo.io/v1alpha2 kind: AccessPolicy

    metadata: namespace: service-mesh-hub name: reviews spec: sourceSelector: - kubeServiceAccountRefs: serviceAccounts: - name: bookinfo-reviews namespace: default clusterName: kind2 - name: bookinfo-reviews namespace: default clusterName: kind3 destinationSelector: - kubeServiceMatcher: namespaces: - default labels: service: ratings CLUSTER 1 apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: ratings namespace: default spec: rules: - from: - source: principals: - kind3/ns/default/sa/bookinfo-reviews selector: matchLabels: app: ratings CLUSTER 3

49. 49 | Copyright © 2020 49 | Copyright © 2020

    Lab 7 Multi-cluster Traffic

50. 50 | Copyright © 2020 50 | Copyright © 2020

    Traffic Failover

51. 51 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER Before Failover

52. 52 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE INGRESS GATEWAY

    INGRESS GATEWAY REVIEWS istiod istiod DETAILS RATINGS PRODUCTPAGE REVIEWS RATINGS DETAILS v3 v1 v2 v1 v2 CLUSTER After Failover

53. 53 | Copyright © 2020 Outlier Detection apiVersion: networking.smh.solo.io/v1alpha2 kind:

    TrafficPolicy metadata: namespace: service-mesh-hub name: mgmt-reviews-outlier spec: destinationSelector: - kubeServiceRefs: services: - name: reviews namespace: default clusterName: kind2 - name: reviews namespace: default clusterName: kind3 outlierDetection: consecutiveErrors: 1 interval: 10s baseEjectionTime: 2m apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local trafficPolicy: outlierDetection: baseEjectionTime: 120s consecutive5xxErrors: 1 interval: 10s maxEjectionPercent: 100 tls: mode: ISTIO_MUTUAL maxEjectionPercent default value is 10% ! apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: labels: cluster.multicluster.solo.io: kind3 owner.networking.smh.solo.io: service-mesh-hub name: reviews namespace: default spec: host: reviews.default.svc.cluster.local trafficPolicy: outlierDetection: baseEjectionTime: 120s consecutive5xxErrors: 1 interval: 10s maxEjectionPercent: 100 tls: mode: ISTIO_MUTUAL CLUSTER 1 CLUSTER 2 CLUSTER 3

54. 54 | Copyright © 2020 Envoy Filter apiVersion: networking.smh.solo.io/v1alpha2 kind:

    FailoverService metadata: name: reviews-failover namespace: service-mesh-hub spec: hostname: reviews-failover.default.global port: number: 9080 protocol: http meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub backingServices: - kubeService: name: reviews namespace: default clusterName: kind2 - kubeService: name: reviews namespace: default clusterName: kind3 apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: creationTimestamp: "2020-09-03T08:26:14Z" generation: 1 labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service-mesh-hub name: reviews-failover namespace: istio-system spec: configPatches: - applyTo: CLUSTER match: cluster: name: outbound|9080||reviews-failover.default.global patch: operation: REMOVE - applyTo: CLUSTER match: cluster: name: outbound|9080||reviews-failover.default.global patch: operation: ADD value: cluster_type: name: envoy.clusters.aggregate typed_config: '@type': type.googleapis.com/udpa.type.v1.TypedStruct type_url: type.googleapis.com/envoy.config.cluster.aggregate.v2alpha.ClusterConfig value: clusters: - outbound|9080||reviews.default.svc.cluster.local - outbound|9080||reviews.default.svc.kind3.global connect_timeout: 1s lb_policy: CLUSTER_PROVIDED name: outbound|9080||reviews-failover.default.global CLUSTER 1 CLUSTER 2

55. 55 | Copyright © 2020 Service Entry apiVersion: networking.smh.solo.io/v1alpha2 kind:

    FailoverService metadata: name: reviews-failover namespace: service-mesh-hub spec: hostname: reviews-failover.default.global port: number: 9080 protocol: http meshes: - name: istiod-istio-system-kind2 namespace: service-mesh-hub backingServices: - kubeService: name: reviews namespace: default clusterName: kind2 - kubeService: name: reviews namespace: default clusterName: kind3 apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: creationTimestamp: "2020-09-03T08:26:14Z" generation: 1 labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service- mesh-hub name: reviews-failover namespace: service-mesh-hub spec: addresses: - 240.76.63.152 hosts: - reviews-failover.default.global location: MESH_INTERNAL ports: - name: http number: 9080 protocol: http resolution: DNS CLUSTER 1 CLUSTER 2

56. 56 | Copyright © 2020 Virtual Service apiVersion: networking.smh.solo.io/v1alpha2 kind:

    TrafficPolicy metadata: name: reviews-shift-failover namespace: default spec: destinationSelector: - kubeServiceRefs: services: - clusterName: kind2 name: reviews namespace: default trafficShift: destinations: - failoverServiceRef: name: reviews-failover namespace: service-mesh-hub apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: labels: cluster.multicluster.solo.io: kind2 owner.networking.smh.solo.io: service- mesh-hub name: reviews namespace: default spec: hosts: - reviews.default.svc.cluster.local http: - route: - destination: host: reviews- failover.default.global port: number: 9080 CLUSTER 1 CLUSTER 2

57. 57 | Copyright © 2020 57 | Copyright © 2020

    Lab 8 Traffic Failover

58. 58 | Copyright © 2020 58 | Copyright © 2020

    Securing the Edge

59. 59 | Copyright © 2020 How do you secure the

    Edge ? • The Istio Ingress Gateway can be used for that purpose, but it doesn’t provide the functionalities that you generally get in modern Edge/API Gateways like: − External authentication (OAuth, API keys, JWT, …) − Rate limiting − Complex transformations − ...

60. 60 | Copyright © 2020 That’s exactly what Gloo does

61. 61 | Copyright © 2020 CLUSTER CLUSTER PRODUCTPAGE REVIEWS istiod

    istiod PRODUCTPAGE REVIEWS CLUSTER ISTIO INGRESS GATEWAY ISTIO INGRESS GATEWAY

62. 62 | Copyright © 2020 But how do you integrate

    them ? Istio Ingress Gateway • Gloo can access the services directly and take all the routing decisions • The communications between Gloo and the services are secured with mTLS. SERVICE MESH

63. 63 | Copyright © 2020 63 | Copyright © 2020

    Lab 9 Securing the Edge

64. 64 | Copyright © 2020 But how do you integrate

    them ? Istio Ingress Gateway • Gloo can send the requests to the Istio Ingress Gateway and let it take the routing decisions • The communications between Gloo and Istio Ingress Gateway the services are secured with mTLS. SERVICE MESH

65. 65 | Copyright © 2020 CLUSTER PRODUCTPAGE REVIEWS istiod istiod

    PRODUCTPAGE REVIEWS ISTIO INGRESS GATEWAY ISTIO INGRESS GATEWAY CLUSTER CLUSTER

66. 66 | Copyright © 2020 CLUSTER PRODUCTPAGE REVIEWS istiod istiod

    PRODUCTPAGE REVIEWS ISTIO INGRESS GATEWAY ISTIO INGRESS GATEWAY CLUSTER CLUSTER

67. 67 | Copyright © 2020 § Learn More www.solo.io §

    Gloo http://www.solo.io/products/gloo § Service Mesh Hub github.com/solo-io/service-mesh-hub § Community slack.solo.io § Request a Personalized Demo lp.solo.io/lp-request-a-demo-overview