Upload File

istio cloud native online series - intro to istio security

  • Home
  • Internet
  • Istio Cloud Native Online Series - Intro to Istio Security
20
Confidential & Proprietary Google Cloud Platform 1 An Introduction to Istio Security Tao Li ([email protected]) November 29, 2017

Upload: matt-b

Post on 21-Jan-2018

119 views

Category:

Internet


0 download

Report

TRANSCRIPT

Page 1: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 1

An Introduction to Istio Security

Tao Li ([email protected])

November 29, 2017

Page 2: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 2

Problem Statement

IT’s shift to a modern distributed architecture has left

enterprises unable to monitor, manage or secure their

services in a consistent way.

Page 3: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 3

Istio Overview

Page 4: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 4

Istio Overview

Page 5: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 5

Why Security?

Page 6: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 6

Page 7: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 7

Istio Security incorporates the learnings of securing millions of service

endpoints in Google’s production environment

Page 8: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 8

Istio Security Scope

Page 9: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 9

Istio Security Scopes

● Mutual authentication and encryption between Istio endpoints○ Based on service accounts○ Encoded in x509 cert○ Mutual TLS (mTLS) between client/server proxies (Envoy)

● Support additional authN ○ TLS + JWT for end user authentication

● Security policy to allow fine control○ A unique interface to config Authn/Authz/Audit policy

Page 10: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 10

Service-to-service mTLS Communication

Page 11: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 11

Securing the service communication

SAN: “spiffe://myorg.com/ns/default/sa/team1”

EnvoyFrontend Envoy Backend

SAN: “spiffe://myorg.com/ns/default/sa/team2”

Client Server

K8s PodK8s Pod

Page 12: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 12

Securing the service communication

EnvoyFrontend Envoy Backend

Client Server

mTLS Handshake

K8s PodK8s Pod

Page 13: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 13

Securing the service communication

EnvoyFrontend Envoy Backend

Secure Naming Info

Can “spiffe://.../team2” run service

“Backend”?

Client Server

mTLS Handshake

Discovery Service

K8s PodK8s Pod

SAN: “spiffe://.../team2”

Page 14: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 14

Securing the service communication

EnvoyFrontend Envoy Backend

Secure Naming Info

Client Server

mTLS Handshake

Discovery Service Mixer

AuthZ

Should I accept “spiffe://...//team1”?

K8s PodK8s Pod

SAN: “spiffe://.../team1”

Page 15: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 15

Securing the service communication

EnvoyFrontend Envoy Backend

Secure Naming Info

Secure data transmission

Client Server

mTLS Handshake

Discovery Service Mixer

AuthZ

K8s PodK8s Pod

Page 16: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 16

Service Identity Provisioning

Page 17: Istio Cloud Native Online Series - Intro to Istio Security

Envoy Service2

VM/Bare-metal machine

Node Agent

CSR

Identity Provisioning

Isito CA

Pod

EnvoyService1

K8s Node

Volume mount

K8s ApiServer

Page 18: Istio Cloud Native Online Series - Intro to Istio Security

EnvoyService1 Envoy Service2

VM/Bare-metal machine

Node Agent

CSR

K8s Node

Identity Provisioning

Isito CA

Node Agent

CSR

Pod

Page 19: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 19

Roadmap

● Istio Security on Hybrid● End-User Authentication● Security Policy● Pluggable CA Support (e.g., Vault)● Incremental Istio Security Adoption

Page 20: Istio Cloud Native Online Series - Intro to Istio Security

Confidential & ProprietaryGoogle Cloud Platform 20

Questions?

[email protected]

mailto:[email protected]

Intro Hardware Native - LRZ

English 11 - Loudoun County Public Schools...Vocab Quiz – Unit One: Chapter 1 Journal Puritan Literature Intro ... Native American Lit. Overview ... a Native American who speaks

Service Mesh The Salesforce - Istio

Services Mesh Istio: Sailing to a Secure - Istio... · Istio: Sailing to a Secure Services Mesh Spike Curtis, Tigera & Dan Berg, IBM. ... Ops needs a cross-platform toolchain: Canary

DevOps Engineer – Kubernetes, Istio & Kafka (f/m/x)DevOps Engineer – Kubernetes, Istio & Kafka (f/m/x) Job-ID: DO-2020-003 home-iX is looking for you to join our team. We’re

FAMILY ISTIOPHORIDAE ISTIO Makaira ISTIO Istio Istiophorus

HYBRID CLOUD ISTIO: SOLVING CHALLENGES OF...ISTIO: SOLVING CHALLENGES OF HYBRID CLOUD Zack Butcher (@ZackButcher) - Stealth Startup Christian Posta (@christianposta) - Red Hat 8 May,

Istio / Service Mesh - events.redhat.com · Istio and Microservices Distributed Traces supplemental slide Follow a request as it moves from one service to another Where is it getting

xiaorui.ccxiaorui.cc/static/service_mesh.pdf · httpl.l, http2.O grpc/tcp wtih or without mTLS Istio citadel report Envoy Pod servB . istio Istio jaeger prometheus zipkin fluented

SHD - Intro to openHAB · (HomeKit, IFTTT, Alexa, Google Assistant, MyCroft,…) GATEWAY RUNTIME NATIVE APP OPENHAB CLOUD ANDROID NATIVE APP IOS NATIVE APP WINDOWS ALEXA SKILL GOOGLE

Connect, secure and monitor services Istio Overview on GCP and …€¦ · Connect, secure and monitor services on GCP and in hybrid environments. Confidential & Proprietary Istio:

HMP DEIS 1 and 2 Intro-Proj FINAL - Hawaii...Polynesian introductions, eight are indigenous (native to the Hawaiian Islands and elsewhere), and three endemic (native to the Hawaiian

Istio · Weaving the mesh svcA sidecar sidecar Service A ... Fault Injection ... Istio adds fault tolerance to your application

FAMILY ISTIOPHORIDAE ISTIO Makaira ISTIO Istio ...forage organisms during the warmer season and back to warm waters for spawning or over-wintering during the colder season. Being among

打造企業內的 SRE 透過 Istio. 透過 Istio...Istio in 2 minutes Gallery Service A Service B proxy proxy Control Plane API on K8S API Server Citadel Logging plugin oring plugin

Istio Journey Airbnb’s

Austin Cloud Native Meetup #1 - Intro / Demo

Intro to Apache Apex - Next Gen Native Hadoop Platform - Hackac

SPRING 2016 IUPUI HISTORY COURSES. HIST-A 207 – INTRODUCTION TO NATIVE AMERICAN HISTORY Jennifer Guiliano Mo 3:00PM – 5:40PM 27835 Intro to Native studies

How to Manage Any Layer-7 Traic in an Istio Service Mesh?

Microservices, Kubernetes and Istio - A Great Fit!

Securing Microservices with Istio

How to Manage Any Layer-7 Traffic in an Istio Service Mesh?

An introduction to Istio - DeveloperMarch · An introduction to Istio bit.ly/sail-into-cloud Sail smoothly in the Cloud . I am a Developer Active Open Source Contributor Knative Minishift

Intro to Apache Apex - Next Gen Native Hadoop Platform

Istio Service Meshpeople.redhat.com/abach/OSAW/FILES/DAY2/7 Istio Service Mesh.pdf · Enforce consistently across diverse protocols and runtimes with little or no application changes

Transparently Securing Kafka, Istio-style, with up to 300% ... · Transparently Securing Kafka, Istio-style, with up to 300% Higher Performance than Native TLS in Microservice Environments

Managing Microservice Applications with Istio

React Native Intro

Unit 1 Review. Intro Native Americans Onondaga Central NY Part of Iroquois Confederation Navajo Arizona, Utah, New Mexico Largest Native American Nation

Intro to react native

An Intro to Safely Transporting Native Children Bridget Canniff & Luella Azule NPAIHB Injury Prevention Program

Intro to Xamarin for Visual Studio: Native iOS, Android, and Windows Apps in C#

Expert Kubernetes & ISTIO: Service Mesh

Istio...Modeling the Service Mesh etcd Kubernetes Consul Abstract Model Custom discovery Platform Adapter Envoy API Rules API Istio-Manager Service discovery & traffic rules 1. Environment-specific