istio cloud native online series - intro to istio security
TRANSCRIPT
Confidential & Proprietary Google Cloud Platform 1
An Introduction to Istio Security
Tao Li ([email protected])
November 29, 2017
Problem Statement
IT’s shift to a modern distributed architecture has left
enterprises unable to monitor, manage or secure their
services in a consistent way.
Istio Security incorporates the learnings of securing millions of service
endpoints in Google’s production environment
Istio Security Scopes
● Mutual authentication and encryption between Istio endpoints
  ○ Based on service accounts
  ○ Encoded in x509 cert
  ○ Mutual TLS (mTLS) between client/server proxies (Envoy)
● Support additional authN
  ○ TLS + JWT for end user authentication
● Security policy to allow fine control
  ○ A unique interface to config Authn/Authz/Audit policy
Securing the service communication
● Frontend Envoy (client proxy, K8s Pod) and Backend Envoy (server proxy, K8s Pod) each present a certificate whose SAN is the workload's service-account identity
  ○ Client SAN: “spiffe://myorg.com/ns/default/sa/team1”
  ○ Server SAN: “spiffe://myorg.com/ns/default/sa/team2”
● mTLS Handshake between the two proxies
● Secure Naming Info from the Discovery Service: the client checks the server identity against the service it addressed: Can “spiffe://.../team2” run service “Backend”?
● AuthZ via Mixer: the server checks the client identity seen in the handshake: Should I accept “spiffe://.../team1”?
● Secure data transmission
Identity Provisioning
● Istio CA issues the workload identities
● K8s Node: each Pod runs Envoy next to its service (Service1, Service2); the identity reaches the Pod through the K8s ApiServer and a Volume mount
● VM/Bare-metal machine: a Node Agent sends a CSR to Istio CA
● A Node Agent sending a CSR is also shown on the K8s Node
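The two decisions the slides above draw, the client-side secure-naming question and the server-side AuthZ question, as an added Go example that is not Istio or Envoy code. The tables standing in for the Discovery Service's Secure Naming Info and for the Mixer AuthZ allow-list are constructed, and the function names are hypothetical.

```go
package main

import (
	"crypto/x509"
	"errors"
	"net/url"
	"strings"
)

// ValidSPIFFE accepts only spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, the URI SAN form Istio uses.
func ValidSPIFFE(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "spiffe" || u.Host == "" {
		return false
	}
	p := strings.Split(strings.Trim(u.Path, "/"), "/")
	return len(p) == 4 && p[0] == "ns" && p[2] == "sa" && p[1] != "" && p[3] != ""
}

// PeerIdentity returns the single SPIFFE URI SAN of an already-verified peer
// certificate; zero or several SPIFFE SANs are rejected as ambiguous.
func PeerIdentity(cert *x509.Certificate) (string, error) {
	var found []string
	for _, u := range cert.URIs {
		if u.Scheme == "spiffe" {
			found = append(found, u.String())
		}
	}
	if len(found) != 1 || !ValidSPIFFE(found[0]) {
		return "", errors.New("expected exactly one well-formed SPIFFE URI SAN")
	}
	return found[0], nil
}

// Constructed tables: secureNaming stands in for the "Secure Naming Info" the
// Discovery Service gives a client (which identities may run a service), and
// authzPolicy for the allow-list behind the server's Mixer AuthZ check.
var secureNaming = map[string]map[string]bool{"Backend": {"spiffe://myorg.com/ns/default/sa/team2": true}}
var authzPolicy = map[string]map[string]bool{"Backend": {"spiffe://myorg.com/ns/default/sa/team1": true}}

// allowed is an exact-match lookup; a malformed identity never matches.
func allowed(table map[string]map[string]bool, service, id string) bool {
	return ValidSPIFFE(id) && table[service][id]
}

// CanRunService is the client-side question "Can spiffe://.../team2 run service Backend?".
func CanRunService(service, peerID string) bool { return allowed(secureNaming, service, peerID) }

// ShouldAccept is the server-side question "Should I accept spiffe://.../team1?".
func ShouldAccept(service, clientID string) bool { return allowed(authzPolicy, service, clientID) }
```

Both lookups are exact-match on the full SPIFFE URI, so a certificate with a well-formed but unknown identity fails closed at either side.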
Roadmap
● Istio Security on Hybrid
● End-User Authentication
● Security Policy
● Pluggable CA Support (e.g., Vault)
● Incremental Istio Security Adoption
Questions?