Securing Kubernetes Applications with Consul and Vault · 2020-05-29
TRANSCRIPT
[Slide 1]
Securing Kubernetes Applications with Consul and Vault
Copyright © 2020 HashiCorp
[Slide 2]
What is Service Mesh?
[Slide 3]
Why should I use Service Mesh?
[Slide 4]
History of Services
[Slide 5]
Traditional Datacenter
[Slide 6]
Monoliths
[Slide 7]
Microservices
[Slide 8]
Modern Datacenter
[Slide 9]
Service Discovery
Service Segmentation
Service Configuration
Dynamic Infrastructure Challenges
[Slide 10]
Consul Service Mesh
[Slide 11]
Certificate Authority
[Slide 12]
Certificate Generation
● X.509 Certificate
● SPIFFE Compatible
● Automatic Generation & Rotation
● Provides Identity and Encryption
[Slide 13]
Control Plane vs. Data Plane
● Consul as Control Plane
● Pluggable Proxies as Data Plane
● Instructions to proxies are cached on the Consul agent
● New instructions are pulled only on changes
[Slide 14]
Service Access Graph
[Slide 15]
Service Graph
$ consul intention create -deny web '*'
Created: web => * (deny)
$ consul intention create -allow web db
Created: web => db (allow)
Codify Intentions
Same intentions are applied no matter where the service exists
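How the two intentions above combine: `web => db (allow)` is more specific than `web => * (deny)`, so it wins for db while every other destination stays denied, and a pair no intention matches falls through to the ACL default policy. The following Go example is added here and is not Consul's own code; its precedence scoring (exact names beat wildcards, source outweighs destination) is a simplified stand-in for Consul's precedence table, and `defaultAllow` is an assumption standing in for the ACL default policy.

```go
package main

import "fmt"

// Intention mirrors one Consul L4 intention: source => destination (allow|deny).
// "*" is the wildcard accepted by `consul intention create`.
type Intention struct {
	Source, Destination string
	Allow               bool
}

// precedence scores how specific an intention is: exact names beat wildcards,
// and the source side outweighs the destination side. This is a simplified form
// of Consul's precedence table (assumption); the two intentions on the slide
// resolve the same way under either.
func precedence(i Intention) int {
	p := 0
	if i.Source != "*" {
		p += 2
	}
	if i.Destination != "*" {
		p++
	}
	return p
}

func matches(pattern, name string) bool { return pattern == "*" || pattern == name }

// Evaluate decides whether source may connect to destination and reports which
// intention decided it. defaultAllow stands in for the ACL default policy that
// applies when nothing matches; a production mesh should run in default-deny mode.
func Evaluate(intentions []Intention, source, destination string, defaultAllow bool) (bool, *Intention) {
	var matched *Intention
	for idx := range intentions {
		in := &intentions[idx]
		if !matches(in.Source, source) || !matches(in.Destination, destination) {
			continue
		}
		if matched == nil || precedence(*in) > precedence(*matched) {
			matched = in
		}
	}
	if matched == nil {
		return defaultAllow, nil
	}
	return matched.Allow, matched
}

// SlideIntentions are the two intentions created in the terminal on the slide.
var SlideIntentions = []Intention{
	{Source: "web", Destination: "*", Allow: false},
	{Source: "web", Destination: "db", Allow: true},
}

func main() {
	for _, pair := range [][2]string{{"web", "db"}, {"web", "api"}, {"api", "db"}} {
		ok, by := Evaluate(SlideIntentions, pair[0], pair[1], false)
		fmt.Printf("%s => %s: allow=%v decided by %+v\n", pair[0], pair[1], ok, by)
	}
}
```

Note that the decision depends only on service names taken from the peer certificate, never on IP addresses, which is why the same intentions apply wherever the service runs.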
[Slide 16]
Web UI
Manage intentions via web interface
[Slide 17]
Application Integration
[Slide 18]
Sidecar Proxies
Sidecar proxy to secure traffic for any application
Consul provides sidecar proxies that run alongside applications, transparently wrapping their traffic in mutual TLS and enforcing intentions.
● No code modification required
● Minimal performance overhead
● Pluggable data plane: built-in Layer 4 proxy, native Envoy integration or other third-party proxy integration
● Operational flexibility, decoupling the security concern from the application itself
[Slide 19]
Proxy Registration (Kubernetes)
apiVersion: v1
kind: Pod
metadata:
  name: cats
  annotations:
    "consul.hashicorp.com/connect-inject": "true"
spec:
  containers:
    - name: cats
      image: grove-mountain/cats:1.0.1
      ports:
        - containerPort: 8000
          name: http
[Slide 20]
Sidecar Proxies
[Slide 21]
Sidecar Proxies
[Slide 22]
Sidecar Proxies
[Slide 23]
Extra Benefits
[Slide 24]
Mesh Gateways
[Slide 25]
Mesh Gateways
Single Kubernetes cluster: most service meshes are built for a single cluster.
Multi-cluster service mesh: connecting multiple service meshes across different Kubernetes clusters is not solved yet.
Service mesh across clouds: connecting service meshes across different environments (clouds, on-prem, etc.) requires a lot of work.
Multi-Cloud and -Cluster challenge
[Slide 26]
Mesh Gateways
(Diagram: two clusters with overlapping address space, both 10.8.1.1/24, with endpoints IP1 and IP2; Web and API on one side, DB on the other; the direct Web/API to DB connection is marked with an X.)
[Slide 27]
Mesh Gateways
(Diagram: the same two clusters with overlapping 10.8.1.1/24 address space; Web and API now reach DB through a Connect Mesh Gateway in each cluster.)
[Slide 28]
Mesh Gateways
● Mesh gateways, built upon Envoy, sit on the public internet and accept L4 traffic with mTLS
● Mesh gateways perform NAT and route the traffic to the correct endpoint on the private network; they route on the TLS SNI header and do not terminate the mTLS session, so the gateway never sees plaintext and the service certificates still authenticate end to end
● None of the services need to be exposed on the public network for cross-cloud service communication
[Slide 29]
L7 Traffic Management
[Slide 30]
L4 Traffic
"web.service.consul"
[Slide 31]
L7 Traffic Management
HTTP Routing · Traffic Splitting · Custom Resolution
"web.service.consul"
[Slide 32]
L7 Traffic Management
HTTP Routing · Traffic Splitting · Custom Resolution
"web.service.consul"
/api => service: "api", path: "/", subset: "v2"
Subset "v2" resolves to the instances where Meta.Version == 2 (instances shown: v1, v2, v1)
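The three L7 features on the slide form one chain: a router matches `/api` and sends the request to service `api` subset `v2`, a splitter can divide traffic between subsets by weight, and a resolver defines each subset as a filter over instance metadata such as `Meta.Version == 2`. The Go example below is added here and is not Consul's own code; it models that chain over a constructed catalog. Its assumptions: subsets are equality filters on Meta (Consul's resolver takes a filter expression), splitter weights are integer percentages, the split is made deterministic per request key so it can be tested (Envoy picks randomly per request), and a router destination that names a subset bypasses the splitter.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"strings"
)

// Instance is a registered service instance with the Meta that subsets filter on.
type Instance struct {
	Service, Addr string
	Meta          map[string]string
}

// Route is the part of a service-router entry the slide shows: a path prefix that
// sends the request to another service (optionally a subset) and rewrites the prefix.
type Route struct {
	PathPrefix, Service, Subset, PrefixRewrite string
}

// Split is one line of a service-splitter: a percentage of traffic for a subset.
type Split struct {
	Subset string
	Weight int // percent; a splitter's weights sum to 100 (assumption)
}

// Mesh holds the config entries plus the catalog. Subsets are the Meta key/values
// an instance must carry, an equality-only stand-in for a resolver filter.
type Mesh struct {
	Routes    []Route
	Splitters map[string][]Split                       // destination service -> splits
	Subsets   map[string]map[string]map[string]string  // service -> subset -> required Meta
	Catalog   []Instance
}

// Resolve returns the instances of service in subset ("" means all instances).
func (m Mesh) Resolve(service, subset string) []Instance {
	want, defined := m.Subsets[service][subset]
	if subset != "" && !defined {
		return nil // an undefined subset resolves to nothing, never to "everything"
	}
	var out []Instance
	for _, inst := range m.Catalog {
		if inst.Service != service {
			continue
		}
		ok := true
		for k, v := range want {
			if inst.Meta[k] != v {
				ok = false
			}
		}
		if ok {
			out = append(out, inst)
		}
	}
	return out
}

// Decision is the outcome of the discovery chain for one request.
type Decision struct {
	Service, Subset, Path string
	Instances             []Instance
}

// RouteRequest walks router -> splitter -> resolver for a request addressed to the
// entry service (the slide's "web.service.consul").
func (m Mesh) RouteRequest(entry, path, splitKey string) Decision {
	d := Decision{Service: entry, Path: path}
	best := -1
	for i, r := range m.Routes { // longest matching prefix wins
		if strings.HasPrefix(path, r.PathPrefix) && (best < 0 || len(r.PathPrefix) > len(m.Routes[best].PathPrefix)) {
			best = i
		}
	}
	if best >= 0 {
		r := m.Routes[best]
		d.Service, d.Subset = r.Service, r.Subset
		if r.PrefixRewrite != "" {
			d.Path = strings.TrimSuffix(r.PrefixRewrite, "/") + strings.TrimPrefix(path, r.PathPrefix)
			if d.Path == "" {
				d.Path = "/"
			}
		}
	}
	if splits := m.Splitters[d.Service]; d.Subset == "" && len(splits) > 0 {
		h := fnv.New32a() // hash the key so the choice is stable for the demo
		h.Write([]byte(splitKey))
		n := int(h.Sum32() % 100)
		for _, s := range splits {
			if n < s.Weight {
				d.Subset = s.Subset
				break
			}
			n -= s.Weight
		}
	}
	d.Instances = m.Resolve(d.Service, d.Subset)
	return d
}

// DemoMesh is constructed sample data mirroring the slide: /api goes to the "api"
// service's v2 subset, and requests for web itself are split 90/10 between v1 and v2.
func DemoMesh() Mesh {
	v1, v2 := map[string]string{"Version": "1"}, map[string]string{"Version": "2"}
	return Mesh{
		Routes:    []Route{{PathPrefix: "/api", Service: "api", Subset: "v2", PrefixRewrite: "/"}},
		Splitters: map[string][]Split{"web": {{"v1", 90}, {"v2", 10}}},
		Subsets:   map[string]map[string]map[string]string{"api": {"v1": v1, "v2": v2}, "web": {"v1": v1, "v2": v2}},
		Catalog: []Instance{
			{"api", "10.0.0.11:8080", v1}, {"api", "10.0.0.12:8080", v2}, {"api", "10.0.0.13:8080", v1},
			{"web", "10.0.0.21:8000", v1}, {"web", "10.0.0.22:8000", v2},
		},
	}
}

func main() {
	m := DemoMesh()
	fmt.Printf("%+v\n", m.RouteRequest("web", "/api/cats", "req-1")) // api, subset v2, path /cats, one instance
	fmt.Printf("%+v\n", m.RouteRequest("web", "/", "req-1"))         // web, v1 or v2 by the 90/10 split
}
```

The security-relevant detail is in Resolve: a subset name that is not defined resolves to no instances rather than to all of them, so a typo in a router entry fails closed instead of silently sending `/api` traffic to every version.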
[Slide 33]
Secrets
[Slide 34]
Vault: provides the foundation for cloud security that leverages trusted sources of identity to keep secrets and application data secure in the cloud operating model
Secrets management to centrally store and protect secrets across clouds and applications
Data encryption to keep application data secure across environments and workloads
Advanced Data Protection to secure workloads and data across traditional systems, clouds, and infrastructure
300+ Enterprise Customers · 1M+ Monthly Downloads · 2T+ Transactions
[Slide 35]
Guiding Principle: Identity Brokering
● Authenticate and access different clouds, systems, and endpoints using trusted identities
● Leverage multiple identities across different platforms with single policy enforcement
● Integrate trusted identities in the same application workflow to reduce operational overhead
[Slide 36]
Single Control Plane for cloud security
● Automate, control, and secure infrastructure and applications through one API
● Unified support across heterogeneous environments
● Integrate with providers and technologies you’re already using
[Slide 37]
Broad Ecosystem Integration
[Slide 38]
How Vault Works
[Slide 39]
Vault Client
[Slide 40]
Vault Client
Vault + Authenticating: before a client or user can interact with Vault, it must authenticate against an auth method (for example the Kubernetes auth method, where a pod presents its service account JWT). Once authenticated, Vault returns a token that carries the policies attached to that identity; every later request presents this token.
[Slide 41]
Vault Client
[Slide 42]
Vault Client
Vault + Secrets (authentication token required): secrets can be stored or generated. Some secrets are generated dynamically on request (short-lived credentials), while others are returned verbatim as stored. A secret is returned only when the presented token's policies grant access to its path.
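The two slides above describe one exchange: a read without a token is refused, a login yields a token, and the same read then succeeds if the token's policies allow the path. The Go example below is added here and is not Vault's client library or HashiCorp code; it uses the real Vault HTTP API paths and response shapes (`POST /v1/auth/kubernetes/login` with `role` and `jwt`, `auth.client_token` in the response, `GET /v1/secret/data/<path>` for KV v2 with the `X-Vault-Token` header) against a constructed in-process fake server, whose role name `cats`, JWT value, token value, secret contents and `secret/cats/*` policy scope are all assumptions for the demo.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Client is a minimal Vault client: authenticate once, then present the token.
type Client struct {
	Addr  string
	token string
}

// LoginKubernetes uses Vault's Kubernetes auth method: the pod presents its
// service account JWT for a role and receives a client token with that role's policies.
func (c *Client) LoginKubernetes(role, jwt string) error {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	resp, err := http.Post(c.Addr+"/v1/auth/kubernetes/login", "application/json", bytes.NewReader(body))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("login failed: %s", resp.Status)
	}
	var lr struct {
		Auth struct {
			ClientToken string   `json:"client_token"`
			Policies    []string `json:"policies"`
		} `json:"auth"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil {
		return err
	}
	if lr.Auth.ClientToken == "" {
		return errors.New("login response carried no client_token")
	}
	c.token = lr.Auth.ClientToken
	return nil
}

// ReadKV reads a KV v2 secret (/v1/secret/data/<path>) with the client token.
func (c *Client) ReadKV(path string) (map[string]string, error) {
	req, _ := http.NewRequest(http.MethodGet, c.Addr+"/v1/secret/data/"+path, nil)
	if c.token != "" {
		req.Header.Set("X-Vault-Token", c.token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("read %s: %s", path, resp.Status)
	}
	var kr struct {
		Data struct {
			Data map[string]string `json:"data"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&kr); err != nil {
		return nil, err
	}
	return kr.Data.Data, nil
}

// FakeVault is a constructed stand-in for a Vault server so the example runs
// offline. It issues a token only for the expected role/JWT pair, and that token
// may read only secret/cats/* (standing in for a policy bound to the role).
func FakeVault() *httptest.Server {
	const token = "s.constructed-token"
	deny := func(w http.ResponseWriter) { http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden) }
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&in) != nil ||
			in["role"] != "cats" || in["jwt"] != "constructed-sa-jwt" {
			deny(w)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"auth": map[string]interface{}{
			"client_token": token, "policies": []string{"default", "cats-app"}}})
	})
	mux.HandleFunc("/v1/secret/data/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != token || !strings.HasPrefix(r.URL.Path, "/v1/secret/data/cats/") {
			deny(w)
			return
		}
		json.NewEncoder(w).Encode(map[string]interface{}{"data": map[string]interface{}{
			"data": map[string]string{"username": "cats", "password": "constructed-password"}}})
	})
	return httptest.NewServer(mux)
}

// Demo runs the exchange end to end: the read before login is refused, login
// yields a token, and the same read then succeeds.
func Demo() (beforeLogin error, secret map[string]string, err error) {
	srv := FakeVault()
	defer srv.Close()
	c := &Client{Addr: srv.URL}
	_, beforeLogin = c.ReadKV("cats/db")
	if err = c.LoginKubernetes("cats", "constructed-sa-jwt"); err != nil {
		return
	}
	secret, err = c.ReadKV("cats/db")
	return
}

func main() {
	before, secret, err := Demo()
	fmt.Println("before login:", before)     // read cats/db: 403 Forbidden
	fmt.Println("after login:", secret, err) // map[password:... username:cats] <nil>
}
```

Two things to carry over to a real deployment: the client never stores the JWT, only the short-lived Vault token it was exchanged for, and a read outside the token's policy fails with the same 403 as a missing token, so applications should treat "permission denied" as a policy bug to fix rather than something to retry.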
[Slide 43]
Vault Client
[Slide 44]
Demos
[Slide 45]
Resources
● Learn Vault
● Vault - Helm Chart
● Demo: Vault Helm Chart (youtube)
● Learn Consul
● Consul - Helm Chart
● Demo: Consul Helm Chart (youtube)