Using Istio to
Secure & Monitor
Your Services
Webinar
April 16, 2019
Agenda
→ Why a service mesh?
→ Istio security stack
→ Extending Istio security
→ Istio monitoring concepts
→ Istio monitoring stack
→ Extending monitoring
Why Service Mesh? And Why Now?
→ Microservices and highly distributed architecture - HARD
→ Intelligent routing (canary deployments ) - HARD
→ Observability ← → Ops & Monitoring - HARD
→ Securing microservices - VERY HARD
Service mesh defined:
Uniform Application Runtime that introduces Observability and Control
Connect
→ Layer 7 path-based routing
→ Traffic shaping
→ Load balancing - A/B testing, canarying
Manage
→ Telemetry
→ Fleet-wide Visibility - Zipkin, Prometheus & Grafana
Secure
→ Identity based service access control
→ Service authorization - API level access control
→ Service-Service encryption with TLS (mTLS)
What’s in the mesh?
Connect, manage and secure microservices
https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/
ALTS - “Istio”
Controlling Envoy Dataplane
→ Logging
→ Quota
→ Authz (more later)
→ Telemetry (more later)
Istio 1.1 at a glance
→ Namespace Isolation (Sidecar Resource - next slide)
→ Multi-Cluster
→ Helm based Installation
→ Locality based Load Balancing
→ Identity Provision through SDS (Secret Discovery Service)
→ Vault CA Integration
→ Egress Policy (On by default)
→ Policy Checks (Off by default)
→ Improved perf, scale & stability
Sidecar proxy - inbound and outbound config
apiVersion: networking.istio.io/v1alpha3
kind: Sidecar
metadata:
  name: no-ip-tables
  namespace: prod-us1
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - port:
      number: 9080 # binds to 0.0.0.0:9080
      protocol: HTTP
      name: somename
    defaultEndpoint: 127.0.0.1:8080
    captureMode: NONE # not needed if metadata is set for entire proxy
  egress:
  - port:
      number: 3306
      protocol: MYSQL
      name: egressmysql
    captureMode: NONE # not needed if metadata is set for entire proxy
    bind: 127.0.0.1
    hosts:
    - "*/mysql.foo.com"
(Slide callouts on the resource: Scope, Traffic Routing, Mode)
Istio Sidecar Resource
→ Namespace Isolation
→ Single default config per namespace
→ Workload Selector overrides
→ Can Restrict Egress Traffic
Example: Grant authenticated users read access to versions v1 and v2 of the products service
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    namespaces: ["default"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-viewer-version
  namespace: default
spec:
  rules:
  - services: ["products.default.svc.cluster.local"]
    methods: ["GET", "HEAD"]
    constraints:
    - key: request.headers[version]
      values: ["v1", "v2"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: binding-products-all-authenticated-users
  namespace: default
spec:
  subjects:
  - properties:
      source.principal: "*"
  roleRef:
    kind: ServiceRole
    name: "products-viewer-version"
(Slide callouts on the resources: read access, authenticated users, condition)
Istio Service Authorization (RBAC)
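The allow/deny decision those three resources encode, as an added example that is neither Istio's code nor the presenters': a small Python model of the Istio 1.1 RBAC evaluation (RbacConfig inclusion, ServiceRoleBinding subject match, ServiceRole rule with methods and a header constraint) run against constructed requests. The attribute names and resource values come from the slide; the principal strings, the exact-match handling of service names and the Request shape are assumptions.

```python
"""Model of the Istio 1.1 RBAC decision for the slide's three resources.

Added example, not Istio's code: it re-implements the semantics of
RbacConfig / ServiceRole / ServiceRoleBinding shown above in plain Python
so the outcome for a given request can be checked offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RbacConfig from the slide: only the listed namespaces are enforced.
RBAC_CONFIG = {"mode": "ON_WITH_INCLUSION",
               "inclusion": {"namespaces": ["default"]}}

# ServiceRole from the slide (constraints are ANDed, their values ORed).
SERVICE_ROLES = {
    "products-viewer-version": {
        "namespace": "default",
        "rules": [{
            "services": ["products.default.svc.cluster.local"],
            "methods": ["GET", "HEAD"],
            "constraints": [{"key": "request.headers[version]",
                             "values": ["v1", "v2"]}],
        }],
    },
}

# ServiceRoleBinding from the slide: "*" matches any non-empty principal,
# i.e. any caller that presented an mTLS identity.
SERVICE_ROLE_BINDINGS = [{
    "namespace": "default",
    "subjects": [{"properties": {"source.principal": "*"}}],
    "roleRef": "products-viewer-version",
}]


@dataclass
class Request:
    """Request attributes as the sidecar would see them (constructed)."""
    service: str                 # destination service FQDN
    namespace: str               # destination namespace
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    source_principal: Optional[str] = None   # None: no mTLS identity


def _attribute(req: Request, key: str) -> Optional[str]:
    """Resolve the two attribute forms used on the slide."""
    if key == "source.principal":
        return req.source_principal
    if key.startswith("request.headers[") and key.endswith("]"):
        return req.headers.get(key[len("request.headers["):-1])
    raise ValueError(f"unsupported attribute {key}")


def _matches(pattern: str, value: Optional[str]) -> bool:
    """'*' matches any non-empty value; anything else is an exact match
    (assumption: prefix/suffix wildcards are left out for brevity)."""
    if not value:
        return False
    return pattern == "*" or pattern == value


def _rule_allows(rule: dict, req: Request) -> bool:
    if req.service not in rule["services"]:
        return False
    if rule.get("methods") and req.method not in rule["methods"]:
        return False
    for c in rule.get("constraints", []):       # AND across constraints
        actual = _attribute(req, c["key"])
        if not any(_matches(v, actual) for v in c["values"]):  # OR inside
            return False
    return True


def _subject_matches(subject: dict, req: Request) -> bool:
    return all(_matches(p, _attribute(req, k))
               for k, p in subject.get("properties", {}).items())


def authorize(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request."""
    if req.namespace not in RBAC_CONFIG["inclusion"]["namespaces"]:
        # ON_WITH_INCLUSION: every other namespace is not enforced at all.
        return True, "not enforced: namespace outside RbacConfig inclusion"
    for binding in SERVICE_ROLE_BINDINGS:
        if binding["namespace"] != req.namespace:
            continue
        if not any(_subject_matches(s, req) for s in binding["subjects"]):
            continue
        role = SERVICE_ROLES[binding["roleRef"]]
        if any(_rule_allows(r, req) for r in role["rules"]):
            return True, f"allowed by ServiceRole {binding['roleRef']}"
    return False, "no ServiceRoleBinding grants this request"
```

Note the last branch of `authorize`: with `ON_WITH_INCLUSION`, a request to a service in a namespace that is not listed is not denied but simply unchecked, which is the caveat to keep in mind when reading the slide's "all authenticated users" binding.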
Istio 1.2 - Staying Ahead of the (Authz) Curve
→ Authorization APIs Rev 2.0
→ Authorization Istio config model - base label selector.
→ Flexible policy semantics - exclusion and expression condition.
→ Support DENY semantics.
→ Introducing mesh global policies.
→ Allow policies to be applied to the edge (ingress/egress).
→ Introduce inline permissions for better user experience.
Authorization APIs Evolve
Use Case: PCI DSS Compliance
→ Cluster X: PCI Cardholder services & workloads
→ Cluster A: Customer facing service & workloads
→ In-Cluster special segmentation
→ Cross Clusters & VPCs policies
→ Istio Network Policies
→ DevSecOps overhead
→ Compute Resource overhead
(Diagram: Commerce Application On Istio; Istio Control Plane)
Extend Istio Security w/ Off-Mesh Security
→ Workload Escape
→ Sidecar Vulnerability Blast Radius
→ System/Control Plane Workloads Defense
→ DNS Tunneling as Kubernetes service discovery
→ Apply machine learning based profiling, detection & mitigation of post-intrusion events such as data exfiltration, lateral movement, and command & control communications.
Security & 4 Golden Signals of Monitoring
→ Latency - time it takes to service a request
→ Traffic - how much demand is being placed on your system (RPS)
→ Errors - the request failure rate (HTTP 500, HTTP 443, ...)
→ Saturation - how “full” your service is
https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/
Istio Monitoring Concepts
→ Mixer / Proxies
→ Backend
→ Telemetry attributes
→ Adapter
→ Instance
→ Handler
→ Rule
Istio Monitoring Stack
→ Prometheus
→ Grafana
→ Kiali
Data Plane Monitoring
(Diagram: Proxy sidecar, Application)
→ Latency penalty (BPF integration / CNI plugin)
→ Performance degradation (SDS)
→ Resource consumption ( > version 1.1)
→ RED method (blackbox monitoring)
  → Rate
  → Errors
  → Duration
Control Plane Monitoring
→ Pilot
→ Ingress / Egress gateway(s)
→ Policy mixer
→ Upgrade process
Extending Monitoring
→ Mixer adapters
→ Expose new metrics
→ Instrument your code (whitebox monitoring)
→ HTTP API Spec
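The chain from the monitoring-concepts slides (telemetry attributes → instance → handler → rule) behind "expose new metrics", as an added example that is not from the slides or from Istio: the three Mixer objects as Python dicts plus the cross-reference check a practitioner wants before applying them. The object names, the metric and its dimension expressions are constructed; the field layout follows Istio 1.1's config.istio.io/v1alpha2 instance/handler/rule resources.

```python
"""Mixer objects that expose a new Prometheus metric, plus a consistency
check.  Added example; names, metric and expressions are constructed."""
from typing import Dict, List

API_VERSION = "config.istio.io/v1alpha2"

# instance: one sample per request, dimensions computed from Mixer
# attributes ("|" supplies a default when the attribute is absent).
INSTANCE = {
    "kind": "instance", "name": "mtlsrequestcount", "namespace": "istio-system",
    "spec": {
        "compiledTemplate": "metric",
        "params": {
            "value": "1",
            "dimensions": {
                "source": 'source.workload.name | "unknown"',
                "destination": 'destination.workload.name | "unknown"',
                "response_code": "response.code | 200",
                "mtls": "connection.mtls | false",   # was the hop mTLS?
            },
            "monitored_resource_type": '"UNSPECIFIED"',
        },
    },
}

# handler: the Prometheus adapter, told which instance feeds which
# counter and which dimensions become labels.
HANDLER = {
    "kind": "handler", "name": "mtlsprom", "namespace": "istio-system",
    "spec": {
        "compiledAdapter": "prometheus",
        "params": {"metrics": [{
            "name": "mtls_request_count",
            "instance_name": "mtlsrequestcount.instance.istio-system",
            "kind": "COUNTER",
            "label_names": ["source", "destination", "response_code", "mtls"],
        }]},
    },
}

# rule: when the match expression holds, send the instance to the handler.
RULE = {
    "kind": "rule", "name": "mtlspromrule", "namespace": "istio-system",
    "spec": {
        "match": 'context.protocol == "http" || context.protocol == "grpc"',
        "actions": [{"handler": "mtlsprom", "instances": ["mtlsrequestcount"]}],
    },
}


def k8s_object(obj: Dict) -> Dict:
    """Shape one of the dicts above as the Kubernetes resource Mixer reads."""
    return {"apiVersion": API_VERSION, "kind": obj["kind"],
            "metadata": {"name": obj["name"], "namespace": obj["namespace"]},
            "spec": obj["spec"]}


def validate(instances: List[Dict], handlers: List[Dict],
             rules: List[Dict]) -> List[str]:
    """Return dangling references in an instance/handler/rule set.

    A broken chain yields no metric and no error at apply time, so this is
    the check to run first.  An empty list means the chain is consistent.
    """
    problems = []
    by_fqn = {f"{i['name']}.instance.{i['namespace']}": i for i in instances}
    inst_names = {i["name"] for i in instances}
    handler_names = {h["name"] for h in handlers}
    for h in handlers:
        for m in h["spec"]["params"]["metrics"]:
            inst = by_fqn.get(m["instance_name"])
            if inst is None:
                problems.append(f"handler {h['name']}: unknown instance "
                                f"{m['instance_name']}")
                continue
            # every Prometheus label must be a dimension of the instance
            dims = set(inst["spec"]["params"]["dimensions"])
            missing = sorted(set(m["label_names"]) - dims)
            if missing:
                problems.append(f"handler {h['name']}: labels {missing} are "
                                f"not dimensions of {inst['name']}")
    for r in rules:
        for a in r["spec"]["actions"]:
            if a["handler"] not in handler_names:
                problems.append(f"rule {r['name']}: unknown handler {a['handler']}")
            for name in a["instances"]:
                if name not in inst_names:
                    problems.append(f"rule {r['name']}: unknown instance {name}")
    return problems
```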
Your Top 3 Takeaways
Security
➔ Understand mesh network policy
➔ Track mesh components
➔ Extend observability
Monitoring
➔ Understand the concepts
➔ Track mesh components
➔ Extend observability
Q & A
Learn More
Webinar will be available at:
https://giantswarm.io/
Additional reading:
https://blog.giantswarm.io/
Visit us at KubeCon Barcelona:
Booth #SE-7
Webinar will be available at:
https://www.alcide.io/
Additional reading:
https://blog.alcide.io/
Visit us at KubeCon Barcelona:
Booth #SE-47
Thank You!
gadinaor
gadinaor
pipo02mix
fernando-ripoll-lafuente
@pipo02mix
