Good observability in a microservice architecture is not easy. Istio can help to remove the complexity from developers and leave the work to the operator. Learn how to gain a deeper understanding of using Istio for monitoring tasks, while using Istio security features to secure your microservices and spot security anomalies.
For the recorded webinar: https://bit.ly/2KNaGmc
3. Why Service Mesh? And Why Now?
→ Microservices and highly distributed architecture - HARD
→ Intelligent routing (canary deployments ) - HARD
→ Observability ← → Ops & Monitoring - HARD
→ Securing microservices - VERY HARD
Service mesh defined:
Uniform Application Runtime which introduces Observability and Control
4. Connect
→ Layer 7 path-based routing
→ Traffic shaping
→ Load balancing - A/B testing, canarying
Manage
→ Telemetry
→ Fleet-wide Visibility - Zipkin, Prometheus & Grafana
Secure
→ Identity based service access control
→ Service authorization - API level access control
→ Service-Service encryption with TLS (mTLS)
What’s in the mesh?
Connect, manage and secure microservices
10. Istio 1.2 - Staying Ahead of the (Authz) Curve
→ Authorization APIs Rev 2.0
→ Authorization Istio config model - base label selector.
→ Flexible policy semantics - exclusion and expression condition.
→ Support DENY semantics.
→ Introducing mesh global policies.
→ Allow policies to be applied to the edge (ingress/egress).
→ Introduce inline permissions for better user experience.
Authorization APIs Evolve
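As an added illustration of the Rev 2.0 concepts listed on this slide (not from the webinar, and not Istio project code), the two AuthorizationPolicy objects below show a label-selected DENY rule with an exclusion and an expression condition, followed by a mesh-global policy in the root namespace. They use the security.istio.io/v1beta1 form that later Istio releases shipped; the namespace names, labels, service-account identity and JWT scope are assumed values.

```yaml
# Added example, not from the webinar: two AuthorizationPolicy objects in the
# security.istio.io/v1beta1 form that later Istio releases shipped. Namespace,
# labels and service-account identities are assumed values.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-cardholder-writes-from-untrusted
  namespace: payments              # assumed namespace
spec:
  # Config model based on label selectors: the policy binds to workloads by
  # label rather than by service name.
  selector:
    matchLabels:
      app: cardholder-api          # assumed workload label
  # Explicit DENY semantics: a matching request is rejected even if some
  # ALLOW policy would otherwise admit it.
  action: DENY
  rules:
    - from:
        - source:
            # Exclusion condition: every caller EXCEPT the checkout identity.
            notPrincipals: ["cluster.local/ns/payments/sa/checkout"]  # assumed
      to:
        - operation:
            methods: ["POST", "PUT", "DELETE"]
            paths: ["/cards/*"]
      # Expression condition on request attributes: deny only when the JWT
      # (validated by a RequestAuthentication, assumed present) lacks the scope.
      when:
        - key: request.auth.claims[scope]
          notValues: ["cards:write"]
---
# Mesh-global policy: an AuthorizationPolicy in the root namespace with no
# selector applies to every workload in the mesh, ingress gateway included.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: mesh-deny-internal-paths
  namespace: istio-system          # root namespace in a default install
spec:
  action: DENY
  rules:
    - from:
        - source:
            notNamespaces: ["payments", "istio-system"]   # assumed trusted namespaces
      to:
        - operation:
            paths: ["/internal/*"]
```

Because DENY policies are evaluated before ALLOW policies, the first object blocks card writes from any identity other than checkout that cannot present the cards:write scope, whatever other ALLOW rules exist in the namespace.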
11. Use Case: PCI DSS Compliance
→ Cluster X: PCI Cardholder services & workloads
→ Cluster A: Customer facing service & workloads
→ In-Cluster special segmentation
→ Cross Clusters & VPCs policies
→ Istio Network Policies
→ DevSecOps overhead
→ Compute Resource overhead
Diagram: Commerce Application on Istio (Istio control plane)
12. Extend Istio Security w/ Off-Mesh Security
→ Workload Escape
→ Sidecar Vulnerability Blast Radius
→ System/Control Plane Workloads Defense
→ DNS Tunneling as Kubernetes service discovery
→ Apply machine learning based profiling, detection & mitigation of post intrusion events such as data exfiltration, lateral movement, and command & control communications.
13. Security & 4 Golden Signals of Monitoring
→ Latency - time it takes to service a request
→ Traffic - how much demand is being placed on your system (RPS)
→ Errors - request failure rates (HTTP 500, HTTP 443, ...)
→ Saturation - How “full” is your service.
https://landing.google.com/sre/sre-book/chapters/monitoring-distributed-systems/
32. Learn More
Webinar will be available at: https://giantswarm.io/
Additional reading: https://blog.giantswarm.io/
Visit us at KubeCon Barcelona: Booth #SE-7
Webinar will be available at: https://www.alcide.io/
Additional reading: https://blog.alcide.io/
Visit us at KubeCon Barcelona: Booth #SE-47