SlideShare a Scribd company logo

ISTIO-Envoy-MutualTLS_v2.pptx

Download as PPTX, PDF
Y
yingxinwang4

introduce Istio envoy.

Internet
1 of 16
ISTIO & ENVOY – Security For Security Subcommittee
Micro Service Architecture - Background EM IM1 IM2 IM3 IM4 IM5 Monolithic Application SLB/ADC/API-Gateway Internet Image Micro Service based EM IM1 IM2 IM3 IM4 IM5 Image ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 In monolithic application, entire application is scaled-out, waste of memory, no rolling upgrades, massive integration time, big maintenance. Micro Service architecture: • Each individual module is a micro service • Each module can scale-out independently • Typically each micro service is implemented as container
Micro Service Architecture - Challenges ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 • Need for load balancing among internal hierarchy • Special load balancers – Expensive • Each consumer balancing its connections across producers. Independent LB decision. May load one instance of producers. • Special logic at each service. • Need for discovery of service instances • Special logic at the each service. • Need for health checks • Special logic at each service • Need for tracing/visibility • Special logic at each service • Need for network firewall capability • Special logic at each service • Authenticate and Authorize consumers • Special logic at each service level • Need for Mutual TLS among producers and consumers. • Special logic to get certificate enrolled. • Special logic to initiate/accept TLS connections
Micro Service Architecture – Development Challenges ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 • Polyglot • Any special logic at each service level need to support multiple language bindings. • Coordination among all development teams • Third party micro services (binary) – Can’t put our special logic there. • In some instances, it was found that 50% of the logic is related to non-application specific. Let application service developers not worry about micro-service tax.
Micro Service Architecture – Service Mesh technology ES ES ES IS1 IS1 IS1 IS4 IS4 IS5 IS5 Istio-ingress envoy Internet IS2 IS2 IS3 IS3 SC SC SC SC SC SC SC SC SC SC SC SC SC SC ISTIO Control Plane Pilot/Mixer/ CA SC (Side Car) – One for each Service instance (A container in each POD) - Envoy proxy - Service discovery, Load balancing, Failure handling, Circuit breaking (Limits), Fault injection (for troubleshooting), Health checks - Mutual TLS ISTIO Control plane: - Pilot: - Service discovery glue between Envoy and K8S - Traffic rule configuration - Security - Role based Access control (Pluggable RBAC engine, support for local RBAC, K8S RBAC adapters, but facility to add new adapters – Example AAF RBAC adapter) - Certificate Authority
ONAP - Non-ISTIO to ISTIO ONAP SDC SO OOF SDNC APPC DCAE MC VFC POLICY DB MUSIC Non ISTIO AAF ONAP SDC SO OOF SDNC APPC DCAE MC VFC POLICY DB MUSIC ISTIO with Envoy (CNCF) • Certificate Enrolment client • Authentication & Authorization • Service Discovery/registration • TLS, Visibility etc… AAF
Service to Envoy proxy – Security Concerns & Mitigation SVC1 Instance1 Envoy K8S POD 1 K8S POD2 Linux Kernel Name space 1 IP Tables Tproxy Name space 2 SVC2 Instance1 Envoy K8S POD 1 K8S POD2 Linux Kernel Name space 1 IP tables tproxy Name space 2 TLS ISTIO Pilot Pilot configures IP Tables to redirect the traffic coming from services to Envoy and Envoy to services. No configuration required at the service level to use Envoy as proxy Envoy acts as transparent proxy. Ensure that Source IP of the connection is maintained on both sides. Even though traffic is clear between instance and side car, it is not considered a security issue as both side car and service belong to same POD, hence same network name space. Clear traffic is never seen on the wire.
ISTIO CA - Features • Can generate self signed CA root certificate • Can take externally generated CA certificate and private key • Support for certificate chain (CA certificate signed by Intermediate CA) • CA redundancy • Two types of user certificate issue methods • Native K8S based for K8S orchestrated services • Non-K8S orchestrated services (VMs/Baremetal) • Certificate renewal • SPIFFE naming convention Envoy: - Auto reload of renewed certificates/keys - Integration with PKCS11 based security - Authentication – Mutual TLS - Authorization - ISTIO RBAC or adapters to remote RBAC K8S Master ISTIO CA SVC SC 1. Create Service account and Deploy service 2. POD deploy ment event 3. Create user key/certificate (signed by CA cert) 4. Send key/cert using secret mount ISTIO CA VM/Baremetal 3. Generate Cert, Sign using CA key Node agent 1. Key pair generation and CSR 2. Send CSR 4. Send Cert
Casablanca – ISTIO work • Rancher to instantiate ISTIO software components • Status : Currently manual installation of ISTIO components is done. • Migration path from NON-ISTIO to ISTIO • ISTIO Side car injection related changes • Securing the private keys of ISTIO CA and Envoy private keys. • Provide option to use either ISTIO RBAC and AAF CA RBAC – A way to choose the option (AAF CA RBAC is Stretch goal) • Any glue/tools to simplify the ISTIO deployment Any glue logic and scripts – Put it as part of MSB project. Goal – Entire ONAP using ISTIO all the time (No option to choose). Fix any gaps to make that happen.
HW Security - Casablanca work ISTIO CA Go Crypto Crypto11 (PKCS11 Interface) Crypto11 (PKCS11 Interface) SSHSM TPM /SGX plugin Hardware • Secure CA private key • Distribute CA private key securely to the Hardware (TPM/SGX) – Started conversations with ISITO security group. Extend the work done on AAF CA to ISTIO CA – Note : Current AAF CA is only testing purpose only. Envoy proxy OpenSSL LibP11 SSHSM TPM /SGX plugin Hardware • Secure user private key • Envoy takes care of RBAC. • ISTIO RBAC is quite powerful, but if lacks features, can add new adapter to talk to ONAP RBAC engine (AAF) Since Mutual TLS/RBAC is implemented in one way (C++ in case of envoy), provides opportunity to do good job of HW security & Accelerating TLS, thereby universal security and improving performance
Summary • Service mesh technologies take away the tax of Micro-Service architecture out of services and consolidate in side cars. - Less error prone - Faster development - Easy maintenance - Polyglot independent. • K8S native support • Security is one big piece of Service mesh - Enable Mutual TLS - Enable RBAC - Enables security without each developer putting effort independently in their projects - Provides opportunities to provide HW security and acceleration with one implementation.
Inter working with AAF
Overlap items • CA - AAF has CA and is being used by some services in Beijing release. - ISTIO has its own CA. • RBAC - AAF has RBAC and some services in Beijing release is already using AAF RBAC. - ISTIO has RBAC, which is simpler (Need to see if is good enough to satisfy ONAP requirements) • Three choices (Assuming that ISTIO Service mesh is chosen) • Choice 1: Use ISTIO CA and ISTIO RBAC across all ONAP services (Presented before) • Choice 2: Use ISTIO CA and use AAF RBAC • Choice 3: Use ISTIO CA and AAF CA together and use AAF RBAC (Being shown in next slide as it is superset)
Choice 3 (Keeping services that use AAF CA ) CA Key Generation Station (Secure system) ISTIO CA AAF CA AAF RBAC S1 Side car S2 ISTIO Mixer AAF RBAC Plugin 1 2 2 3 3 4 5 6 5 7 1. ONAP Administrator creates CA key pair and self- signed CA certificate (or it could be CA key pair and signed by root/intermediate CA) 2. ONAP Administrator using CA CLI/GUI, upload the CA private key/certificate and any chain in both ISTIO CA instances and AAF CA instances. 3. When S1 or S2 is brought up by OOM, corresponding CA will issue service certificates. Services get its own key/certificate & CA chain. 4. TLS establishment : Based on peer ID, service (or its side car) authenticates using CA certificate it has. 5. Authorization: When there is HTTP operation, its method, URL and other operation specific information, requester ID is sent to the RBAC engine to figure out the roles and permissions. 6. RBAC plugin talks to AAF RBAC to get the permissions (in case of ISTIO) 7. If permissions are allowed for that operation, operation proceeds. Otherwise, operation is denied. CADI No implication (based on current understanding) on existing services that are using CADI for authentication & authorization Additional RBAC plugin development at the ISTIO is required
Recommendation • Assumptions: • AAF RBAC is MUST • Recommendation for default setup • ISTIO CA • ISTIO Mixer with AAF RBAC plugin • Options: • If some deployment likes to use “ISTIO RBAC”, it should be possible. • If some deployment likes to use their own RBAC, ISTIO provides that option.
s

Recommended

PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PROIDEA
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data centerCisco Canada
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
Active network
Active networkActive network
Active networkMichel Burger
 
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)SDNRG ITB
 
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxCopyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxbobbywlane695641
 
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Canada
 
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław Borek
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław BorekPLNOG14: Service orchestration in provider network, Tail-f - Przemysław Borek
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław BorekPROIDEA
 

Recommended

PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...
PLNOG16: Automatyzacja kreaowania usług operatorskich w separacji od rodzaju ...PROIDEA
 
Simplifying the secure data center
Simplifying the secure data centerSimplifying the secure data center
Simplifying the secure data centerCisco Canada
 
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18
Make Java Microservices Resilient with Istio - Mangesh - IBM - CC18CodeOps Technologies LLP
 
Active network
Active networkActive network
Active networkMichel Burger
 
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)
Cisco SDN/NVF Innovations (SDN NVF Day ITB 2016)SDNRG ITB
 
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxCopyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxbobbywlane695641
 
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...
Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM...Cisco Canada
 
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław Borek
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław BorekPLNOG14: Service orchestration in provider network, Tail-f - Przemysław Borek
PLNOG14: Service orchestration in provider network, Tail-f - Przemysław BorekPROIDEA
 
Cisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIsCisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIsPrivate
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
Embracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkEmbracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkNetCraftsmen
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Cisco Russia
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsFab Fusaro
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service MeshRafik HARABI
 
Cisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, CiscoCisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, Ciscomfrancis
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Cisco Canada
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Multi fabric sales motions jg v3
Multi fabric sales motions jg v3Multi fabric sales motions jg v3
Multi fabric sales motions jg v3Jeff Green
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaBinit Pathak
 
SDN in the Enterprise
SDN in the EnterpriseSDN in the Enterprise
SDN in the EnterpriseCisco Canada
 
CA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and BetterCA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and BetterCA Technologies
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxNarcisIlie1
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep DiveYong Feng
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreCisco Canada
 
Application hosting in the Intelligent WAN
Application hosting in the Intelligent WANApplication hosting in the Intelligent WAN
Application hosting in the Intelligent WANCisco DevNet
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
IBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertyIBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertynick_garrod
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 

More Related Content

Similar to ISTIO-Envoy-MutualTLS_v2.pptx

Cisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIsCisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIsPrivate
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityHecrocro
 
Embracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkEmbracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkNetCraftsmen
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Cisco Russia
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsFab Fusaro
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service MeshRafik HARABI
 
Cisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, CiscoCisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, Ciscomfrancis
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Cisco Canada
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSAWS User Group Bengaluru
 
Multi fabric sales motions jg v3
Multi fabric sales motions jg v3Multi fabric sales motions jg v3
Multi fabric sales motions jg v3Jeff Green
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaBinit Pathak
 
SDN in the Enterprise
SDN in the EnterpriseSDN in the Enterprise
SDN in the EnterpriseCisco Canada
 
CA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and BetterCA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and BetterCA Technologies
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxNarcisIlie1
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep DiveYong Feng
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreCisco Canada
 
Application hosting in the Intelligent WAN
Application hosting in the Intelligent WANApplication hosting in the Intelligent WAN
Application hosting in the Intelligent WANCisco DevNet
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxVasiliy Fomichev
 
IBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertyIBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertynick_garrod
 

Similar to ISTIO-Envoy-MutualTLS_v2.pptx (20)

Cisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIsCisco CSR1000V, VMware, and RESTful APIs
Cisco CSR1000V, VMware, and RESTful APIs
 
Pass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network SecurityPass4sure 640-554 Cisco IOS Network Security
Pass4sure 640-554 Cisco IOS Network Security
 
Embracing SDN in the Next Gen Network
Embracing SDN in the Next Gen NetworkEmbracing SDN in the Next Gen Network
Embracing SDN in the Next Gen Network
 
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
Решения конвергентного доступа Cisco. Обновление продуктовой линейки коммутат...
 
Design and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANsDesign and Deployment of Enterprise WLANs
Design and Deployment of Enterprise WLANs
 
Managing microservices with Istio Service Mesh
Managing microservices with Istio Service MeshManaging microservices with Istio Service Mesh
Managing microservices with Istio Service Mesh
 
Cisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, CiscoCisco Application eXtension Platform (AXP) - James Weathersby, Cisco
Cisco Application eXtension Platform (AXP) - James Weathersby, Cisco
 
Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...Integration and Interoperation of existing Nexus networks into an ACI Archite...
Integration and Interoperation of existing Nexus networks into an ACI Archite...
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Building Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWSBuilding Efficient, Scalable and Resilient Front-end logging service with AWS
Building Efficient, Scalable and Resilient Front-end logging service with AWS
 
Multi fabric sales motions jg v3
Multi fabric sales motions jg v3Multi fabric sales motions jg v3
Multi fabric sales motions jg v3
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
 
SDN in the Enterprise
SDN in the EnterpriseSDN in the Enterprise
SDN in the Enterprise
 
CA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and BetterCA Spectrum® Just Keeps Getting Better and Better
CA Spectrum® Just Keeps Getting Better and Better
 
CCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptxCCNA_RSE_Chp7.pptx
CCNA_RSE_Chp7.pptx
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep Dive
 
Application Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centreApplication Centric Infrastructure (ACI), the policy driven data centre
Application Centric Infrastructure (ACI), the policy driven data centre
 
Application hosting in the Intelligent WAN
Application hosting in the Intelligent WANApplication hosting in the Intelligent WAN
Application hosting in the Intelligent WAN
 
SUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptxSUGCON EU 2023 - Secure Composable SaaS.pptx
SUGCON EU 2023 - Secure Composable SaaS.pptx
 
IBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of libertyIBM Impact session CICS & java a tale of liberty
IBM Impact session CICS & java a tale of liberty
 

Recently uploaded

Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 

Recently uploaded (20)

Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 

ISTIO-Envoy-MutualTLS_v2.pptx

  • 1. ISTIO & ENVOY – Security For Security Subcommittee
  • 2. Micro Service Architecture - Background EM IM1 IM2 IM3 IM4 IM5 Monolithic Application SLB/ADC/API-Gateway Internet Image Micro Service based EM IM1 IM2 IM3 IM4 IM5 Image ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 In monolithic application, entire application is scaled-out, waste of memory, no rolling upgrades, massive integration time, big maintenance. Micro Service architecture: • Each individual module is a micro service • Each module can scale-out independently • Typically each micro service is implemented as container
  • 3. Micro Service Architecture - Challenges ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 • Need for load balancing among internal hierarchy • Special load balancers – Expensive • Each consumer balancing its connections across producers. Independent LB decision. May load one instance of producers. • Special logic at each service. • Need for discovery of service instances • Special logic at the each service. • Need for health checks • Special logic at each service • Need for tracing/visibility • Special logic at each service • Need for network firewall capability • Special logic at each service • Authenticate and Authorize consumers • Special logic at each service level • Need for Mutual TLS among producers and consumers. • Special logic to get certificate enrolled. • Special logic to initiate/accept TLS connections
  • 4. Micro Service Architecture – Development Challenges ES ES ES IS1 IS1 IS1 IS1 IS4 IS4 IS5 IS5 SLB/ADC/API-Gateway Internet IS2 IS2 IS3 IS3 • Polyglot • Any special logic at each service level need to support multiple language bindings. • Coordination among all development teams • Third party micro services (binary) – Can’t put our special logic there. • In some instances, it was found that 50% of the logic is related to non-application specific. Let application service developers not worry about micro-service tax.
  • 5. Micro Service Architecture – Service Mesh technology ES ES ES IS1 IS1 IS1 IS4 IS4 IS5 IS5 Istio-ingress envoy Internet IS2 IS2 IS3 IS3 SC SC SC SC SC SC SC SC SC SC SC SC SC SC ISTIO Control Plane Pilot/Mixer/ CA SC (Side Car) – One for each Service instance (A container in each POD) - Envoy proxy - Service discovery, Load balancing, Failure handling, Circuit breaking (Limits), Fault injection (for troubleshooting), Health checks - Mutual TLS ISTIO Control plane: - Pilot: - Service discovery glue between Envoy and K8S - Traffic rule configuration - Security - Role based Access control (Pluggable RBAC engine, support for local RBAC, K8S RBAC adapters, but facility to add new adapters – Example AAF RBAC adapter) - Certificate Authority
  • 6. ONAP - Non-ISTIO to ISTIO ONAP SDC SO OOF SDNC APPC DCAE MC VFC POLICY DB MUSIC Non ISTIO AAF ONAP SDC SO OOF SDNC APPC DCAE MC VFC POLICY DB MUSIC ISTIO with Envoy (CNCF) • Certificate Enrolment client • Authentication & Authorization • Service Discovery/registration • TLS, Visibility etc… AAF
  • 7. Service to Envoy proxy – Security Concerns & Mitigation SVC1 Instance1 Envoy K8S POD 1 K8S POD2 Linux Kernel Name space 1 IP Tables Tproxy Name space 2 SVC2 Instance1 Envoy K8S POD 1 K8S POD2 Linux Kernel Name space 1 IP tables tproxy Name space 2 TLS ISTIO Pilot Pilot configures IP Tables to redirect the traffic coming from services to Envoy and Envoy to services. No configuration required at the service level to use Envoy as proxy Envoy acts as transparent proxy. Ensure that Source IP of the connection is maintained on both sides. Even though traffic is clear between instance and side car, it is not considered a security issue as both side car and service belong to same POD, hence same network name space. Clear traffic is never seen on the wire.
  • 8. ISTIO CA - Features • Can generate self signed CA root certificate • Can take externally generated CA certificate and private key • Support for certificate chain (CA certificate signed by Intermediate CA) • CA redundancy • Two types of user certificate issue methods • Native K8S based for K8S orchestrated services • Non-K8S orchestrated services (VMs/Baremetal) • Certificate renewal • SPIFFE naming convention Envoy: - Auto reload of renewed certificates/keys - Integration with PKCS11 based security - Authentication – Mutual TLS - Authorization - ISTIO RBAC or adapters to remote RBAC K8S Master ISTIO CA SVC SC 1. Create Service account and Deploy service 2. POD deploy ment event 3. Create user key/certificate (signed by CA cert) 4. Send key/cert using secret mount ISTIO CA VM/Baremetal 3. Generate Cert, Sign using CA key Node agent 1. Key pair generation and CSR 2. Send CSR 4. Send Cert
  • 9. Casablanca – ISTIO work • Rancher to instantiate ISTIO software components • Status : Currently manual installation of ISTIO components is done. • Migration path from NON-ISTIO to ISTIO • ISTIO Side car injection related changes • Securing the private keys of ISTIO CA and Envoy private keys. • Provide option to use either ISTIO RBAC and AAF CA RBAC – A way to choose the option (AAF CA RBAC is Stretch goal) • Any glue/tools to simplify the ISTIO deployment Any glue logic and scripts – Put it as part of MSB project. Goal – Entire ONAP using ISTIO all the time (No option to choose). Fix any gaps to make that happen.
  • 10. HW Security - Casablanca work ISTIO CA Go Crypto Crypto11 (PKCS11 Interface) Crypto11 (PKCS11 Interface) SSHSM TPM /SGX plugin Hardware • Secure CA private key • Distribute CA private key securely to the Hardware (TPM/SGX) – Started conversations with ISITO security group. Extend the work done on AAF CA to ISTIO CA – Note : Current AAF CA is only testing purpose only. Envoy proxy OpenSSL LibP11 SSHSM TPM /SGX plugin Hardware • Secure user private key • Envoy takes care of RBAC. • ISTIO RBAC is quite powerful, but if lacks features, can add new adapter to talk to ONAP RBAC engine (AAF) Since Mutual TLS/RBAC is implemented in one way (C++ in case of envoy), provides opportunity to do good job of HW security & Accelerating TLS, thereby universal security and improving performance
  • 11. Summary • Service mesh technologies take away the tax of Micro-Service architecture out of services and consolidate in side cars. - Less error prone - Faster development - Easy maintenance - Polyglot independent. • K8S native support • Security is one big piece of Service mesh - Enable Mutual TLS - Enable RBAC - Enables security without each developer putting effort independently in their projects - Provides opportunities to provide HW security and acceleration with one implementation.
  • 13. Overlap items • CA - AAF has CA and is being used by some services in Beijing release. - ISTIO has its own CA. • RBAC - AAF has RBAC and some services in Beijing release is already using AAF RBAC. - ISTIO has RBAC, which is simpler (Need to see if is good enough to satisfy ONAP requirements) • Three choices (Assuming that ISTIO Service mesh is chosen) • Choice 1: Use ISTIO CA and ISTIO RBAC across all ONAP services (Presented before) • Choice 2: Use ISTIO CA and use AAF RBAC • Choice 3: Use ISTIO CA and AAF CA together and use AAF RBAC (Being shown in next slide as it is superset)
  • 14. Choice 3 (Keeping services that use AAF CA ) CA Key Generation Station (Secure system) ISTIO CA AAF CA AAF RBAC S1 Side car S2 ISTIO Mixer AAF RBAC Plugin 1 2 2 3 3 4 5 6 5 7 1. ONAP Administrator creates CA key pair and self- signed CA certificate (or it could be CA key pair and signed by root/intermediate CA) 2. ONAP Administrator using CA CLI/GUI, upload the CA private key/certificate and any chain in both ISTIO CA instances and AAF CA instances. 3. When S1 or S2 is brought up by OOM, corresponding CA will issue service certificates. Services get its own key/certificate & CA chain. 4. TLS establishment : Based on peer ID, service (or its side car) authenticates using CA certificate it has. 5. Authorization: When there is HTTP operation, its method, URL and other operation specific information, requester ID is sent to the RBAC engine to figure out the roles and permissions. 6. RBAC plugin talks to AAF RBAC to get the permissions (in case of ISTIO) 7. If permissions are allowed for that operation, operation proceeds. Otherwise, operation is denied. CADI No implication (based on current understanding) on existing services that are using CADI for authentication & authorization Additional RBAC plugin development at the ISTIO is required
  • 15. Recommendation • Assumptions: • AAF RBAC is MUST • Recommendation for default setup • ISTIO CA • ISTIO Mixer with AAF RBAC plugin • Options: • If some deployment likes to use “ISTIO RBAC”, it should be possible. • If some deployment likes to use their own RBAC, ISTIO provides that option.
  • 16. s

Editor's Notes

  1. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  2. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  3. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  4. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  5. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  6. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  7. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service
  8. EM – Module with external interface IM – Internal Modules ES – External Service IS – Internal Service