In this workshop, participants are shown the security capabilities that a service mesh tool such as Istio offers. After a brief introduction to the service mesh, further security features are presented and implemented step by step. The starting point is TLS/mTLS termination at the ingress gateway. From there on, all further communication inside the service mesh is secured with mTLS. Outgoing communication is also inspected and controlled with the help of the egress gateway. In addition, it is shown which request-based authorization checks can be delegated to the service mesh. The associated security best practices are listed and explained for each sub-aspect. Since faulty security settings can have serious consequences, the troubleshooting options available are shown for each security aspect.
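The four steps named above (ingress termination, mesh-wide mTLS, controlled egress, request-based authorization) map onto a small set of Istio resources. The following manifest is an added illustration, not part of the workshop material or its scripts; the namespace `shop`, the host `shop.example.com`, the secret `shop-tls-cert`, the external host `api.payments.example` and the workload/service-account names are placeholders chosen for this example.

```yaml
# Added example (not from the workshop): Istio resources for the steps above.
# All names, hosts and the secret are assumed placeholders.
---
# Step 1: TLS termination at the ingress gateway. The server certificate is
# read from the Kubernetes secret named by credentialName, which must live in
# the istio-system namespace next to the ingress gateway deployment.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: shop-gateway
  namespace: shop
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "shop.example.com"
    tls:
      mode: SIMPLE              # MUTUAL additionally requires a client certificate
      credentialName: shop-tls-cert
---
# Step 2: mTLS for every workload in the namespace. STRICT rejects plaintext;
# PERMISSIVE (the default) silently accepts it, so a misspelled mode quietly
# downgrades the whole namespace rather than producing an error.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Step 3: controlled egress. Declaring the external host as a ServiceEntry only
# restricts anything once meshConfig.outboundTrafficPolicy.mode is set to
# REGISTRY_ONLY (the default ALLOW_ANY lets sidecars reach any destination).
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: payment-provider
  namespace: shop
spec:
  hosts:
  - api.payments.example
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  resolution: DNS
  location: MESH_EXTERNAL
---
# Step 4: request-based authorization handled by the mesh. Only the checkout
# workload identity (the SPIFFE principal derived from its service account,
# which exists only because of mTLS in step 2) may call the payment workload,
# and only for POST /charge. Once any ALLOW policy selects a workload, every
# request that matches no ALLOW rule is denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payment-allow-checkout
  namespace: shop
spec:
  selector:
    matchLabels:
      app: payment
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/charge"]
```

For the troubleshooting side mentioned above, `istioctl x describe pod <pod>` reports the effective mTLS mode and the authorization policies applied to a workload, and `istioctl proxy-config listener <pod>` shows whether the sidecar actually expects mTLS on an inbound port; comparing the two against the intended policy is the quickest way to catch a PERMISSIVE/STRICT mismatch or a policy whose selector matches no pod.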
The slides and code examples, together with the Kubernetes/Istio scripts used, are made available to the participants.