Service Mesh Security Workshop: Manage mTLS, AuthN and AuthZ with Istio

Abstract

In this workshop, participants are shown what a service mesh tool like Istio offers in terms of security. After a brief introduction to the service mesh, additional security features are presented and implemented step by step.

The starting point is TLS/mTLS termination in the ingress gateway. From there on, all further communication within the service mesh is secured with mTLS. Outgoing communication is also checked and controlled with the help of the egress gateway. In addition, it is shown which request-based authorization checks can be handled by the service mesh.

The associated security best practices are listed and explained for each sub-aspect. Since faulty security settings can have serious consequences, the options available for error analysis are shown for each security aspect.

The slides and the code examples, together with the Kubernetes/Istio scripts used, are made available to the participants.

Content

I. Fundamentals

  • Introduction to Service Mesh
  • Istio and Zero-Trust

II. Ingress Gateway with TLS and mTLS

  • Ingress Gateway with TLS and mTLS
  • Security Aspects of Ingress Gateway
  • Troubleshooting Ingress Gateway

III. Peer Authentication

  • Activate mTLS for the entire mesh
  • Co-existence of different workloads (with and without mTLS)
  • Troubleshooting mTLS

IV. Request Authentication

  • End-User Authentication
  • Prepare JWT and JWKS
  • JWT claim-based routing

V. Authorization

  • AuthorizationPolicy
  • Establish default deny-all rule
  • Explicit deny of a request
  • Test new policies with dry run
  • Security Best Practices

VI. Request Authorization

  • JWT claim-based authorization
  • JWT claim-based routing

VII. Egress Gateway

  • Controlled access to external services
  • Troubleshooting Egress Gateway

VIII. Istiod Certificate

  • Istio’s Certificate Management

Target audience and prerequisites

Developers, architects and security engineers who have high security requirements for their microservices in the cloud.

Procedure

All practical parts of the workshop are shown as demos. Anyone who wants to work hands-on can do so with the available code samples and scripts. The necessary installations will be announced two weeks before the workshop (laptop with kubectl, Docker Desktop, Istio). The workshop can be conducted on-site or remotely. Please get in touch if you have further questions.

Prepare for workshop

A detailed installation description for the audience can be found here: Prepare for workshop

Updated: