Service Mesh Security Workshop with Istio Ambient: Manage mTLS, AuthN and AuthZ

Abstract

In this workshop, participants are shown the security capabilities that a service mesh such as Istio Ambient offers. Istio Ambient introduces a new service mesh architecture that eliminates sidecars entirely. After a brief introduction to the service mesh, additional security features are presented and implemented in each step.

The starting point is TLS/mTLS termination in the ingress gateway. From there on, all further communication within the service mesh is secured with mTLS. Outgoing communication is also inspected and controlled with the help of the egress gateway. In addition, the workshop shows which request-based authorization checks the service mesh can take over from the application.

The associated security best practices are listed and explained for each sub-aspect. Since misconfigured security settings can have severe consequences, the available troubleshooting options are shown for each security aspect.

The slides and the code examples together with the Kubernetes/Istio scripts we will use in the workshop are available to participants.

Content

I. Fundamentals

  • Introduction to Service Mesh and Istio Ambient
  • Benefits of Istio Ambient compared to Istio (classic)
  • Istio Ambient and Zero-Trust

II. Ingress Gateway with TLS and mTLS

  • Ingress Gateway with TLS and mTLS
  • Security Aspects of Ingress Gateway
  • Troubleshooting Ingress Gateway

III. Peer Authentication

  • Activate mTLS for entire mesh
  • Co-existence of different workloads (with and without mTLS)
  • Troubleshooting mTLS

IV. Request Authentication

  • End-User Authentication
  • Prepare JWT and JWKS
  • JWT claim based routing

V. Authorization

  • AuthorizationPolicy
  • Establish default deny-all rule
  • Explicit deny of a request
  • Test new policies with dry run
  • Security Best Practices

VI. Request Authorization

  • JWT claim based authorization
  • JWT claim based routing

VII. Egress Gateway

  • Controlled access to external services
  • Troubleshooting Egress Gateway

VIII. Istiod Certificate

  • Istio’s Certificate Management

Target audience and prerequisites

Developers, architects and security engineers who have high security requirements for their microservices in Kubernetes clusters. Experience with Kubernetes is helpful.

Procedure

All practical parts of the workshop are shown as demos. Anyone who wants to work hands-on can do so with the available code samples and scripts. The workshop can be conducted on-site or remotely. Please get in touch with any further questions.

Prepare for workshop

If you want to run the demos yourself, you have to prepare your laptop. A selection of options together with detailed installation instructions can be found here: Prepare for workshop

Updated: