Service Mesh Workshop with Istio Ambient: Manage Security and Traffic Routing
Abstract
This workshop will demonstrate the security and traffic routing capabilities of a service mesh tool like Istio Ambient. Istio Ambient introduces a new service mesh architecture that eliminates the need for sidecars entirely. Following a brief introduction to service meshes, the security features and traffic routing capabilities will be presented and implemented at each stage.
The process begins with TLS/mTLS termination in the ingress gateway. From there on, all subsequent communication within the service mesh is secured using mTLS. Outgoing communication is also monitored and controlled by the egress gateway. Additionally, we demonstrate which request-based authorisation checks can be taken over by the service mesh.
The associated security best practices are listed and explained for each sub-aspect. Since incorrect security settings can have serious consequences, the options available for error analysis are presented for each security aspect.
In the second part of the workshop, we will combine multiple microservices with Istio Ambient to form a complex service mesh. Using concrete samples, we will learn how the necessary Istio rules interact with these services. Different real-world requirements, such as configuration, tracing, resilience and testing, will be shown in combination with best practices. Additionally, the workshop will demonstrate other features that Istio Ambient offers to prevent issues in the everyday use of distributed applications.
All participants will receive the slides and code samples, together with the relevant Kubernetes/Istio scripts. Special handouts will include an Istio cheat sheet and a collection of Istio best practices.
Content Part I
I. Fundamentals
- Introduction to Service Mesh and Istio Ambient
- Benefits of Istio Ambient compared to Istio (classic)
- Istio Ambient and Zero-Trust
II. Ingress Gateway with TLS and mTLS
- Ingress Gateway with TLS and mTLS
- Security Aspects of Ingress Gateway
- Troubleshooting Ingress Gateway
III. Peer Authentication
- Activate mTLS for the entire mesh
- Co-existence of different workloads (with and without mTLS)
- Troubleshooting mTLS
IV. Request Authentication
- End-User Authentication
- Prepare JWT and JWKS
- JWT claim based routing
V. Authorization
- AuthorizationPolicy
- Establish default deny-all rule
- Explicit deny of a request
- Test new policies with dry run
- Security Best Practices
VI. Request Authorization
- JWT claim based authorization
- JWT claim based routing
VII. Egress Gateway
- Controlled access to external services
- Troubleshooting Egress Gateway
VIII. Istiod Certificate
- Istio’s Certificate Management
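As an added illustration of sections III and V (mesh-wide mTLS, default deny-all, explicit allow tested with dry run), not part of the workshop material: the Istio resources below assume a constructed namespace `shop` that uses a waypoint proxy named `waypoint`, a client service account `frontend`, and a workload labelled `app: orders`.

```yaml
# Mesh-wide strict mTLS: a PeerAuthentication named "default" in the root
# namespace (istio-system) applies to every workload that has no more specific
# policy. Plaintext connections from outside the mesh are rejected.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Default deny-all: an AuthorizationPolicy with an empty spec in the root
# namespace selects every workload and, having no rules, allows nothing.
# Every service now needs an explicit ALLOW policy.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: istio-system
spec: {}
---
# Explicit allow, rolled out in dry-run mode first. The istio.io/dry-run
# annotation makes the proxy record the decision (access log and shadow
# metric) without enforcing it, so a wrong principal or path shows up before
# traffic is blocked. Remove the annotation to enforce.
# Assumed: namespace "shop" is labelled istio.io/use-waypoint=waypoint, so the
# L7 attributes (methods, paths) are evaluated by that waypoint; ztunnel alone
# enforces only L4 attributes such as source principals.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-orders
  namespace: shop
  annotations:
    istio.io/dry-run: "true"
spec:
  targetRefs:
  - kind: Gateway
    group: gateway.networking.k8s.io
    name: waypoint
  action: ALLOW
  rules:
  - from:
    - source:
        # SPIFFE identity of the calling workload's service account (constructed)
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/orders/*"]
```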
Content Part II
IX. Create a Service Mesh
- Service configuration and deployment in Kubernetes
- Basic Istio rules for traffic management (Gateway, VirtualService, DestinationRule)
- Different ways to display a Service Mesh (Kiali, Jaeger, Prometheus, Grafana)
X. Additional functionality
- Request tracing, limiting trace data, tracing on demand
- Metrics with Prometheus and Grafana; displaying own application metrics
- Resilience alternatives (Service Mesh vs. service implementation)
- Testing resilience in a Service Mesh
XI. Service Mesh evolution and operations
- A/B testing with traffic shifting and traffic mirroring
- Canary releasing
Target audience and prerequisites
Developers, architects and security engineers who have high security requirements for their microservices in Kubernetes clusters. Experience with Kubernetes is helpful.
Procedure
All practical parts of the workshop will be shown as demos. Everybody who wants to work hands-on can do so with the available code samples and scripts. The workshop can be conducted on-site or remotely. Please get in touch if you have further questions.
Prepare for workshop
If you want to do the demos on your own, you need to prepare your laptop with Minikube. A detailed installation description can be found here: Prepare for workshop