@xeviknal
@kialiProject
@xeviknal
@kialiProject
New paradigm, new security concerns
Istio security features
Auto-discovery
Mutual TLS
RBAC
Audit
Q&A
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Lots of services to protect
Services are dynamic
Multiple workloads per service
Few components to protect
Pieces are very well-known
Almost static architecture
@xeviknal
@kialiProject
One point per service
Higher network usage
Few points to impersonate
@xeviknal
@kialiProject
Each service receives and sends data
Higher network usage
Few components to protect
@xeviknal
@kialiProject
Each service has at least one endpoint
Consumers need to be identified
Multiple workloads to protect
Few public points
Consumers are unknown
@xeviknal
@kialiProject
Each service may have unauthorized access
Few access points to log
PROTECTING
@xeviknal
@kialiProject
WITH
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Demo
apiVersion: v1
kind: ServiceAccount
metadata:
name: bookinfo-productpage
---
apiVersion: v1
kind: Service
metadata:
name: productpage
labels:
app: productpage
spec:
ports:
- port: 9080
name: http
selector:
app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: productpage-v1
spec:
replicas: 1
template:
metadata:
labels:
app: productpage
version: v1
spec:
serviceAccountName: bookinfo-productpage
containers:
- name: productpage
image: istio/examples-bookinfo-productpage-v1:1.8.0
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9080
istioctl kube-inject -f  step1.yaml |kubectl apply -f
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Strong Identity - how?
cat chain-example.pem | openssl x509 -noout -text
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Are you who you say you are?
@xeviknal
@kialiProject
Demo
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "details-enable-mtls"
spec:
host: details
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
Authentication methods accepted on workload(s)Â
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
name: "default"
spec:
peers:
- mtls:
mode: PERMISSIVE
Rules applied on client-side after routing
@xeviknal
@kialiProject
kubectl apply -f step3.yaml -n bookinfo
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Can ServiceA perform Action on ServiceB?
@xeviknal
@kialiProject
Demo
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
name: details-reviews-viewer
namespace: bookinfo
spec:
rules:
- services:
- "details.bookinfo.svc.cluster.local"
- "reviews.bookinfo.svc.cluster.local"
methods: ["GET"]
constraints:
- key: "destination.labels[version]"
values: ["v1"]
List of permissions:
@xeviknal
@kialiProject
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
name: bind-details-reviews
namespace: bookinfo
spec:
subjects:
- user: "cluster.local/ns/bookinfo/sa/bookinfo-productpage"
roleRef:
kind: ServiceRole
name: "details-reviews-viewer"
List of subjects attached to a role:
@xeviknal
@kialiProject
kubectl apply -f step5.yaml -n bookinfo
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Demo
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@xeviknal
@kialiProject
@twistlockteam
kubectl apply -f step4.yaml -n bookinfo
@xeviknal
@kialiProject
@xeviknal
@kialiProject
Lab