@xeviknal
@kialiProject
New paradigm, new security concerns
Istio security features
Auto-discovery
Mutual TLS
RBAC
Audit
Q&A
Lots of services to protect
Services are dynamic
Multiple workloads per service
Few components to protect
Pieces are very well-known
Almost static architecture
One point per service
Higher network usage
Few points to impersonate
Each service receives and sends data
Higher network usage
Few components to protect
Each service has at least one endpoint
Consumers need to be identified
Multiple workloads to protect
Few public points
Consumers are unknown
Each service may have unauthorized access
Few access points to log
PROTECTING
WITH
Demo
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bookinfo-productpage
---
apiVersion: v1
kind: Service
metadata:
  name: productpage
  labels:
    app: productpage
spec:
  ports:
  - port: 9080
    name: http
  selector:
    app: productpage
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: productpage-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: productpage
        version: v1
    spec:
      serviceAccountName: bookinfo-productpage
      containers:
      - name: productpage
        image: istio/examples-bookinfo-productpage-v1:1.8.0
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort: 9080

istioctl kube-inject -f step1.yaml | kubectl apply -f -
Strong Identity - how?
cat chain-example.pem | openssl x509 -noout -text
Are you who you say you are?
Demo
Rules applied on client-side after routing:

apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "details-enable-mtls"
spec:
  host: details
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL

Authentication methods accepted on workload(s):

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"
spec:
  peers:
  - mtls:
      mode: PERMISSIVE
kubectl apply -f step3.yaml -n bookinfo
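The two resources in step3.yaml act on different ends of a hop: the Policy decides what credentials the receiving sidecar accepts, the DestinationRule decides what the calling sidecar sends. The model below is an added example for this talk, not Istio code or the Kiali project's code; it derives the SPIFFE identity that Citadel places in a sidecar certificate (the URI SAN visible in the openssl dump above), validates that identity shape, and works out, per destination, whether a productpage call ends up mTLS, plaintext, or refused. The host list and the "no peer authentication configured" case are assumptions made for the example; the Policy named "default" with no targets is treated as namespace-wide, which is how that resource is scoped.

```python
"""Constructed model (not Istio code) of how a server-side authentication
Policy and a client-side DestinationRule combine on one hop, plus the SPIFFE
identity a workload's certificate carries."""

DEFAULT_TRUST_DOMAIN = "cluster.local"


def spiffe_identity(namespace, service_account, trust_domain=DEFAULT_TRUST_DOMAIN):
    """Identity derived from a workload's Kubernetes service account; this is
    the URI SAN in the sidecar's certificate."""
    return f"spiffe://{trust_domain}/ns/{namespace}/sa/{service_account}"


def parse_spiffe_identity(uri):
    """Split an Istio SPIFFE URI into (trust_domain, namespace, service_account).
    Raises ValueError for anything without exactly that shape, so a server
    never accepts a malformed or foreign identity by accident."""
    prefix = "spiffe://"
    if not uri.startswith(prefix):
        raise ValueError(f"not a SPIFFE URI: {uri!r}")
    parts = uri[len(prefix):].split("/")
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa" or "" in parts:
        raise ValueError(f"unexpected identity shape: {uri!r}")
    return parts[0], parts[2], parts[4]


def connection_outcome(policy_mode, destination_rule_mode):
    """Outcome of one hop.

    policy_mode: server-side peers.mtls.mode, 'PERMISSIVE' or 'STRICT', or
                 None when no peer authentication is configured (assumption:
                 the inbound listener then speaks plaintext only).
    destination_rule_mode: client-side trafficPolicy.tls.mode, 'ISTIO_MUTUAL'
                 or 'DISABLE', or None when no DestinationRule exists.
    Returns 'mtls', 'plaintext' or 'rejected'.
    """
    client_sends_mtls = destination_rule_mode == "ISTIO_MUTUAL"
    if policy_mode == "STRICT":
        # Only mTLS is accepted; a plaintext client is refused.
        return "mtls" if client_sends_mtls else "rejected"
    if policy_mode == "PERMISSIVE":
        # Both are accepted; whether the hop is protected is up to the caller.
        return "mtls" if client_sends_mtls else "plaintext"
    # No peer authentication: a client that initiates TLS cannot complete it.
    return "rejected" if client_sends_mtls else "plaintext"


def mesh_outcomes(namespace_policy_mode, destination_rules, hosts):
    """Apply one namespace-wide Policy and per-host DestinationRules."""
    return {
        host: connection_outcome(namespace_policy_mode, destination_rules.get(host))
        for host in hosts
    }


def unprotected_hosts(outcomes):
    """Defender's check: which destinations are still reachable in plaintext."""
    return sorted(h for h, o in outcomes.items() if o == "plaintext")


# Constructed from the slides' step3.yaml: the Policy "default" with no targets
# is namespace-wide PERMISSIVE; only the details host has an ISTIO_MUTUAL rule.
# The host list is an assumption for the example.
STEP3_POLICY_MODE = "PERMISSIVE"
STEP3_DESTINATION_RULES = {"details": "ISTIO_MUTUAL"}
BOOKINFO_HOSTS = ("details", "reviews", "ratings")


def step3_outcomes():
    return mesh_outcomes(STEP3_POLICY_MODE, STEP3_DESTINATION_RULES, BOOKINFO_HOSTS)


if __name__ == "__main__":
    print(spiffe_identity("bookinfo", "bookinfo-productpage"))
    outcomes = step3_outcomes()
    for host, outcome in outcomes.items():
        print(f"productpage -> {host}: {outcome}")
    print("still plaintext:", unprotected_hosts(outcomes))
```

The point the model makes explicit: with PERMISSIVE on the server and a DestinationRule for details only, the details hop is mTLS while reviews and ratings are still plaintext, and the answer to "are you who you say you are?" is only available on the hops where the client actually presented a certificate. Switching the Policy to STRICT is what turns a missing DestinationRule from a silent downgrade into a visible failure.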
Can ServiceA perform Action on ServiceB?
Demo
List of permissions:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: bookinfo
spec:
  rules:
  - services:
    - "details.bookinfo.svc.cluster.local"
    - "reviews.bookinfo.svc.cluster.local"
    methods: ["GET"]
    constraints:
    - key: "destination.labels[version]"
      values: ["v1"]
List of subjects attached to a role:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-details-reviews
  namespace: bookinfo
spec:
  subjects:
  - user: "cluster.local/ns/bookinfo/sa/bookinfo-productpage"
  roleRef:
    kind: ServiceRole
    name: "details-reviews-viewer"
kubectl apply -f step5.yaml -n bookinfo
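To answer "can ServiceA perform Action on ServiceB?" for step5.yaml, the evaluator below walks the ServiceRole and ServiceRoleBinding the way the v1alpha1 model is defined: a binding must name the caller's identity, and the referenced role must have a rule whose services, methods and every constraint all match; anything else is denied. This is an added example written for this talk, not Istio's enforcement code or the Kiali project's code. The two resources are transcribed from the slides into Python dicts so no YAML library is needed; only the `destination.labels[...]` constraint form used on the slides is modelled, and the second caller identity (`bookinfo-reviews`) is a constructed value.

```python
"""Constructed evaluator (not Istio's enforcement code) for the
rbac.istio.io/v1alpha1 model: a ServiceRole lists permissions, a
ServiceRoleBinding attaches subjects to it, and everything not explicitly
granted is denied once RBAC is enabled."""
import re
from dataclasses import dataclass, field

# step5.yaml from the slides, transcribed into Python dicts.
SERVICE_ROLES = [{
    "name": "details-reviews-viewer",
    "rules": [{
        "services": ["details.bookinfo.svc.cluster.local",
                     "reviews.bookinfo.svc.cluster.local"],
        "methods": ["GET"],
        "constraints": [{"key": "destination.labels[version]", "values": ["v1"]}],
    }],
}]
BINDINGS = [{
    "name": "bind-details-reviews",
    "subjects": [{"user": "cluster.local/ns/bookinfo/sa/bookinfo-productpage"}],
    "roleRef": {"kind": "ServiceRole", "name": "details-reviews-viewer"},
}]


@dataclass
class Request:
    """The attributes the receiving sidecar has for one inbound call."""
    source_principal: str      # SPIFFE ID from the client cert, scheme stripped
    destination_service: str   # FQDN of the called service
    method: str                # HTTP method
    destination_labels: dict = field(default_factory=dict)


def _match(pattern, value):
    """Exact match, or '*' as whole/prefix/suffix wildcard (v1alpha1 syntax)."""
    if pattern == "*":
        return True
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def _attribute(req, key):
    """Resolve a constraint key; only the label form on the slides is modelled."""
    m = re.fullmatch(r"destination\.labels\[(.+)\]", key)
    if m:
        return req.destination_labels.get(m.group(1))
    raise NotImplementedError(f"constraint key not modelled here: {key}")


def rule_permits(rule, req):
    """A rule permits when service AND method AND every constraint match."""
    if not any(_match(s, req.destination_service) for s in rule.get("services", [])):
        return False
    if not any(_match(m, req.method) for m in rule.get("methods", ["*"])):
        return False
    return all(_attribute(req, c["key"]) in c["values"]
               for c in rule.get("constraints", []))


def binding_covers(binding, req):
    return any(_match(s.get("user", "*"), req.source_principal)
               for s in binding["subjects"])


def is_allowed(req, roles=SERVICE_ROLES, bindings=BINDINGS):
    """Deny by default: allow only if a binding names the caller and the role
    it references has at least one rule that permits the request."""
    roles_by_name = {r["name"]: r for r in roles}
    for b in bindings:
        if not binding_covers(b, req):
            continue
        role = roles_by_name.get(b["roleRef"]["name"])
        if role and any(rule_permits(rule, req) for rule in role["rules"]):
            return True
    return False


PRODUCTPAGE = "cluster.local/ns/bookinfo/sa/bookinfo-productpage"
REVIEWS_SA = "cluster.local/ns/bookinfo/sa/bookinfo-reviews"  # constructed caller
DETAILS = "details.bookinfo.svc.cluster.local"
RATINGS = "ratings.bookinfo.svc.cluster.local"


def worked_decisions():
    """Decisions for step5.yaml that a reviewer of the policy would check."""
    return {
        "productpage GET details v1": is_allowed(Request(PRODUCTPAGE, DETAILS, "GET", {"version": "v1"})),
        "productpage POST details v1": is_allowed(Request(PRODUCTPAGE, DETAILS, "POST", {"version": "v1"})),
        "productpage GET details v2": is_allowed(Request(PRODUCTPAGE, DETAILS, "GET", {"version": "v2"})),
        "productpage GET ratings v1": is_allowed(Request(PRODUCTPAGE, RATINGS, "GET", {"version": "v1"})),
        "reviews GET details v1": is_allowed(Request(REVIEWS_SA, DETAILS, "GET", {"version": "v1"})),
    }


if __name__ == "__main__":
    for call, allowed in worked_decisions().items():
        print(f"{call}: {'ALLOW' if allowed else 'DENY'}")
```

Two things the evaluator makes visible that the YAML alone does not: the version constraint means a v2 details deployment is denied even to productpage until the role is updated, and the source principal only exists when the hop is mTLS, so RBAC subjects are only as strong as the mutual TLS step before it. These v1alpha1 resources also only take effect once RBAC enforcement is switched on for the namespace (the RbacConfig, later ClusterRbacConfig, resource in this API generation); without it every request is allowed regardless of the role.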
Demo
@twistlockteam
kubectl apply -f step4.yaml -n bookinfo
Lab