@xeviknal
@kialiProject
Why are we here?
Istio architecture
Istio concepts
Routing Features
Security features
Q&A
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mesh-arena-gateway
spec:
  selector:
    istio: ingressgateway   # attach this Gateway to the istio-ingressgateway pods
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP        # plaintext HTTP at the edge, no TLS terminated here
    hosts:
    - "*"                   # accept any Host header
Expose the service mesh to external traffic. The Gateway only opens the port on the ingress proxy; a VirtualService bound to this gateway decides where the requests go.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: ball-vs
spec:
  hosts:
  - ball                    # short name, resolved within the namespace
  http:
  - route:
    - destination:
        host: ball
        subset: ball-v1     # subset must be declared in a DestinationRule for "ball"
Routing rules applied when a host is addressed (match, rewrite, weight). Every request to "ball" is sent to the ball-v1 subset only.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: ball-dr
spec:
  host: ball
  subsets:
  - name: ball-v1
    labels:
      version: v1           # pods of "ball" carrying version=v1
  - name: ball-v2
    labels:
      version: v2
Policies applied to a service after routing has been decided (load balancing, circuit breaking, and the TLS settings used towards it). Subsets are named groups of pods selected by labels.
Football simulation with only AI players
Each item is one microservice
Microservices:
- Lots of services to protect; services are dynamic; multiple workloads per service
- Each service receives and sends data: one point per service, higher network usage
- Each service has at least one endpoint, and its consumers need to be identified
- Each service may have unauthorized access

Monolith:
- Few components to protect; pieces are very well-known; almost static architecture
- Few points to impersonate
- Few public points; consumers are unknown
- Few access points to log
PROTECTING WITH
Demo
Strong Identity - how?
openssl x509 -in chain-example.pem -noout -text   # x509 prints only the first certificate of a chain file
The workload identity lives in the X509v3 Subject Alternative Name extension as a URI of the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>; Citadel issues and rotates these certificates per Kubernetes service account.
Are you who you say you are?
Demo
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
  name: "ball-enable-mtls"
spec:
  host: ball
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL    # use the Istio-issued certificates for mTLS towards "ball"
Rules applied on the client side after routing: callers of "ball" originate mTLS with their sidecar certificate.
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "default"           # a Policy named "default" with no targets applies to the whole namespace
spec:
  peers:
  - mtls:
      mode: PERMISSIVE      # accept both mTLS and plaintext; STRICT rejects plaintext
Authentication methods accepted on the workload(s). PERMISSIVE eases migration but does not enforce mTLS; move to STRICT once every client has a DestinationRule with ISTIO_MUTUAL, otherwise plaintext callers are refused. The two sides must agree: ISTIO_MUTUAL towards a workload with no mTLS policy, or plaintext towards a STRICT one, fails the connection.
Can ServiceA perform Action on ServiceB?
Demo
List of permissions:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: details-reviews-viewer
  namespace: bookinfo
spec:
  rules:
  - services:
    - "details.bookinfo.svc.cluster.local"
    - "reviews.bookinfo.svc.cluster.local"
    methods: ["GET"]        # omit methods to allow any method
    constraints:
    - key: "destination.labels[version]"
      values: ["v1"]        # only the v1 workloads of those services
A role grants access to services and methods, optionally narrowed by constraints on request attributes. Roles and bindings only take effect in namespaces where RBAC has been switched on through a ClusterRbacConfig; once enabled, any request not explicitly allowed is denied.
List of subjects attached to a role:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-details-reviews
  namespace: bookinfo
spec:
  subjects:
  - user: "cluster.local/ns/bookinfo/sa/bookinfo-productpage"   # SPIFFE identity without the spiffe:// scheme
  roleRef:
    kind: ServiceRole
    name: "details-reviews-viewer"
The subject is the identity taken from the caller's mTLS client certificate (trust domain, namespace and service account), so bindings on `user` only match callers that actually speak mTLS.
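To make the two questions on these slides concrete ("Are you who you say you are?" and "Can ServiceA perform Action on ServiceB?"), here is an added Python example, not Istio or Kiali code: a small evaluator that takes the SPIFFE URI from a workload's mTLS certificate, turns it into the `user` string used in ServiceRoleBinding subjects, and checks requests against the ServiceRole and ServiceRoleBinding above, embedded as constructed dictionaries. The second caller identity (`bookinfo-ratings`) and the request attributes are assumed for illustration, and only the `destination.labels[...]` constraint key is modelled.

```python
"""Toy evaluator for Istio v1alpha1 RBAC (ServiceRole + ServiceRoleBinding).
Added example for these notes, not Istio code: the caller's identity is the SPIFFE
URI in its mTLS client certificate, a ServiceRoleBinding maps that identity to a
ServiceRole, and the role lists allowed services, methods and constraints."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SPIFFE_PREFIX = "spiffe://"


def spiffe_to_rbac_user(uri: str) -> str:
    """spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage
    -> cluster.local/ns/bookinfo/sa/bookinfo-productpage, the `user` form in bindings.
    Raises ValueError unless the layout is <trust-domain>/ns/<ns>/sa/<service-account>."""
    if not uri.startswith(SPIFFE_PREFIX):
        raise ValueError(f"not a SPIFFE URI: {uri!r}")
    ident = uri[len(SPIFFE_PREFIX):]
    parts = ident.split("/")
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa" or not all(parts):
        raise ValueError(f"unexpected identity layout: {ident!r}")
    return ident


def _glob(pattern: str, value: str) -> bool:
    """Istio RBAC string matching: exact, "*", "prefix*" or "*suffix"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


@dataclass
class Request:
    source_principal: str     # SPIFFE URI from the client cert; "" when plaintext
    destination_service: str  # FQDN of the target service
    method: str               # HTTP method
    destination_labels: Dict[str, str] = field(default_factory=dict)

    def attribute(self, key: str) -> Optional[str]:
        """Resolve a constraint key; only destination.labels[<name>] is modelled here."""
        if key.startswith("destination.labels[") and key.endswith("]"):
            return self.destination_labels.get(key[len("destination.labels["):-1])
        return None


def rule_matches(rule: dict, req: Request) -> bool:
    """Service, method and every constraint must match; an omitted `methods` list
    means any method; the values inside a single constraint are ORed."""
    if not any(_glob(s, req.destination_service) for s in rule.get("services", [])):
        return False
    if "methods" in rule and not any(_glob(m, req.method) for m in rule["methods"]):
        return False
    for c in rule.get("constraints", []):
        actual = req.attribute(c["key"])
        if actual is None or not any(_glob(v, actual) for v in c["values"]):
            return False
    return True


def authorize(roles: List[dict], bindings: List[dict], req: Request) -> bool:
    """Deny by default: allow only if a binding subject matches the caller
    (`user: "*"` matches anyone, even unauthenticated) and the bound role in the
    same namespace has a rule matching the request."""
    try:
        user = spiffe_to_rbac_user(req.source_principal) if req.source_principal else None
    except ValueError:
        user = None  # an unparseable identity is treated as unauthenticated
    roles_by_key = {(r["namespace"], r["name"]): r for r in roles}
    for b in bindings:
        if not any(s.get("user") == "*" or (user and s.get("user") == user) for s in b["subjects"]):
            continue
        role = roles_by_key.get((b["namespace"], b["roleRef"]["name"]))
        if role and any(rule_matches(rule, req) for rule in role["rules"]):
            return True
    return False


# Constructed sample data mirroring the ServiceRole and ServiceRoleBinding on the slides.
ROLES = [{"name": "details-reviews-viewer", "namespace": "bookinfo", "rules": [{
    "services": ["details.bookinfo.svc.cluster.local", "reviews.bookinfo.svc.cluster.local"],
    "methods": ["GET"],
    "constraints": [{"key": "destination.labels[version]", "values": ["v1"]}]}]}]
BINDINGS = [{"name": "bind-details-reviews", "namespace": "bookinfo",
             "subjects": [{"user": "cluster.local/ns/bookinfo/sa/bookinfo-productpage"}],
             "roleRef": {"kind": "ServiceRole", "name": "details-reviews-viewer"}}]
PRODUCTPAGE = "spiffe://cluster.local/ns/bookinfo/sa/bookinfo-productpage"
RATINGS = "spiffe://cluster.local/ns/bookinfo/sa/bookinfo-ratings"  # assumed second caller
DETAILS = "details.bookinfo.svc.cluster.local"


def demo() -> Dict[str, bool]:
    """Decisions for constructed requests against the slides' policy."""
    def ask(principal: str, method: str, version: str) -> bool:
        return authorize(ROLES, BINDINGS, Request(principal, DETAILS, method, {"version": version}))
    return {
        "productpage GET details v1": ask(PRODUCTPAGE, "GET", "v1"),    # bound and rule matches
        "productpage GET details v2": ask(PRODUCTPAGE, "GET", "v2"),    # version constraint fails
        "productpage POST details v1": ask(PRODUCTPAGE, "POST", "v1"),  # method not allowed
        "ratings GET details v1": ask(RATINGS, "GET", "v1"),            # identity not bound
        "plaintext GET details v1": ask("", "GET", "v1"),               # no identity at all
    }
```

Running `demo()` shows why the identity slide comes before the authorization slide: a caller without a certificate has no `user` to bind, and an unbound or mis-scoped caller is denied even when the service and method are otherwise allowed. Real Istio also matches on source namespace, request headers and other attributes; the mapping from SPIFFE URI to `user` and the deny-by-default shape are the parts this model reproduces.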
Demo