►
From YouTube: A Tale of a Meshi Kafka: Securing Kafka Deployment When Istio Is... Ariel Shuper & Nikolas Mousouros
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2021 Virtual from May 4–7, 2021. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
A Tale of a Meshi Kafka: Securing Kafka Deployment When Istio Is Used - Ariel Shuper, Portshift & Nikolas Mousouros, Marlow Navigation
Kafka is a commonly used message broker for microservices real-time data feeds. A standard setup allows any micro-service to read or write any messages to/from any topic. The need for security typically starts when multiple applications use the same Kafka broker in a cluster, or when confidential information is shared in the Kafka topics. Common security practices to use are authenticating subscribers and publishers, authorization policies for access control and data encryption. When Istio is being used with microservices that access Kafka topics, the envoy proxies is expected to offload these security elements. However, creating sustainable and consistent authorization policies when Istio is deployed isn't feasible, and tracking the microservices based on their IPs isn’t feasible because of their replacement. The session will present how to build an external authorization mechanism and simplify policy management for Kafka topics by using open source tools, like OPA and others
A
A
A
Who
am
I
so
my
name
is
ariel
schuper,
I'm
a
principal
product
manager
at
cisco,
used
to
be
a
vp
product
management
in
port
shift
port
shifted
the
cloud
native
security
vendor
before
working
in
port
shift.
I
was
the
head
of
serverless
solution
at
aqua
security,
and
before
that
I
led
the
cloud
security
solutions
in
checkpoints
of
technologies,
part
of
open
source
with
the
the
qb
project
that
we
in
port
shift
created
and
also
a
member
of
the
easter
security
working
group.
A
A
little
bit
about
port
shift.
We
are
were
founded
by
2018,
then
acquired
by
cisco,
beginning
of
november,
beginning
of
this
beginning
of
this
month,
focusing
on
cloud
native
security
platform
and,
more
specifically
on
integrating
it
with
service
mesh,
any
type
of
service
mesh,
and
that's
it
about
it.
B
I'm
nicolas
museros
I
worked
in
telecommunication,
currency
exchange,
commercial
companies
and
now
I'm
glad
to
be
part
of
two
organizations.
As
a
devops
engineer,
the
first
to
the
first
one
is
marlo
navigation,
and
now
I'm
trying
to
start
my
own
startup
business,
rtx
direct,
which
is
providing
cloud
native
services.
B
A
Thank
you
nicholas
and
let's
talk
about
get
into
the
details
and
let's
talk
about
a
little
bit
about
microservices
communication,
so
we
are
moving
to
microservices.
Okay,
microservices
usually
look
like
that.
We,
when
we're
working
in
distributed
applications,
we
start
breaking
down
monolithic
into
small
components.
We
want
each
of
them
to
communicate
with
with
each
other.
So
we
are
creating.
A
You
know
a
nice
communication
schema,
but
then,
eventually,
when
the
cluster
grows-
and
there
are
more
more
elements,
we
can
quickly
turn
into
this
famous
diagram
that
shows
the
lift
micro
services
communication
before
they
started
the
project
with
envoy
before
they
moved
to
service
mesh
and
the
idea
that
you
know
when
we
have
lots
of
micro
services.
A
lot
of
communication,
I'm
not
going
to
talk
about
whether
or
not
service
mesh
is
the
right
way
to
choose
it.
But
we
can
talk
about
lots
of
microchips
communicating
with
each
other.
A
We
can
use
it
like
the
mesh
in
synchronous
mechanism
that
everyone
can
communicate
with
everyone
synchronically,
but
you
can
also
use
asynchronous
communication
or
security
message.
Passing
with.
There
are
multiple
options:
kafka,
pachi,
kafka,
just
a
popular
one,
but
there
are
many
other
options
of
how
we
can
use
event
streaming
between
services,
which
are
not
synchronous.
A
Now
we
would
like
to
talk
about
apache
kafka.
You
know
as
a
popular
event
streaming
mechanism.
Apache
kafka
was,
you
know,
becoming
a
pop.
Very
popular
tool
was
donated
by
linkedin
to
the
open
source
community
in
2011
as
a
message
queue
quickly
turned
in
to
be
like
an
event
streaming,
so
we're
not
just
making
like
some
simple
computation
actions
on
messages.
We
can
run
multiple
actions
on
multiple
messages
simultaneously.
A
We
can
also
maintain
persistency
with
keeping
up
the
message.
There
are
many
benefits
to
to
apache
kafka
and
to
the
way
it
is
used
today
for
asynchronous
communication.
Now
our
focus
today
and
nikolas
will
uprise
it
a
little
bit
more.
When
you
talk
about
architecture
is
on
an
open
source.
Distribution
of
kubernetes
called
strimzy
and
strimsy
goal
is
to
simplify
the
process
of
running
kafka
in
kubernetes.
A
A
A
It's
important
to
know
that
kafka
does
require
some
level
of
security
by
by
nature
the
default
setting
is
that
you
know
the
different
configuration
allow
any
user
to
read
or
write
or
publish
or
subscribe
of
you
know
any
or
all
the
data.
So
you
can,
you
know,
publish
your
type
to
any
topic,
so
you
get
a
full
exposure.
A
The
communication
is
in
plain
text.
If
you
don't
do
anything
specifically
and
you
know,
and
you
go
and
configure
the
tls
between
your
users
and
their
brokers,
the
communication
is
in
plain
text.
So
if
someone
can
intercept
it
in
the
cluster,
I
can
get
exposed
to
all
the
communication.
There's
no
need
to
you,
know
decrypt.
It
users
can
delete
the
data
and
in
some
distributions,
the
secrets
or
credentials
are
stored
in
plain
text.
So
you
want
to
restrict
the
access
of
people
who
can
access
those?
A
You
know
the
zookeeper
location,
so
by
default.
There
are
many,
I
would
say,
security
challenges,
but
you
know,
given
the
maturity
of
the
product.
A
lot
of
them,
you
know,
were
taken
care
of
were
handled
more
specifically
talking
about
streamsi
kafka.
Looking
the
main
security
building
block,
so
the
authentication
use
user
authentication
can
can
be
managed,
kafka,
listeners
use
authentication,
so
they
can
ensure
secure
client
connection.
It
does
support
different
authentication,
different
authentication
options,
there's
a
dedicated
user
operator
that
can
simplify
some
of
them.
A
A
The
native
authorization
in
kafka
is
using
the
simple
acl
authorizers
it's
based
on
authentication
of
users,
and
then
you
allow,
if
you
have
users
authenticate
and
identified,
you
can
define
access
control
list
and
you
can
define
what
user
can
access.
What
resource
encryption
in
streams
is
with
tls.
A
So
the
communication
is
always
encrypted
in
the
main
control
elements
like
between
the
brokers,
the
zookeeper
nodes,
the
operator
and
the
exporter.
You
can,
you
know,
encrypting
the
user
traffic.
The
user
communication
with
the
brokers
is
something
that
that
is
required.
Users,
intervention
and
and
making
it
with
the
tls
option.
A
So-
and
I
was
talking
about
security
in
kubernetes
committees-
offer
a
rich
set
of
security
mechanism,
there's
a
lot
of
investment,
a
lot
of
work
and
also
coming
from
the
maturity
of
the
of
kubernetes
in
its
deployment.
There
are
multiple
options
for
security,
both
for
deployments
for
services
for
policies,
but
also
for
authentication
authorization,
and
you
know
powerful,
role-based
access
control.
A
A
This
lead
us
to
think
that
when
we
deploy
kafka
in
kubernetes
and
with
istio
will
be
in
a
much
better
stage,
because
the
kubernetes,
the
kafka
security
and
the
course,
although
there
are
you,
know
they
don't
match,
but
if
we're
using
it
with
kubernetes,
then
we
can
get
the
benefit
of
all
the
existing
tools,
especially
you
know
easter
can
used
like
it
does
today
can
contribute.
You
know
seamlessly
to
the
security
level,
because
it's
doing
it,
you
know
using
offloading
the
traffic,
not
touching
more,
defining
or
changing
anything
in
the
workload.
A
So
this
would
come
make
a
thing
that
the
security
security
situat,
the
security
status,
can
be
much
better.
Now.
What
we
discovered
and
also
together
with
marloy,
is
that
easter
and
kafka
are
not.
You
know
the
best
match,
or
I
would
say,
they're
not
a
match
made
in
heaven
and
it's
time
for
multiple
reasons
you
know,
but
when
you
come
to
think
about
it,
that
you
know
kafka
and
zookeeper
were
both
designed
to
have
all
the
required
resources
available
at
startup
time.
A
If
a
broker
tried
to
communicate
with
the
zookeeper
and
envoy
is
not
ready
or
not
available,
the
broker
will
crash.
We
also
saw
that
in
zookeeper
installation
it
binds
it
to
the
pod
ip,
but
nvo
uses
localhost
for
forwarding
traffic
and
the
result
can
be
connection
refused
errors
and
some
other
challenges
that
we
we
happen
to
found,
and
unfortunately,
this
leave
us.
You
know
with
situation
the
still
from
one
side
we
do
deploy
the
kafka.
A
A
Is
you
know
if
you
can
really
make
some
small
changes
or
do
something
which
some
have
already
in
the
work,
but
some
can
be
done.
So
what
are
the
requirement?
What
do
we
need
in
order
to
make
kafka
and
east
you
a
perfect
match
right,
so
in
order
to
create
what
we
call
a
kafka
friendly,
easter
kafka,
friendly
service
mesh,
something
that
will
let
us
you
know
to
benefit
from
all
the
security
controls
in
an
automated
and
smooth.
A
You
know
for
existing
users,
but
also,
more
importantly,
for
future
users,
which
are
deploying
you
want
to
connect.
You
know
with
the
kafka
cluster.
There
are
two
critical
elements
that
you
know
need
to
be
fixed
in
order
to
get
this
kafka
friendly
level
expectation.
One
of
it
which
is
already
in
the
work,
was
supposed
to
be
part
of
1.18
1.19,
but
I
believe
it
will
be
in
the
next
in
the
next
version.
Definitely
going
to
be
included
is
making
a
sidecar
first-class
citizen,
part
of
kubernetes.
Now.
A
What
do
I
mean
first-class
citizen,
making
sure
that
when
a
sidecar
container
like
envoy
is
deployed
with
every
pod,
you
know
make
sure
that
the
this
sidecar
is
up
before
the
regular
containers
are
up
and
making
sure
it's
shut
down.
Only
after
all,
the
other
containers
are
terminated
and
this
will
make
will
ensure
that
all
the
challenges
we
discussed
in
the
previous
slide
will
not
happen,
because
envoy
will
always
be
there.
So
we
can
both
zookeepers
and
the
brokers
can
establish
their
communication
without
worrying
about
it.
A
But
that's
not
it
there's
some
a
little
bit
more
tweaking
that
is
required,
and
you
know
thanks
to
the
flexibility
of
envoy
and
istio.
This
is
something
which
was
already
available
since
1.5,
and
this
is
adding
a
special
detection
to
kafka
traffic,
either
by
enhancing
the
current
kafka
filter,
because
today,
envoy
supports
a
filter
for
detecting
kafka
traffic,
but
there's
slightly
more
that
needs
to
be
done
or
creating
a
new
filter
or
a
new
proxy
for
envoy,
which
again
also
you
know,
post
1.5
is
much
simpler
to
do
now.
A
As
I
said
before,
so
one,
there
are
infrastructure
issues
which
are
being
mean
done
or
managing
kubernetes
already
part
of
the
release
plan,
and
it's
going
to
be,
you
know,
included
probably
in
the
next
version,
but
there
are
some
you
know,
modifications
to
envoy
which
are
required
in
order
to
make
it.
You
know
kafka
friendly.
A
If
we
can
use
similar
mechanisms
like
could
today
with
http
kind
of
a
proxy
that
allow
us
to
parse
the
kafka
stream
and
you
know,
send
it
for
authentication
and
authorization,
so
we
can
authorize
any
request
now.
This
can
be
done
either
by
enhancement
to
the
current
filter
or
by
using
the
new
webassembly
toolkit,
which
allowed
to
customize
and
create
customize
filters
for
envoy
like
an
on
demand,
and
then
you
know,
we
can
use
envoy
to
invoke
authorization
for
every
message
based
on
installation
properties.
A
We
can
of
course
authorize
it.
We
can
create
policies,
those
processes
will
authorize.
We
can,
of
course,
cache
the
results,
so
it's
not
gonna
be
like
every
request.
Only
for
a
new
connection
or
new
service,
which
is
something
that
will
allow
us,
you
know
to
benefit
from
a
fully
authorized
mechanism
that
allow
users
to
define
the
rules
envoy
can
enforce
it
can
create
it.
Just
like
we
do
today
with
our
http
communication.
A
Now
anybody
can
also
pass
authentication
information
to
kafka.
Authorizers
an
envoy
can
seamlessly
encrypt
encrypt
and
manage
all
the
certificates.
You
know
of
the
cluster
of
the
brokers
of
the
users.
There's
no
need
to
work
on
the
tls
certificates
for
the
users.
We
can
also
take
it
a
step
forward
and
do
all
the
ingress
in
the
egress
communication.
We
can
manage
them
and
using
the
service
mesh
policies
so
with
having
the
right
filters
and
some
little
to
help.
We
can
really
reach
level
of
very
kafka,
friendly
istio.
A
That
will
allow
us
to
benefit
from
all.
You
know
the
inherent
security
which
are
included
so
how's.
The
structure
is
going
to
look
like,
so
this
is
going
to
be
like
we're
going
to
inject
the
istio
or
the
endovoy
proxy
to
consumer
pods,
producer
pods
and
the
kafka
broker.
The
easter
control
plane
will
make
sure
that
everything
is
encrypted,
and
you
know
the
the
envoy
will
encrypt
the
traffic.
A
A
So,
what's
going
to
look
like
so
instead
of
using
the
regular
authentication,
we
can
of
course
use
the
easter
based
authentication.
The
android
proxy
will
extract
the
application
or
the
or
the
micro
service
identity
and
forward
it
and
afford
it
for
the
authorizer.
Just
like
you
know
it's
using
it
today.
A
A
Encryption
can
can
spread
around
the
entire
cluster,
so,
instead
of
keeping
it
only
specific
to
the
control,
we
can
run
it.
You
know
all
the
clustering
trip,
all
the
traffic
between
the
micro
services
and
the
brokers
or
even
the
internal
everything
can
be
managed.
You
know
rotating
certificates,
it's
gonna
be
a
much
easier
and
simpler
task
to
do
so.
All
in
all
with
having
with
you
know,
making
those
changes
you
know
we
can
make
istio
a
much
friendlier
to
kafka.
A
We
can
then
once
we
deploy
together,
we
can
use
all
those
mechanisms
which
today
are
not
very
advanced
in
kafka.
We
can
use
the
easter
mechanism
and
then
we
can
bring
the
kafka
to
the
same
level
of
security
like
any
other
regular
workload,
that's
running
in
in
kubernetes,
so
we
can
really
benefit
from
both
worlds
together.
A
But
that
brings
us
to
the
question:
what
do
we
do
until
that?
And
until
we
have
is
your
friendly?
What
can
be
an
intermediate
solution?
And
here
we
won't
talk
about
what
we
are
using
today
and
today
we're
using
the
open
policy
agent,
so
the
open
policy
agent
to
do
all
the
micro
services
authorization
just
on
a
nutshell:
the
open
policy
agent,
it's
a
popular
tool,
it
decouple
policy
decision
making
from
enforcement
decision.
A
A
We
use
the
same
architecture
and
use
the
same
plugin,
also
to
allow
people
to
communicate
and
define
their
authorization
rules,
and
then
the
opa
plugin
will
forward
it
to
port
shift.
Port
shift
will
based
on
based
act
like
just
the
opa
server
and
based
on
the
predefined
rules,
we'll
verify
what
users
can
access
what
you
know,
what
topic
what
broker
can
be
accessed?
We
are
focusing
on
on
topics
all
the
new
communication
going
to
be
authorized.
A
A
A
A
B
We
are
using
a
legacy
system
that
was
built
for
25
years.
It
kept
growing
and
became
complex,
and,
if
I
can
recall
correctly,
it
reached
its
end
of
life
support
in
2003,
not
only
that,
but
the
server
side
application
does
everything
it
receives.
Requests
executes,
domain
logic,
retrieves
and
updates
data
from
database
and
responds
back
to
the
client
modularity
within
the
application
is
typically
based
on
features
of
the
programming
language.
B
Even
a
small
change
of
to
the
application
requires
that
the
entire
monolithic
system
is
rebuilt
and
redeployed.
It
gets
difficult
for
change
not
to
affect
the
whole
system
as
much
as
it
grows
over
the
years.
It
gets
difficult
and
complex
to
maintain
and
in
order
to
scale
the
application,
we
would
simply
create
more
instances
of
that
process,
and
usually
it
is
not
possible
to
scale
the
components
in
primary.
B
So
moving
to
cloud
native
micro
services
and
google
networks
micro
services
with
the
google
nethers
natives
deployments,
we
can
get
view
on
different
metrics,
such
as
cpu
usage
and
ram
usage.
The
horizontal
product
scalers
give
us
the
ability
to
scale
the
number
of
instances
in
a
replication
controller
or
replica.
B
On
those
metrics,
we
can
also
use
the
same
metrics,
alongside
with
shell
checks
to
vertically
scale
our
infrastructure
when
needed,
even
that
we
prefer
scaling
horizontally
our
infrastructure
as
well
and
with
the
introduction
of
githubs
deployment,
configs
sharing,
charts,
we
save
a
lot
of
time.
We
have
better
versioning
and
obviously
much
easier
rolling
updates.
B
So
a
bit
about
our
this
is
a
small
representation
of
how
our
system
works.
We
still
need
to
get
data
from
our
legacy
system,
since
we
are
still
in
development,
so
we
have
stateless
apps
in
blue
color
that
issue
commands
and
events,
but
we
still
need
to
keep
the
state
somewhere.
So
we
decided
to
use
kafka
and
other
storage
services.
A
B
Freedom
in
so
many
ways,
for
example,
leveraging
all
the
kubernetes
concepts
that
I
already
talked
about.
We
are
able
to
use
githubs
to
to
easily
deploy
a
ton
of
kafka.
With
a
few
clicks,
we
parameterize
a
lot
of
the
configuration
it's
pretty
much
secure
in
comparison
with
other
services
and
has
a
great
community
that
is
always
willing
to
help.
B
B
B
So
the
port
shift
solution
gave
us
visibility
on
what
requests
are
made
with
tables
and
nice
graphs.
We
were
able
to
set
up
rules
on
a
very
user-friendly
environment.
We
are
able
to
add
rules
for
specific
microservices
and
specific
topics
and
moving
forward.
I
will
show
a
small
demo
of
how
easily
those
stuff
can
be
done.
B
B
B
A
A
A
B
B
A
B
B
B
B
A
B
B
B
B
B
B
B
B
B
A
A
In
the
meantime,
opensort
the
open
policy
agent
can
be
used
in
order
to
customize
a
lot
of
the
work
but
having,
but
nevertheless,
I'm
sure
in
the
near
future
we'll
be
able
to
benefit
from
the
meshi
kafka
and
make
a
serving
flesh
friendly
kafka.
So
that's
it.
Thank
you
very
much
for
joining.
Thank
you,
nicolas,
for
a
great
demo,
and
thank
you
for
doing
this
for
joining
and
will
be
available
for
in
the
next
few
minutes
for
a
few
questions
from
the
audience.