►
From YouTube: Leveraging Envoy to Implement Micro-Segmentation-Based Security Policies - Hermann Lueckhoff
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Leveraging Envoy to Implement Micro-Segmentation-Based Security Policies - Hermann Lueckhoff, JP Morgan Chase
JPMorgan Chase application security architecture follows least privilege network and micro-segmentation principles. For instance, incoming requests from external users need to be validated in a designated security zone before it can be forwarded to upstream endpoints in a different security zone. Communication between these segments is highly regulated and involves various identity providers and different levels of authentication and authorization checks including token validations and exchanges.
In this talk you will learn how we deal with these complexities leveraging standard Envoy routing capabilities as well as Envoy filters such as JWT Authentication and External Authorization. AWS X-Ray Tracer is leveraged for added observability. For our token exchange requirements we utilize the External Processor filter with a Golang gRPC implementation leveraging Unix Domain Sockets (UDS) for improved performance and robustness. After validating the authentication status for a given incoming request we mint new tokens and inject them into the upstream request. The External Processor filter also us a clean way to logically separate standard routing requirements from very specific token exchange needs.
Envoy has become a strategic tool for operating in an elevated security requirements and the resulting additional traffic management complexities. We have been able to replace expensive, inefficient, and hard to maintain custom proxy implementations with Envoy and the External Processor filter. As our teams investigate Istio adoption, Envoy provides us added long term viability since we should be able to port our custom extensions into a service mesh environment. We have realized substantial cost savings on top of improved performance, agility, resource efficiency, and maintainability. Based on initial interest from other teams we see our Envoy-centric traffic management approach as an evolving pattern in our broader organization.
A
Hello,
my
name
is
Thurman
lukoff
I'm
working
for
JPMorgan
I'm
super
happy
to
be
here
and
before
I
forget
it.
If,
if
anything,
I
want
to
get
across
today
is
really
saying,
thank
you
for
the
community.
Your
work
is
so
useful
for
us,
and
so
many
and
sometimes
really
unexpected
ways,
and
that's
really
the
main
topic
for
my
talk.
A
So
this
talk
is
not
so
much
about
technical
Wizardry.
It's
really
a
perspective
from
an
application
team
really
at
the
end
of
the
NY
food
chain
and
I
want
to
talk
about
a
few
application
patterns
where
NY
really
is,
is
very,
very
helpful
for
us
to
do
our
job
since
I'm
working
in
the
financial
industry.
A
We
have
a
very
healthy
sense
of
paranoia
when
it
comes
to
security,
so
security
is
front
and
center
and
I
want
to
talk
a
little
bit
about
how
Envoy
is
helpful
for
us
to
meet
our
company
internally
security
standards,
but
I
also
want
to
go
beyond
that
and
talk
a
little
bit
about
other
application
patterns
where
we
utilize
Envoy
and
where
it
has
been
yeah
again,
very,
very
useful
for
us.
So
for
us,
it's
really
not
only
about
I,
don't
know
service
match
and
and
the
things
that
are
in
the
current
discussion
for
us.
A
So,
if
we
look
at
our
company-wide
security
policy,
one
really
very
generic
pattern
is
segmenting
our
service
landscape
into
into
zones
and
these
zones
came
into
place
for
different
reasons.
Sometimes
you
have
historic
reasons.
These
are
applications
developed,
10
or
15
years
ago
on
different
platforms,
so
they
are
physically
located
in
different
clusters
and
different
server
Farms.
A
You
have
applications
that
have
different
security
requirements,
regulatory
requirements,
compliance
requirements,
so
they
are
separated
out
and
if
you
have
an
application
that
wants
to
consume
these
Services,
you
have
to
go
through
a
certain
step
or
sequence
of
steps.
So,
if
you
start
Downstream,
we
have
applications
coming
in
human
to
app.
We
have
app
to
app
on
the
right
side.
We
have
requests
coming
in
with
different
levels
of
authentication,
with
different
levels
of
authentication
through
different
idps.
A
So
we
have
a
huge
landscape
at
JPMorgan,
with
half
dozen
of
idps
or
IDC
based
older
ones,
Legacy
idps
and
we
have
to
deal
with
all
these
kind
of
requests
coming
with
different
kinds
of
tokens,
and
if
we,
if
we
start
Downstream,
we
we
get
a
request
coming
into
Zone
one.
The
first
thing
we
need
to
do
is
to
validate
this
this
token
and
of
course
we
can
use
a
prox
NY
here,
but
we
also
need
to
actually
exchange
these
tokens
before
we
send
it
Upstream
and
by
going
from
a
level
to
level.
A
Of
course,
we
go
through
to
Fireball,
so
we
have
a
very
regulated
tightly
regulated
process
to
open
up
fire
firewalls,
and
so
the
the
really
the
story
is,
if
you
go
from
Zone
to
Zone,
you
have
to
do
that
revalidation
every
time.
If
you
start
with
Zone
zero,
you
have
to
do
the
token
Exchange
and
yeah.
So
the
question
is
really:
how
can
we
do
that
in
an
efficient
way.
A
This
is
a
little
bit
going
more
into
the
details.
We
see
coming
in
a
requests
with
with
a
with
a
jot,
assuming
that
request
has
been
already
authenticated
and
then,
of
course,
once
the
request
hits
Envoy.
It
goes
to
the
filter
chain
and
I
just
point
out
here:
two
different
filters.
The
first
is
the
jot
validation
filter,
which
is
extremely
helpful
for
us,
because
we
have
all
these
kind
of
different
idps,
different
jot
validation,
configurations
that
we
have
to
validate.
A
This
filter
has
been
really
really
helpful
for
us.
It
allows
us
to
create
a
grpc
server
that
communicates
with
the
with
the
envoy
core
and
all
our
token
handling
token
exchange
logic
is,
is
part
of
that
grpc
server.
So
we
have
different
scenarios.
We
might
want
to
create
a
new
token
from
a
different
IDP
or
we
have
like
custom
self-signed
jots.
So
it
really
depends
on
the
use
case,
but
we
can
really
include
all
these
kind
of
different
variations
very,
very
convenient
conveniently
in
that
grpc
server.
A
What
is
really
great
is
that
this
Envoy
supports
UDS,
Unix
domain
services,
sockets,
sorry
and
the
really
really
nice
thing
about
it.
It's
so
simple
to
set
up
I
just
point
out
here,
the
the
the
the
Golan
code
is
it's
literally
one
line
of
code
that
you
have
to
change
going
from
socket
to
UDS
and
in
the
envoy
configuration
it
is
very
similar
and
UDS
is
just
a
little
bit
more
performant,
just
a
little
bit
more
secure,
just
a
little
bit
more
resource
efficient.
A
Looking
a
little
bit
into
this
grpc
server,
I
think
if
I
just
look
at
it
at
our
requirements
at
at
my
company,
I
think
there's
actually
a
potential
to
further
streamline
that
maybe
having
some
kind
of
Envoy
filter
not
only
for
the
validation
but
actually
for
token
Exchange,
and
we
are.
We
have
actually
started
to
think
about
a
way
to
parameterize
token
exchange
like
making
it
configurable,
for
instance,
defining
and
configuration
how
claims
from
incoming
jobs
float
into
the
the
outcoming
jobs
or
caching
Etc.
A
So
the
first
of
all,
first
of
all,
that
I
want
to
mention
is
cloud
migration,
so
we
started
out
in
a
private
Cloud,
kubernetes
environment
and
we
have
been
moving
ours,
our
services
incrementally
from
from
private
Cloud,
to
serve
to
public
cloud
and
it's
almost
trivial
but
of
course
having
all
the
traffic
going
through
through
Envoy
and
having
I
mean
being
able
to
configure
invoice
so
conveniently
to
go
from
left
to
the
right.
It's
been
tremendously
helpful
to
manage
this
migration,
which
was
a
half
year
effort.
A
A
little
bit
more
interesting
is
a
scenario
where
we
actually
unexpectedly
saw
a
lot
of
value
in
Envoy,
so
we
got
a
request
from
our
product
team,
saying
hey.
We
want
to
create
a
demo
system
for
our
application,
which,
by
the
way,
is
a
story
at
jpmorgan.com,
our
One
Stop
shop
for
Commercial
Real,
Estate
Investors
in
in
JPMorgan.
So
if
you
own
I,
don't
know
commercial
real
estate
property,
please
stop
by
and
yeah.
A
A
A
These
requests
to
different
I,
don't
know
feature
branch
deployments
and
more
mature
versions
of
the
foundation,
speed
space
and
similarly
team
two
has
its
own
envoid
and
can
do
the
same
thing
on
the
on
the
right
side
and
finally,
We
have
basically
the
the
main
Envoy,
the
main
application
Envoy.
That
really
then
points
to
the
Quality
Tollgate,
past
versions
of
the
services
in
the
different
applications
teams,
as
well
as
the
foundation
space.
A
So
to
conclude,
I
mean
Envoy
has
been
really
really
useful
for
us
in,
for
us
sometimes
really
unexpected
ways,
but
there
are
also
challenges,
and
let
me
actually
talk
first
about
the
challenges,
and
the
one
thing
I
really
want
to
mention.
First
and
foremost,
is
the
complexity
of
configuration
and
I.
Guess
it's
it's
easily
underestimated
in
a
community
that
is
so
deeply.
A
Yeah
steeped
into
into
Envoy,
but
for
normal
application
developers
it
can
be
really
really
challenging
to
do
even
simple
things
in
an
Envoy
configuration
and
since
everything
goes
through
Envoy,
it's
also
very
easy
to
screw
up
things
very
quickly
and
very
fundamentally
so.
For
us,
it
has
been
really
challenged
to
find
a
way
to
somehow
regulate
the
way.
How
we
deal
with
our
main
Envoy
configuration,
which
is
by
now
more
than
1200
lines
of
yaml
code
and
that's
by
itself,
is
already
a
challenge.
A
So
we
thought
about
different
ways.
So,
right
now
we
are
primarily
looking
into
building
a
simple
CLI
that
allows
to
to
execute
day-to-day
commands
like
adding
a
service,
removing
a
service,
rerouting
a
service
really
trying
to
avoid
a
normal
developer,
really
touching
the
the
domain
Envoy
yaml
file,
which
really
becomes
like,
like
a
I,
don't
know
almost
like
a
sacred
cow
in
our
development
environment.
A
So
this
is
really
the
kind
of
main
problem
for
us
and
I'm
really
curious
to
see
whether
there's
any
other
person
or
any
other
team
that
has
similar
issues
or
proposals
to
to
get
around
it.
But
the
benefits
are
really
really
very,
very
significant
and
very,
very
helpful
for
us
and
for
us
I
think
it's
not
really
about
wow
Envoy
is
amazing
and
it's
it's
mind
pending
is
really
the
All.
A
The
Small
Things
coming
together
well
thought
out
things
whether
it's
the
filters,
whether
it's
the
routing
rules,
the
configurability,
the
extensibility,
really
the
overall
package
makes
it
so
valuable
for
us
and
again
for
us
as
a
as
a
team
in
the
financial
services
it
all
starts
and
ends
with
security
and
dealing
with
our
company
internal
security
requirements.
Envoy
is
just
really
Priceless
and
we're
using
really
a
lot
of
the
filters
that
are
available
there.
A
I
think
for
the
for
the
istio.
There
is
there's
a
possibility
with
to
to
actually
include
filters,
which
is
a
little
bit
complicated,
but
still
it's
possible.
So
that
would
be
something
that
would
be
very,
very
useful
for
us.
So
then
we
don't
need
our
own
NY
instance
anymore.
We
could
actually
hook
directly
into
the
Envoy
Ingress
controller,
so
yeah,
so
that's,
that's
all
I
have
again.
Thank
you.
So
much
for
all
your
hard
work.
It's
it's
great
for
us
again!
A
It's
it's
not
really
at
the
Forefront
I
mean
Matt's,
saying
is
Envoy
getting
boring,
I,
don't
get
calls
and
Monday
morning
from
my
CDO
say:
Herman
how's
it
going
with
our
reverse
proxy
strategy.
It's
really
something
much
more
a
matter
of
saying
sustainable
engineering
and
I.
Think
in
that
way
it's
been
great
for
us.
Thank
you
very
much.
A
Yes,
we
looked
into
webassembly
and
yeah,
so
the
question
is
about
whether
we
have
looked
into
webassembly
and
yes,
we
have
been
looking
into
webassembly
for
us.
Webassembly
is
a
little
bit
problematic,
because
the
languages
that
we're
using,
which
is
mainly
Java
and
golang,
is
not
are
not
that
well
supported,
particularly
if
you
want
to
use
libraries.
So
for
us
the
grpc
server
approach
was
much
more
accessible
and
and
usable
yeah.
A
A
A
Yeah,
so
the
question
is:
do
we
run
our
own
control
plane
and
how
users
push
configurations
to
Envoy?
That's
exactly
the
kind
of
challenge
that
we
that
we
have
so
right
now
our
NY
is
just
a
kubernetes
part
and
we're
running
a
static,
config
map
configuration
and,
of
course,
the
changes
to
this
of
these
configurations
go
through
so
git
and
and
PRS,
but
it
is,
it
is
yeah,
really
the
the
kind
of
weak
spot,
I
would
say
right
now
and
the
more
developers
we
are
on
board
to
our
foundation
layer.
A
A
A
A
Yeah,
so
we
we
don't
do,
and
so
the
question
is:
how
do
we
push
our
configurations
into
our
runtime
system?
Are
we
doing
heart
restarts
or
are
we
just
pushing
the
configuration
and
I
mean?
In
our
case,
we
just
push
the
the
configuration
into
our
kubernetes
and
we
do
a
rolling
update,
but
we
don't
use
x,
our
dats
or
or
any
of
these
kind
of
more
fancy
mechanisms.