►
Description
Join us for Kubernetes Forums Seoul, Sydney, Bengaluru and Delhi - learn more at kubecon.io
Don't miss KubeCon + CloudNativeCon 2020 events in Amsterdam March 30 - April 2, Shanghai July 28-30 and Boston November 17-20! Learn more at kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects
Istio Certificate Management Through Vault - Lei Tang & Yonggang Liu, Google
In this talk, we present the design and implementation of a new Istio certificate management system that uses Vault to securely manage Istio certificates. First, we introduce the identity system in Istio and the current architecture of Istio certificate management system. Next, we present the architecture of the new Vault-based Istio identity system with the details of its authentication and authorization mechanisms for issuing Istio certificates. We will go through a detailed example flow from a pod in Istio requesting a certificate to Vault signing the certificate request. Lastly, we will make a demo of the new Istio certificate management system.
To learn more click here: https://sched.co/FuKM
B
A
We're
both
from
Google
SEO
team,
so
nowadays
a
company
may
have
turns
off
for
services
and
the
services
they
typically
depend
on
each
other.
They
will
call
each
other
and
there's
a
service
owners
needed
to
manage
allayed
services,
for
example,
to
manage
their
security,
manages
their
traffic
collected
to
mandatory
data
and
the
displays
a
telemetry
data
called
her
control.
A
Seo
consists
of
four
control
plane
and
the
data
plane,
so
control,
plane,
marriages
or
policies
and
as
a
paper
plane
actually
enforce
the
services.
There
are
three
components,
is
a
control
plane.
One
is
pilot,
so
polar
to
get
to
the
Policy
Forum
as
an
operator,
and
the
interpreters
are
policies
and
translate
to
the
policies
into
American
vehicle.
So
Emily
is
Azure
data
plane,
so
these
configurations
are
pushed
to
the
Envoy
and
the
annual
actually
enforce
these
policies.
A
So
the
second
component
is
a
citadel
citadel
is
an
entity
that
manages
a
is
two
certificates
and
a
reserved
entity
is
mixer,
so
mixer
will
do
the
quarter
control
and
it
will
report
as
a
telemetry
data
collected
at
telemetry
data.
So
now
I
will
use
an
example
of
a
single
HTTP
request
to
see
well,
the
life
of
this
request.
First
interval,
which
internet
and
then
eventually
being
rich,
is
a
data
plane.
So
after
the
data
plane,
all
these
policies
are
enforced,
for
example,
security,
traffic
and
management.
A
So
security
is
critical
to
any
macro
service
and
service
mesh.
There
are
all
kinds
of
for
security
threats:
choice
on
how
the
attacker
may
try
to
Eva
stop
the
traffic.
The
attacker
may
try
to
access
our
service.
Sorry
Eva
aren't
authorized
in
the
and
the
inside
of
a
service,
Nash
they're
also
all
kinds
off
for
a
pass.
For
example,
a
service
we
try
to
access
another
service
that
is
not
authorized
a
tattoo.
A
So
mr.
security
is
based
on
decades
of
Google
production
security.
That
experiences,
in
particular
beyond
the
cop
and
the
application
layer,
transport
transporter
security,
so
in
traditional
network
a
parameter,
a
security
model.
If
the
access
is
a
form
I
P
address,
raisings
or
VPN
I
was
in
the
firewall,
then
the
access
is
granted.
A
So
this
access
model
parameter
recognizes
the
factors
after
the
security
swaps
may
also
come
in
from
disease
or
a
service
mesh.
So
beyond
the
court
appoint
under
this
network
perimeter
based
the
security
model
instead
beyond
the
cop
enforces
security
based
on
identities,
connection
state,
we
pass
the
attributes
based
on
a
comprehensive
list
of
was
a
contacts,
information
to
enforce
the
security.
A
Ii
still
provides
a
platform
to
help
user
to
secure
their
material
service
as
we
go
to
so
same
as
the
beyond
the
park.
Ii
still
has
no
trust
to
the
network,
and
so
there's
a
access
is
granted.
An
IRA
is
based
on
the
context,
so
the
contacts
may
include
identities,
connection
state,
for
example,
whether
the
connection
is
encrypted
or
not,
and
the
request
attributes,
for
example,
really
severe
Posse,
is
a
form
where
it's.
The
peer
link
is
where
the
peer
service
is.
Who
is
the
caller
so
based
on
a
comprehensive
list?
A
Our
four
contacts
information
this
case
is
a
secure
by
default,
so
the
services
owners
they
don't
need
to
change
a
lot
of
their
code.
The
service
enforcement
is
transparent
to
the
service
owner,
so
the
service
owner
can
focus
on
developing
their
energy
without
spending
time
manage
their
services
so
st.
as
their
application.
They
are
transported.
Security
is
to
encrypt
the
trafficker.
Regimes
are
serviced
match,
so
every
access
is
encrypted
and
authenticating
them.
Also
as
the
base
tones
or
contacts
information.
A
So
is
Q
inverse
context-aware
access
control,
so
the
contacts
can
be
the
identity
can
be.
The
location
can
be,
is
a
channel
state
and
is
this
contacts
information
they
can
be
in
holding
that
you
JSON
web
token?
So
there
is
a
request
that
comes
the
request,
will
be
a
company
that
buy
our
JSON
web
token.
A
It
can
also
be
obtained
er.
This
contact
information
can
also
be
attended
by
a
beta
plane
by
our
boy.
Our
same
time,
his
identity
can
be
also
represented
by
the
certificate.
He
still
follows
the
species
than
Dada
for
the
identity
is
a
certificate,
so
raises
this
identity,
zucchini
the
service
counter
of
a
workload
is
represented
alibis
or
name
space,
and
the
service
account
name
so
here
I
will
give
you
an
example
air
for
how
risky
Oh
conducts
complex
aware
access.
So
the
operator
F
is
a
mismatch
device.
A
The
policies,
the
security
policies
are
eventually
transmitted
either
to
pilot
and
a
pilot
interpret
these
policies
and
the
converters
and
tools
or
paper
plane
configurations
and
the
disability
that
two
or
more
so
when
I
request
the
calm.
So
the
requester
may
have
was
a
contacts.
Information
such
as
short
certificate
and
other
contacts,
information
obtained
deposit
data
plane,
the
data
plane
has
authentication,
filter,
authentication,
filter
there,
educators
or
contacts
information
and
the
decider.
Whether
this
is
valid
or
not.
A
If
it
is
attributes
this
contacts,
information
haven't
been
authenticated,
then
it's
possible
to
the
US
authorization
filter,
so
the
authorization
filter
they
are
pistols
are
authorized
Asian
policy
to
decide
whether
to
reject
the
access
or
quantities
of
access.
After
this
policy
enforcement,
the
request
is
for
to
the
partner
service.
So
the
popular
service
is
all
these
policy
enforcement.
It
is
transparent
to
the
pacano
Service
and
the
Park
Service
will
process
the
request
and
the
sender
battles
or
response.
A
Must
do
a
demo
of
misty
or
contacts
aware
access
control,
so
in
this
demo
the
vassals
are
access
is
granting
the
organizer
is
based
on
two
contacts:
information,
one
is
their
vices
and
the
user
belongs
to
a
specific
group.
So
if
it
is
an
user
is
not
in
this
group,
now,
access
were
denied
the
second.
The
contacts
information
is
whether
this
connection
is
encrypting
them
or
not.
It's
basically
protected
about
natural
cures
authentication.
A
A
The
benefit
here
is
that,
even
if
there
is
the
attacker
has
available,
Jorge
avoided
a
credential
that
hackers
still
will
be
able
to
access
the
sensitivity
service,
because
the
attacker
person
is
simply
having
the
hard
work.
This
multiple
contacts
information
to
match
the
policy.
The
attacker
must
be
calling
the
building
service
from
a
condo
service
account.
The
service
is
not
compromised.
All
these
only
have
a
very
short,
so
the
access
will
still
be
protected,
but
they
are
four
simple.
You
see
for
too
easy
for
simple
safety.
I
will
only
use
two
contacts.
A
A
A
A
Last
video
shows
that
even
this,
our
value,
the
job,
but
without
our
encrypted
channel
the
access
is
denied
here.
So
this
shows
a
couple
of
scenes.
So
first
thing
is
this:
Valley
the
contacts
information,
this
valley,
the
contacts
information,
are
to
information.
Why
is
such
the
channel
is
protected
by
military
TRS?
Another
is
this
thing
is
from
a
varied
group.
Then
the
access
is
granted,
but
if
the
attacker
happen
to
caters
our
valued
a
short
but
with
other
houses
or
another
contacts,
information
which
is
encrypted
a
channel,
then
it
affair.
C
C
B
Everyone
so
I
would
bring
something
new
to
you
guys.
Probably
every
one
of
you
read
about
there,
talks
about
our
securities
story
and
here
what
I
presented
our
next
step?
This
will
this
architecture
will
be
available
in
from
east
eel
1.2.
So
what
we
do
here
is
we
are
going
to
introduce
a
new
node
agent.
It
is
per
crew,
not
his
node,
and
what
it
does
is
it
exposes
their
SDS
API,
which
is
a
moist
secret
discovery
service,
API,
it's
a
new
API.
B
What
it
does
is
it
delivers
the
key
and
certificate
to
the
my
dynamically.
So
when
your
part
is
deployed
with
a
voice,
ID
car,
the
AMA
is
able
to
do
actually
call
into
that
SDS
API
unknown
agent
and
the
knowledge
and
forwards
that
as
the
that
requests
to
the
Citadel
along
with
their
communities
chart.
B
In
this
way,
the
caos
is
able
to
do
actually
authenticate
their
workloads
service
account
right
from
their
communities
dot
and
then,
after
the
authentication,
it
will
check
if
this
service
account
is
allowed
to
grab
a
certificate.
If
so,
it
will
issue
a
certificate
to
the
node
agent
and
not
a
to
number
for
that
certificate.
To
the
my
notice
that
that
SDS
API
between
this
pot
and
the
node
agent
is
through
the
UD,
the
UDS,
so
it's
secure
what
the
node
agent
solves
our
two
problems
right.
B
The
first
problem
is,
if
you
know
previously,
our
security
architecture,
the
serial
is
hooked
up
with
their
API
server
and
the
watch
has
their
service
account
creation
and
delusion
and
then
based
on
those
operations,
the
bill
generator
certificate
and
then
right
into
this
secret,
the
workload
the
workload
part
will
dynamically.
What's
the
certificate
it's
mounted
in
a
local
file
and
if
it's
changed,
it
will
restart
the
part,
I
restart
sorry,
you
started
the
Envoy
and
then
there's
a
restart
delay
there.
B
B
So
next
slide
I'm
going
to
talk
about
their
integration
with
external
CAS
right
we
have.
We
propose
three
approaches
here,
depending
on
how
our
system
is
designed.
What
you
want
the
first
one
is
their
signing
key
injection.
This
already
exists
in
our
current
system
way,
that
is,
it
allowed
the
user.
The
user
needs
to
manually
grab
the
key
answered
from
their
own
CA
and
then
put
that
key
insert
into
the
system
by
the
secret.
What
do
you
want
and
then
the
CA
will
see?
B
Okay,
there's
a
new
signing
key
insert
and
they
will
use
it
it's
manual
unless
you
write
a
script
and
second
one,
it's
the
other
integration.
It
allows
the
serial
tooted
Emily
called
to
your
API.
It
could
be
Acme,
it
could
be
your
own
CA
as
long
as
you
write
a
tab
turn
on
CL.
The
third
wise
note
agent
integration,
it's
able
to
get
rid
of
their
syllable
if
your
system
doesn't
want
to
use
sudo,
it
can't
you're
actually
hook
up
with
your
own
CA.
B
So
next
slides,
I'm
going
to
talk
about
each
of
them
right
also
has
to
have
some
time.
The
first
approach
is
signing
key
injection
I
hope
this
Rafa's
pretty
straightforward
the
person
there
he
needs
to
go
to
their
Eastern
OCA
and
then
grab
the
key
and
insert
from
dossier
and
then
insert
into
systems
through
the
secret
volume
on
see
they
all.
We
all
issue
the
certificates
through
their
existing
way,
using
the
node
agent
and
to
the
pass.
B
This
is
menu,
and
that's
why
we
propose
approach
to
through
this
approach
to
the
CEO
will
have
an
adapter
that
talks
to
their
eternal
CA
could
be
bought
right.
We
are
talking
about
world
here
so
later.
We
all
use
this
same
architecture
for
vault
integration.
It
could
be
less
encrypt
could
be
your
own
CA
and
the
good
thing
is
the
external
CA
doesn't
need
to
so.
B
It
just
represents
all
the
workloads
and
ask
for
the
certificate
to
their
external
CA,
but
if
you
don't
want
to
have
them
map
that
mechanism,
you
can
use
the
node
agent
directly
to
how
to
the
external
CA
the
difference
between
this
and
that
it's
not
only
there's
no
seer.
They
are
in
this
architecture,
but
also
your
external
CA
needs
to
do
actually
authenticate
the
kubernetes
shot.
B
B
A
Son
son
Oliver
to
introduce
East
your
certificate
management
architectures
and
the
different
designs,
so
here
I
will
actually
use
both
as
a
prototype
to
demo
how
East
you
CA
can
be
integrated
with
an
external
say,
a
to
issue
certificates
inside
the
SQL,
and
this
work
will
allow
an
organization
to
plug
in
their
own
CA
so
currently,
like
Oliver
has
introduced.
If
you
use
the
Citadel
to
manage
the
certificates,
which
is
a
clubby
pluggable
CA
than
an
organization
they
may
use
their
own
say
two
issues:
identity
certificates
inside
the
issue.
A
Okay,
next
I
will
presented
a
detailed
working
flow
for
integrator
SPOC.
A
waste
route
so
actually
go
back
to
a
little
bit.
So
Vout
is
open
source
tour
that
is
widely
used
by
micro
services
to
manage
their
secrets.
What
supports
user
HSN?
How
do
we,
our
security
module
to
store
the
the
private
keys
and
a
manager
is
a
private
key?
Is
security
and
let's
go
back
to
the
flow,
so
the
first
step
is:
will
the
m-word
of
a
workload
wants
to
get
a
certificate?
Is
a
sense?
A
And
there's
another
agent
will
generate
a
certificate
signing
request
and
the
forwarder
the
service
account
of
the
Amway
to
Citadel.
So
the
service
counter
here
is
a
kubernetes
service
economy.
It's
a
short
under
the
Citadel.
There
are
two
authentication
and
authorization
for
this
service
accountable
for
this
job,
but
contact
even
alleys,
API
server.
So
the
API
server
issues
a
short,
so
it
will
be
able
to
authenticate
as
a
short
after
the
authentication,
the
Citadel
will
to
our
authorization
share.
So
this
authorization
check
will
check
the
identity
from
sub
supporters.
A
A
So
after
the
authentication
and
authorization
artists
a
today,
our
Citadel
will
forwarders
our
certificate
signing
request,
and
it's
only
identity
to
vote.
So
vote
will
authenticate
and
authorize
based
on
the
service
account
of
a
citadel.
So
after
the
authentication
and
authorization
pass
vote
via
signs,
our
certificate
request
and
the
returns
Asylum
certificated
back
to
the
requester.
So
this
is
a
flow.
A
A
A
A
B
D
So
when
integrated,
let's
encrypt
the
plug-in
that,
were
you
gonna
tap
in
ease
into
Citadel,
it's
still
to
be
built.
Okay,
so
like
the
next
version
of
hto,
is
going
to
release
like
the
node,
the
node
agent
and
the
new
version
of
Citadel
and
then
we're
gonna,
build
I,
call
the
integrations
and
the
okay
awesome
right.
B
B
C
B
Money
class,
her
is
what
we
are
working
on
right
and
apparently
we
do
have
a
solution
for
e
ste
1.0,
which
is
to
through
their
first
approach
that
I
proposed
you
off
flood
generator.
She
answered
and
then
could
ask
he
answered.
That's
finding
key
inserted
into
multiple
CAS
each
CA,
sorry
SIA.
They
all
right
each
day
at
the
LA,
seeing
on
one
classroom
so
that
they
are
using
the
same,
sending
kids.
They
are
able
to
connect
to
each
other
automatically.
But
that's
not
sufficient
right.
C
C
B
Yeah
by
the
way,
so
we
we
are
planning
to
propose
a
multi-layer
PKI
of
to
the
open
source
part
of
Easter.
So
basically,
what
it
does
is
you
will
have
a
root.
Ca
that
is
running
could
be
running
in
VM
or
cluster,
and
then
you
have
intermediate
CAS
that
you
actually
talk
to
the
root
CA
and
then
your
intermediate
CAS
are
able
to
like
issue
certificates
further
or
close.
So
in
that
way
you
will
have
our
only
one
root
CA
and
then
you
will
have
multiple
in
a
meteor
CAS.