From YouTube: Improving Security with Istio
Description
#IstioCon2021
Presented at IstioCon 2021 by Alex Soto.
As we start to move toward cloud-native infrastructure and build our applications out of microservices, we must fully face the drawbacks and challenges of doing so. One of the most important aspects is securing the services correctly (authentication and authorization).
In this session, we'll show how Istio can simplify your security model when adopting a (micro)services architecture.
We expect most developers haven't adequately solved these issues, so we'll take it step by step and build up a strong understanding of Istio and how it is used to secure the service mesh.
In this session we're going to see how we can improve the security for applications thanks to Istio. Okay, just so you know, all of the session has been recorded, so you can watch it later, I think so, but in any case I've got two links for you. One is the [unclear]/istio-tutorial. This is where all my demo is, with, you know, the HTML page and the source code and so on.

So, let's start. First of all, let me explain to you that when you are into the microservices architecture, usually we've got our service. My service, that can be deployed, can be written in Go, in Java, in JavaScript, Spring Boot, Vert.x, Quarkus, whatever, right, and then we've got what we call microservicilities.

These are some cross-cutting concerns. I like to call them cross-cutting concerns in the sense that, because we are into a microservice architecture, we need to implement, we need to define an API. We need to find a way to discover services, to invoke services, elasticity, resiliency (what's happening when one of our services is failing), the pipeline (we need to be able to deploy our services independently), authentication (how we deal with the authentication between services), logging, monitoring and tracing.

So usually, what we end up with when we are into the microservice architecture is having something like this. We've got, in the case of Java, we've got the container, then we've got the Java virtual machine, and then we've got the service A, or service, or business logic, and then we've got all these cross-cutting concerns.

All these microservicilities features are implemented inside the service, maybe in the form of a library. Probably, if you're into the Java world, you are using Hystrix or Resilience4j for resiliency, or maybe you're using the [unclear] API for tracing and the same for metrics, and that's [unclear], and we are just replicating all this stuff in all the services we are implementing. But thanks to Kubernetes and OpenShift (and OpenShift at the end is just an implementation of Kubernetes), we've got that some of these microservicilities are implemented on the platform.

For example, if you're using Kubernetes we've got the discovery, discovery and invocation, implemented thanks to the concept of the Kubernetes Service, and also we've got the elasticity microservicility feature implemented, because you just need to do kubectl scale, and you know Kubernetes will take care of scaling up and scaling down, or even you can implement, or use, automatic scale-ups and scale-downs. If you're, if you're on top of Kubernetes, you're also using OpenShift, monitoring, logging and pipeline are also fixed. But notice that there are still some missing pieces here: resiliency, authentication, tracing for example, or API, and this is exactly what Istio is. I don't want to, you know, go deep to explain what Istio is here, because a lot of previous sessions from today have explained it, and they did it really, really well.

So before Istio we've got all these microservicilities implemented inside my business code, inside my service. After Istio, we are putting all these capabilities inside a sidecar container. So now we've got a pod, and remember that the pod can contain more than one container, and with Istio, what we are doing is creating a sidecar container, implementing all these capabilities inside this container. So an Istio application, or an application that is using Istio,

it contains a pod with two containers: my business logic, the business logic that I'm implementing, the service I'm implementing, and a sidecar container that is implementing all these capabilities. And what's happening after that is that all the network traffic, all the communications, go through the sidecar container. So when I want to make a request from service A to service B, I'm not sending the request directly to the service B.

What I'm doing as service A is making a request to the sidecar container, my sidecar container. Then the sidecar container takes the request and sends it to the sidecar container of service B. This sidecar container of service B just makes the request to the real service B, and then, of course, this, you know, makes more calls and more calls.

All these capabilities, cross-cutting concerns, microservicilities, all of them are implemented inside the sidecar container, and since all the traffic is intercepted by these sidecar containers, I can start manipulating it. And if you are curious about what this sidecar container contains, I will tell you that it contains an Envoy proxy. So thanks to the Istio service mesh, which is code independent, it means that if you are using Java, you do not need to learn any libraries for implementing resiliency or metrics or monitoring.

You can apply resiliency: circuit breakers, bulkhead patterns and retries. All this stuff is also implemented inside Istio. Observability and telemetry, metrics and tracing, exactly the same thing, since all the traffic is intercepted.

Istio has all the metrics and all the tracing information about communications and can provide this data. And what we are going to focus on today is security, encryption and authorization. Thanks to Istio we can make our microservices architecture more secure.

Let's start, let's start with security, and these are the topics that we're going to cover: egress blocking, mTLS and encryption, access control. Remember that, yeah, JSON Web Tokens, but it's not called G-W-T. I know that, you know, sometimes people say J-W-T, but it must be named "jot". Okay, so when I refer to jot, it's the JWT token, right, JSON Web Token, and also we're going to see how to do RBAC authorization.

So most of the communication in our microservices architecture is inbound and internal. Usually we do not have access to external services. For example, when I say external services, these are services that are out of our control, out of our company. So what you can do with egress is blocking any traffic that goes outside our architecture, outside our service mesh.

The reason for that is that, well, you know, at the end, you don't want that anyone can use our nodes to do Bitcoin mining, right? So we want to avoid external access and just permit that specific traffic on a specific port to a specific host goes outside our mesh. This is egress blocking. Also, one of the important things about the microservices architecture and the internal traffic is that we might think that it's not necessary to encrypt traffic between our internal services.

So if I've got my service customer, my service preference and my service recommendation, it's like, okay, you know, it's internal, it's in my backbone, it's my cluster, it's fine to use HTTP, because at the end it's really hard to use HTTPS, right, because you need to configure the certificates, the certificate authority. I need to go to my customer code and change it, and, you know, deal with the certificates, and yeah, it's, you know, it's really painful, right?

Of course, you can even provide that there is no external access to, you know, any of these pods, so preference cannot be accessed from outside. And the final one is JWT, your JSON Web Token issuer, when you are into the microservices architecture.

You want to authenticate calls between services. Probably you are using a JWT token, right? You've got a token, and then you are sending this token in the authentication header as a bearer token, and you send it to the other service, the server service you're calling, and then this other service is going to validate the token: that it has not been modified, that it contains those roles or the groups that can only access that service, and so on, that the token has not expired.

You know, all these kinds of rules, and then, when all these rules have been passed, they are correct, then you know that this request is valid and you can, you know, run your logic. And this is something that usually you implement in your source code. But again, this is hard to maintain.

You need to provide a public key to verify the signature of the token, you need to parse the token, you need to validate that it has not expired, that the issuer is the current one and so on. So there are some things that you need to maintain, right? And okay, Istio can help you on this as well, and that's all. Well, I'm joking. Okay! Now comes the funny part, which is the demo, where I'm going to show you how to implement this on Istio.
So let me go here to my cluster. Notice that I've got, as I said before, customer, preference, and now I've got recommendation v1, recommendation v2 and recommendation v3, and I've configured a virtual service to make that all the requests go from customer, preference and then v3. So you can do a curl, and that is, I'm going from customer, preference, recommendation, and see here, this is the time, but this time it's not coming from my local machine. It's coming from here, it's coming from a REST API

called World Clock API, which basically is a JSON file; well, it's, you know, a JSON REST service that returns the current time. So now notice that I can get access outside, because by default with Istio, at least in the version of Istio that I'm using, right, any outbound traffic is permitted. So any traffic can go outside the mesh. To fix this,

you need to run this next command. I mean that when you install Istio you can change that, but in this case I always install it as ALLOW_ANY, and now I'm just changing, I'm replacing this configuration value. I'm saying that, instead of ALLOW_ANY, so instead of saying I want to allow any outbound traffic, change it to REGISTRY_ONLY. Now what's happening when I do a call? Well, it takes a bit of time, right, but no worries, it's going to work.

It usually takes like one minute or so because it needs to update the configuration of all the, you know, all the Istio components, and in this case I think that it's like three nodes, yeah, three worker nodes, so yeah, it may take, and it's in South Carolina. I mean it's far away from where I am, so it can take a bit, but it will get there.

I'm applying a rule for allowing this traffic. So if I do a cat of this file, see that I'm saying, hey, there is a new ServiceEntry that is coming from Istio, which is, you know, here. It's a metadata with egress-rule, I'm saying the host is World Clock API, the port is 80, the protocol is HTTP. So any service that is trying to reach World Clock API on port 80 using HTTP, the traffic is allowed to do so.

Okay, well, it doesn't... okay, okay, now, of course, I do the curl. Again, it's not working, okay. This is for the egress rule. So first advice: always make your, always block outbound traffic and create the egress rules. This makes your application safer, so no one can go out of your mesh without permissions.

So now let me, let me, let me clean all the rules that I've got, and just cleaning the... This is a script that I've got to remove all the, all the egress configuration. So we get a clean, a clean, I would say a clean, actual Istio configuration. Let me do a deployment, and let me delete this deployment because I don't, I don't need it anymore.

Okay, now, if I do kubectl get pods, see that always, as I said before, my, my pods contain two containers, my business code and the Istio container. In fact, you can do the describe.

Let me see here. Notice that here is containers. There is a recommendation container that is my business code, and then here there is an istio-proxy container, which of course is an Istio, it's a, you know, it's a, it's a proxy container, it's an Envoy proxy. Okay. Now, if I do the call again, see that I'm getting customer, preference, recommendation v1, customer, preference, recommendation v2.

Okay, now, let's start blocking, right, the access, the access control of these services. Basically, I want to implement this, so I only want to make available communication between customer to preference and preference to recommendation, and not any other communication. So let me do kubectl apply. Oops, there's... it's two access files, oops.

Wait, and it's authorization, sorry, now AuthorizationPolicy deny-all. So basically now I'm saying no communication between services is permitted. So now, when I do a... wait, and I get that "RBAC: access denied". Okay, it says: no, you cannot access anything. But what's happening if I do this? So I'm going to say, well, not all the traffic, I permit you the traffic to customer. Now I'm getting customer, but then I've got the error back because I cannot access preference.

Then it says it's customer, preference. It's behaving strange, this thing, today. Yeah, now it's customer, then it's preference, and then it says "RBAC denied" because it's the recommendation that is failing now. Finally, I can apply this, and now, of course, it's going to work all the time, and if you want to see what this file looks like, I can look at it.

And see that I'm saying that in recommendation, if the source comes from the preference service account (and preference service account is the service account tied to the preference service) and the operation is GET, then do not block it. In any other case, then block it. For that reason now with curl it works, and I can even show you that I'm not telling you something that is not true. I can go to the recommendation, recommendation pod, and I'm going to go inside.

Of course, I'm getting an access denied, because remember that I said that the communication can only go from customer to preference and preference to recommendation, and now I'm trying to go from recommendation to preference, and this is forbidden, so I'm getting "RBAC: access denied", okay. So this is the second rule that you need to learn from Istio security. First one, remember, it was like the egress: so block all traffic outside, all the communication outside your mesh. The second one is that: make clear rules on which services can call which ones, right?

So if customer can only call preference, then make a rule for it and forbid any, any other communication. Then let's go to the next example. The next example is about mTLS by default, and this is secure by default. Istio enables mTLS in the communication between services. So now, when I was doing this,
customer and preference, the communication between the services is done with HTTPS, but, and here is the key point, customer and preference services, my business logic, have no clue that it's in HTTPS, because from the point of view of customer, it is doing a request using HTTP, and this request using HTTP,

okay, it's done because nothing is configured, but the Istio proxy takes this HTTP request and converts it to HTTPS and sends the request from service A to service B, from customer to preference, using HTTPS. Okay. Now let me show you one thing: let me first of all disable mTLS, so you can see that what I'm saying is true. I'm going to disable mTLS, okay. Now, if I do this call, which is istioctl experimental blah blah blah...

Okay, again here you will see, but basically you should see that I'm checking the authz. It says: okay, the authz is to check all the authorization things for the customer service, and says that there is no mTLS, so mTLS is disabled. Now it means that communication between customer and preference is done using HTTP.

Okay, I think that it is this one, and I'm going to save it in capture1.pcap. Okay, now I'm just running ksniff to sniff all the traffic between customer and preference. Okay, now I'm sniffing the traffic and I'm doing the call. Of course nothing happened, apparently, because everything worked, but remember that I am sniffing, I am capturing the traffic between customer and preference, and any attacker could do that. I'm just doing it, just with this.

Here, this, this, this frame, this one, okay, it says that I sent a GET using HTTP to this destination, and here you can see the content. Okay, if I go over here, where is the content here? Preference, blah blah blah blah, and then here is the plain text, and here you see that this is "preference recommendation", right. So the content is there, anyone can access it, so you should always, always enable mTLS. By default

it is, but as I showed you how to change that, by using istioctl experimental, check it. If not, if it's disabled, then what you can do is this: you can enable it by using this file that I can show you right now. Notice that I'm just saying that my namespace is tutorial, I want to use mTLS in mode permissive. Now, if I run it again, this experimental authz,

I could just sniff it as well, but I'm going to skip it now, because otherwise we're going to run out of time. But, oh well, we can do it. It looks like now I can just... you've got all the sniff.

Okay, here it is. I'm going to open pcap 2, run it, and now notice that traffic of HTTPS is never captured by default by ksniff, and because of that there are no, no traces, no frames regarding the communication, the content, the "preference recommendation". Okay. So if you want to enable mTLS, you know how to do it with this YAML file, and if you want to inspect if the traffic is encrypted or not, you can just use ksniff, and then ksniff the traffic, put it inside

Wireshark and inspect all the traces. Then, if you're wondering how ksniff works, basically you need to set here the istio-proxy, because it's the traffic that we want to sniff, and here is the IP of the container we want to, you know, sniff the traffic. Now we are almost at the end. Let me clean everything and let's go to the authentication and authorization. One of the things that we need to do with microservices is authenticate and authorize services using JWT, JSON Web Token, right?

So we want to send a token from service A to service B and validate that this service, that this token has not been modified, has not been changed, it's not expired, and so on. This logic usually is on, it's on, on the service side, so you put it in your business logic, in your container, but with Istio we can leverage this to the Istio proxy.

And see that I'm just saying that, yeah, there is an, an issuer, this is this one, and this is the public key to validate that the signature has not been modified and so on. Okay, now we can do the call and it works, but what happens if I send... and this is going to be... wait.

This token now, it works because the token is valid, but here I'm just saying that I want to provide a token that is valid. I'm not doing RBAC at all, I'm not doing a role-based access control. What's happening if we want to do a role-based access control? Yes, you can do it. Notice, I'm going to apply this YAML file, I'm going to do a cat, and now I'm saying that I only allow traffic to reach customer...

Now, if I do exactly the same thing, it will... it fails. There is no... wait. Now it fails, yeah. It's this update refresh time, right. It fails because the token, this token, this token, okay, does not have a claim with name role of type customer. But if I do this and I create the token, a valid token, this token contains the role, and I do a curl, now it works all the time because this token contains a claim of type customer.
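The egress-blocking step of the talk (switch the mesh from ALLOW_ANY to REGISTRY_ONLY, then re-admit one external host with a ServiceEntry) written out as an added example; this is not the talk's own file, and the hostname worldclockapi.com and the namespace name tutorial are assumptions.

```yaml
# Added example (not from the talk): the mesh-wide setting the talk changes
# from ALLOW_ANY to REGISTRY_ONLY, expressed as an IstioOperator overlay,
# followed by a ServiceEntry that re-admits exactly one external host.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    outboundTrafficPolicy:
      # ALLOW_ANY (the default) lets any pod reach any external host.
      # REGISTRY_ONLY drops everything that is not in Istio's service registry.
      mode: REGISTRY_ONLY
---
# Hostname is an assumption: the talk only says "World Clock API".
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: worldclockapi-egress-rule
  namespace: tutorial
spec:
  hosts:
  - worldclockapi.com
  location: MESH_EXTERNAL   # outside the mesh, so no mTLS is attempted
  resolution: DNS
  ports:
  - number: 80
    name: http
    protocol: HTTP          # only plain HTTP on port 80 is re-admitted
```

After `istioctl install -f` with the overlay, the effective value can be checked in the `istio` ConfigMap in `istio-system` under `outboundTrafficPolicy`; any host not covered by a ServiceEntry then fails from inside the sidecar, which is the behaviour the talk demonstrates before applying the rule.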
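The deny-all plus allow-chain access control from the demo (customer to preference, preference to recommendation, everything else denied), as an added example that is not the talk's own file. It also includes the namespace-wide mTLS policy from the mTLS section, because `source.principals` is only trustworthy when the client identity comes from an mTLS certificate. Labels (`app: ...`), service-account names and the namespace `tutorial` are assumptions; the separate policy that admits the ingress gateway to customer follows the same pattern and is left out for length.

```yaml
# Added example (not from the talk): STRICT mTLS for the namespace, then the
# deny-all / allow-chain AuthorizationPolicies the demo applies.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: tutorial
spec:
  mtls:
    mode: STRICT   # PERMISSIVE would still accept plaintext from non-mesh pods
---
# An AuthorizationPolicy with no rules matches nothing, so it denies every
# request to the namespace; the ALLOW policies below punch holes in it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: tutorial
spec: {}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-customer-to-preference
  namespace: tutorial
spec:
  selector:
    matchLabels:
      app: preference
  rules:
  - from:
    - source:
        # SPIFFE identity derived from the customer service account; only
        # reliable because STRICT mTLS above guarantees the client cert.
        principals: ["cluster.local/ns/tutorial/sa/customer"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-preference-to-recommendation
  namespace: tutorial
spec:
  selector:
    matchLabels:
      app: recommendation
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/tutorial/sa/preference"]
    to:
    - operation:
        methods: ["GET"]   # the demo's rule also restricts the operation
```

With these applied, a call from inside the recommendation pod back to preference is rejected with "RBAC: access denied", exactly as in the demo, because no ALLOW rule names the recommendation service account as a source.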
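The JWT section of the talk (an issuer with a public key, then a role-based rule requiring a `role` claim of `customer`), as an added example that is not the talk's own file. The issuer and JWKS URLs are placeholders, and the `app: customer` label and namespace `tutorial` are assumptions.

```yaml
# Added example (not from the talk): RequestAuthentication validates the
# token signature against the issuer's JWKS; the AuthorizationPolicy then
# requires a token to be present AND to carry role=customer.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: customer-jwt
  namespace: tutorial
spec:
  selector:
    matchLabels:
      app: customer
  jwtRules:
  - issuer: "https://ISSUER-PLACEHOLDER/realms/tutorial"
    jwksUri: "https://ISSUER-PLACEHOLDER/realms/tutorial/protocol/openid-connect/certs"
---
# RequestAuthentication alone only rejects *invalid* tokens; a request with
# no Authorization header still passes. requestPrincipals: ["*"] closes that
# gap (a valid token must be present), and the claim check is the RBAC step
# the talk adds on top.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: customer-require-role
  namespace: tutorial
spec:
  selector:
    matchLabels:
      app: customer
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    when:
    - key: request.auth.claims[role]
      values: ["customer"]
```

A token signed by the issuer but without `"role": "customer"` in its payload is rejected by the sidecar before the customer container ever sees the request, which is the failing curl shown in the demo.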