►
From YouTube: Know your peers
Description
#IstioCon2021
Presented at IstioCon 2021 by Alex Van Boxel.
It’s lonely in your pod, but finally, you receive that long-awaited knock on the port… but can you trust that inbound request?
This session dives into an essential aspect of a service mesh: trust. We’ll dive into how certificates work into Istio, use peer authentication, and explain concepts like SPIFFE identifiers. Peer thrust can also be leveraged in the application architecture.
A mesh is not only for cluster administrators but also for architects and developers, making it well worth to highlight those patterns.
A
A
So
there
is
a
lot
like
a
lot
of
text
on
these
slides
and
that
I
know
that
is
against
the
rules
of
presentations,
but
it
will
make
the
slides
more
usable
afterwards.
So
don't
look
too
much
to
this
to
the
text.
The
the
keywords
are
highlighted
and
for
the
rest,
you
don't
have
to
bother
I'll,
probably
tell
you
what's
on
the
slides.
A
So,
what's
the
goal
of
this
talk,
so
it
is
actually
to
gain
some
deeper
understanding
on
identity
within
the
istio
ecosystem
and
having
that
knowledge
will
hopefully
help
you,
or
at
least
developers
that
will
deploy
on
these
networks,
help
them
design
their
architecture.
Knowing
that
they're
a
lot
of
things
that
they
can
actually
rip
out
of
their
codes
and
just
rely
on
so
and
what
is
it
not?
It
is
not.
It
doesn't
talk
about
any
of
the
hottest
new
features.
A
All
the
things
I'm
gonna
tell
you
is
is
already
there
from
day
one.
It
is
actually
just
about
the
underlying
plumbing,
and
it's
actually
a
talk
that
I
would
have
hoped
that
I've
got
before,
starting
with
the
istio,
but
there
were
no
talks
at
that
time.
So
because
the
first
time
I
was
involved
with
this
still
it
was
version
0.3.
A
So
it
is
actually
to
make
sure
to
overcome
your
fears
right,
not
knowing
what
that
this
makes
everything
kind
of
magic,
and
there
is
a
long
quote
that
I'm
not
going
to
quote
of
an
astronaut
not
is
described
in
a
book.
That's
when
you
do
not
know
any
of
the
concepts.
Everything
is
scared,
and
actually
this
this
is
scary.
A
If
you
see
it
like
the
first
time,
if
you
turn
it
around,
it
even
looks
like
a
rocket
so
and
all
those
astonished
they
they
like
to
understand
a
bit
what's
in
the
rocket
right,
so
they
feel
comfort
and
comfortable
working
with
it.
So
here
this
is
the
purpose
of
this
talk
as
well.
If
you
want
to
talk
about
identity
in
istia,
there's
no
way
around
spiffy
spiffy
is
is
a
cloud
native
identity,
spec.
A
A
There
are
already
kind
of
a
lot
of
other
products
using
it
and
it
has
also
its
own
own
implementation.
But
the
spf
is
it's:
it's
a
spec
so
full
out
it's
secure
production,
identity
framework
for
everybody,
so
I
need
to
google
it
every
time
because
nobody
really
remembers
it.
Everybody
knows
it's
just
like
like
spfis.
A
A
You
could
talk
about
that
in
within
your
your
network,
every
5,
000
machines.
Everyone
has
a
new,
unique,
unique
id,
so
you
could
take
that
as
as
an
identifier,
it's
kind
of
tricky
when
you
go
cross-cloud.
So
if
you're
on
google
then
and
aws
and
azure,
you
have
like
you're
multi-cloud
how
they're
they're
not
really
compatible
they're,
they
all
look
different.
A
A
It
works
across
clouds
right,
there's,
an
app
is
an
ip,
but
not
every
ip
is
directly
accessible.
Sometimes
you
have
like
nets
or
translation
between
ip
addresses.
If
you're,
a
really
big
network,
then
again
it
it,
it
can
gets,
gets,
gets
tricky
and
the
more
and
more
you
cloud
native
you
go
the
more
and
more
you're.
Also
talking
about
hosts
going
away,
you're
talking
actually
about
processes
right
on
kubernetes.
A
The
way
you
you
want.
You
want
to
cast
a
lot
of
processes
on
on
on
your
notes,
bend
back
everything
and
those
nodes
go
away,
so
the
processors
can
go
to
another
hosts.
So
the
only
thing
what
you
actually
care
about
when
talking
about
an
identity
is
how
do
we
identify
that
process,
not
that
process
running
on
that
host
or
not
platform?
No
that's
that
process.
A
A
And
it's
pretty
simple?
It
just
says
it's
a
uniform
uniform
resource
identifier
uri.
It
really
looks
a
lot
like
your
url
that
you
type
in
your
browser,
although
not
a
lot
of
people,
do
that
anymore.
They
just
google
it,
but
it's
like
http
host
name,
slash
part
speaker
just
looks
like
that,
so
it
starts
with
its
its
beginning,
spiffy
and
then
slash
so
that
identifies
that
this
uri
is
the
spf
identifier
and
what
you
have
in
http
as
a
host
name.
There.
A
You
have
your
trust
domain,
so
that
part
doesn't
identify
any
machines.
No,
it
is
kind
of
a
domain.
It's
like
scoped
every
every
host,
no
every
name
within
that
trust
domain
is
kind
of
trusted.
So
it's
it's
handed
out
by
a
certain
a
certain
authority,
and
after
that
you,
you
have
a
part.
So
this
is
actually
a
valid
spf
identifier.
A
A
You
could
go
here
right
here,
so
saying:
okay,
we
have
like
a
payment
system
and
that
one
has
its
postgres
database,
another
component,
something
like
that.
You
could
have
a
mechanism
that
that
creates
those
those
spots
like
that,
like
grouped
per
service
for
you,
for
example,
payments
postgres,
your
shopping,
cart,
brush
class,
something
else,
and
so,
but
but
actually
in
the
istio
world.
They've
chosen
a
more
a
more
stable
kind
of
system.
A
It's
it's
an
important
thing
to
remember
that
the
incubernatus,
the
is
the
service
account
that
is
used
to
identify
your
process.
So
a
good
weight
is
a
good
way
to
to
freeze
to
to
get
stable
identifiers.
Is
that
you
give
each
kind
of
service
a
stable,
its
own
service
account
already
talked
about
the
truster
bain
right,
that's
the
first
part.
A
A
A
And
how
do
we
do
that?
There
are
two
two
parts
in
spec,
two,
two
different
implementations
right.
So
it's
it's
kind
of
using
spiffy
using
a
lot
of
things
that
already
kind
of
exist.
So
it's
it
uses
or
the
swt
token,
so
a
lot
of
web
developers
and
so
really
like
it
just
put
that
in
your
authorization.
It's
just
a
json
object,
putting
an
authorization
header
and
you
can
decode
it.
There's
certain
rules.
A
A
So
I'm
going
to
go
now
to
the
deep
redo
x,
509,
but
be
sure
to
check
out
the
spf
spec
and
it's
kind
of
sister
project
spire,
there's
an
implementation,
more
tailored
to
words
vms,
and
they
actually
work
because
they
they
have
known
their
own
spiffy
identifier,
but
it
works
fine.
They
talk
to
each
other
because
they
they
kind
of
know
how
to
search
who's
who
so
x509.
A
It's
been
updated
a
few
times,
but
it
was
first
published
in
like
like
32
years
ago
and
it's
actually
still
still
valid
valid
technology
for
the
youngsters
around
here,
probably
it's
older
than
some
of
you,
but
it's
still
used
everywhere,
so
your
browser
and
for
for
securing
networks,
people
that
come
into
contact
with
those
low-level
kind
of
certificates.
This.
This
is
common
way
to
distribute
your
your
your
certificates,
which
you
just
spend
them
encoded
binary
plop.
A
A
A
lot
of
things,
what
is
the
name
or
the
signature
an
important
part
there
is
the
public
key
and
we're
going
to
dive
into
that
directly
and
the
signature
so
almost
well.
Every
certificate
has
a
public
key
and
it
is
signed
by
and
generally
somebody
else,
and
it
has
some
interesting
attributes
and
like
like
here.
If
you,
if
you
look
deeply,
you
will
see
a
spf
identifier.
A
Talking
about
certificates
right
so
to
the
right
that
is
kind
of
each
workload
will
have
a
will,
have
a
certificate
and
it
will
be
signed
by
something
that
istio
knows
and,
and
that
has
its
own
certificates,
that
certificate
always
comes
kind
of
the
one
that
owns
it
always
has
the
private
key.
That
is
not
part
of
the
certificate
that
lives
outside
it.
So
you
so
the
one
that
owns
the
certificate
always
has
boats.
The
certificate
is
public.
Everybody
can
can
have
that
certificate,
because
it's
even
pasta
but
passed
around
that
public
key.
A
That's
the
only
thing
that
needs
to
be
seen
so
to
react.
Your
workload
will
have
that
certificate
that
identifies
that
the
name
the
name
of
the
certificate
it
will
have
that
that
spiffy
identifier
in
that
x509
data
and
it
will
have
the
public
key
and
istio-
will
actually
sign
it
and
we'll
go
deeper
in
how
it
will
sign
it
with
its
private
key
and
everybody
in
the
network
or
in
the
trust
that
can
can
can
look
up
that
trust
by
just
verifying
that
signature
with
the
public.
A
A
Your
easter
and
your
cluster
will
have
an
intermediate,
that's
the
middle
part
and-
and
you
yourself
will
learn
the
certificates
and
you
can
nicely
see
who
is
signing
the
private
key
he's
signing
the
one
in
the
middle
and
the
one
in
the
middle.
The
intermediate
will
sign
yours
and,
in
the
other
way
around,
you
can
verify
everything
to
the
root.
So
you
can
verify
the
signature
by
the
public.
Key
of
your
intermediate
and
intermediates
can
be
checked
with
the
public
one
from
the
russet
one
special
one
at
self
science.
A
A
So
there
are
two
parts
in
your
network,
so
the
the
signing
certificates
or
the
intermediate.
There
are
some
rules
that
spiffy
says
like
your
you.
Your
signing
certificate
may
not
be
used
for
for
a
workload,
it
can
itself
be
a
spf
identifier,
but
you
still
cannot
assign
it.
In
generally,
it's
like
just
the
speaker,
identifier
with
the
trust
domain
and
there's
no
part
component
and
the
leaf
once
for
your
workloads.
A
So
I
want
to
go
through
the
through
the
messages,
how
everything
is
kind
of
built
up,
because
this
is
how
two
workloads-
interchange,
those
certificates-
and
it's
pretty
interesting
to
know-
and
I
come
back
after
it
is
something
you
you
need
to
be
kind
of
aware
of
is
kind
of
what
the
implications
are
right.
So
so
your
clients,
you
want
to
start
kind
of
a
secured
connection,
so
you
start
with
a
client
here,
client,
hello,
you
say:
oh,
these
are
the
ciphers
that
I
support.
A
These
are
the
completion
algorithm,
here's,
some
random
stuff
and
the
server,
so
each
block
is
kind
of
a
message.
Server
will
respond
with
with
a
lot
of
other
messages.
It's
just
saying
with
the
server
hello,
okay,
this
is
the
cypher.
I'm
gonna
pick
I'm
in
control.
This
is
a
compression.
I
know
that
you
understand
this.
This
is
what's
what
we're
gonna
pick
and
here's
some
random
randoms
crypto
stuff
again,
so
the
server
is
always
in
control
on
the
cipher.
A
A
So
it's
intermediate
certificate.
It
will
also
send
some
some
server
exchange
things.
That's
not
important
in
this
story,
but
in
empty
ls,
because
we're
kind
of
we're
we
want
to
trust
the
client
right,
we'll
both
be
directional
trusting.
It
will
ask
for
the
the
client's
certificates
in
this
message.
So
that's
not
what
not
happening
when
you're
on
the
web,
when
you're
just
browsing
only
the
server
kind
of
tells
the
client
here.
That's
my
here's.
My
thing,
that's,
who
I
am
in
mtls
here.
A
The
server
wants
to
know
who
the
client
is,
and
that
happens
here
right.
So
then,
at
the
client
you
it's
it's
client's,
turn
right
it
will.
It
will
verify
that
the
signatures,
all
the
509
bits
are,
are
correct
right,
so
it
it
has
the
root
certificate.
So
you
can
check
all
those
things
so
it
can
can
build
the
trusts
but
yeah.
Then
it
says,
like
I
heard,
an
annoying
server
wants
to
know
me.
Okay,
I'll
prepare
my
certificates,
I'm
gonna
send
it
to
the
server
at
this
moment.
A
A
You
can.
You
can
see
that
kind
of
it's
kind
of
a
ping
pong,
certainly
in
the
beginning.
So
this
is
why
well
worth
to
know
that
it's
good,
that
you
keep
connections
open
right
and
that
you
work
like
if
you
you
want
to
have
your
ssl
pipe
open
and
do
not
do
that
for
like
if
you
want
to
send
five
bits
like
star
start
start
all
over,
because
all
the
handshaking
goes
over
and
over
and
it
will
make
it
very
slow
for
five
bits.
It's
like
more.
A
A
An
important
building
block
so
after
kind
of
all
the
ssl
parts,
because
we've
still
talked
about
kind
of
implementation,
who's
doing
it
who's
doing
actually
the
artwork
so
and
that's
the
envoy,
so
within
istio
envoy,
is
actually
the
the
real,
the
real
worker.
So
if
you
have
like
easter
as
an
end
call
on
it
and
then
an
envoy
would
be
really
the
work,
so
the
the
typical,
if
you
see
the
typical
istio
diagram
right,
it's
everybody
will
should
have
slides
like
this.
A
Like
this,
you
will
see
envoy
and
invoice,
so
I've
left
out
the
control
plane
because
we're
going
to
talk
about
that
later
on,
but
every
workload
has
its
own
envoy.
You
have
like
ingress
and
egress,
maybe
even
multiple
ones.
That's
also
just
an
envoy,
and
always
it's
all
small
blue
box,
and
that's
kind
of
the
this,
your
agent
that
is
running
next
to
it.
A
A
A
Oh
worlds,
so
it
just
sends
out
plain
data
plain
if
you're
talking
http
just
plain
out,
but
it's
very
important
that
that
you
have
that
feedback
cycle
so
envoy
will
send
like
a
lot
of
headers
to
the
application
and
the
x4
client
certificate
is
an
important
one
because
it
just
says
what
a
certificate
looks
like
from
from
the
client.
So
these
are
the
ones
that
it's,
it's
all
part
of
the
envoy
documentation.
A
A
That's
my
own
certificate
to
make
sure
that
that
I
did
kind
of
make
the
this
this
or
my
proxies
make
this
a
header
is
a
secure
hash,
the
subject
or
the
and
the
uri,
and
that
is
the
uri
from
the
client.
So
I
actually
can
identify
who
the
client
was
an
application-wise.
You
can
do
some
stuff
with
it,
so
in
istio,
how
does
that
all
those
things
come
together?
So
you
have
the
now
one
one
big
monolith:
now
they
still
demon
with
some
some
interesting
components
so
bringing
it
all
together.
A
A
A
So
looking
at
a
non-mesh
artery,
that's
how
you
could
kind
of
build
an
application,
so
you
have
the
you
so
so
the
job
token
from
outside
comes
in
it
identifies
the
human,
but
a
problem
not
to
rush
world
is
kind
of
that
you
need
kind
of.
If
you
pass
from
the
presentation
layer
to
a
payment
service,
you
cannot
use
the
job
token
from
the
user,
because
you
want
to
actually
establish
kind
of
a
trust
between
your
presentation
and
the
payment
service.
So
you
probably
use
a
job
to
open.
For
that.
A
I
don't
know
how
do
you
pass
along
and
the
identity
from
frame
recorder?
You
can
do
that
in
extra
headers
or
something
but
there's
not
no
real,
real
good
standards
so
in
the
istio
mesh
world.
Well,
it
looks
like
this
kind
of
grand
that
it
looks
like
a
lot
scarier,
but
as
an
engineer's
view,
it's
only
this
it
doesn't.
A
It
can
really
use
the
job
token,
because
you
don't
have
to
establish
trust
between
your
pres
presentation
layer
and
your
payment
service,
because
that's
done
so,
I
was
saying
kind
of
and
yes,
ingress
right,
so
ingress
right
that
job
token,
so
that
jet
token
we're
not
handling
it.
In
initial
on
how
you
get
that
jojo,
okay,
that's
generally
kind
of
application,
specific
or
something,
but
it
just
passes
through
the
trust
is-
is
due
due
to
mtls.
Anyway,
it
goes
to
your
presentation
layer
there.
A
A
But
then,
if
you
go
to
the
payment
service
like
in
the
example
right,
you
can
just
pass
through
the
same
jaw
token
you
don't
have
to
translate
it
anyway,
anyhow,
just
pass
it
through.
It
goes
to
the
envoy
proxy.
The
trust
is
between
the
presentation
and
the
payment.
Anyway,
you
do
have,
though,
the
possibility
to
have
extra
policies
on
the
request
or
on
the
pier.
So
I
have
a
quick
example,
the
only
crd
that
I
have
here,
so
that's
authorization
policy
that
actually
uses
both.
A
So
you
can
you
can,
if
you,
that
is
that's
a
snapshot
from
documentation,
but
if
you
you
could
select
your
payment
service
and
in
the
from
section,
that's
that
is
using
like
the
spf
identifier.
So
cluster
local
default
sleep.
If
it
comes
from
that
it
is
a
get
operation
and
the
job
token
can
be
validated.
So
if
the
request
art
claim
is
from
a
google
account,
so
it
is
from
from
documentation.
A
So
that
is
the
chat
part
and
the
workload
you
can
actually
allow
it
or
block
it
at
the
service
level,
but
but
as
with
the
x4
certificate.
So
if
that
you
can
block
it,
so
you
have
a
possibility
of
of
operators
or
security
people
to
set
those
those
security
levels,
or
you
have
the
opportunity
in
your
application
to
do
something
with
your
job
token
or
use
the
x
forward.
Client
header,
in
your
application.
A
If,
if
you
want
to
be
a
workload
aware,
so
we
have
like
a
use
case
internally
that
really
needs
to
know
what
what
the
workload
is
and
what
namespace
it
is
to
do
certain
actions.
So
you
have
the
possibility
that,
but
the
nice
thing
is,
you
really
have
the
choice
you
can
use
both
in
a
mesh,
but
you
have
all
available
in
application.