►
Description
Featuring Christian Posta. Istio ambient mesh is a new sidecarless data plane for Istio that brings some desirable operational benefits, but how does it impact security? In this talk, we will dig into the implementation of Istio ambient and understand how we maintain the properties of zero trust and even improve the security posture of the mesh overall.
A
A
Thank
you
all
for
sticking
around
and
sorry
for
some
of
the
technical
difficulties
here,
I'm
going
to
be
doing
something
a
little
off
script,
I'm
going
to
be
running
this
presentation
from
somebody
else's
computer.
Hopefully
it'll
it'll
work
out
right
that
obviously
rules
out
any
kind
of
demo
that
I
was
going
to
do,
but
we're
going
to
talk
today
about
istio
security,
but
now
specifically
in
terms
of
ambient
mesh,
so
we
released
ambient
mesh,
as
you
may
have
known,
we've
been
talking
about
it
quite
a
bit
today.
A
It's
pretty
exciting
alternative
data
plane
aside
carless
data
plane
for
istio,
but
I
want
to
go
into
a
little
bit
more
depth
around
how
we
maintain
some
of
the
properties
of
zero
trust
for
the
surface
mesh,
because
a
big
part
of
our
our
journey
into
kind
of
improving
the
operation
ability
of
a
service
mesh.
We
did
not
want
to
trade
off
or
give
up
any
of
the
benefits
of
security
and
and
the
zero
trust
capabilities
that
you
get
in
a
service
mesh.
A
A
A
Some
of
the
networking
I
know.
Lawrence
did
a
great
talk
about
so
how
the
networking
Works
in
an
ambient
and
I'm
going
to
take
the
security
angle
of
of
this
topic,
but
to
set
the
stage.
We
have
to
remember
that
istio
ambient
is
an
alternative
or
optional
data
plane
for
for
istio
that
runs
in
a
sidecar
list
mode.
So
that
means
there
are
no
side
cars
being
injected
into
the
workloads
that
things
run
transparently,
as
you
know,
even
even
more
transparently
than
than
what
you
see
with
the
sidecars,
and
to
do
that.
A
We
can
also
enforce
authorizations
at
this
level,
so
service
a
can
or
cannot
talk
to
service
based
on
its
its
identity,
and
so
we
use
the
cryptographic
identity
that
you
would
see
in
istio's
sidecar
model.
We
also
use
that
same
that
same
method
in
the
ambient
data
plane
as
well.
You'll
see
in
these
these
two
layers
that
the
secure
overlay
layer
is
like
I,
said,
focus
on
layer
four
and
is
much
closer
to
being
pushed
into
the
the
realm
of
the
cni
than
it
is.
A
You
know
an
application
layer,
sidecar
or
L7
proxy,
the
L7
capabilities
we
still
have
around
and
those
run
in
the
Waypoint
proxies
and
those
are
opt-in.
If
you
need
layer,
7
capabilities,
then
istio
ambient
can
be
configured
to
Route
traffic
through
those
Waypoint
proxies
and
then
apply
things
like
header
based
routing
or
request
level
retries
and
anything
that
requires
parsing.
The
the
stream
and
understanding
what's
happening,
for
example
in
http.
A
Another
thing
that
that
we'll
we'll
cover
and
we'll
touch
on
here
is
that
we've
also
tried
to
reduce
the
attack
surface
of
the
mesh
data
plane
itself.
You
know
when
it's
running
with
the
application,
so
when
it's
running
close
to
the
applications,
then
that'll
make
more
sense
as
as
we
go
along
here.
A
So
first
of
all,
let's
just
look
at
the
data
path
of
of
istio
Ambien,
how
it,
how
it
kind
of
works.
So
your
application
workloads
they're
running
in
a
cluster,
but
this
could
also
be
extended
out
to
running
in
a
VM
all
right.
Now
we're
going
to
be
talking
a
little
bit
more
kubernetes
Centric,
but
these
These
are.
This
is
not
tied
to
just
kubernetes,
so
your
workloads
are
running
and
through
the
redirection,
magic
that
Lawrence
talked
about
earlier.
A
The
traffic
goes
from
the
workload
which
thinks
it's
talking
in
this
case
service
a
to
service
B.
It
thinks
you're
talking
to
service
B,
but
through
that
redirection
mechanism
or
ebpf,
which
is
what
Lorna's
talked
about.
The
the
traffic
will
be
routed
to
this,
this
Z
tunnel
component
or
agent
that
runs
in
the
same
node
as
as
the
workloads
that
z-tunnel
agent
will
determine.
What
is
that
workload?
That's
that
that's
making
the
originating
call,
and
then
it
will
establish
a
mutual
TLS
tunnel.
A
A
So
that's
in
the
that's
in
the
case
where
there's
no
layer,
seven
needed
or
you
don't
opt
into
the
layer.
7
capabilities
with
with
you
know
the
Waypoint
proxies,
and
this
obviously
becomes
a
lot
faster.
If
you
don't
need
all
the
layer,
7
parsing,
then
don't
then
don't
do
it.
It
becomes
faster
if
you
just
stay
in
the
secure
overlay
layer
or
just
here
in
the
in
layer.
A
A
A
We
know
working
with
our
our
customers.
Working
with
you
know
massive
deployments
of
istio.
We
know
that
things
like
up
updating
the
control
plane
for
whatever
reason,
whether
it's
new
versions
or
patches
cves
have
cropped
up,
and
this
is
going
to
become.
You
know
something
that
I
point
out
a
little
bit
later,
that
you
know
simplifying
how
you
actually
roll
out
these
cve
patches
and
the
updates
and
upgrades
to
istio
is
that's.
That's
the
operationalization
that
I'm
talking
about
these
things
around
yeah.
A
In
some
past
we
can
improve
performance
in
some
and
you
know,
and
we
can
for
large
Services
specifically,
we
can
really
reduce
the
cost
of
provisioning
memory
and
CPU
because
we
save
on
amortization
of
those
resources.
That's
those
are
nice,
but
those
are
not
the
main
reasons
why
we
built
ambient
it's
for
simplifying
day
two
operations.
A
So,
let's
take
a
little
bit
closer
look
at
how
this
all
works,
so
when
workload
a
tries
to
talk
to
B,
it
is
going
to
communicate
over
the
network,
like
I
said,
and
it's
going
to
be
trapped
and
redirected
to
the
Z
tone,
the
z-tunnel
that
runs
as
an
agent
or
a
Daemon
on
on
the
Node
and
what
the
Z
tunnel
is
going
to
do
it's
going
to
look
at
what
is
this?
What
is
the
destination
that
it
needs
to
send
this?
A
This
connection,
to
you,
know
the
the
TCP
packets
too,
and
it's
going
to
it.
It'll
have
a
list
because
istio's
control
plane
is
also
you
know,
involved
here,
see
this
control
plane
is
updating
the
Z
tunnel
to
tell
it
where
the
various
workloads
work,
just
like
it
does
today
in
in
the
sidecar
model
right
istio's
control
plane
is
updating,
endpoints
and
updating
destinations
about
where
the
various
Services
might
run.
A
So
you'll
note
here
that
I
think
you
can
see
the
colors
here
right
that
the
red
connections
that
happen
on
the
Node
are
unencrypted,
that
the
green
arrows
between
the
workloads
over
the
network
are
our
encrypted
Mutual
TLS
and
then
again
on
the
other
side,
where,
where
the
traffic
actually
gets
to
the
the
workload,
you
know.
That's
a
that's
a
red
arrow
again
now,
if
you
include
the
Waypoint
proxy
oop,
actually
I,
just
literally
wrote,
These
slides
an
hour
ago,
I
don't
know
the
order
of
them.
A
Yet
if
you
have
this
Mutual
TLS
in
place,
you
can
also
write
Network
policy
or
authorization
policy
about
what
services
are
allowed
to
talk
with
which
other
services,
so
the
Z
tunnel
on
the
receiving
side,
the
destination
side
can
say.
Oh
I,
see
a
connection
coming
in
from
service
a
but
I
have
a
policy
in
place.
That
says
a
can't
talk
to
B
A
can't
talk
to
this
service,
so
at
the
Z
tunnel
we
can
enforce
authorization
policies
based
on
this
cryptographic
identity.
A
So
we
can
get
authentication
and
authorization
just
by
deploying
the
the
ambient
z-tel
data
plane.
Now,
if
you
need
to
do
more
sophisticated
checks,
like
you
know,
does
it
have
this
jot
token?
Are
these
claims
in
there
and
have
these
headers,
that's
all
layer,
7
stuff,
so
that
would
have
to
be
done
in
the
Waypoint
process.
That
would
not
be
able
to
be
done
in
the
in
the
zeton
or
in
the
secure
overlay.
A
In
the
sidecar
approach,
if
you're
familiar
with
istio,
what
the
sidecar
does
so,
the
sidecar
actually
runs
a
proxy
and
a
little
agent
that
runs
with
the
proxy
and
that
little
agent
as
it's
bootstrapping,
the
sidecar,
the
actual
proxy,
is
taking
its
identity.
Token
that
gets
mounted
in
in
a
pod.
If
we're
thinking
through
kubernetes
right,
it
takes
its
service
account
token
and
it
calls
the
istod
control
plane
with
a
certificate
signing
request,
and
it
says:
hey
here's
this
token
sign
this
request.
A
I'm
service,
a
issue,
control
plane,
says:
okay,
yeah
I'm
validating
you,
look
like
service
a
let's
sign
the
certificate,
but
in
the
ambient
mode
the
workloads
don't
have
a
sidecar.
They
don't
have
an
agent
that
runs
with
them,
so
that
that
agent,
that
process
actually
happens
in
the
Z
tunnel.
Now
so
the
Z
tunnel
will
say
here.
This
is
my
token.
This
is
my
identity.
A
A
So,
in
effect,
if
you
have
a
lot
of
workloads
running
on
that
node
you'll
see
that
the
Z
tunnel
is,
you
know
it
has
the
certificates
for
each
of
those
workloads
as
workloads
go
away.
Those
get
cleaned
up
and
you're
left
with
a
set
of
certificates
and
identity
material
that
is
relevant
for
the
workloads
that
are
running
on
the
Node.
At
that
time,.
A
And
in
this
case,
since
it's
this
is
the
service
B
Waypoint
proxy
it'll
actually
be
the
the
identity
on
both
sides
will
be
for
service
B,
which
probably
stop
saying
B,
but
both
sides
will
have
the
same
identity,
there'll
be
different
certificates.
If
you
look
at
the
serial
numbers,
it'll
be
different,
but
they
and
they'll
have
a
diff
they'll
be
rotated
individually
and
all
that.
But
they
both
represent
the
same
identity,
because
it's
just
the
B
Waypoint
proxy.
Talking
to
the
B
service
through
the
zetone.
A
Okay,
so
that's
those
are
the
components
of
some
of
the
you
know
the
steps
that
have
to
happen
to
be
able
to
get
the
certificate
material
to
establish
the
connections.
Now,
let's
take
a
look
at
some
of
the
you
know
the
implications
of
this
and
how
we
maintain
some
of
the
zero
trust
properties,
a
big
part
of
of
maintaining
that
zero
trust
is
that
nobody
can
intercept
the
traffic
over
the
network.
A
A
A
A
I,
don't
know
how
many
of
you
are
Enterprise
developers.
I
spent
my
time
in
the
writing.
Java
applications
and
Enterprise
back
in
the
day
I
mean,
and
we
would
pull
in
some
weird
libraries
that
did
some
cool
stuff,
so
we
didn't
have
to
do
it,
but
I
mean
we
pulled
stuff
off
the
internet
all
the
time
and
and
put
together
these
applications,
and
not
surprisingly,
that's
that's
a
that's
an
area
of
attack.
A
So
the
second
is
the
data
plane
itself.
The
data
plane
is,
you
know,
the
the
the
connections,
the
requests
these
are
going
through,
the
data
plane
in
the
service
mesh,
whether
that's
a
sidecar
or
whether
it's
somewhere
else,
whether
it's
an
API
Gateway,
so
traffic's
coming
into
and
through
this
data
plane.
So
that
is
an
area
of
attack
as
well.
A
The
third
is
the
infrastructure
on
which
the
workloads
are
running,
the
node,
the
hosts,
the
Linux
Linux
machines,
where,
where
these
are
running,
another
Avenue
of
of
attack,
so
the
the
first
point
is
that
wherever
you
have
complex
code
and
algorithms,
typically,
you
know
think
about
things
of
business
logic
that
you
have
to
write
for
some
of
the
domains
in
the
Enterprises
that
you're
working.
This
is
there's
a
lot
of
complexity
that
happens
in
there.
A
A
So
what
we
see
is
the
the
app
deployed
with
the
data
plane
of
the
service
mesh
deployed
right
next
to
it,
and
if
we
have,
if
we
start
looking
at
the
areas
of
of
attack
and
which
one,
what
has
some
of
the
biggest
surface,
it's
the
application
and
if
that
gets
compromised,
then
everything
in
that
pod.
You
know
again
thinking
through
kubernetes.
Everything
in
that
pod
becomes
compromised.
A
A
If
we
look
at
the
ambient
approach,
so
we
specifically,
we
separate
we're
not
running
side
cars,
we're
not
running
components
of
the
service
mesh
data
plane
with
the
applications
we've
separated
them
out,
and
in
that
case,
if
we,
if
we
see
a
vulnerability
in
the
application,
you
know
that
is
still
separate.
They
don't
that
doesn't
automatically
translate
to
a
vulnerability
and
being
able
to
attack
and
get
to
the
the
Z
tunnel
or
the
Oco
ambient
data
plane.
So
we
have
that
separation
between
these
components.
A
A
Envoy
proxy
is
an
extremely
performant
and
feature-rich
proxy
that
can
be
used
at
the
edge
it
can
be
used
as
a
sidecar
and
is
very
frequently
used
as
a
sidecar
and
service
mesh
implementations.
But
if
you
look
at
all
the
capabilities
it
has,
that
is,
that
is
complexity
that
is
being
introduced
into
the
into
the
deployment
and
that's
why?
If
you
looked
at
the
previous
slide,
where
we
had
ambient
running
as
a
Daemon
set
on
the
Node
away
from
the
application
so
separated
from
the
applications,
the
attack
surface
of
that
Z
tunnel
was
significantly
slimmer.
A
Now,
that
is
in
flight,
that
z-tunnel
component
probably
shouldn't
be
Envoy
and
there's
work
in
the
community
to
opt
significantly
optimize
this
this
component.
To
give
it
exactly
this,
what
I've
pictured
here
the
surface
area
should
be
sculpt
down.
It
should
be
as
limited
and
small
as
possible
because
it's
just
handling
connections
and
mutual
TLS,
so
in
the
in
the
ambient
data
plane
implementation.
A
It's
not
just
another
workload.
It
needs
to
be
treated
as
as
a
secured
shared
component.
Just
like
you
would
any
cni
agent,
the
agents
that
run
for
your
cni
on
those
on
your
on
your
nodes
and
your
hosts.
They
exhibit
a
very
similar
security
profile.
All
right.
If
their
compromise,
you
lose
the
whole
node.
A
The
second
thing
is
around
operational
and
and
upgrades
like
I
said.
The
number
one
thing
that
we
focused
on
for
istio
ambient
is
around
simplifying
how
you
do
upgrades
minimizing
the
impact
or
removing
completely.
If
you
can,
the
impact
two
applications,
because
it
shouldn't
be
this
complex,
orchestrated
thing
to
upgrade
your
service
mesh,
you
should
be
able
to
update
the
components
independently
and
separately
from
your
applications
and
just
like
other
components
that
are
shared
on
the
layer,
4
path
of
of
your
service
mesh
down
into
the
Linux
kernel.
A
These
are
software.
There's
going
to
be
bugs,
there's
going
to
be
cves,
you
got
to
be
able
to
find
them
and
Patch
them
as
quickly
as
possible
and
do
that
without
interrupting
and
taking
down
your
your
applications.
So,
just
like
you
would
patch
your
cni,
just
like
you
would
patch
your
cubelet.
Just
like
you
would
Pat
your
Linux
kernel.
We
want
to
treat
the
Z
tunnel
component
along
the
same
lines
as
a
critical
shared
component.
A
Which
is
that's
that's
life
and
then
the
last,
so
we
looked
at
the
applications.
We
looked
at
the
the
data,
plane
components
and,
lastly,
we
want
to
look
at
the
node
itself
and
basically
this
is
not
going
to
be
very
service
mesh
specific
if
your
node
gets
compromised
in
your
kubernetes
cluster.
That's
a
very
serious!
You
know
security
problem
you'll.
If
you
get
access
to
the
node,
it
doesn't
matter
if
you're
inside
car
mode
or
ambient
mode
or
whatever.
A
A
A
We've
we've
had
this
quite
a
few
times,
but
so
basically,
if
you
go
back
to
the
slide
where
we
saw
the
traffic
from
outside
comes
into
the
comes
into
the
a
node
and
it
might
come
in
encrypted
because
it's
a
mutual
TLS
in
the
sidecar
mode
that
Mutual
TLS
connection
will
end
it
at
the
pod
in
the
ambient
world.
That
Mutual
TLS
connection
will
end
on
the
Z
tunnel,
and
then
the
traffic
from
the
Z
tunnel
will
be
plain
text
to
the
to
the
workload.
A
But
then
actually,
if,
if
we
look
back
at
the
at
the
sidecar
mode,
we
also
saw
that
in
in
sidecar
world,
where
now
I
don't
remember
exactly
which
slide
that
would
be,
but
actually
we'll
look
at
we'll.
Just
look
at
this
slide
in
the
sidecar
World
traffic
when
it
leaves
the
sidecar
and
goes
to
an
application.
A
It
is
also
unencrypted
all
right
so
now
the
the
question
it
really
is:
is
it
more
secure
in
the
sidecar
world,
because
the
mutual
chaos
is
going
all
the
way
to
the
to
the
sidecar
versus
ambient,
where
it's
just
going
to
the
Z
tunnel,
but
in
the
zetano
world
the
traffic
going
from
Z
ton
of
the
workload
is
unencrypted
in
sidecar
World
sidecar,
the
application
is
unencrypted
all
right.
So
we
do
get
this
question
in
quite
a
bit
and
oh
here's
it
just
kept
going
here.
A
Here's
a
here's,
a
good
illustration
of
that.
Here's,
the
sidecar
mode.
You
know
across
the
across
the
network.
It's
it's
secure
on
the
host
when
it
gets
to
the
side
car
that
traffic
between
the
side,
car
and
the
application
is,
is
plain
text
and
ambient
mode
across
the
network.
It's
it's
mutual
TLS
into
the
node
it
it
becomes
plain
text,
and
so
then,
that
question
is:
is
one
more
secure
than
the
other?
It
really
just
comes
down
to
doesn't
make
sense
to
secure
the
traffic
on
localhost.
A
And
if
you
look
at
the
various
attack
vectors
and
like
what
can
happen,
if,
like
we
said
earlier,
if
you
get,
if
you
compromise
the
node,
none
of
this
matters,
whether
it's
insecure
and
secure,
whatever
that
it
doesn't
matter
and
and
then
then
it
just
comes
down
to
well
who
let's
say
you,
don't
compromise
and
know
who
has
access
to
be
able
to
do
things
like
TCP
dump
and
capture
traffic
and
all
that
stuff?
This
now
just
comes
down
to
basic
Linux
Administration.
All
right
Linux
is
a.
A
Is
a
multi-user,
highly
contended
Linux
secure,
Linux?
You
know
it's
operating
system
that
is
built
for
these
use
cases.
You
know
that
now
this
just
becomes
a
a
Linux
Administration
problem,
so
is
it
more
secure
inside
car
mode?
We
don't
think
so
because
if
you,
if
you
get
access
to
the
site,
to
the
node
you're,
going
to
be
able
to
NS,
enter
into
any
of
the
containers
and
look
at
any
of
the
any
of
the
traffic,
whether
it's
in
ambient
mode
or
sidecar
mode.
A
Who
knows
how?
How
frequently
or
how
often
or
what
the
schedule
is
for
how
applications
get
updated,
but
from
a
platform
perspective
we
need
to
be.
You
know
we
need
to
be
consistent
in
patching
and
able
to
do
that
without
disrupting
our
our
applications,
so
I'll
leave
I'll
leave
with
some
some
takeaways
I
highly
highly
encourage
if
you
get
a
chance
to
do
the
Hands-On
workshops.
A
Some
some
other
things
that
we're
giving
away
like
like
books
like
this
Theo
and
being
explained.
It's
you
know
action.
Those
will
be
given
away
at
the
various
Booth
book,
signings
and
then
yeah
I
mean,
if
you
can't
make
it
to
the
Hands-On
in
person.
Workshops
here
go
to
solo
Academy.
These
are
all
online.
A
We
use
instruct
as
our
as
our
platform
and
they're
self-paced
and,
and
you
can
get
real,
hands-on
experience
with
without
cutting
yourself
too
hard,
because
these
are
these
are
so
you
know
kind
of
built
for
people
to
actually
walk
through
and
be
successful
with
them.
That's
all
I
have
I'm
happy
to
take
a
couple
questions.