►
From YouTube: Multi-cluster Service Mesh Identity and Access Control
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
A
A
So
the
way
istio
identity
works
is
that
the
sidecar
proxy
that
runs
with
the
workload
is
asking
for
a
certificate
to
be
signed
by
histo
and
then
is
using
this
certificate
to
prove
its
identity
when
it
communicates
with
other
workloads.
So
it's
it's
a
really
important
concept
about.
You
know
how
this
service
to
service
authentication
work,
and
even
if
you
enable
everything
when
you
install
this,
to
keep
in
mind
that
the
mutual
tls
authentication
is
not
automatically
enforced,
so
you
have
to
really
enforce
it
by
creating
creating
a
peer
authentication
object.
A
So
if
you
and
that's
why
I
wanted
to
cover
this,
this
part
in
more
details
in
this
access
control,
video,
because
obviously
it
has
a
big
impact
on
access
control,
because
the
access
control
in
istio
is
based
on
the
service
accounts.
So
if
you
don't
change
this
domain
and
you
just
keep
one
trust
domain,
that
is
the
same
for
all
the
clusters,
then
there
is
no
way
you
can
create
access
control
rules
that
will
take
into
consideration
the
unique
identity
of
of
each
service.
A
A
A
You
can
manage
the
traffic
easily.
You
can
even
simplify
the
way
one
service
on
one
side
can
talk
to
a
service
on
another
site.
We
went
through
that
in
the
in
the
second
video,
so
we
won't
cover
that
in
details.
Now
you
also
want
to
have
these
shared
routes
so
that
one
service
here
can
validate
the
identity
of
another
service
that
is
under
the
site.
A
So
you
can
do
a
lot
of
things
with
serious
measure,
but
basically
it
really
simplifies
your
life
when
you
have
this
multi-cluster
deployment
and
it
does
that
by
leveraging
two
different
services,
one,
that's
called
the
discovery
service
and
the
other
one.
That's
called
the
networking
service,
so
the
discovery
service
will
discover
automatically
all
the
workloads.
So
here,
for
example,
that
cluster
is
not
aware
of
what's
running
in
this
cluster.
A
So
you
create
traffic
policy
like
we've
seen
in
the
previous
video,
where
you
can
say,
I
want
to
send
this
percentage
of
requests
to
the
local
review
service
and
this
percentage
to
the
remote
review
service.
But
you
can
also
easily
create
access
policies
that
will
be
applied
globally
and
that's
what
we
will
focus
on
in
this
in
this
video.
So,
let's
jump
into
the
demo
here.
A
So
what
we
are
going
to
to
check
first
is
what
is
the
current
state
and
the
current
state
is
that
we
didn't
enable
airbag.
So
I
should
be
able
now
to
access
any
any
workload.
I
should.
I
should
have
everything
just
working
now,
so
I'm
going
to
jump
in
the
in
the
cluster
here
and
I
was
deploying
it.
I
don't
know
if
it's
ready.
Yeah,
it
is
so
we
see
here.
A
I
have
access
to
the
product
page
service
that
has
access
to
the
review
service
that
acts
access
to
the
rating
service,
because
everything
is
is
working
well
now.
So
the
first
thing
I'm
going
to
do
here
is
that
I'm
going
to
enforce
airbag,
so
I
created
the
virtual
mesh
before
and
here
I'll
just
modify
it
so
that
I
have
like
airbag
enabled
globally.
So
I
just
going
to
do
that
here,
just
like
creating
this
new
rule
and
very
quickly,
I
should
be
able
to
see
here
that
I
will
get
like
a
denied.
A
So
let
me
check
here
yeah,
you
start
to
have
some
services
that
cannot
talk
to
the
other
services
you
see,
and
even
the
istio
ingress
gateway
itself
cannot
even
talk
to
the
product
page
anymore.
So
I
have
denied
everything.
So
the
goal
here
will
be
to
allow
the
communication,
but
only
the
communication
we
want.
A
So
if
I
go
there-
and
I
see
when
I
enable
airbag-
what
it
did
in
fact
is
that
it
created
these
autoresolution
policies,
so
it
created
one
with
the
spec
that
is
empty,
which
means
that
and
in
this
your
name
system
namespace,
which
means
that
nothing
is
allowed.
Basically,
that's
that's
what
it
means,
and
then
it's
created
this
authorization
policy
just
here
on
cluster
2
and
created
the
same
one
here
on
oops,
where
I
am
on
cluster
three
to
just
allow
access
to
the
eco
ingress
gateway
itself.
A
But
then
this
regression
gateway
cannot
talk
to
the
product
page.
So
we
are
in
this
stage
we
can
access
the
student
gateway,
but
we
cannot
do
anything
apart
from
that.
So
what
we
are
going
to
do
now
is
that
we
are
going
to
create
what
we
call
an
access
policy
and
the
access
policy
will
tell.
I
want
the
istio
ingress
gateway
service
account,
so
the
steering
wheel
gateway
on
kind
2
to
be
able
to
access
any
service
with
the
label
service
product
page
in
the
default
namespace.
A
That's
the
service
account
of
my
product
page,
and
these
are
the
services
I
want
to
allow.
So
I
just
going
to
create
this
hole
and
very
quickly
again,
I
should
be
able
to
access
them,
but
you
see,
the
rating
service
is
not
available,
because
I
didn't
allow
the
review
service
to
talk
to
the
rating
service,
but
again
just
to
summarize
what
we've
just
done
before.
A
We
upload
that
communication
here
and
now,
we've
allowed
this
communication
there
so
that
the
product
page
can
talk
to
details
and
review
and
the
way
it
worked
is
that
we
created
a
single
access
policy,
but
it
created
the
authorization
policy
for
both
because
that's
one
pair
target-
and
here
we
we
just
use
that
source.
So
now.
The
next
step
is
to
upload
the
details,
the
review
service,
to
talk
to
the
rating
service,
and
we
can
see
that
here
we
just
have
the
review
service
account
on
kind
2.
That
can
talk
to
the
rating
service
here.
A
Then
I
should
be
able
to
see
them
very
quickly.
Yeah,
I
can
see
them
so
that
shows
you
how
to
do
it
very
simply
in
the
local
side,
but
the
value
really
comes
when
you
start
to
do
that
globally.
So
you
remember
last
time
we
spoke
about
this
multi-cluster
traffic
and
how
you
I
can
some
of
the
requests
from
public
page
going
to
reviews
here
and
some
going
to
the
reviews
on
the
second
site.
A
So
we
are
going
to
do
the
same
here.
So
let
me
go
back
to
the
slide
quickly.
That's
the
current
state.
I
can
access
the
product
page
and
the
product
page
can
access
the
rating
and
the
access
policy.
The
last
one
I
created
just
created
this
authorization
policy
here
and
now
what
we
want
is
to
be
able
to
access
the
other
one
here.
A
So
I'm
going
to
apply
that's
full
and
that's
again
I
encourage
you
to
watch
the
second
video
if
you
want
to
understand
that
because
it
does
a
lot
of
this
of
thing
behind
the
scene
to
make
it
easy
in
in
real
life.
If
you
have
just
the
twist
to
you-
and
you
have
to
do
that
by
yourself-
you
have
to
create
five
or
six
different
objects
just
to
express
that.
A
A
Where
in
one
location,
you
can
use
simple
objects
that
are
called
access
policies
to
express
globally,
which
services
can
talk
to
which
services?
And
you
see
here-
we
are
like
going
to
the
product
page,
which
is
like
on
the
first
side.
If
we
would
try
to
go
on
the
second
side
here,
I
still
have
an
access
denied,
because
I
didn't
do
anything
there.
I
didn't
allow
the
ingress
gateway
of
this
site
to
talk
to
the
ingress
gateway
the
product
page
at
all.
A
So
that's
that's
what
we
cover
now.
We
still
have
like
other
videos
coming
one
where
we
speak
about
different
service
mesh
technology.
So
basically
we'll
show
you
that
this
kind
of
access
control
that
you
apply
with
ecu
you
could
use
service
mesh
up
to
apply
them
also
with
other
technology
like
osm.
I
think
we
will
use
osm
for
that
one.
We
still
have
also
to
go
through.
You
know
how
to
manage
failover
and
we
will
even
add
probably
another
topic
about.
You
know
how
you
secure
the
edge.
A
So
I'm
going
to
to
work
on
that
and
and
just
to
summarize
about
our
portfolio-
that's
how
it
looks
like
we
focused
here
on
the
service
mesh
up
here.
We,
as
I
said
I
have
a
pro.
We
will
probably
have
a
topic
on.
You
know
how
you
can
secure
the
edge.
You
can
do
that
with
the
steering
wheel
gateway,
but
it's
quickly
quite
limited.
So
we
will
show
you
how
you
can
do
that
with
a
proper
api
gateway
like
glue.
A
You
have
also
like
a
developer
portal
that
is
available
in
both
cases,
if
you
use
istio
or
if
you
use
glue
you're
able
to
expose
your
api
with
the
developer
portal,
let
your
user
get
the
access
key.
We
discovered
the
api
with.
You
know,
open
api
specs
and
we
create
all
the
routing
behind
the
scenes.