►
From YouTube: Multi-cluster Service Mesh Identity and Access Control
Description
No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).
A
Hi
welcome
everyone
to
this
new
video
on
this
series
about
service
mesh
hub.
I
am
duni
geno
director
of
field
engineering
at
solo,
and
you
can
find
some
information
about
me
and
also
my
youtube
channel,
where
you
can
find
many
different
recording.
A
A
We
went
through
multi
traffic,
multi-cluster
traffic
and
in
this
video
we'll
focus
on
how
you
manage
access
control
globally,
we
covered
the
federated
identity
in
the
first
video,
but
I
thought
we
didn't
go
deep
enough
to
really
understand
what
we
need
to
understand
for
this
global
access
control
so
we'll
go
through
it
again,
but
a
little
bit
deeper
at
that
time.
A
So
the
way
istio
identity
works
is
that
the
sidecar
proxy
that
runs
with
the
workload
is
asking
for
a
certificate
to
be
signed
by
histo
and
then
is
using
this
certificate
to
prove
its
identity
when
it
communicates
with
other
workloads.
So
it's
it's
a
really
important
concept
about.
You
know
how
this
service
to
service
authentication
work,
and
even
if
you
enable
everything
when
you
install
this,
to
keep
in
mind
that
the
mutual
tls
authentication
is
not
automatically
enforced,
so
you
have
to
really
enforce
it
by
creating
creating
a
peer
authentication
object.
A
But
when
this
peer
detection
object
is
created
and
meteor
tls
is
in
place,
the
way
it
works
is
that
the
client-side
invoice
start
the
mutual
tls
and
check
with
the
server
side
envoy
and
that's
where
these
certificates
are
used
to
prove
the
identity
of
the
two
component
of
the
client
on
the
server
and
for
that
they
need
like
a
unique
id
and
unique
identifier,
and
spiffy
is
used
for
that.
A
So
spiffy
is
the
secure
production
identity
framework
for
everyone,
so
it's
a
set
of
open
source
standards
and
in
spiffy
standard
you
have
this
notion
of
a
spiffy
id
and
the
spiffy
id
would
look
like
this
uri
here,
which
is
like
composed
of
the
truss
domain
and
the
workload
identifier.
A
When
you
deploy
istio
and
that's
fine,
if
you
have
one
cluster,
but
when
you
start
to
have
a
multi-cluster
deployment,
then
that
means
that
there
is
no
way
to,
for
example,
if
you
have
this
pods
that
is
started
with
the
sales
account
pod
sa
in
the
default
namespace,
the
spf
id
will
be
like
that,
and
there
is,
there
would
be
no
way
to
differentiate
that
service
from
the
same
one
running
on
another
cluster
with
the
same
service
account
the
same
namespace
and
perhaps
even
there
are
different
workloads.
A
So
if
you
and
that's
why
I
wanted
to
cover
this,
this
part
in
more
details
in
this
access
control,
video,
because
obviously
it
has
a
big
impact
on
access
control,
because
the
access
control
in
istio
is
based
on
the
service
accounts.
So
if
you
don't
change
this
domain
and
you
just
keep
one
trust
domain,
that
is
the
same
for
all
the
clusters,
then
there
is
no
way
you
can
create
access
control
rules
that
will
take
into
consideration
the
unique
identity
of
of
each
service.
A
And
what
we
are
going
to
do
here
is
that
to
do
a
demo
of
this
global
access
control
with
two
clusters
that
are
deployed
through
this,
you
know
replicated
control,
plane
model
which
is
the
most
popular
one,
where
basically,
you
have
an
istio
control
pane
on
each
side
and
when
the
services,
when
you
want
to
have
service
to
service
communication
across
the
cluster,
then
it
goes
through
this
istio
ingress
gateway
and
obviously,
if
you
have
empty
lace,
enabled
you
want
that
guy
to
have
a
unique
identity
that
he
can
prove
to
this
other
guy
here,
which
has
its
own
identity
as
well.
A
A
But
you
have
this
notion
of
authorization
policies
in
in
istio
that
allows
you
to
define
which
workload
can
talk
to
which
workload
and
it's
not
always
straightforward
to
to
use
them
when,
when
you
need
to
have
multiple
services,
communicating
with
the
same
service
or
things
like
that,
because
you
need
to
add
some
more
information
in
the
same
object-
and
that's
that's
not
always
like
easy
to
do,
but
we
we
will
go
through
that
in
the
in
the
next
slide
as
well.
A
So
the
service
mesh
up
project
is
really
allowing
you
to
simplify
everything
here
so
that
you
can
do
things
like
that.
You
can
have
your
communication
coming
from
one
site
and
you
know
going
through
the
different
micro
services.
A
You
can
manage
the
traffic
easily.
You
can
even
simplify
the
way
one
service
on
one
side
can
talk
to
a
service
on
another
site.
We
went
through
that
in
the
in
the
second
video,
so
we
won't
cover
that
in
details.
Now
you
also
want
to
have
these
shared
routes
so
that
one
service
here
can
validate
the
identity
of
another
service
that
is
under
the
site.
A
So
you
can
do
a
lot
of
things
with
serious
measure,
but
basically
it
really
simplifies
your
life
when
you
have
this
multi-cluster
deployment
and
it
does
that
by
leveraging
two
different
services,
one,
that's
called
the
discovery
service
and
the
other
one.
That's
called
the
networking
service,
so
the
discovery
service
will
discover
automatically
all
the
workloads.
So
here,
for
example,
that
cluster
is
not
aware
of
what's
running
in
this
cluster.
A
So
you
create
traffic
policy
like
we've
seen
in
the
previous
video,
where
you
can
say,
I
want
to
send
this
percentage
of
requests
to
the
local
review
service
and
this
percentage
to
the
remote
review
service.
But
you
can
also
easily
create
access
policies
that
will
be
applied
globally
and
that's
what
we
will
focus
on
in
this
in
this
video.
So,
let's
jump
into
the
demo
here.
A
What
you
see
is
that
we
have
like
three
clusters
deployed
with
kind
and
we
have
like
kind
one
where
we
have
the
size
mesh
up
running
and
then
we
have
kind
two
and
kind
three
where
we
have
easter
running
and
that
has
been
deployed
and
the
virtual
mesh
has
been
created.
A
And
if
I
move
forward,
then
what
we
did
is
that
when,
when
we
created
this
virtual
mesh,
it
has
created
this
new
root
set
and
it
has
used
a
third
agent
deployed
by
virtual
mesh
by
service
mesh
herb
on
the
two
clusters
here
and
it
has
signed
these
certificates
created
on
each
cluster
with
this
common
root
cells,
and
these
new
sets
are
basically
intermediate
certain
the
chain
so
that
you
would
have
like
the
workload
set
signed
with
this
chain
so
that
you
have
like
the
chain
will
be
the
the
workload
search.
A
So
what
we
are
going
to
to
check
first
is
what
is
the
current
state
and
the
current
state
is
that
we
didn't
enable
airbag.
So
I
should
be
able
now
to
access
any
any
workload.
I
should.
I
should
have
everything
just
working
now,
so
I'm
going
to
jump
in
the
in
the
cluster
here
and
I
was
deploying
it.
I
don't
know
if
it's
ready.
Yeah,
it
is
so
we
see
here.
A
I
have
access
to
the
product
page
service
that
has
access
to
the
review
service
that
acts
access
to
the
rating
service,
because
everything
is
is
working
well
now.
So
the
first
thing
I'm
going
to
do
here
is
that
I'm
going
to
enforce
airbag,
so
I
created
the
virtual
mesh
before
and
here
I'll
just
modify
it
so
that
I
have
like
airbag
enabled
globally.
So
I
just
going
to
do
that
here,
just
like
creating
this
new
rule
and
very
quickly,
I
should
be
able
to
see
here
that
I
will
get
like
a
denied.
A
So
let
me
check
here
yeah,
you
start
to
have
some
services
that
cannot
talk
to
the
other
services
you
see,
and
even
the
istio
ingress
gateway
itself
cannot
even
talk
to
the
product
page
anymore.
So
I
have
denied
everything.
So
the
goal
here
will
be
to
allow
the
communication,
but
only
the
communication
we
want.
A
So
if
I
go
there-
and
I
see
when
I
enable
airbag-
what
it
did
in
fact
is
that
it
created
these
autoresolution
policies,
so
it
created
one
with
the
spec
that
is
empty,
which
means
that
and
in
this
your
name
system
namespace,
which
means
that
nothing
is
allowed.
Basically,
that's
that's
what
it
means,
and
then
it's
created
this
authorization
policy
just
here
on
cluster
2
and
created
the
same
one
here
on
oops,
where
I
am
on
cluster
three
to
just
allow
access
to
the
eco
ingress
gateway
itself.
A
But
then
this
regression
gateway
cannot
talk
to
the
product
page.
So
we
are
in
this
stage
we
can
access
the
student
gateway,
but
we
cannot
do
anything
apart
from
that.
So
what
we
are
going
to
do
now
is
that
we
are
going
to
create
what
we
call
an
access
policy
and
the
access
policy
will
tell.
I
want
the
istio
ingress
gateway
service
account,
so
the
steering
wheel
gateway
on
kind
2
to
be
able
to
access
any
service
with
the
label
service
product
page
in
the
default
namespace.
A
So
what
it
did
when
I
created
this
access
policy,
it
translated
it
in
an
authorization
policy,
and
you
see
the
authorization
policy
contains
this
kind
2,
which
is
the
the
the
trust
domain
that
we
have
on
this
cluster
and
kind
three,
the
trust
domain
that
we
have
in
the
user
cluster
we
deployed
it
with
separated
trust
domain
and
and,
as
you
can
see
like
everything
is
done
in
a
simple
way
and
you
define
all
these
policies
in
the
single
cluster,
which
is
the
cluster
where
service
mesh
hub
is
running.
A
Even
if
you
have
10
different
clusters
with
service
mesh,
then
you
just
define
all
your
rules
in
one
location
and
they
are
enforced
in
the
cluster
that
you
you
target
and
now,
if
I
want
to
allow
the
product
service
to
talk
to
the
details
and
the
reviews,
then
that
will
be
very
similar
like
you
can
see.
A
That's
the
service
account
of
my
product
page,
and
these
are
the
services
I
want
to
allow.
So
I
just
going
to
create
this
hole
and
very
quickly
again,
I
should
be
able
to
access
them,
but
you
see,
the
rating
service
is
not
available,
because
I
didn't
allow
the
review
service
to
talk
to
the
rating
service,
but
again
just
to
summarize
what
we've
just
done
before.
A
We
upload
that
communication
here
and
now,
we've
allowed
this
communication
there
so
that
the
product
page
can
talk
to
details
and
review
and
the
way
it
worked
is
that
we
created
a
single
access
policy,
but
it
created
the
authorization
policy
for
both
because
that's
one
pair
target-
and
here
we
we
just
use
that
source.
So
now.
The
next
step
is
to
upload
the
details,
the
review
service,
to
talk
to
the
rating
service,
and
we
can
see
that
here
we
just
have
the
review
service
account
on
kind
2.
That
can
talk
to
the
rating
service
here.
A
Then
I
should
be
able
to
see
them
very
quickly.
Yeah,
I
can
see
them
so
that
shows
you
how
to
do
it
very
simply
in
the
local
side,
but
the
value
really
comes
when
you
start
to
do
that
globally.
So
you
remember
last
time
we
spoke
about
this
multi-cluster
traffic
and
how
you
I
can
some
of
the
requests
from
public
page
going
to
reviews
here
and
some
going
to
the
reviews
on
the
second
site.
A
So
we
are
going
to
do
the
same
here.
So
let
me
go
back
to
the
slide
quickly.
That's
the
current
state.
I
can
access
the
product
page
and
the
product
page
can
access
the
rating
and
the
access
policy.
The
last
one
I
created
just
created
this
authorization
policy
here
and
now
what
we
want
is
to
be
able
to
access
the
other
one
here.
A
So
I'm
going
to
apply
that's
full
and
that's
again
I
encourage
you
to
watch
the
second
video
if
you
want
to
understand
that
because
it
does
a
lot
of
this
of
thing
behind
the
scene
to
make
it
easy
in
in
real
life.
If
you
have
just
the
twist
to
you-
and
you
have
to
do
that
by
yourself-
you
have
to
create
five
or
six
different
objects
just
to
express
that.
A
A
Where
in
one
location,
you
can
use
simple
objects
that
are
called
access
policies
to
express
globally,
which
services
can
talk
to
which
services?
And
you
see
here-
we
are
like
going
to
the
product
page,
which
is
like
on
the
first
side.
If
we
would
try
to
go
on
the
second
side
here,
I
still
have
an
access
denied,
because
I
didn't
do
anything
there.
I
didn't
allow
the
ingress
gateway
of
this
site
to
talk
to
the
ingress
gateway
the
product
page
at
all.
A
So
that's
that's
what
we
cover
now.
We
still
have
like
other
videos
coming
one
where
we
speak
about
different
service
mesh
technology.
So
basically
we'll
show
you
that
this
kind
of
access
control
that
you
apply
with
ecu
you
could
use
service
mesh
up
to
apply
them
also
with
other
technology
like
osm.
I
think
we
will
use
osm
for
that
one.
We
still
have
also
to
go
through.
You
know
how
to
manage
failover
and
we
will
even
add
probably
another
topic
about.
You
know
how
you
secure
the
edge.
A
So
I'm
going
to
to
work
on
that
and
and
just
to
summarize
about
our
portfolio-
that's
how
it
looks
like
we
focused
here
on
the
service
mesh
up
here.
We,
as
I
said
I
have
a
pro.
We
will
probably
have
a
topic
on.
You
know
how
you
can
secure
the
edge.
You
can
do
that
with
the
steering
wheel
gateway,
but
it's
quickly
quite
limited.
So
we
will
show
you
how
you
can
do
that
with
a
proper
api
gateway
like
glue.
A
You
have
also
like
a
developer
portal
that
is
available
in
both
cases,
if
you
use
istio
or
if
you
use
glue
you're
able
to
expose
your
api
with
the
developer
portal,
let
your
user
get
the
access
key.
We
discovered
the
api
with.
You
know,
open
api
specs
and
we
create
all
the
routing
behind
the
scenes.
A
So
it
really
makes
your
life
a
lot
easier
when
you
want
to
expose
apis
to
the
outside
world,
and
we
we
are
also
very
active
in
this-
was
me
web
assembly
topic
where,
in
the
in
the
near
future,
you'll
be
able
to
easily
build
your
own
android
filters
and
distribute
them
across
your
environment,
which
can
be
again
distributed
to
this
envoy
sidecar
proxy
running
on
istio,
but
also
applying
them
to
glue,
because
glue
is
also
based
on
on
android.
A
So
I
hope
you
enjoyed
the
video
and,
and
hopefully
you'll
you'll,
have
a
look
at
the
next
ones
as
well.
Thank
you
very
much.