Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
solo.io / Gloo Platform / 18 Jul 2023
solo.io / Gloo Platform / 18 Jul 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Simplifying Egress Traffic Security with Gloo Platform and Istio

Description

In this video, we explore how to secure the traffic leaving your Kubernetes cluster through an Egress Gateway using Istio and the Gloo Platform. While Istio provides robust features, configuring it for Egress traffic can be complex. That's where the Gloo Platform comes in, making the process easier and more efficient.

We'll show you step-by-step how to:

👉 Automate Egress Gateway Deployment: Just like setting up Ingress Gateways, we'll use the Gateway lifecycle manager to automate the deployment of the Egress Gateway quickly.

👉 Originate TLS Traffic from the Gateway: Securely send traffic outside the cluster by defining the external service through the Gloo Platform.

👉 Implement Network Policies: Prevent malicious users from bypassing the Egress Gateway by configuring CNI-level Network policies to enforce traffic routing through the Gateway.

👉 Leverage Cilium CNI for Network Policy Enforcement: See how Cilium CNI is utilized to enforce network policies and ensure full control over Egress traffic.

👉 Simplify Istio Resource Configuration: With the Gloo Platform's help, creating the necessary Istio resources (service entries, gateways, destination rules, virtual services, etc.) becomes a breeze.

👉 Apply Layer 7 Policies: Enhance security by defining access policies and deciding who can communicate with specific external services.

👉 Understand Enforcement Layers: Learn how the Gloo Platform translates access policies into Istio authorization policies or network policies based on your requirements.

👉 Test Egress Traffic: Watch us test the setup by accessing an external service through the Egress Gateway and observing the logs.

By the end of this video, you'll have a clear understanding of how the Gloo Platform streamlines the configuration of Egress Gateways and enables seamless integration with Cilium CNI for robust network policies. Don't miss this opportunity to enhance your knowledge and implement efficient Egress traffic security in your Kubernetes clusters.

If you found this video helpful, be sure to like and subscribe for more informative content on Kubernetes, Istio, and other cloud native technologies. Hit the notification bell to stay updated on our latest uploads. Thank you for watching, and we'll see you in the next video!

A

With istio,, you can also secure the traffic leaving your cluster through an egress gateway.

A

You can even originate traffic, the tls traffic, that's coming from the gateway,.

A

But all of this is not so straightforward, as you need to know istio quite well to be able.

A

To create the corresponding service entries,, the gateways,, the destination rules, virtual.

A

Services, and so on, so we'll show how it's a lot easier to do this with the gloo platform.

A

You should also be aware that it's easy to bypass this egress gateway if a malicious user wanted to,.

A

And to prevent that,, you need to configure some some cni level network policies to enforce.

A

That the traffic always goes through the egress gateway,, so we'll show you how to do both easily.

A

So we're going to show in gloo platform where you can see istio running in both.

A

Clusters, we also have cilium cni deployed,, which is going to enforce the network policy.

A

So right now we don't have an egress gateway,, so just like we did before with the ingress.

A

Gateways,, we will use the gateway lifecycle manager to tell the platform to automate the.

A

Deployment of this egress gateway., it's going to be pretty quick because we already have.

A

The operator running so as soon as you apply it a few seconds later, it's already running.

A

I can also create a virtual gateway now to listen to incoming traffic. Coming from the.

A

Other pods to send traffic outside,, and here you can decide which services you want to.

A

Be exposed through this egress gateway. in this case, it's we're just going to use httpbin.org,.

A

And now for the network policy, we will create this in the bookinfo front, ends.

A

Namespace,, and what this is doing is that for the services that are running in this namespace, so.

A

For example, product page in our case,, you can now talk to any other pods in the namespace.

A

But cannot talk to anything outside of the cluster,, so it can talk to the egress.

A

Gateway because it's another pod in the cluster, but it can't talk to httpbin directly.

A

It can also talk to this ip address, because this ip address corresponds with the remote clusters.

A

East-West gateway for east-west traffic between the kubernetes clusters,, so these are all.

A

The things that we're allowing with this network policy. so, let's create this network policy. That's.

A

Going to be enforced by cilium, and now, let's try it.. If I try to access this http bin service.

A

And we're going to access it through the product, page pod,, and you can see that I get no response,.

A

And that's because the the packets are dropped by the cni,. So just like we expect, the the pod is.

A

Not able to access http bin because the network policy is restricted, access.

A

So what I need to do now is: I need to create this external service,.

A

This is the service registry element that represents httpbin.org, and I can define.

A

That the request be sent plain text by the user on product page,.

A

And that's going to be originating the tls communication. That's going.

A

To go through the gateway that I have defined, before.

A

So when we do this, it's going to create a lot of that istio resources for you.

A

Automatically,, like the ones we talked about earlier, the virtual services for the gateway,, the the egress gateway,, it's going to create a destination rule.

A

Okay, so this is the destination rule.. It's going to create the service entry, and all.

A

This complexity is being managed by the gloo platform,, so the user just has to create the.

A

External service, to make it possible for your pods to access.

A

This this endpoint., so now, if I run the same command again,, it should work because.

A

We should go through the egress gateway and I can check that here by looking at the logs.

A

I can see that I can access the service correctly and I can check the logs of the egress gateway.

A

And everything is working perfectly., so that's just the start.. We can actually do much more.

A

We can now apply layer, 7 policies, for example,. We can create an access policy to tell who.

A

Should talk to this http bin service, so for example, in here we're saying the product.

A

Page bin service should be able to talk to the external service through the gateway,.

A

And we can also define other layer 7 things. Like, say we only want to allow get requests,.

A

And over here we can have this enforcement layer option where we can decide when we create an.

A

Access policy, if we want that..., if that policy, to be translated by the platform to it into.

A

An istio authorization policy with mesh = to true or network policies, with cni = to true.

A

So, if we're..., so, if we have just authorization,, if we have just mesh and it won't create a.

A

Network policy, you know just created at the gateway level in the mesh.

A

So now we'll create this rule, and now I should be able to.... I should still be.

A

Able to access http bin, like we were doing before, because we were doing a get request,.

A

But if I try to change this..., a post, request,.

A

We should get a access denied, as you can see, 403 r-bac access, denied.

A

So you can see how we use the platform to simplify the configuration of deploying the egress gateway.

A

Itself,, but also the configuration of all the various egress rules., it's all very simple and we.

A

Were able to leverage the cni in conjunction with the service mesh, to make sure we have full control...

A

Defense in depth, basically of the egress traffic, with full granularity that we saw and expect.