From YouTube: Zero Trust Made Easy with Gloo Platform
With Istio, you can apply authorization policies that are enforced by the target service, so you define authorization policies and the control plane is going to configure the proxy in each pod to enforce them. But that means that if you have hundreds of services, you need to define hundreds of authorization policies, which can be quite complicated and error prone. In Gloo Platform, so, let's take a look. So first, if I try right now to access, from a pod that is not in the mesh, so one that's called not-in-mesh, if I try to access the reviews service that is in the bookinfo workspace right now, it's going to work, because I didn't define any security policies to prevent that.
I can also access the reviews service, because by default any service can communicate with any other service, whether they're not in the mesh or in the mesh. You know, if they're in the mesh they get mutual TLS, but they can still communicate if they're not in the mesh. You don't get mutual TLS, but you can still also communicate, and that's because we don't have any PeerAuthentication objects. And then peer authentication, you can look to see how it works in this doc, but then there's multiple modes, and by default it's permissive, but you can also make it strict mode by setting up your authentication policies in the istio-system namespace, in which case only mutual TLS traffic is allowed. But again, the problem is the same: unless you want to have a globally accepted peer authentication rule, you're going to have to create multiple rules to have granular control over your applications.
You'll have to do this in different places. So that's another thing that we simplify with Gloo Platform. So let's have a look and let's see it in action. So we're going to update my workspace settings for the bookinfo workspace. So we're importing services already from the gateway services and we export the gateway, but here I'm going to enable service isolation and trim proxy config, and I'm going to show you what the second action does in a minute.
In the bookinfo workspace, and all the service accounts of all the namespaces of my gateway workspace, I can access the product page service, but if I look at the ratings, for example, I can see that it's only the service account of my bookinfo services, because I didn't export that one. So that's good.
That means that now we have all the right security policies in place by just changing a single parameter in my workspace settings. But, like we said, if you're in permissive mode, someone who is not in the mesh could still access the services, and that's why what Gloo Platform will do is create these peer authorization policies, peer authentication policies, automatically. So in a granular fashion, service by service, we can define that we want to have strict mTLS, so it's not going to impact any other services in the other workspaces.
So you can decide one by one which workspace is ready to apply zero trust. You know, any workspace can do it now and they don't have to wait for the other workspaces. And the last thing we'll do is an optimization: the trim proxy config, with which Gloo will create Sidecar objects. And what Sidecar objects do is allow the control plane, istiod, to know that it should configure every sidecar in a way that every sidecar is only aware of what other services it's allowed to talk to.
So it's an optimization. So, for example, if I have a thousand services in my cluster, instead of every sidecar proxy being able to talk to all the other 999 services, the Sidecar resource will make it smarter so that it only knows about what other services it's allowed to talk to. So it's less memory, less resources, and so on. So automatically Gloo does all of this for you.
And now we can validate that. So now, if we try to access the reviews service from a service that is not in the mesh, it's going to be rejected, because mTLS is mandatory: we have strict enabled and it cannot establish an mTLS connection to this other one. And then for the other one, the one that's in the mesh, but it's not in a service that's allowed to talk to reviews, because it's not part of the bookinfo workspace.
So, for example, you can configure it in a way that I don't want all these services to be able to talk to any others, because ratings should not be accessed by the product page service directly. So in that case you can create access policies, and here we can say: I only want gateways to be able to access the product page service. And then I can create another access policy where I can say I only want the product page service to be able to access the details and reviews. And finally, we'll create another one where we can say only reviews to be able to access ratings. So you can validate that these services that are supposed to have access to the other ones can have access, and so on. So, for example, we'll just run these multiple commands to show product page to details is allowed, and reviews to product page, product page to reviews, should be allowed, and product page to ratings should be denied,
and if we look at the authorization policies, you can see that now you have more fine-grained policies in place. You can see reviews can only be accessed by the product page service, which can run on both cluster one and cluster two.
So it's not like any services in the workspace can talk to each other anymore by default. So you can really get control and get a full zero trust posture at the workspace level, without creating all these various rules. And if you wanted more fine-grained access, then you can accomplish that by creating explicit access policies.
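For reference, here are the three Istio objects the talk describes Gloo Platform generating per workspace (strict PeerAuthentication, an AuthorizationPolicy restricting reviews to productpage, and a Sidecar trimming what the reviews proxy knows about). This is an added illustration, not the video's or Solo.io's own output; the `bookinfo` namespace, the `app` labels and the service-account names follow Istio's bookinfo sample and are assumptions.

```yaml
# Assumption: bookinfo sample deployed in namespace "bookinfo" with the
# default service accounts (bookinfo-productpage, bookinfo-reviews, ...).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: strict-mtls
  namespace: bookinfo          # scoped to this workspace, not istio-system
spec:
  mtls:
    mode: STRICT               # plaintext callers (pods not in the mesh) are rejected
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-allow-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: reviews             # enforced by the reviews sidecar (the target)
  action: ALLOW                # with an ALLOW policy present, every other source is denied
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/bookinfo/sa/bookinfo-productpage
---
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: reviews
  namespace: bookinfo
spec:
  workloadSelector:
    labels:
      app: reviews
  egress:
  - hosts:
    # the only upstream reviews is allowed to call, so istiod pushes
    # just this cluster/route instead of every service in the mesh
    - "bookinfo/ratings.bookinfo.svc.cluster.local"
```

Because the AuthorizationPolicy matches on the SPIFFE principal, it only works once STRICT mTLS is in place; in PERMISSIVE mode a plaintext caller has no principal and the `from` rule cannot identify it.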