SlideShare une entreprise Scribd logo

Securing Microservices with Istio

Daniel Berg
Daniel Berg

This was used in a presentation at All Things Open 2017 in Raleigh, NC. It describes the ability to manage microservices using the joint Istio project from IBM, Google, and Lyft. In this presentation we explore the overall value and architecture of Istio and walk through key mechanisms for using Istio to drive highly secure microservices.

Technologie
1  sur  17
Télécharger pour lire hors ligne
Securing Microservices with Istio Dan Berg @dancberg Lin Sun @linsun_unc
Problem Statement IT’s shift to a modern distributed architecture has left enterprises unable to monitor, manage or secure their services in a consistent way.
http://istio.io Introducing Istio
Intelligent Routing and Load Balancing Control traffic between services with dynamic route configuration, conduct A/B tests, release canaries, and gradually upgrade versions using red/black deployments.
Resilience Across Languages and Platforms Increase reliability by shielding applications from flaky networks and cascading failures in adverse conditions.
Secure Access with Fleet Wide Policy Enforcement Apply organizational policy to the interaction between services, ensure access policies are enforced and enable secure communication between services.
In-Depth Telemetry and Reporting Understand the dependencies between services, the nature and flow of traffic between them and quickly identify issues with distributed tracing.
Components of Istio 1. Envoy proxy, to mediate all inbound and outbound traffic for all services in the service mesh. Leverages Envoy features such as dynamic service discovery, load balancing, TLS termination, HTTP/2 & gRPC proxying, circuit breakers, health checks, staged rollouts with %-based traffic split, fault injection, and rich metrics.
 2. Pilot: Programming envoys and responsible for service discovery, registration and load balancing
 3. Istio-Auth provides strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management
 4. Mixer is responsible for enforcing access control and usage policies across the service mesh and collecting telemetry data from the Envoy proxy and other services.

Our sidecar of choice - Envoy A C++ based L4/L7 proxy Low memory footprint Battle-tested @ Lyft 100+ services 10,000+ VMs 2M req/s Plus an awesome team willing to work with the community! Goodies: ❖ HTTP/2 & gRPC ❖ Zone-aware load balancing w/ failover ❖ Health checks, circuit breakers, timeouts, retry budgets ❖ No hot reloads - API driven config updates Istio’s contributions: ❖ Transparent proxying w/ SO_ORIGINAL_DST ❖ Traffic routing and splitting ❖ Request tracing using Zipkin ❖ Fault injection
Putting it all together svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Discovery & Config data to Envoys Policy checks, telemetry Control flow during request processing Istio-Auth TLS certs to Envoy Traffic is transparently intercepted and proxied. App is unaware of Envoy’s presence HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS Envoy HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS Internet Ingress gateway
Istio - Security at Scale spiffe.io
Resiliency Istio adds fault tolerance to your application without any changes to code Resilience features ❖ Timeouts ❖ Retries with timeout budget ❖ Circuit breakers ❖ Health checks ❖ AZ-aware load balancing w/ automatic failover ❖ Control connection pool size and request load // Circuit breakers destination: serviceB.example.cluster.local
 policy:
 - tags:
 version: v1
 circuitBreaker:
 simpleCb:
 maxConnections: 100
 httpMaxRequests: 1000
 httpMaxRequestsPerConnection: 10
 httpConsecutiveErrors: 7
 sleepWindow: 15m
 httpDetectionInterval: 5m

Resiliency Testing Systematic fault injection to identify weaknesses in failure recovery policies HTTP/gRPC error codes Delay injection svcA Envoy Service A svcB Envoy Service B svcC Envoy Service C Timeout: 100ms Retries: 3 300ms Timeout: 200ms Retries: 2 400ms
Traffic Splitting svcA Envoy Pod Service A svcB Envoy ServiceB http://serviceB.example Pod Labels: version: v1.5 env: us-prod svcB Envoy Pod Labels: version: v2.0-alpha, env:us-staging serviceB.example.cluster.local Traffic routing rules 99% 1% Rules API Istio-Manager Traffic control is decoupled from infrastructure scaling // A simple traffic splitting rule destination: serviceB.example.cluster.local match:
 source: serviceA.example.cluster.local
 route:
 - tags:
 version: v1.5 env: us-prod weight: 99 - tags:
 version: v2.0-alpha env: us-staging weight: 1
svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 Content-based traffic steering svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 User-agent: *Android* svcB’ version: canary Pod 4 User-agent: *iPhone* Traffic Steering // Content-based traffic steering rule destination: serviceB.example.cluster.local
 match:
 httpHeaders:
 user-agent:
 regex: ^(.*?;)?(iPhone)(;.*)?$
 precedence: 2
 route:
 - tags:
 version: canary
Demo Time
Thank You! RedHat Pivotal WeaveWorks Tigera Datawire Scytale (SPIFFE) MicroSoft Uber (Jaeger) … and you! Community Partners

Recommandé

Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLuke Marsden
 
Istio on Kubernetes
Istio on KubernetesIstio on Kubernetes
Istio on KubernetesDaneyon Hansen
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Ambassador Kubernetes-Native API Gateway
Ambassador Kubernetes-Native API GatewayAmbassador Kubernetes-Native API Gateway
Ambassador Kubernetes-Native API GatewayAmbassador Labs
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep DiveYong Feng
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with IstioVMware Tanzu
 
Istio By Example (extended version)
Istio By Example (extended version)Istio By Example (extended version)
Istio By Example (extended version)Josef Adersberger
 
Istio
Istio Istio
Istio Arun prasath
 

Recommandé

Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLuke Marsden
 
Istio on Kubernetes
Istio on KubernetesIstio on Kubernetes
Istio on KubernetesDaneyon Hansen
 
Istio service mesh introduction
Istio service mesh introductionIstio service mesh introduction
Istio service mesh introductionKyohei Mizumoto
 
Ambassador Kubernetes-Native API Gateway
Ambassador Kubernetes-Native API GatewayAmbassador Kubernetes-Native API Gateway
Ambassador Kubernetes-Native API GatewayAmbassador Labs
 
ISTIO Deep Dive
ISTIO Deep DiveISTIO Deep Dive
ISTIO Deep DiveYong Feng
 
Connecting All Abstractions with Istio
Connecting All Abstractions with IstioConnecting All Abstractions with Istio
Connecting All Abstractions with IstioVMware Tanzu
 
Istio By Example (extended version)
Istio By Example (extended version)Istio By Example (extended version)
Istio By Example (extended version)Josef Adersberger
 
Istio
Istio Istio
Istio Arun prasath
 
Application Rollout - Istio
Application Rollout - Istio Application Rollout - Istio
Application Rollout - Istio Mandar Jog
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Codemotion
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service meshChandresh Pancholi
 
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYCThe Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYCAmbassador Labs
 
The elegant way of implementing microservices with istio
The elegant way of implementing microservices with istioThe elegant way of implementing microservices with istio
The elegant way of implementing microservices with istioInho Kang
 
Istio : Service Mesh
Istio : Service MeshIstio : Service Mesh
Istio : Service MeshKnoldus Inc.
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service MeshNatanael Fonseca
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLew Tucker
 
A sail in the cloud
A sail in the cloudA sail in the cloud
A sail in the cloudKamesh Sampath
 
Service mesh with istio
Service mesh with istioService mesh with istio
Service mesh with istioWisnuPrabowo20
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
Kong API
Kong APIKong API
Kong APIPatrick Pierson
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service MeshGeorgios Andrianakis
 
Linkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLinkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLeandro Totino Pereira
 
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...Ambassador Labs
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaBinit Pathak
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesIftach Schonbaum
 
Manage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API GatewayManage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API GatewayThibault Charbonnier
 
istio: service mesh for all
istio: service mesh for allistio: service mesh for all
istio: service mesh for allMandar Jog
 
Kong
KongKong
KongTroublemaker Khunpech
 
Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Ram Vennam
 
Introduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupIntroduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupDaniel Ciruli
 

Contenu connexe

Tendances

Application Rollout - Istio
Application Rollout - Istio Application Rollout - Istio
Application Rollout - Istio Mandar Jog
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Codemotion
 
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYCThe Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYCAmbassador Labs
 
The elegant way of implementing microservices with istio
The elegant way of implementing microservices with istioThe elegant way of implementing microservices with istio
The elegant way of implementing microservices with istioInho Kang
 
Istio : Service Mesh
Istio : Service MeshIstio : Service Mesh
Istio : Service MeshKnoldus Inc.
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service MeshNatanael Fonseca
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service MeshLew Tucker
 
Service mesh with istio
Service mesh with istioService mesh with istio
Service mesh with istioWisnuPrabowo20
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesAlcide
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service MeshGeorgios Andrianakis
 
Linkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLinkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLeandro Totino Pereira
 
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...Ambassador Labs
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaBinit Pathak
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesIftach Schonbaum
 
Manage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API GatewayManage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API GatewayThibault Charbonnier
 
istio: service mesh for all
istio: service mesh for allistio: service mesh for all
istio: service mesh for allMandar Jog
 

Tendances (20)

Application Rollout - Istio
Application Rollout - Istio Application Rollout - Istio
Application Rollout - Istio
 
Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)Stop reinventing the wheel with Istio by Mete Atamel (Google)
Stop reinventing the wheel with Istio by Mete Atamel (Google)
 
Istio a service mesh
Istio a service meshIstio a service mesh
Istio a service mesh
 
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYCThe Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
The Simply Complex Task of Implementing Kubernetes Ingress - Velocity NYC
 
The elegant way of implementing microservices with istio
The elegant way of implementing microservices with istioThe elegant way of implementing microservices with istio
The elegant way of implementing microservices with istio
 
Istio : Service Mesh
Istio : Service MeshIstio : Service Mesh
Istio : Service Mesh
 
Microservices With Istio Service Mesh
Microservices With Istio Service MeshMicroservices With Istio Service Mesh
Microservices With Istio Service Mesh
 
Istio Service Mesh
Istio Service MeshIstio Service Mesh
Istio Service Mesh
 
A sail in the cloud
A sail in the cloudA sail in the cloud
A sail in the cloud
 
Service mesh with istio
Service mesh with istioService mesh with istio
Service mesh with istio
 
Using Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your ServicesUsing Istio to Secure & Monitor Your Services
Using Istio to Secure & Monitor Your Services
 
Kong API
Kong APIKong API
Kong API
 
Introduction to Istio Service Mesh
Introduction to Istio Service MeshIntroduction to Istio Service Mesh
Introduction to Istio Service Mesh
 
Linkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backendLinkerd – Service mesh with service Discovery backend
Linkerd – Service mesh with service Discovery backend
 
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
The rise of Layer 7, microservices, and the proxy war with Envoy, NGINX, and ...
 
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eurekaMicroservice creation using spring cloud, zipkin, ribbon, zull, eureka
Microservice creation using spring cloud, zipkin, ribbon, zull, eureka
 
Managing Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on KubernetesManaging Microservices With The Istio Service Mesh on Kubernetes
Managing Microservices With The Istio Service Mesh on Kubernetes
 
Manage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API GatewayManage your APIs and Microservices with an API Gateway
Manage your APIs and Microservices with an API Gateway
 
istio: service mesh for all
istio: service mesh for allistio: service mesh for all
istio: service mesh for all
 
Kong
KongKong
Kong
 

Similaire à Securing Microservices with Istio

Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Ram Vennam
 
Introduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupIntroduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupDaniel Ciruli
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Weaveworks
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABBenith T
 
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptx
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptxLaurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptx
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptxFIWARE
 
NUVX Technologies general solutions
NUVX Technologies general solutionsNUVX Technologies general solutions
NUVX Technologies general solutionsNUVX
 
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...IRJET Journal
 
EastNets Resilient SWIFT Solutions
EastNets Resilient SWIFT SolutionsEastNets Resilient SWIFT Solutions
EastNets Resilient SWIFT SolutionsEastNets
 
21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIONiklaus Hirt
 
How to Make Istio Work with Your App
How to Make Istio Work with Your AppHow to Make Istio Work with Your App
How to Make Istio Work with Your AppKarenBruner
 
How to Make Istio Work with Your App
How to Make Istio Work with Your AppHow to Make Istio Work with Your App
How to Make Istio Work with Your AppStackRox
 
What’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTWhat’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTSplunk
 
Ubiquity iot arpan pal
Ubiquity iot arpan palUbiquity iot arpan pal
Ubiquity iot arpan palArpan Pal
 
Network Security
Network SecurityNetwork Security
Network SecuritySantosh K L
 
Tracing of voip traffic in the rapid flow internet backbone
Tracing of voip traffic in the rapid flow internet backboneTracing of voip traffic in the rapid flow internet backbone
Tracing of voip traffic in the rapid flow internet backboneeSAT Journals
 
Agile integration: Decomposing the monolith
Agile integration: Decomposing the monolith Agile integration: Decomposing the monolith
Agile integration: Decomposing the monolith Judy Breedlove
 
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...Splunk
 

Similaire à Securing Microservices with Istio (20)

Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019Istio Triangle Kubernetes Meetup Aug 2019
Istio Triangle Kubernetes Meetup Aug 2019
 
Introduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetupIntroduction to Istio for APIs and Microservices meetup
Introduction to Istio for APIs and Microservices meetup
 
Jvvnl 071108
Jvvnl 071108Jvvnl 071108
Jvvnl 071108
 
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
Security & Resiliency of Cloud Native Apps with Weave GitOps & Tetrate Servic...
 
Transparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LABTransparent proxy - SIP - 2014 - NCC LAB
Transparent proxy - SIP - 2014 - NCC LAB
 
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptx
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptxLaurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptx
Laurent Curnier – Monaco DataPlatform - LaurentCURNIER_.pptx
 
NUVX Technologies general solutions
NUVX Technologies general solutionsNUVX Technologies general solutions
NUVX Technologies general solutions
 
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...
IRJET - Implementation of VPN, AWS Cloud Enabled Real Time Water Pollution Sy...
 
Sangfor wan optimization data sheet 2015
Sangfor wan optimization data sheet 2015Sangfor wan optimization data sheet 2015
Sangfor wan optimization data sheet 2015
 
EastNets Resilient SWIFT Solutions
EastNets Resilient SWIFT SolutionsEastNets Resilient SWIFT Solutions
EastNets Resilient SWIFT Solutions
 
21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO21st Docker Switzerland Meetup - ISTIO
21st Docker Switzerland Meetup - ISTIO
 
How to Make Istio Work with Your App
How to Make Istio Work with Your AppHow to Make Istio Work with Your App
How to Make Istio Work with Your App
 
How to Make Istio Work with Your App
How to Make Istio Work with Your AppHow to Make Istio Work with Your App
How to Make Istio Work with Your App
 
What’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINTWhat’s New: Splunk App for Stream and Splunk MINT
What’s New: Splunk App for Stream and Splunk MINT
 
Ubiquity iot arpan pal
Ubiquity iot arpan palUbiquity iot arpan pal
Ubiquity iot arpan pal
 
Network Security
Network SecurityNetwork Security
Network Security
 
Istio
IstioIstio
Istio
 
Tracing of voip traffic in the rapid flow internet backbone
Tracing of voip traffic in the rapid flow internet backboneTracing of voip traffic in the rapid flow internet backbone
Tracing of voip traffic in the rapid flow internet backbone
 
Agile integration: Decomposing the monolith
Agile integration: Decomposing the monolith Agile integration: Decomposing the monolith
Agile integration: Decomposing the monolith
 
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
Splunk MINT for Mobile Intelligence and Splunk App for Stream for Enhanced Op...
 

Plus de Daniel Berg

Cloud-Native Applications with Microservices and Containers
Cloud-Native Applications with Microservices and ContainersCloud-Native Applications with Microservices and Containers
Cloud-Native Applications with Microservices and ContainersDaniel Berg
 
Developing Hybrid Cloud Applications
Developing Hybrid Cloud ApplicationsDeveloping Hybrid Cloud Applications
Developing Hybrid Cloud ApplicationsDaniel Berg
 
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...Daniel Berg
 
InterConnect 2015: 3540 Release and Deploy Headliner
InterConnect 2015: 3540 Release and Deploy HeadlinerInterConnect 2015: 3540 Release and Deploy Headliner
InterConnect 2015: 3540 Release and Deploy HeadlinerDaniel Berg
 
InterConnect 2015: 3962 Docking DevOps
InterConnect 2015: 3962 Docking DevOpsInterConnect 2015: 3962 Docking DevOps
InterConnect 2015: 3962 Docking DevOpsDaniel Berg
 
Innovate 2014 - DevOps Technical Strategy
Innovate 2014 - DevOps Technical StrategyInnovate 2014 - DevOps Technical Strategy
Innovate 2014 - DevOps Technical StrategyDaniel Berg
 
Innovate 2014 DevOps: Release and Deploy Keynote
Innovate 2014 DevOps: Release and Deploy KeynoteInnovate 2014 DevOps: Release and Deploy Keynote
Innovate 2014 DevOps: Release and Deploy KeynoteDaniel Berg
 
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talk
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talkCloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talk
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talkDaniel Berg
 
[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap
[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap
[IBM Pulse 2014] #1579 DevOps Technical Strategy and RoadmapDaniel Berg
 
Dops 1033 dev-ops_review_final
Dops 1033 dev-ops_review_finalDops 1033 dev-ops_review_final
Dops 1033 dev-ops_review_finalDaniel Berg
 
Pulse 2013: DevOps Review and Roadmap
Pulse 2013: DevOps Review and RoadmapPulse 2013: DevOps Review and Roadmap
Pulse 2013: DevOps Review and RoadmapDaniel Berg
 

Plus de Daniel Berg (11)

Cloud-Native Applications with Microservices and Containers
Cloud-Native Applications with Microservices and ContainersCloud-Native Applications with Microservices and Containers
Cloud-Native Applications with Microservices and Containers
 
Developing Hybrid Cloud Applications
Developing Hybrid Cloud ApplicationsDeveloping Hybrid Cloud Applications
Developing Hybrid Cloud Applications
 
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
InterConnect 2015: 3045 Hybrid Cloud - How to get a return from an investment...
 
InterConnect 2015: 3540 Release and Deploy Headliner
InterConnect 2015: 3540 Release and Deploy HeadlinerInterConnect 2015: 3540 Release and Deploy Headliner
InterConnect 2015: 3540 Release and Deploy Headliner
 
InterConnect 2015: 3962 Docking DevOps
InterConnect 2015: 3962 Docking DevOpsInterConnect 2015: 3962 Docking DevOps
InterConnect 2015: 3962 Docking DevOps
 
Innovate 2014 - DevOps Technical Strategy
Innovate 2014 - DevOps Technical StrategyInnovate 2014 - DevOps Technical Strategy
Innovate 2014 - DevOps Technical Strategy
 
Innovate 2014 DevOps: Release and Deploy Keynote
Innovate 2014 DevOps: Release and Deploy KeynoteInnovate 2014 DevOps: Release and Deploy Keynote
Innovate 2014 DevOps: Release and Deploy Keynote
 
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talk
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talkCloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talk
Cloud Foundry Summit 2014 - IBM Bluemix DevOps Services lightning talk
 
[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap
[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap
[IBM Pulse 2014] #1579 DevOps Technical Strategy and Roadmap
 
Dops 1033 dev-ops_review_final
Dops 1033 dev-ops_review_finalDops 1033 dev-ops_review_final
Dops 1033 dev-ops_review_final
 
Pulse 2013: DevOps Review and Roadmap
Pulse 2013: DevOps Review and RoadmapPulse 2013: DevOps Review and Roadmap
Pulse 2013: DevOps Review and Roadmap
 

Dernier

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Dernier (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Securing Microservices with Istio

  • 1. Securing Microservices with Istio Dan Berg @dancberg Lin Sun @linsun_unc
  • 2. Problem Statement IT’s shift to a modern distributed architecture has left enterprises unable to monitor, manage or secure their services in a consistent way.
  • 4. Intelligent Routing and Load Balancing Control traffic between services with dynamic route configuration, conduct A/B tests, release canaries, and gradually upgrade versions using red/black deployments.
  • 5. Resilience Across Languages and Platforms Increase reliability by shielding applications from flaky networks and cascading failures in adverse conditions.
  • 6. Secure Access with Fleet Wide Policy Enforcement Apply organizational policy to the interaction between services, ensure access policies are enforced and enable secure communication between services.
  • 7. In-Depth Telemetry and Reporting Understand the dependencies between services, the nature and flow of traffic between them and quickly identify issues with distributed tracing.
  • 8. Components of Istio 1. Envoy proxy, to mediate all inbound and outbound traffic for all services in the service mesh. Leverages Envoy features such as dynamic service discovery, load balancing, TLS termination, HTTP/2 & gRPC proxying, circuit breakers, health checks, staged rollouts with %-based traffic split, fault injection, and rich metrics.
 2. Pilot: Programming envoys and responsible for service discovery, registration and load balancing
 3. Istio-Auth provides strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management
 4. Mixer is responsible for enforcing access control and usage policies across the service mesh and collecting telemetry data from the Envoy proxy and other services.

  • 9. Our sidecar of choice - Envoy A C++ based L4/L7 proxy Low memory footprint Battle-tested @ Lyft 100+ services 10,000+ VMs 2M req/s Plus an awesome team willing to work with the community! Goodies: ❖ HTTP/2 & gRPC ❖ Zone-aware load balancing w/ failover ❖ Health checks, circuit breakers, timeouts, retry budgets ❖ No hot reloads - API driven config updates Istio’s contributions: ❖ Transparent proxying w/ SO_ORIGINAL_DST ❖ Traffic routing and splitting ❖ Request tracing using Zipkin ❖ Fault injection
  • 10. Putting it all together svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Discovery & Config data to Envoys Policy checks, telemetry Control flow during request processing Istio-Auth TLS certs to Envoy Traffic is transparently intercepted and proxied. App is unaware of Envoy’s presence HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS Envoy HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS Internet Ingress gateway
  • 11. Istio - Security at Scale spiffe.io
  • 12. Resiliency Istio adds fault tolerance to your application without any changes to code Resilience features ❖ Timeouts ❖ Retries with timeout budget ❖ Circuit breakers ❖ Health checks ❖ AZ-aware load balancing w/ automatic failover ❖ Control connection pool size and request load // Circuit breakers destination: serviceB.example.cluster.local
 policy:
 - tags:
 version: v1
 circuitBreaker:
 simpleCb:
 maxConnections: 100
 httpMaxRequests: 1000
 httpMaxRequestsPerConnection: 10
 httpConsecutiveErrors: 7
 sleepWindow: 15m
 httpDetectionInterval: 5m

  • 13. Resiliency Testing Systematic fault injection to identify weaknesses in failure recovery policies HTTP/gRPC error codes Delay injection svcA Envoy Service A svcB Envoy Service B svcC Envoy Service C Timeout: 100ms Retries: 3 300ms Timeout: 200ms Retries: 2 400ms
  • 14. Traffic Splitting svcA Envoy Pod Service A svcB Envoy ServiceB http://serviceB.example Pod Labels: version: v1.5 env: us-prod svcB Envoy Pod Labels: version: v2.0-alpha, env:us-staging serviceB.example.cluster.local Traffic routing rules 99% 1% Rules API Istio-Manager Traffic control is decoupled from infrastructure scaling // A simple traffic splitting rule destination: serviceB.example.cluster.local match:
 source: serviceA.example.cluster.local
 route:
 - tags:
 version: v1.5 env: us-prod weight: 99 - tags:
 version: v2.0-alpha env: us-staging weight: 1
  • 15. svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 Content-based traffic steering svcA Service A svcB Service B version: v1 Pod 3 Pod 2 Pod 1 User-agent: *Android* svcB’ version: canary Pod 4 User-agent: *iPhone* Traffic Steering // Content-based traffic steering rule destination: serviceB.example.cluster.local
 match:
 httpHeaders:
 user-agent:
 regex: ^(.*?;)?(iPhone)(;.*)?$
 precedence: 2
 route:
 - tags:
 version: canary