Service mesh implementations help move critical application networking functionality out of the applications and into the infrastructure. With a service mesh like Istio, for example, you can move complicated traffic routing, resiliency aspects, and top-line metric collection out of the application code. This helps you build complicated distributed systems a bit more safely. But can Istio help with solving security issues? Christian Posta explores some of the ways Istio helps you build more secure systems with mutual TLS, OAuth 2.0, and JSON Web Token verification. Security starts with defining trust boundaries and establishing identities. Istio helps do this by leveraging SPIFEE to assign identity and lay the foundation for zero-trust application networking. Istio then leverages this identity to take over the issuance and management of workload identity documents (e.g., x509 certificates), which can then be used to provide client authentication and mTLS. Istio also helps with OAuth flows, JWT verification, RBAC/ABAC, and much more. You may be drawn into using Istio for its traffic management functionality, but most customers Christian works with find themselves much more interested in the security aspects once they learn what they can do with it. Join in to see for yourself.

1. COME FOR THE TRAFFIC ROUTING,
STAY FOR THE SECURITY
Christian Posta
@christianposta
Chief Architect, Red Hat

2. Christian Posta
Chief Architect, cloud-native appdev
Twitter: @christianposta
Blog: http://blog.christianposta.com
Email: christian@redhat.com
Slides: http://slideshare.net/ceposta
• Author “Microservices for Java developers”
• Committer/contributor lots of open-source projects
• Worked with large Microservices, web-scale,
unicorn company
• Blogger, speaker

3. https://puppet.com/resources/whitepaper/state-of-devops-report

4. New challenges in a cloudy, services world
• Service discovery
• Retries
• Timeouts
• Load balancing
• Rate limiting
• Thread bulk heading
• Circuit breaking

5. …continued
• Routing between services (adaptive, zone-aware)
• Deadlines
• Back pressure
• Outlier detection
• Health checking
• Traffic shaping
• Request shadowing

6. …continued
• Edge/DMZ routing
• Surgical / fine / per-request routing
• A/B rollout
• Internal releases / dark launches
• Fault injection
• Stats, metric, collection
• Logging
• Tracing

7. A service mesh is decentralized application-
networking infrastructure between your services
that provides resiliency, security, observability,
and routing control.
A service mesh allows your applications to function
without having to know intimate details of underlying
infrastructure, topology, and provider specifics.
Time for definitions:

8. Meet Istio.io
http://istio.io
An open-source implementation of service mesh

10. http://bit.ly/istio-tutorial

11. Fine-grained traffic routing
• Safely test new deployments in production with traffic mirroring
and diff/compare tools
• Controlled release strategy (decouple deployment and release)
• Canary releases
• Graduated releases
• Build A/B testing on top

12. Fine-grained traffic routing
• Low-risk monolith to microservices Part I/II/III
• Traffic shadowing with Istio: reduce the risk of code release
• Advanced traffic-shadowing patterns with Istio
• http://blog.christianposta.com

13. So we asked some of our
customers what features of Istio
would be most desired/prioritized

15. Policy (server) and Destination Rule (client)

16. Policy (server) and Destination Rule (client)

17. Istio mutual TLS

18. Istio mutual TLS

19. Istio Mutual TLS
What policy governs a service How do client’s call a service

20. Istio end-user identity verification

21. Istio JWT verification

22. We are just scratching the surface!

23. Follow up links
• http://istio.io
• https://preliminary.istio.io
• https://preliminary.istio.io/docs/concepts/security/
• https://preliminary.istio.io/docs/tasks/security/
• https://kiali.org
• http://blog.christianposta.com

24. DEMO TIME!

25. Demo!
http://bit.ly/istio-tutorial

26. Thanks
@christianposta
http://blog.christianposta.com/