
What has a Service Mesh ever done for me?

Talk given at Continuous Lifecycle London on 14/05/2019 by Luke Bond (luke@control-plane.io, @lukeb0nd), co-founder of ControlPlane, a London-based Kubernetes and container security consultancy, and co-organiser of the Istio London meetup.


Presentation Transcript


  1. What has a Service Mesh ever done for me?
  Continuous Lifecycle London - 14/05/2019
  luke@control-plane.io
  @lukeb0nd

  2. Who am I?
  • Luke Bond
  • Co-founder of ControlPlane
  • London-based Kubernetes and container security consultancy
  • Co-organiser of the Istio London meetup
  • Come from a programming background, moved into containers and DevOps
  Andrew Martin sends his apologies! 👋

  3. In This Talk...
  • What is a service mesh?
  • What is Istio?
  • What does all this have to do with continuous delivery?
  • Istio and security
  • How Istio works
  • How to move to Istio

  4. The Problem Statement
  Companies want to release more often and with greater confidence, to get features into customers' hands faster and to encourage rapid experimentation and innovation within their company. Companies that fail to do this risk being overtaken by a more nimble competitor.

  5. Easier Said Than Done, Right?

  6. Transformation Challenges
  On-premise has its advantages:
  • Physical segregation from the public Internet
  • Physical controls
  • Dedicated hardware
  This has influenced the design of legacy applications...

  7. Back to the Problem Statement
  • Enterprises need to move faster
  • Enterprises need to move to the cloud
  • Enterprises’ legacy software can’t be easily discarded
  • Moving legacy software to the cloud presents security risks
  What enterprises need is an upgrade path to the cloud that doesn’t depend upon a complete and successful digital transformation. It needs to work with what they’ve got.

  8. What is a Service Mesh?
  • Application-aware networking infrastructure
  • An integration point for policy, traffic management and tracing
  • Provides features such as:
    • Intelligent routing and load-balancing
    • Cryptographic workload identity
    • Network policy enforcement
    • In-depth telemetry and reporting
  These may sound like network infrastructure on layers 2, 3 and 4, but in fact a service mesh reaches up to L7.
  (Diagram: OSI model - Application, Presentation, Session, Transport, Network, Data Link, Physical)

  9. What is Istio?
  • Istio is a Kubernetes service mesh project from Google and IBM
  • Control plane:
    • Central policy configuration
    • Certificate authority, service identity and credential management
    • Interface with the underlying orchestrator
    • Pushes policy configuration to the fleet of sidecar proxies
  • Data plane:
    • Fleet of Envoy sidecar proxies enforcing policy
  • The connected Envoy proxies alone form a service mesh
  • Istio is the complete package for managing that service mesh

  10. Istio Architecture
  • Mixer - policy & telemetry hub
  • Pilot - pushes config to proxies
  • Citadel - CA and service ID
  • API - configure & observe

  11. Why use Istio?
  • Istio provides the following features (from the Istio docs):
    • Automatic load balancing for HTTP, gRPC, WebSocket, and TCP traffic.
    • Fine-grained control of traffic behavior with rich routing rules, retries, failovers, and fault injection.
    • A pluggable policy layer and configuration API supporting access controls, rate limits and quotas.
    • Automatic metrics, logs, and traces for all traffic within a cluster, including cluster ingress and egress.
    • Secure service-to-service communication in a cluster with strong identity-based authentication and authorization.
  • ...all without changing your application*
  * The application doesn’t need to know it’s on Istio

  12. Istio and Continuous Delivery
  • Istio’s traffic control features enable some CD use cases:
    • Blue/green deployments
    • Canary releases
    • A/B testing
  • Supported by Istio’s visibility into your applications
  • Istio provides all the primitives to build these deployment systems
  • Or use Flagger, the progressive delivery Kubernetes operator: https://github.com/weaveworks/flagger

  13. Flagger Progressive Delivery Operator
  https://github.com/weaveworks/flagger
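The traffic-splitting primitive behind a canary release, as an added example that is not part of the slides, written in Istio's own networking API: a DestinationRule names two subsets of a hypothetical `api` service by pod label, and a VirtualService sends 90% of requests to the stable subset and 10% to the canary, with a header match in front that lets testers opt into the canary regardless of weight (the A/B case). The namespace, service name, labels and header name are assumptions. Flagger automates stepping the weights and rolling back on bad metrics; by hand, the weights are edited between steps.

```yaml
# Added example, not from the slides. Assumes a Kubernetes Service "api" in
# namespace "shop" backed by two Deployments labelled version: v1 (stable)
# and version: v2 (canary). All names are hypothetical.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: api
  namespace: shop
spec:
  host: api.shop.svc.cluster.local
  subsets:
    - name: stable
      labels:
        version: v1
    - name: canary
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: api
  namespace: shop
spec:
  hosts:
    - api.shop.svc.cluster.local
  http:
    # Rule 1: anyone sending the opt-in header is pinned to the canary
    # (A/B testing). Rules are evaluated in order; first match wins.
    - match:
        - headers:
            x-canary:
              exact: "true"
      route:
        - destination:
            host: api.shop.svc.cluster.local
            subset: canary
    # Rule 2: everyone else is split by weight (canary release).
    # Weights must sum to 100; raise the canary share step by step.
    - route:
        - destination:
            host: api.shop.svc.cluster.local
            subset: stable
          weight: 90
        - destination:
            host: api.shop.svc.cluster.local
            subset: canary
          weight: 10
```

The split is applied in the caller's Envoy sidecar per request, so it needs no change in either the caller or `api`. Apply the DestinationRule before the VirtualService: a route that references a subset Istio does not yet know about fails rather than falling back to the stable pods.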

  14. Istio and Security
  • Istio’s design builds on Zero Trust Networking concepts
  • Cryptographic workload identity
  • Mutual TLS
  • Short-lived credentials
  • Network policy expressed at the application level
    • Bolstered by trusted workload identity and mTLS
  (Diagram labels: WEB, DB, API)

  15. Istio and Security
  How does Istio fit into the wider security picture?

  16. A Secure Cloud-Native Pipeline
  • Git commit signing
  • Secure your supply chain with in-toto
  • Scan container images for vulnerabilities
  • Sign metadata for policy compliance evidence
  • Static analysis on Kubernetes YAML with https://kubesec.io (come to the ControlPlane booth at KubeCon for stickers!)
  • Network security testing (Kubernetes, Istio, and Linux hosts) for DevSecOps workflows with https://netassert.io
  • Decouple build from deployment with GitOps
  • Check policy compliance in a Kubernetes Admission Controller
  • Run Istio

  17. How to Move to Istio
  • Can adopt silently without using all the features
  • Instantly benefit from the improved telemetry
  • Adopt features “à la carte”:
    • Then network policy
    • Canary releases with Flagger
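Slides 14 and 17 describe the security primitives (mTLS, cryptographic workload identity, network policy at the application level) and the incremental adoption path. The manifests below, an added example that is not part of the original slides, show that path in Istio's security API: mesh-wide PERMISSIVE mTLS as the silent first step, STRICT for one namespace once all of its clients are meshed, and a deny-by-default AuthorizationPolicy with explicit allows so that only `web` may call `api` and only `api` may reach `db`, matched on the caller's SPIFFE service-account identity rather than its IP address. The namespace, workload labels and service accounts are assumptions. The `security.istio.io/v1beta1` kinds used here were introduced in Istio 1.5, after this talk, which would have used the older `authentication.istio.io` resources for the same purpose.

```yaml
# Added example, not from the slides. Assumes a namespace "shop" with three
# workloads labelled app: web, app: api and app: db, each running under a
# Kubernetes ServiceAccount of the same name. All names are hypothetical.

# Step 1 (silent adoption): mesh-wide PERMISSIVE mTLS. Sidecars accept both
# plaintext and mTLS, so clients not yet in the mesh keep working, while the
# telemetry already shows which connections are still plaintext.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # the root namespace: no selector => mesh-wide
spec:
  mtls:
    mode: PERMISSIVE
---
# Step 2: once every caller of "shop" has a sidecar, require mTLS there.
# A namespace-level policy overrides the mesh-wide one for that namespace.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT
---
# Step 3: application-level network policy. An AuthorizationPolicy with no
# rules denies every request to workloads in the namespace; the explicit
# ALLOW policies below punch the permitted holes.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: shop
spec: {}
---
# WEB is reachable only from the Istio ingress gateway (its default
# service account name is assumed here).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: web-from-ingress
  namespace: shop
spec:
  selector:
    matchLabels:
      app: web
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
---
# API accepts HTTP GET/POST only from the WEB workload's identity.
# The principal is the SPIFFE ID carried in the mTLS client certificate,
# so a pod that merely spoofs WEB's IP or labels is still refused.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-from-web
  namespace: shop
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/web"]
      to:
        - operation:
            methods: ["GET", "POST"]
---
# DB speaks a TCP protocol, so only identity is matched here: HTTP-only
# fields such as methods or paths do not apply to TCP traffic.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: db-from-api
  namespace: shop
spec:
  selector:
    matchLabels:
      app: db
  action: ALLOW
  rules:
    - from:
        - source:
            principals: ["cluster.local/ns/shop/sa/api"]
```

The identity-based rules only hold once the namespace is STRICT: under PERMISSIVE a plaintext caller has no certificate and therefore no principal, so it would simply be denied by `deny-all` rather than impersonate anyone, but a STRICT namespace is what guarantees every accepted connection is authenticated. Before flipping to STRICT, confirm from the telemetry (the `connection_security_policy` label on Istio's request metrics) that no plaintext traffic remains.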

  18. Links
  • https://istio.io/docs/concepts/what-is-istio/
  • https://blog.aquasec.com/istio-kubernetes-service-mesh
  • https://blog.aquasec.com/istio-kubernetes-security-zero-trust-networking
  • https://blog.aquasec.com/istio-service-mesh-traffic-control
  • https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
  • https://in-toto.github.com
  • https://kubesec.io
  • https://mikegerwitz.com/papers/git-horror-story

  19. Thanks!
  Slides here: http://bit.do/eSins
  luke@control-plane.io
  @lukeb0nd
