IstioSummit 2021 - IstioCon 2021
Transcript of IstioSummit 2021 - IstioCon 2021
![Page 1: IstioSummit 2021 - IstioCon 2021](https://reader031.fdocuments.in/reader031/viewer/2022012915/61c63bf144272e7b5c7a9647/html5/thumbnails/1.jpg)
Collibra | Engineering
Alex Van Boxel
IstioSummit 2021
Know Your Peers
Knock, knock, who's there?
Know Your Peers
This is against all presentation rules… but hey, it makes the slides useful afterwards.
Slide disclaimer: They contain a lot of text. Keywords are highlighted.
What's the goal of this talk?
Gain a deeper understanding of how identity works within a service mesh, and of how to leverage this knowledge in your application architecture.
What will you not learn in this talk?
You will not learn the hottest new Istio features, just a bit of behind-the-curtain plumbing.
Fear comes from not knowing what to expect...
― Chris Hadfield, An Astronaut's Guide to Life on Earth
[Diagram: istiod control plane, and two Workloads each fronted by an envoyproxy sidecar]
The Cloud Native Identity
SPIFFE
Secure Production Identity Framework for Everyone
I need to Google it every time; nobody really remembers this.
[Diagram, built up over several slides: two Platforms, each with Hosts, each Host running several Processes]
SPIFFE ID
The core of the spec: how to name your workloads! This is called a SPIFFE identifier (or SPIFFE-ID). It's always a Uniform Resource Identifier (URI).
SPIFFE ID is a URI
spiffe://cluster.local (trust domain: cluster.local)
SPIFFE ID must have a path component for workloads
spiffe://cluster.local/884b38b9-821c-4ddc (trust domain: cluster.local; path: /884b38b9-821c-4ddc)
SPIFFE ID can have hierarchy
spiffe://cluster.local/payment/postgresql (trust domain: cluster.local; path with hierarchy: /payment/postgresql)
SPIFFE ID in Istio
spiffe://cluster.local/ns/treactor/sa/atom-o (trust domain: cluster.local; namespace: treactor; service account: atom-o)
Trust Domain, a perimeter for workload identities
An important part of the SPIFFE-ID is the trust domain. By default it's cluster.local in Istio, but when you have multiple clusters or domains it is well worth thinking about. Trust can be established between different trust domains.
It's not enough to have a consistent naming convention
Nice to have a naming convention, but how do I trust that identity?
SPIFFE Verifiable Identity Document, aka SVID
An SVID (SPIFFE Verifiable Identity Document) is a SPIFFE-ID signed by an authority. There are two existing implementations right now.
JWT SPIFFE Verifiable Identity Document
A JWT token can be an SVID if it complies with certain rules, but let's ignore this type as we want to use the JWT token for the application layer.
X.509 SPIFFE Verifiable Identity Document
Istio uses X.509 SVID for identity over mTLS.
SPIFFE Specification, what does it contain?
● The SPIFFE Identity and Verifiable Identity Document, aka SPIFFE-ID
● The SPIFFE Workload API
● SPIFFE Verifiable Identity Document, aka SVID
SPIRE is hosted at the same site where the SPIFFE specification is hosted
Be sure to check out SPIRE for your non-mesh workloads
Certificates in the context of SPIFFE
X.509
It's not because it's old that it's broken!
The X.509 specification was first published on November 25, 1988.
X.509 Example
A common way you will see X.509 certificates being moved around: PEM encoded
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
X.509 Example
My favorite OpenSSL command:
> openssl x509 -text -in any-certificate.crt
    Version: 3 (0x2)
    Serial Number: 4103 (0x1007)
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: C = BE, O = Example, OU = Authority, CN = Authority X0
    Validity
        Not Before: Nov 23 11:56:36 2020 GMT
        Not After : Dec 3 11:56:36 2021 GMT
    Subject: C = BE, O = Example, OU = Unit, CN = Something
    Subject Public Key Info:
        Public Key Algorithm: id-ecPublicKey
            Public-Key: (256 bit)
    X509v3 extensions:
        X509v3 Subject Alternative Name: critical
            URI:spiffe://trust.domain.link/x, DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:86:9e:60:82:e1:e5:64:60:f3:51:32:b3:2a:
-----BEGIN CERTIFICATE-----
[Diagram, built up over several slides: a certificate holds a Name, Public Key, Signer's Name, Signature and other X.509 data; its owner also holds the matching Private Key; each certificate's Signature is checked against its signer's certificate, up the chain]
SPIFFE ID in Subject Alternative Name extension
The SPIFFE ID is set as a URI-type entry in the Subject Alternative Name (SAN) extension. Only one URI SAN is allowed, but other information, like IP addresses and DNS names, can be encoded alongside it.
    ...
    X509v3 extensions:
        X509v3 Subject Alternative Name: critical
            URI:spiffe://trust.domain/x, DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:86:9e:60:82:e1:e5:64:60:f3:51:32:b3:2a:
-----BEGIN CERTIFICATE-----
Signing Certificates
While an SVID is nothing more than an X.509 certificate, some restrictions apply. A signing certificate needs to have CA set to true and the keyCertSign bit set in the key usage extension. Signing certificates should never be used to identify workloads.
Leaf Certificates
A leaf certificate is used to identify a resource or caller; it's used in authentication. The SPIFFE ID MUST have a non-root path component.
TLS Handshake
Server and Client throwing X.509 stuff at each other
ClientHello
ServerHello
Certificate
ServerKeyExchange
CertificateRequest
ServerHelloDone
Hey, me "the client" knows:
● cipher suites
● compression algorithms
and here is some random crypto stuff
Ok, me "the server" will pick:
● this cipher suite
● this compression
and here is some random crypto stuff
Here is my certificate, now you know who I am. BTW, my certificate includes my “public key”. Oh, and I’ll throw in the intermediate certificates as well.
We’re talking about mTLS right: I demand that you send me your certificate! I can validate it against these trusted root certificates!
Certificate
ClientKeyExchange
CertificateVerify
ChangeCipherSpec
Finished
ServerHelloDone
My turn… let’s validate the certificates I got from the server:
● verify the signatures, names and X.509 bits
● verify that the certificate we got is the one for the server we assumed we connected to.
Ok, that annoying server wants to know who I am… here is my certificate. Maybe it's best to send the intermediates as well so it can validate it against the known trusted root CA.
Let's prove to the server that we really own the certificates: sign all the previous messages with our private key; the server can verify that signature with the public key from the Certificate message.
ChangeCipherSpec
Finished
Finished
Let's wrap up, do I trust the client? OK, I got the verify message that the client signed. I got the public key in the certificate. Now I only need to verify that I trust that public key… by following the chain to the shared trusted CA.
ChangeCipherSpec
Finished
ApplicationData
ApplicationData
OK, we’ve finished the handshake. GO, GO, GO!
We totally trust each other. We now have an encrypted and possibly compressed channel.
The TLS handshake wrap-up.
After the handshake, Istio, or rather the Envoy proxy (at both sides of the channel), knows who the other party is. With that information, decisions can be made.
Steps for introducing this to the platform
Envoy
It sits in the path of all your network traffic, twice!
In the Istio ant colony, envoy is the worker ant.
Because the application wants to know: the x-forwarded-client-cert proxy header carries certificate information.
x-forwarded-client-cert supports the following keys:
● By: our Subject Alternative Name (URI type)
● Hash: The SHA-256 digest of the current client certificate.
● Cert: The entire client certificate in URL-encoded PEM format.
● Chain: The entire client certificate chain (including the leaf certificate).
● Subject: The Subject field of the current client certificate.
● URI: The URI type SAN field of the current client certificate.
● DNS: The DNS type SAN field of the current client certificate.
x-forwarded-client-cert example:
By=spiffe://cluster.local/ns/my-namespace/sa/my-service [*1]
;Hash=cbb4cb46004bdbce15856...78e823fcedfad364 [*2]
;Subject=\"\" [*3]
;URI=spiffe://cluster.local/ns/client-namespace/sa/client-service [*4]
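An added example (not from the talk, and not Istio's or Envoy's code) of how an application can parse this header and pick out the SPIFFE ID of the workload that called it. The header value is constructed: one earlier hop with a quoted Subject, then the element from the slide with a placeholder Hash; the quoting rules follow Envoy's documented format for the header.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// XFCCElement holds the key/value pairs one proxy hop appended to
// x-forwarded-client-cert (keys such as By, Hash, Subject, URI, DNS).
type XFCCElement map[string]string

// ParseXFCC splits the header into one element per hop. Hops are separated by
// ",", pairs by ";", and a value containing any of , ; = " is double-quoted
// with embedded quotes escaped as \" (Envoy's rules for this header).
func ParseXFCC(header string) ([]XFCCElement, error) {
	var elems []XFCCElement
	cur := XFCCElement{}
	var key, val strings.Builder
	inKey, quoted := true, false
	endPair := func() error {
		if key.Len() == 0 {
			return errors.New("pair without a key")
		}
		cur[key.String()] = val.String()
		key.Reset()
		val.Reset()
		inKey = true
		return nil
	}
	for i := 0; i < len(header); i++ {
		c := header[i]
		switch {
		case quoted && c == '\\' && i+1 < len(header) && header[i+1] == '"':
			val.WriteByte('"') // escaped quote inside a quoted value
			i++
		case quoted && c == '"':
			quoted = false
		case quoted:
			val.WriteByte(c)
		case inKey && c == '=':
			inKey = false
		case !inKey && c == '"' && val.Len() == 0:
			quoted = true
		case c == ';' || c == ',':
			if err := endPair(); err != nil {
				return nil, err
			}
			if c == ',' { // the next pairs belong to the next hop
				elems = append(elems, cur)
				cur = XFCCElement{}
			}
		case inKey:
			key.WriteByte(c)
		default:
			val.WriteByte(c)
		}
	}
	if quoted {
		return nil, errors.New("unterminated quoted value")
	}
	if key.Len() > 0 {
		endPair() // cannot fail: the key is non-empty
	}
	if len(cur) > 0 {
		elems = append(elems, cur)
	}
	return elems, nil
}

// PeerIdentity returns the SPIFFE ID of the workload that called the
// application: the URI SAN in the last element, which the sidecar in front of
// the application appended after verifying the client certificate.
func PeerIdentity(elems []XFCCElement) (string, error) {
	if len(elems) == 0 {
		return "", errors.New("no client certificate information")
	}
	uri := elems[len(elems)-1]["URI"]
	if !strings.HasPrefix(uri, "spiffe://") {
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID", uri)
	}
	return uri, nil
}

// Constructed sample: an earlier hop with a quoted Subject, then the element
// from the slide (the Hash value is a made-up placeholder, not a real digest).
const sample = `By=spiffe://cluster.local/ns/client-namespace/sa/client-service;` +
	`Subject="O=Example, Inc.,CN=edge";URI=spiffe://cluster.local/ns/edge/sa/edge,` +
	`By=spiffe://cluster.local/ns/my-namespace/sa/my-service;` +
	`Hash=0000000000000000000000000000000000000000000000000000000000000000;` +
	`Subject="";URI=spiffe://cluster.local/ns/client-namespace/sa/client-service`

func main() {
	elems, err := ParseXFCC(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println(len(elems), "hops; first subject:", elems[0]["Subject"])
	fmt.Println(PeerIdentity(elems))
}
```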
Steps for introducing this to the platform
Istio
Bringing Istio's control plane into the mix
Bringing it all together, how?
[Diagram: Identity Management; a Workload pod with istio-agent and envoyproxy, and istiod]
As the istio-agent starts along with the pod, a key and a CSR (certificate signing request) are generated.
The CSR is sent to istiod. A CSR already contains most of the information that should be in the certificate; the public key and the SPIFFE ID are the most important ones.
If istiod is certain that the CSR is coming from the correct agent, it will create the certificate and sign it. Validation of the agent is done through the Kubernetes token passed along with the CSR request.
The certificate is sent back to the istio-agent; the CSR is no longer needed.
Through SDS, Envoy's "Secure Discovery Service" protocol, the private key and certificate are sent to the proxy. Now the proxy is ready to prove its identity.
Now the workload can pretend that it lives in an insecure world and start communicating unencrypted. The proxy will secure the connection using the certificate/key pair.
Remember, this is mutual TLS (mTLS): the same mechanism is used for clients and servers. The control plane is not required until the key and certificate need rotation.
Key takeaways
● Identity is established at pod startup
● Uses the Kubernetes service account token
● No control plane needed after identity has been established
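An added example, not Istio's code, of the identity flow just described together with the signing- and leaf-certificate rules from the X.509 section: the agent generates a key and a CSR carrying the SPIFFE ID as URI SAN, istiod checks the CSR against the identity the service account token proves and signs a short-lived leaf, and the peer proxy chains the result to the root and applies the SVID leaf rules. The CA is constructed in-process, and the token validation is simulated by passing the identity it would yield (the tokenID parameter); both are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA stands in for istiod's signing certificate: CA=true and keyCertSign set, as SPIFFE requires.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed istiod CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// agentCSR is the istio-agent side: a fresh key (which never leaves the agent) and a CSR with the SPIFFE ID as URI SAN.
func agentCSR(spiffeID string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	u, err := url.Parse(spiffeID)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
	must(err)
	return csr
}

// issue is the istiod side: tokenID is the identity derived from the validated service account token; the CSR only proves key possession and must ask for exactly that identity.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, tokenID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the requesting key: %w", err)
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != tokenID {
		return nil, fmt.Errorf("CSR asks for %v but the token proves %s", csr.URIs, tokenID)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour), // short-lived; the agent rotates it
		URIs:         csr.URIs,                       // the SPIFFE ID; IsCA stays false, a leaf never signs
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifySVID is the peer proxy's handshake check: chain to the shared root, then apply the leaf rules.
func verifySVID(leafDER []byte, root *x509.Certificate) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	if leaf.IsCA || len(leaf.URIs) != 1 {
		return "", fmt.Errorf("an SVID leaf must not be a CA and must carry exactly one URI SAN")
	}
	u := leaf.URIs[0]
	if u.Scheme != "spiffe" || u.Host == "" || u.Path == "" || u.Path == "/" {
		return "", fmt.Errorf("%s is not a workload SPIFFE ID (non-root path required)", u)
	}
	return u.String(), nil
}

func main() {
	ca, caKey := newCA()
	leaf, err := issue(ca, caKey, agentCSR("spiffe://cluster.local/ns/treactor/sa/atom-o"), "spiffe://cluster.local/ns/treactor/sa/atom-o")
	must(err)
	fmt.Println(verifySVID(leaf, ca))
}
```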
Steps for introducing this to the platform
Application Architecture
Let's differentiate between Peer and Request Authentication.
Authorization decisions can be taken by combining both.
Peer Authentication
Peer authentication is the mechanism Istio manages best, and it is what we've been talking about during this talk: who is the workload that is talking to us? Generally we're talking about services, not persons.
Request Authentication
Authentication on each individual request. Requests can be multiplexed over a single pipe that has been authenticated through peer authn. Best reserved for authenticating persons.
[Diagram: Presentation and Payment services]
Non-mesh authn
A user is authenticated via a standard JWT token to a presentation layer.
Non-mesh authn
The presentation layer needs some information from the payment service. It needs to know from what service the call came, so another JWT token?
Non-mesh authn
Looks easy… but how do we manage the keys for the JWT tokens? How do we encode the original caller? Encode it in another header?!
[Diagram: Presentation and Payment services, each behind an envoyproxy]
Mesh authn
Granted, the mesh picture looks scary in comparison. But...
Engineer's view
… what a developer needs to worry about is only the services they write and how to "handle" the JWT. If the source workload is important, the application can check the x-forwarded-client-cert header.
Bring it all together
Full end-to-end example, using Request- and Peer Authn
[Diagram: Presentation and Payment services, each behind an envoyproxy]
Mesh Auth
The user crosses the mesh boundary, walking in through the gateway with its JWT token.
Mesh Auth
Although you can expose workloads directly, you can leverage the gateway to manage public TLS termination and switch to mesh mTLS. The JWT passes right through.
Mesh Auth
Trust exists through every service in the mesh, including the gateway, which routes to the presentation layer. The presentation layer can use the JWT to validate the user.
Mesh Auth
The presentation layer needs some information from the payment service. It makes that call to the payment service and passes the original JWT token along.
Mesh Auth
The opportunity exists to lock down access so that only the presentation layer is allowed, through (peer) policies defined in Istio.
Mesh Auth
(Request) policies for the JWT tokens can also be pushed to the mesh, all with an application-independent audit trail. Ideal for the polyglot world.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
spec:
  selector:
    matchLabels:
      app: httpbin
      version: v1
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
    when:
    - key: request.auth.claims[iss]
      values: ["https://accounts.google.com"]
OK, I have to show one policy file, to keep it an Istio talk. This is taken right out of the documentation and shows combining Peer and Request Authentication to take authorization decisions.
Mesh Auth
Both the x-forwarded-client-cert header and the JWT token in the authentication header can be used to make informed decisions in the application.
Thank you
Questions?