Automate mTLS communication with GoPay partners with Istio Vijay Dhama, Gojek Zufar Dhiyaulhaq, Gojek Agenda ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate

microservices with istio step by step JianFeng Ding, LuYao Zhong #IstioCon Agenda ● Istio identity ● mTLS in Isito ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in mesh traffic ● Summary generated automatically with Istio identity 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati on Using ingress port and ingress host to send request: can access side and auto-mTLS is on by default Access productpage 1) Apply peer-authentication to enable server side mTLS mTLS in Istio - PeerAuthenticati on mTLS http http http http mTLS http #IstioCon

版本的限制，目前有一 些应用程序与 Service Mesh 还不兼容。详参阅社区的相关链接。 OSSM-1655 Kiali 仪表板在 SMCP 中启用 mTLS 后显示错误。 在 SMCP 中启用 spec.security.controlPlane.mtls 设置后，Kiali 控制台会显示以下错误消息 No subsets defined。 OSSM-1505 只有在 OpenShift Container 上部署的网格不兼容。 MAISTRA-1959 迁移到 2.0 Prometheus 提取（spec.addons.prometheus.scrape 设置为 true）在启用 mTLS 时无法正常工作。另外，当禁用 mTLS 时，Kiali 会显示无关的图形数据。 可通过将端口 15020 从代理配置中排除来解决这个问题，例如： MAISTRA-1314 Red Hat OpenShift Service 提供服务发现、配置和证书管理。它将高级别路由规则转换为 Envoy 配置，并在运行时将其传播到 sidecar。 Istiod 可以充当证书颁发机构 (CA)，在 data plane 中生成支持安全 mTLS 通信的证书。您还 可以使用外部 CA 来实现这一目的。 OpenShift Container Platform 4.8 Service Mesh 28 Istiod 负责将 sidecar

CA 选项支持。(TRACING-3462) 修复了在使用 oc adm catalog mirror CLI 命令时对断开连接的环境的支持。(TRACING-3523) 修复了没有部署网关时的 mTLS。(TRACING-3510) 1.1.4.3. 已知 已知问题 问题 目前，当与 Tempo Operator 一起使用时，Jaeger UI 只显示在最后 15 分钟内发送了 trace 的服 (s390x)架构中会失败。(TRACING-3545) 目前，在未部署网关时，Tempo 查询前端服务不得使用内部 mTLS。这个问题不会影响 Jaeger Query API。解决办法是禁用 mTLS。(TRACING-3510) 临时 临时解决方案 解决方案 禁用 mTLS，如下所示： 1. 运行以下命令，打开 Tempo Operator ConfigMap 进行编辑： OpenShift Container Platform 4.14 分布式追踪 分布式追踪 6 1 安装 Tempo Operator 的项目。 2. 通过更新 YAML 文件来禁用 Operator 配置中的 mTLS： 3. 运行以下命令来重启 Tempo Operator pod： 缺少在受限环境中运行 Tempo Operator 的镜像。Red Hat OpenShift distributed tracing

Info Payments Product Info Proxy Proxy Proxy Proxy + k8s Istio mTLS mTLS mTLS ✓ Security ✓ Visibility ✓ Traffic Shaping ✓ Latency ✓ Single Point of Failure Adoption Product Info Proxy Proxy Proxy Book Order Proxy + k8s Istio mTLS mTLS mTLS + k8s + k8s Istio Istio Validation Webhooks ● Allow configuration

Ingress Token exchange 1. Istio authentication and authorization policies for every service: mTLS to defend against data exfiltration; deny by default. Credential (token, cookie, etc) 2. Exchange Exchange external credential to internal token to defend against token replay attacks. Internal JWT mTLS Edge security Cluster security best practices: access control Service 2 Service 1 1. Ensure traffic Verify Demo: mesh security lifecycle Sleep Proxy Httpbin Proxy Namespace foo mTLS Demo Security Lifecycle Concepts Secure Monitor Enforce Verify Demo: mesh security lifecycle

Spanner LVS(四层负载) DNS 网络控制面 LDC1 Spanner Spanner APP APP APP APP Keycenter HTTP1 TLS1.2 MMTP Mtls MQTT HTTP2 TLS1.3 QUIC 国密 硬件加速 安全合规 Spanner LVS(四层负载) DNS LDC2 Spanner Spanner APP APP APP 首次全流量支撑双十一大促 2013 • 支持蚂蚁LDC架构，三地五中心容灾架构 • 全面上线SSL加速卡，提供软硬件一体加速方案 2015 • All in 无线，通信通道全面升级（MMTP，MTLS协议） 2016 • 安全防护能力提升，WAF，流量镜像 2018至 今 • 通信协议，架构，安全再次升级（物联终端接入，QUIC协议，国密，可信计算， 海外加速，云原生）金融级三地五中心容灾架构（LDC） Cavium Nitrox软硬件一体解决方案 SSL握手性能 提升3倍 • 对Spanner实现了异步化改造 • 对openssl进行了异步化引擎改造 • 实现多芯片卡的负载均衡协议实现的改造-MTLS MTLS：1) 轻量级TLS库，小于50k；2) 优化的TLS协议 0-RTT • 减少握手延迟 • 代价：握手前发送的数据不能 保证防重放攻击，因此要求应 用程序自己保证防重放攻击 Small

communication using mTLS between all services • Configurable short-lived certificates • On the fly certificate renewals with no service downtime • Unified simplified configuration to enable mTLS for all services certificate renewal may require client application restarts Challenges – Client certificates 7 • mTLS provided by Istio • Server certificate provided by Istio Proxy sidecar container • Each Kafka client

workloads, devices, etc. Encrypting inter-CNF traffic via mutual TLS (mTLS) Option to encrypt intra-CNF traffic via mTLS Autonomous PKI service for certificate lifecycle management at scale What CA ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways Tuning Istio to Meet 5G Security Requirements

it was a service in your mesh ■ Traffic redirect and forward ■ Retry, timeout, fault injection, mtls policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal V1.6-1.8 Better VM Workload Abstraction ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ work with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s the app) ■ Circuit detection and outlier detection (reliability) etc. ■ Pervasive security (via mtls) ■ Extensibility (to cherry pick extensions) [1] Service Mesh use cases for Telco and Edge – Google