solo.io

What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh

Copyright 2022

Jim Barton
Engineer - North America, Solo
jameshbarton
jim@solo.io

Marino Wijay
Platform Advocate - DevRel, Solo
Organizer - KubeHuddle Toronto
Ambassador - EddieHub Inc.
virtualized6ix
marino.wijay@solo.io
https://www.twitch.tv/virtualized6ix
https://marinow.hashnode.dev

A 30,000 FT overview of Ambient Mesh

Istio enables Zero-Trust Security

Istio Security with Sidecar Proxy:
- All traffic goes through Proxy
- Proxy manages mTLS, Identity
- Proxy manages L7 Application Filters | Policies

Istio Security with Ambient Mesh (L4 Proxy + L7 Proxy):
- All traffic goes through Proxy
- L4 Proxy manages mTLS, Identity
- L7 Proxy manages L7 Application Filters | Policies

Introducing Istio Ambient Mesh

Goals: Zero Trust Security, Reduce Costs, Simplify Operations, Improve Performance
- Proxy per Node
- Multi-Tenant Proxy
- Lightweight (L4) Proxy implementation (uProxy)
- Mesh is Transparent to Applications
- Decouple Proxy from Applications
- Simplify Adding new Apps
- Simplify App Updates
- uProxy is L4 vs L7
- uProxy can use acceleration in OS (eBPF)

How does Istio ambient work?
- Separate mesh capabilities into L4 and L7
- Adopt only the capabilities you need
- Remove the data plane from the workload (no sidecar)
- Leverage more capabilities in the CNI
- Reduce attack surface of data plane

How does it work (secure overlay only)?

How does it work (secure overlay + L7)?

Benefits
- No more race conditions between workload containers and sidecar/init-container, etc.
- Don't need to inject Pods/alter deployment resources
- Upgrades are out of band/transparent from the application
- Limited risk
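The L4/L7 split from the "Istio enables Zero-Trust Security" and "How does Istio ambient work?" slides, written out as an added example that is not part of this deck: a namespace opted into ambient mode (no sidecar injection) and an identity-based L4 authorization policy of the kind the per-node L4 proxy enforces. The namespace name, workload label, service account and port are assumptions.

```yaml
# Added example, not from the slides. Names below are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: bookinfo                       # assumed namespace
  labels:
    # Workloads in this namespace are captured by the per-node L4 proxy;
    # no sidecar is injected and Deployments are left untouched.
    istio.io/dataplane-mode: ambient
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-l4-allow
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage                 # assumed workload label
  action: ALLOW
  rules:
  - from:
    - source:
        # Peer identity taken from the caller's mTLS certificate
        # (SPIFFE form: cluster.local/ns/<namespace>/sa/<serviceaccount>).
        principals:
        - cluster.local/ns/bookinfo/sa/sleep   # assumed client service account
    to:
    - operation:
        ports: ["9080"]                # assumed application port
```

Because the rule uses only L4 attributes (peer identity and port), the L4 proxy can enforce it without a sidecar; HTTP-level attributes such as methods or paths belong to the L7 proxy layer and are not enforced by the L4 overlay alone.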