Multi-Service Without A Mesh
Evan Anderson

Why This Talk?
- Use existing, mature technologies
- "The hard way": building understanding by building a thing
- It's not as easy as it should be
- We can make it better!

Multi-Service
So, you want a platform for microservices:
- What does that mean?
- Can I just slap some Kubernetes on it?
- I'm not ready for a Service Mesh

We Can Do This!
- Ingress
- DB Operator
- Deployment
- Service

What About Security?
- Users connect over the internet. Probably need TLS?
- cert-manager to the rescue!
- Annotate each resource (Ingress or Gateway) to provision certs
- If you need other APIs (VirtualService, HTTPProxy, etc.) you'll need to wire up the Certificate resources yourself

Encryption != Secure
- We've ensured that bad people on the internet can't intercept our communications, but they can still connect as normal users!
- We don't want an Ingress, we want an API Gateway:
  - Authentication
  - Rate Limits & DoS protection
  - API Keys / Feature Access

What About On-Cluster?
- NetworkPolicy allows us to enforce L4 (TCP) firewall rules
  - If our CNI implements it
- Some CNI implementations also implement encryption?

Service Identity
- We also want to be able to control which services are exposed to which peers. Even over REST and gRPC!
- We need a way to identify callers in a dynamic network environment
- Can we use ServiceAccounts for this?
  (diagram labels: CRUD Orders, Read Addresses, CRUD Addresses)

ServiceAccounts to the Rescue
- Kubernetes automatically mounts an OpenID token for the Pod's ServiceAccount into the pod unless you set automountServiceAccountToken: false on the service account.
- You can use this token to prove your app's identity.
- DON'T DO THIS
- That is a bearer token: anyone who has it can authenticate to the apiserver as the ServiceAccount in question!

Token Projection for Identity
- Enter Service Account Projection!
- Allows applications to mount an OpenID Connect token correspondin
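The "What About Security?" slides say to annotate the Ingress and let cert-manager provision the certificate, and to wire up a Certificate resource yourself for APIs that ingress-shim does not watch. The manifests below are an added example, not from the talk; the namespace `shop`, the services `orders` and `addresses`, the hostnames under `example.com`, the issuer name `letsencrypt-prod` and the ingress class `nginx` are all assumed.

```yaml
# Assumed ClusterIssuer; any cert-manager issuer works the same way.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
# Path 1: Ingress. The annotation is all that is needed; cert-manager's
# ingress-shim creates a Certificate for each spec.tls entry and stores
# the signed cert + key in the named Secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders
  namespace: shop
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - orders.example.com
      secretName: orders-tls        # written by cert-manager, read by the ingress controller
  rules:
    - host: orders.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 8080
---
# Path 2: an API ingress-shim does not watch (VirtualService, HTTPProxy, ...).
# Create the Certificate yourself and point that API's TLS config at secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: addresses-tls
  namespace: shop
spec:
  secretName: addresses-tls
  dnsNames:
    - addresses.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
```

A quick check after applying: `kubectl get certificate -n shop` should list both `orders-tls` (created by ingress-shim) and `addresses-tls` with `READY` set to `True`; if the Ingress one never appears, the annotation key or the issuer name is wrong.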
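The "What About On-Cluster?" slide describes NetworkPolicy as L4 firewall rules that only take effect if the CNI enforces them. Below is an added example of the default-deny-plus-allow pattern for the two services in the talk's diagram; it is not from the talk, and the namespace `shop`, the `app` labels and port 8080 are assumed.

```yaml
# Step 1: deny all inbound traffic to every pod in the namespace.
# An empty podSelector matches all pods; listing Ingress with no rules denies it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Step 2: re-open exactly one path: orders pods -> addresses pods on TCP/8080.
# Selection is by pod label, so this says "which pods", not "which caller":
# it is an L4 allow-list, not authentication of the peer.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: addresses-allow-orders
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: addresses
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: orders
      ports:
        - protocol: TCP
          port: 8080
---
# Step 3: the ingress controller lives in another namespace, so the public
# orders service needs an explicit allow from there (namespace name assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-allow-ingress-controller
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
```

The caveat from the slide matters in practice: the API server accepts these objects on any cluster, but a CNI without policy support silently ignores them. Verify enforcement rather than assuming it, for example by `kubectl exec` into a pod that is not labelled `app: orders` and confirming a connection to the addresses service times out after the policies are applied.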
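The "ServiceAccounts to the Rescue" and "Token Projection for Identity" slides contrast the auto-mounted apiserver bearer token (don't use it as a service credential) with a projected ServiceAccount token scoped to an audience. The manifests below are an added example showing both halves of that exchange, the caller's projected token and the callee's TokenReview check; they are not from the talk. The namespace `shop`, the ServiceAccounts `orders` and `addresses` (the latter assumed to already exist), the container image and the mount path are assumed.

```yaml
# Caller side: the orders ServiceAccount with the legacy token mount disabled.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: orders
  namespace: shop
automountServiceAccountToken: false   # no apiserver-scoped bearer token in the pod
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orders
  namespace: shop
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orders
  template:
    metadata:
      labels:
        app: orders
    spec:
      serviceAccountName: orders
      automountServiceAccountToken: false       # same switch at pod level
      containers:
        - name: orders
          image: registry.example.com/shop/orders:1.0   # assumed image
          volumeMounts:
            - name: addresses-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
      volumes:
        - name: addresses-token
          projected:
            sources:
              - serviceAccountToken:
                  path: addresses-token
                  audience: addresses       # JWT "aud" claim; only the addresses service accepts it
                  expirationSeconds: 600    # kubelet minimum (10 min); kubelet rotates it before expiry
---
# Callee side: let the addresses ServiceAccount ask the apiserver to validate tokens.
# system:auth-delegator is a built-in ClusterRole that grants create on tokenreviews.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: addresses-token-reviewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
  - kind: ServiceAccount
    name: addresses
    namespace: shop
---
# The object the addresses service POSTs to /apis/authentication.k8s.io/v1/tokenreviews
# for every request. Passing audiences makes the apiserver reject tokens minted for
# anyone else, including the legacy apiserver-audience token.
apiVersion: authentication.k8s.io/v1
kind: TokenReview
spec:
  token: "<JWT copied from the caller's Authorization: Bearer header>"
  audiences:
    - addresses
# On a valid token the response's status carries the caller's identity:
#   authenticated: true
#   audiences: ["addresses"]
#   user:
#     username: system:serviceaccount:shop:orders
```

The `username` in the TokenReview response is the value to authorize on (for example, only `system:serviceaccount:shop:orders` may call the read endpoints). Because the token's `aud` is `addresses`, stealing it from the orders pod does not yield apiserver access, which is the exact weakness the "DON'T DO THIS" slide warns about with the default mounted token.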