Securing Microservices with Istio

Dan Berg@dancberg

Lin Sun@linsun_unc

Problem Statement

IT’s shift to a modern distributed architecture has left enterprises unable to monitor, manage or secure their services in a consistent way.

http://istio.io

Introducing Istio

Intelligent Routing and Load Balancing

Control traffic between services with dynamic

route configuration, conduct A/B tests, release

canaries, and gradually upgrade versions using

red/black deployments.

Resilience Across Languages and Platforms

Increase reliability by shielding

applications from flaky networks and

cascading failures in adverse conditions.

Secure Access with Fleet Wide Policy Enforcement

Apply organizational policy to

the interaction between services,

ensure access policies are

enforced and enable secure

communication between

services.

In-Depth Telemetry and Reporting

Understand the dependencies between services, the nature and flow of traffic between them and quickly identify issues with distributed tracing.

Components of Istio

1. Envoy proxy, to mediate all inbound and outbound traffic for all services in the service mesh. Leverages Envoy features such as dynamic service discovery, load balancing, TLS termination, HTTP/2 & gRPC proxying, circuit breakers, health checks, staged rollouts with %-based traffic split, fault injection, and rich metrics.

2. Pilot: Programming envoys and responsible for service discovery, registration and load balancing

3. Istio-Auth provides strong service-to-service and end-user authentication using mutual TLS, with built-in identity and credential management

4. Mixer is responsible for enforcing access control and usage policies across the service mesh and collecting telemetry data from the Envoy proxy and other services.

Our sidecar of choice - Envoy

A C++ based L4/L7 proxy

Low memory footprint

Battle-tested @ Lyft

100+ services

10,000+ VMs

2M req/s

Plus an awesome team willing to work with the community!

Goodies:❖ HTTP/2 & gRPC❖ Zone-aware load balancing w/ failover❖ Health checks, circuit breakers, timeouts, retry

budgets❖ No hot reloads - API driven config updates

Istio’s contributions:❖ Transparent proxying w/ SO_ORIGINAL_DST❖ Traffic routing and splitting❖ Request tracing using Zipkin❖ Fault injection

Putting it all together

svcA

Envoy

Pod

Service A

svcB

Envoy

Service B

Pilot

Control Plane API

Mixer

Discovery & Config data to Envoys

Policy checks, telemetry

Control flow during request processing Istio-Auth

TLS certs to Envoy

Traffic is transparently intercepted and proxied. App is

unaware of Envoy’s presence

HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS

Envoy

HTTP/1.1, HTTP/2, gRPC, TCP with or

without TLS

Internet

Ingress gateway

Istio - Security at Scale

spiffe.io

ResiliencyIstio adds fault tolerance to your application without any changes to code

Resilience features❖ Timeouts❖ Retries with timeout budget❖ Circuit breakers❖ Health checks❖ AZ-aware load balancing w/

automatic failover❖ Control connection pool size and

request load

// Circuit breakers

destination: serviceB.example.cluster.local policy: - tags: version: v1 circuitBreaker: simpleCb: maxConnections: 100 httpMaxRequests: 1000 httpMaxRequestsPerConnection: 10 httpConsecutiveErrors: 7 sleepWindow: 15m httpDetectionInterval: 5m

Resiliency Testing

Systematic fault injection to identify weaknesses in failure recovery policiesHTTP/gRPC error codes

Delay injection

svcA

Envoy

Service A

svcB

Envoy

Service B

svcC

Envoy

Service C

Timeout: 100msRetries: 3300ms

Timeout: 200msRetries: 2400ms

Traffic Splitting

svcA

Envoy

Pod

Service A

svcB

Envoy

Serv

ice

B

http://serviceB.example

Pod Labels: version: v1.5env: us-prod

svcB

Envoy

Pod Labels:version: v2.0-alpha, env:us-staging

serviceB.example.cluster.local

Traffic routing rules

99%

1%

Rules API

Istio-Manager

Traffic control is decoupled from infrastructure scaling

// A simple traffic splitting rule

destination: serviceB.example.cluster.localmatch: source: serviceA.example.cluster.local route: - tags: version: v1.5 env: us-prod weight: 99- tags: version: v2.0-alpha env: us-staging weight: 1

svcA

Service AsvcB

Service Bversion: v1

Pod 3Pod 2

Pod 1

Content-based traffic steering

svcA

Service A

svcB

Service B

version: v1

Pod 3Pod 2

Pod 1

User-agent: *Android*

svcB’

version: canary

Pod 4

User-agent: *iPhone*

Traffic Steering// Content-based traffic steering rule

destination: serviceB.example.cluster.local match: httpHeaders: user-agent: regex: ^(.*?;)?(iPhone)(;.*)?$ precedence: 2 route: - tags: version: canary

Demo Time

Thank You!RedHat

Pivotal

WeaveWorks

Tigera

Datawire

Scytale (SPIFFE)

MicroSoft

Uber (Jaeger)

… and you!

Community Partners