Athenz With Istio Single Access Control Model In Cloud Infrastructures

3.9K Views

February 25, 21

スライド概要

KubeCon + CloudNativeCon North America 2018
https://kccna18.sched.com/event/GrZx/athenz-with-istio-single-access-control-model-in-cloud-infrastructures-tatsuya-yano-yahoo-japan-corporation

profile-image

2023年10月からSpeaker Deckに移行しました。最新情報はこちらをご覧ください。 https://speakerdeck.com/lycorptech_jp

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

(ダウンロード不可)

関連スライド

各ページのテキスト
1.

Athenz with Istio: Single Access Control Model in Cloud Infrastructures

2.

Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio

3.

About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)

4.

Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)

5.

Service Authentication

6.

Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates

7.

Certificate Based Authentication • • • • Every instance / service in your cloud has its own identity Stronger security by Mutual TLS Authentication Zero-trust security Short Lived Certificates

8.

Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda

9.

Bootstrapping Athenz Identity

10.

Authorization

11.

Athenz Data Model

12.

Domain data example (YAML)

13.

Authorization Centralized Access Control

14.

Authorization Decentralized Access Control

15.

Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.

16.

Athenz in Yahoo Japan

17.

How do we integrate with Istio?

18.

Why use Istio? • • • • • Automatic load balancing. Fine-grained control of traffic behavior. A pluggable policy layer and configuration API. Automatic metrics, logs, and traces for all traffic. Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/

19.

Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.

20.

Basics of Istio Mixer

21.

Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/

22.

Example integration: Athenz Istio Mixer adapter

23.

Other use-case: Simplified mTLS authN/Z using Istio/Athenz

24.

Simplified mTLS authN/Z using Istio/Athenz Kubernetes API Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding Setup a watch on namespaces Fetch role/policy information from Athenz https://github.com/yahoo/k8s-athenz-istio-auth Athenz Istio Auth Controller Create/update/delete Istio CRs ServiceRole and ServiceRolebinding based on fetched Athenz data

25.

Prototype Demo

26.

Future plans • Currently • On Premises and AWS Provisioning • Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy

27.

Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: [email protected]

28.

Join Us http://www.athenz.io

29.

Thank you

30.

Q&A