Operationalizing Multi Cluster Istio: Lessons Learned and Developing Ambient Mesh
Kevin Dorosh, Engineer @ Solo.io, Istio Contributor
What this talk will cover
01 Istio Intro
02 Securing traffic
03 Resilience
04 Ambient Mesh
05 Ambient Mesh Demo
06 Brief Multicluster Considerations
Connectivity & communication challenges
Solo.io solves API connectivity & communication challenges
Communication without Istio (diagram: frontend talking directly to backend)
Istio
• Service discovery / Load balancing
• Secure service-to-service communication
• Traffic control / shaping / shifting
• Policy / Intention based access control
• Traffic metric collection
• Service resilience
• API / programmable interface
(diagram: frontend and backend communicating through Istio)
Istio Architecture
https://istio.io/latest/docs/concepts/security/
Secure outbound traffic (diagram: an Application reaching Cloud Services, API Endpoints, and a Malicious website)
Find external services using the Kiali service graph
Find external services using Prometheus
https://istio.io/latest/blog/2019/monitoring-external-service-traffic/
Find external services using Envoy access logging
Enable the sidecar access log on stdout:
spec:
  meshConfig:
    accessLogFile: /dev/stdout
Log for HTTP (from the frontend pod: curl http://httpbin.org/headers):
[2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" "curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any
Log for HTTPS/TCP:
[2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" "54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - -
Create ServiceEntries for external services
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: httpbin-ext
spec:
  hosts:
  - httpbin.org
  ports:
  - number: 80
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
The sidecar now has endpoints for the host:
$ istioctl proxy-config endpoints ratings-v1-fd78f799f-gj8td | grep httpbin
34.199.75.4:80 HEALTHY OK outbound|80||httpbin.org
34.231.30.52:80 HEALTHY OK outbound|80||httpbin.org
54.166.163.67:80 HEALTHY OK outbound|80||httpbin.org
54.91.118.50:80 HEALTHY OK outbound|80||httpbin.org
https://istio.io/latest/docs/reference/config/networking/service-entry/
Block undefined external endpoints
Change outboundTrafficPolicy to REGISTRY_ONLY (diagram: myapp -> envoy sidecar):
spec:
  meshConfig:
    outboundTrafficPolicy:
      mode: REGISTRY_ONLY
NOTE: Traffic can be configured to bypass envoy using annotations:
traffic.sidecar.istio.io/excludeOutboundIPRanges
traffic.sidecar.istio.io/excludeOutboundPorts
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
Direct external traffic thru egress gateways
(diagram: myapp -> envoy sidecar -> Egress GW -> httpbin.org, for curl http://httpbin.org/headers)
• Dedicated traffic exit points
• Only Egress gateways can run on internet enabled nodes
• Meet compliance requirements
• Use Network Policies on workloads to prevent bypassing the egress gateway
https://istio.io/latest/blog/2019/egress-traffic-control-in-istio-part-1/
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
Encrypting traffic (diagram: two frontend/backend pairs, one of them with a fake-backend in the path)
Istio Identity
$ istioctl dashboard envoy productpage-v1-5d9b4c9849-l8jjq.default
http://localhost:15000
Istio mutual TLS mode
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system # can be granular
spec:
  mtls:
    mode: PERMISSIVE # or STRICT
• Change PERMISSIVE to STRICT after onboarding all your workloads to the mesh
• Can be disabled at the port level
(diagram: frontend and backend inside the mesh, Another App outside it)
Verify secure traffic using Kiali
Verify secure traffic using Envoy access logging
Add %DOWNSTREAM_TLS_VERSION% to your access log formatting:
format: "[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %DOWNSTREAM_TLS_VERSION%" %RESPONSE_CODE%
Check the proxy logs:
$ kubectl logs reviews-v1-6549ddccc5-f28vj -c istio-proxy
[2021-03-17T00:52:08.689Z] "GET /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 295 8 7 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3)
Check for envoy listeners
STRICT (only a TLS filter chain on the inbound port):
$ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
0.0.0.0 15006 Trans: tls; Addr: *:9080 Cluster: inbound|9080||
PERMISSIVE (a raw_buffer chain still accepts plaintext):
$ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
0.0.0.0 15006 Trans: tls; App: Istio HTTP Plain; Addr: *:9080 Cluster: inbound|9080||
0.0.0.0 15006 Trans: raw_buffer; Addr: *:9080 Cluster: inbound|9080||
Controlling workload access (diagram: ui, catalog, orders and database services exchanging GET, PUT and POST requests)
AuthorizationPolicy
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "database-viewer"
  namespace: default
spec:
  selector:          # can also target the Ingress Gateway
    matchLabels:
      app: database
  action: ALLOW      # or DENY
  rules:
  - from:
    - source:        # can also support IP blocks
        principals: ["cluster.local/ns/default/sa/myapp-orders"]
    to:              # optional
    - operation:
        methods: ["GET"]
        paths: ["/data"]
(diagram: orders sending a PUT to database)
https://istio.io/latest/docs/reference/config/security/authorization-policy/
Use access logs to create your rules
$ kubectl logs reviews-v2-76c4865449-6wblx -c istio-proxy
Inbound traffic:
[2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 outbound_.9080_._.reviews.default.svc.cluster.local default
Outbound traffic going to ratings:
[2021-03-17T02:29:31.493Z] "GET /ratings/0 HTTP/1.1 -" 200 - "-" "-" 0 48 3 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "a51c2b7b-a8e3-417e-8566-4258b734c287" "ratings:9080" "10.44.0.7:9080" outbound|9080||ratings.default.svc.cluster.local 10.44.0.8:51176 10.56.48.22:9080 10.44.0.8:56738 - default
Annotations on the slide: "method" points at the POST / GET in the request line; "IP of pod sending the request" points at the source address, which you map to a pod with kubectl get pods -o wide.
https://istio.io/latest/docs/tasks/observability/logs/access-log/
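The three slides that read access logs (finding external services, verifying the TLS version, and deriving rules) all parse the same line format by eye. The parser below is an added example, not code from the deck; it embeds constructed copies of the log lines shown on the slides and answers those three questions programmatically, plus the RBAC denial from the debugging slide. It assumes the Istio default access log format of the 1.8/1.9 era (with the %DOWNSTREAM_TLS_VERSION% field the deck adds): only the head and the last eight fields are relied on, because the middle fields changed between releases.

```python
"""Summarise Istio sidecar (Envoy) access log lines the way the slides use them:
external destinations that went through PassthroughCluster and need a ServiceEntry,
whether inbound requests arrived over mTLS, observed method/path pairs per inbound
service as raw material for AuthorizationPolicy rules, and RBAC denials.
Added example, not code from the deck."""
import re
from collections import defaultdict

# Quoted fields (request line, user agent, authority ...) may contain spaces.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(line):
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_access_log(line):
    """Map one line to named fields. Assumption: Istio 1.8/1.9 default format.
    Its head ([START_TIME] "METHOD PATH PROTOCOL [TLS]" CODE) and last eight fields
    (authority, upstream host, upstream cluster, upstream local address, downstream
    local address, downstream remote address, SNI, route name) are stable, while the
    middle changed between releases, so index from both ends."""
    t = tokenize(line)
    if len(t) < 12:
        raise ValueError("not an Envoy access log line: %r" % line)
    req = t[1].split()
    req += ["-"] * (4 - len(req))          # METHOD PATH PROTOCOL TLS (TLS optional)
    cluster = t[-6]
    if cluster.startswith("inbound|"):
        direction = "inbound"
    elif cluster.startswith("outbound|"):
        direction = "outbound"
    elif cluster == "PassthroughCluster":  # ALLOW_ANY egress to an unregistered host
        direction = "external"
    elif cluster == "BlackHoleCluster":    # dropped by REGISTRY_ONLY
        direction = "blocked"
    else:
        direction = "none"                 # e.g. rejected before an upstream was picked
    return {
        "time": t[0].strip("[]"),
        "method": req[0], "path": req[1], "tls": req[3],
        "code": int(t[2]),
        "rbac_denied": "rbac_access_denied" in line,
        "authority": t[-8], "upstream_host": t[-7], "cluster": cluster,
        "downstream_remote": t[-3], "sni": t[-2], "direction": direction,
    }


def external_destinations(entries):
    """(host, port) pairs that left the mesh via PassthroughCluster. HTTP gives the
    :authority host; for raw TCP/TLS only the upstream IP:port is known."""
    found = set()
    for e in entries:
        if e["direction"] == "external":
            ip, port = e["upstream_host"].rsplit(":", 1)
            host = e["authority"].split(":")[0] if e["authority"] != "-" else ip
            found.add((host, int(port)))
    return found


def inbound_tls_report(entries):
    """(authority, method, path, over_tls) per inbound HTTP request. Under STRICT
    every row must be True; '-' means a plaintext caller STRICT would reject."""
    return [(e["authority"], e["method"], e["path"], e["tls"] != "-")
            for e in entries if e["direction"] == "inbound" and e["method"] != "-"]


def candidate_rules(entries):
    """Observed (method, path, caller IP) per inbound service: material for an
    AuthorizationPolicy to.operation block. Map the caller IP to a pod
    (kubectl get pods -o wide) to learn the service account for principals."""
    rules = defaultdict(set)
    for e in entries:
        if e["direction"] == "inbound" and e["code"] < 400:
            caller = e["downstream_remote"].rsplit(":", 1)[0]
            rules[e["authority"]].add((e["method"], e["path"], caller))
    return {svc: sorted(ops) for svc, ops in rules.items()}


def denied_requests(entries):
    """Requests a server sidecar rejected with RBAC, as on the debugging slide."""
    return [(e["time"], e["method"], e["path"], e["authority"], e["downstream_remote"])
            for e in entries if e["rbac_denied"]]


# Constructed sample: the lines from the slides, joined back onto one line each.
SAMPLE_LINES = [
    '[2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" "curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any',
    '[2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" "54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - -',
    '[2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 outbound_.9080_._.reviews.default.svc.cluster.local default',
    '[2021-03-17T02:29:31.493Z] "GET /ratings/0 HTTP/1.1 -" 200 - "-" "-" 0 48 3 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "a51c2b7b-a8e3-417e-8566-4258b734c287" "ratings:9080" "10.44.0.7:9080" outbound|9080||ratings.default.svc.cluster.local 10.44.0.8:51176 10.56.48.22:9080 10.44.0.8:56738 - default',
    '[2021-03-17T19:31:34.595Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "curl/7.52.1" "8510e2fd-53f7-4a5a-95da-8796d90c51a2" "database:9080" "-" - - 10.44.1.8:9080 10.44.0.7:51260 outbound_.9080_._.database.default.svc.cluster.local -',
]

if __name__ == "__main__":
    entries = [parse_access_log(l) for l in SAMPLE_LINES]
    print("external:", external_destinations(entries))
    print("inbound TLS:", inbound_tls_report(entries))
    print("candidate rules:", candidate_rules(entries))
    print("denied:", denied_requests(entries))
```

Feed it `kubectl logs <pod> -c istio-proxy` output line by line; the external set is what you turn into ServiceEntries before switching to REGISTRY_ONLY, and any inbound row showing False is a caller that will break when PeerAuthentication goes STRICT.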
Debugging Authorization Policies
Check what policies are applied on a pod:
$ istioctl x authz check mydatabasepod
ACTION AuthorizationPolicy RULES
ALLOW database-viewer.default 1
ALLOW _anonymous_match_nothing_ 1
Response to caller when denied:
$ curl --request POST database:9080
RBAC: access denied
Access log entry on the server sidecar:
$ kubectl logs mydatabasepod -c istio-proxy
[2021-03-17T19:31:34.595Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "curl/7.52.1" "8510e2fd-53f7-4a5a-95da-8796d90c51a2" "database:9080" "-" - - 10.44.1.8:9080 10.44.0.7:51260 outbound_.9080_._.database.default.svc.cluster.local -
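The AuthorizationPolicy slide and the debugging slide together describe how Istio decides a request: DENY policies are evaluated first, and once a workload has any ALLOW policy, a request that matches no ALLOW rule is rejected with rbac_access_denied_matched_policy[none]. The evaluator below is an added example and not Istio code; it reimplements that documented order for the fields the slides use (source.principals, source.ipBlocks, operation.methods, operation.paths) so the database-viewer policy from the slide can be checked against sample requests before it is applied. Path matching uses fnmatch as a stand-in for Istio's leading/trailing `*` wildcard, and the request dicts are constructed.

```python
"""Toy evaluator of Istio AuthorizationPolicy semantics (DENY first, then ALLOW;
a workload with at least one ALLOW policy rejects anything no ALLOW rule matches).
Added example, not Istio code; covers only the fields the slides use."""
import fnmatch
import ipaddress

# The slide's database-viewer policy, as a YAML loader would hand it over.
DATABASE_VIEWER = {
    "action": "ALLOW",
    "rules": [{
        "from": [{"source": {"principals": ["cluster.local/ns/default/sa/myapp-orders"]}}],
        "to": [{"operation": {"methods": ["GET"], "paths": ["/data"]}}],
    }],
}


def _source_matches(src, req):
    principals = src.get("principals")
    if principals and req.get("principal") not in principals:
        return False            # anonymous or other service account
    blocks = src.get("ipBlocks")
    if blocks:
        ip = ipaddress.ip_address(req["source_ip"])
        if not any(ip in ipaddress.ip_network(b, strict=False) for b in blocks):
            return False
    return True


def _operation_matches(op, req):
    methods = op.get("methods")
    if methods and req["method"] not in methods:
        return False
    paths = op.get("paths")
    # fnmatch stands in for Istio's single leading/trailing '*' wildcard.
    if paths and not any(fnmatch.fnmatchcase(req["path"], p) for p in paths):
        return False
    return True


def _rule_matches(rule, req):
    # A rule matches when any listed source AND any listed operation match;
    # an absent `from` or `to` matches everything.
    froms = rule.get("from", [])
    tos = rule.get("to", [])
    return ((not froms or any(_source_matches(f["source"], req) for f in froms)) and
            (not tos or any(_operation_matches(t["operation"], req) for t in tos)))


def evaluate(policies, req):
    """Return (allowed, reason) for `req` under the policies selecting its workload."""
    for p in policies:
        if p["action"] == "DENY" and any(_rule_matches(r, req) for r in p.get("rules", [])):
            return False, "matched DENY policy"
    allows = [p for p in policies if p["action"] == "ALLOW"]
    if not allows:
        return True, "no ALLOW policy on workload"
    for p in allows:
        if any(_rule_matches(r, req) for r in p.get("rules", [])):
            return True, "matched ALLOW rule"
    return False, "rbac_access_denied_matched_policy[none]"   # what the 403 log line shows


if __name__ == "__main__":
    orders = "cluster.local/ns/default/sa/myapp-orders"
    for req in ({"principal": orders, "method": "GET", "path": "/data"},
                {"principal": orders, "method": "POST", "path": "/data"},
                {"principal": None, "method": "GET", "path": "/data"}):
        print(req["method"], req["path"], "as", req["principal"], "->", evaluate([DATABASE_VIEWER], req))
```

The second case is the slide's `curl --request POST database:9080`: the only ALLOW rule names GET, so the request falls through to the matched_policy[none] denial, which is also why `istioctl x authz check` listing an ALLOW policy is enough to lock out every caller it does not name.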
Request Authentication (diagram: ui, catalog and orders; GET and POST requests carry a JWT)
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: orders
  jwtRules:
  - issuer: "example-provider"
    jwksUri: "https://example-provider.com/jwks.json"
(diagram: ui -> orders with a JWT)
https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/
Improve application resilience (diagram: frontend -> backend)
Timeouts, circuit breaking and rate limiting
Timeout (VirtualService):
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews
spec:
  hosts:
  - reviews
  http:
  - route:
    - destination:
        host: reviews
        subset: v2
    timeout: 0.5s
Circuit breaking (DestinationRule):
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: httpbin
spec:
  host: httpbin
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 1
      http:
        http1MaxPendingRequests: 1
        maxRequestsPerConnection: 1
    outlierDetection:
      consecutive5xxErrors: 1
      interval: 1s
      baseEjectionTime: 3m
      maxEjectionPercent: 100
Local rate limiting (EnvoyFilter; the patch operation and filter name are cut off on the slide):
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: filter-local-ratelimit-svc
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: productpage
  configPatches:
  - applyTo: HTTP_FILTER
    listener:
      filterChain:
        filter:
          name: "envoy.http_connection_manager"
    patch:

          stat_prefix: http_local_rate_limiter
          token_bucket:
            max_tokens: 10
            tokens_per_fill: 10
            fill_interval: 60s

https://istio.io/latest/docs/tasks/traffic-management/request-timeouts/
https://istio.io/latest/docs/tasks/traffic-management/circuit-breaking/
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/
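The numbers in the DestinationRule and EnvoyFilter above are easier to reason about with a model of the two mechanisms they configure. The code below is an added example and not Istio or Envoy code: TokenBucket follows the documented local-rate-limit rule (add tokens_per_fill every fill_interval, never above max_tokens, and refuse a request when no token is left, which Envoy answers with 429), and OutlierTracker follows the consecutive-5xx ejection rule of outlier detection, with the slide's values as defaults. Time is passed in explicitly so runs are deterministic; the 300 s ejection cap is Envoy's documented default and an assumption about the deployed version.

```python
"""Models of the slide's token-bucket rate limit and consecutive-5xx outlier
ejection, with its numbers as defaults. Added example, not Istio/Envoy code."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    max_tokens: int = 10         # from the slide's EnvoyFilter
    tokens_per_fill: int = 10
    fill_interval: float = 60.0  # seconds
    tokens: int = field(init=False)
    last_fill: float = 0.0

    def __post_init__(self):
        self.tokens = self.max_tokens  # the bucket starts full

    def allow(self, now):
        """True if a request at time `now` (seconds) obtains a token."""
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval
        if self.tokens == 0:
            return False  # Envoy answers 429 Too Many Requests
        self.tokens -= 1
        return True


def simulate_burst(requests, spacing):
    """Outcomes of `requests` requests sent `spacing` seconds apart."""
    bucket = TokenBucket()
    return [bucket.allow(i * spacing) for i in range(requests)]


@dataclass
class OutlierTracker:
    """Ejection state of one upstream host under the slide's outlierDetection
    (consecutive5xxErrors: 1, baseEjectionTime: 3m). maxEjectionPercent: 100
    means every host of the service may be ejected at the same time."""
    consecutive_5xx: int = 1
    base_ejection_time: float = 180.0
    max_ejection_time: float = 300.0  # Envoy's default cap (assumption about the version)
    errors: int = 0
    ejections: int = 0
    ejected_until: float = -1.0

    def is_ejected(self, now):
        return now < self.ejected_until

    def record(self, status, now):
        """Feed one response code; return whether the host is ejected afterwards."""
        if status >= 500:
            self.errors += 1
            if self.errors >= self.consecutive_5xx:
                self.ejections += 1
                # Envoy scales the ejection time by the host's ejection count,
                # so a flapping backend stays out of rotation longer each time.
                duration = min(self.base_ejection_time * self.ejections, self.max_ejection_time)
                self.ejected_until = now + duration
                self.errors = 0
        else:
            self.errors = 0
        return self.is_ejected(now)


if __name__ == "__main__":
    print("12 requests in 12 s :", simulate_burst(12, 1.0))   # the last two are refused
    print("12 requests over 66 s:", simulate_burst(12, 6.0))  # refilled at t=60
    host = OutlierTracker()
    print("200 ->", host.record(200, 0.0), "| 503 ->", host.record(503, 1.0),
          "| out at t=100:", host.is_ejected(100.0), "| back at t=181.5:", host.is_ejected(181.5))
```

With max_tokens equal to tokens_per_fill the bucket is simply "10 requests per 60 s window, all of them allowed to arrive at once"; lower max_tokens if that burst is itself the problem. The single-error ejection on the slide is aggressive for a demo: one 503 removes the host for three minutes, and repeated ejections lengthen the penalty.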
Istio Ambient Mesh
Istio - The Industry's Leading Service Mesh
2017: Istio Launched
2019-20: Data Plane Enhancements
2019-2022: 7 New Community Releases
2022: CNCF
2022: Ambient Mesh Launched
1000s Production Customers, ~1000 Community Contributors
Introducing Istio Ambient Mesh
Copyright © 2022
A new, open source contribution to the Istio project, that defines a new sidecar-less data plane.
Solo.io and Google are the lead contributors to Istio Ambient Mesh.
• Cost Reduction
• Simplify Operations
• Improve Performance
What is Istio Ambient Mesh?
(diagram: Istio Sidecar Data Plane, 1 Pod/Container = 1 Proxy, next to the Ambient Mesh Data Plane, 1 Node = 1 Proxy)
Move from a Sidecar Proxy per-pod architecture to a Proxy per-node architecture.
"Making the Mesh Transparent to Applications"
Benefits called out for the Platform Team, Business Owner and Application Team:
● Reduced Compute Cost
● Improve Business Continuity
● Increase Business Flexibility
● Simplified Operations
● Reduced Maintenance
● Simplified Upgrades
● Easier to Add Applications
● Less Day-2-Day Complexity
● Adapt to Application Needs
● Offer SLAs for Applications
● Many Apps = 1 Platform
● Mesh is transparent to Apps
● Applications won't break
● Flexible Performance Available
● Manage Security vs Performance
Istio enables Zero-Trust Security
Istio Security with Sidecar Proxy (diagram: one proxy per pod):
● All traffic goes through Proxy
● Proxy manages mTLS, Identity
● Proxy manages L7 Application Filters | Policies
Istio Security with Ambient Mesh (diagram: an L4 Proxy per node plus a separate L7 Proxy):
● All traffic goes through Proxy
● L4 Proxy manages mTLS, Identity
● L7 Proxy manages L7 Application Filters | Policies
Istio enables Service Mesh flexibility
(diagram: one Istio Control Plane serving both the Istio Sidecar Data Plane, 1 Pod/Container = 1 Proxy, and the Ambient Mesh Data Plane, 1 Node = 1 Proxy)
Cost Flexibility
Operational Flexibility
Performance Flexibility
Architecture: Visualizing ztunnel
HBONE - The protocol used to connect nodes
HTTP Based Overlay Network Encapsulation protocol
source: https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/
Latest Ambient Developments
Rust Ztunnel
source: https://www.solo.io/blog/rust-ztunnel-istio-ambient-mesh/
https://www.semanticscholar.org/paper/A-work-stealing-scheduling-framework-supporting-Wang-Ji/2b956f8fcd744c4aaf8b0aed417f4706cc046545
Ambient Mesh Demo
Multicluster Considerations
Thank You!
Architecting Cloud Native Applications
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls đŸ„° 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 

Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient Mesh.pptx.pdf

  • 1. Operationalizing Multi Cluster Istio: Lessons Learned and Developing Ambient Mesh Kevin Dorosh Engineer @ Solo.io Istio Contributor
  • 2. 01 02 03 04 05 06 2 Istio Intro Securing traffic Resilience Ambient Mesh Ambient Mesh Demo Brief Multicluster Considerations What this talk will cover
  • 4. 4 Solo.io solves API connectivity & communication challenges
  • 6. 6 Istio ‱ Service discovery / Load balancing ‱ Secure service-to-service communication ‱ Traffic control / shaping / shifting ‱ Policy / Intention based access control ‱ Traffic metric collection ‱ Service resilience ‱ API / programmable interface frontend backend Istio
  • 8. 8 Secure outbound traffic Application Cloud Services API Endpoints Malicious website
  • 9. 9 Find external services using the Kiali service graph
  • 10. 10 Find external services using Prometheus https://istio.io/latest/blog/2019/monitoring-external-service-traffic/
  • 11. 11 Find external services using Envoy access logging [2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" "curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any log for HTTP: curl http://httpbin.org/headers [2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" "54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - - log for HTTPS/TCP: spec: meshConfig: accessLogFile: /dev/stdout frontend
12. Create ServiceEntries for external services (continued)

With the ServiceEntry applied, the sidecar resolves httpbin.org over DNS and lists its endpoints under a dedicated outbound cluster instead of the PassthroughCluster:

  $ istioctl proxy-config endpoints ratings-v1-fd78f799f-gj8td | grep httpbin
  34.199.75.4:80     HEALTHY  OK  outbound|80||httpbin.org
  34.231.30.52:80    HEALTHY  OK  outbound|80||httpbin.org
  54.166.163.67:80   HEALTHY  OK  outbound|80||httpbin.org
  54.91.118.50:80    HEALTHY  OK  outbound|80||httpbin.org

Note that this entry only covers plaintext HTTP on port 80. The HTTPS traffic visible in the slide 11 access log needs its own port entry (443, protocol TLS), otherwise it is blocked once the outbound policy is switched to REGISTRY_ONLY on the next slide.

https://istio.io/latest/docs/reference/config/networking/service-entry/
13. Block undefined external endpoints

Change outboundTrafficPolicy from the default ALLOW_ANY to REGISTRY_ONLY. The sidecar (Envoy) then only forwards outbound traffic to hosts it knows from the registry (Kubernetes Services and ServiceEntries); everything else is routed to the BlackHoleCluster, so an HTTP caller gets a 502 instead of reaching the internet through the PassthroughCluster:

  spec:
    meshConfig:
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY

NOTE: This is enforced by the client-side sidecar only. Traffic can be configured to bypass Envoy with the pod annotations
  traffic.sidecar.istio.io/excludeOutboundIPRanges
  traffic.sidecar.istio.io/excludeOutboundPorts
and anything excluded this way (or a pod without a sidecar at all) is not subject to REGISTRY_ONLY.

https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/
14. Direct external traffic through egress gateways

myapp → envoy (sidecar) → Egress GW → httpbin.org   (curl http://httpbin.org/headers)

• Dedicated traffic exit points
• Only the egress gateways need to run on internet-enabled nodes
• Meet compliance requirements: one choke point for allow-listing and audit
• Use Network Policies on workloads to prevent bypassing the egress gateway. Routing through the gateway is sidecar configuration, not an enforcement boundary; without a NetworkPolicy a pod can still open a connection to the internet directly.

https://istio.io/latest/blog/2019/egress-traffic-control-in-istio-part-1/
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway/
16. Istio Identity

Each sidecar holds a certificate whose SPIFFE identity is derived from the pod's ServiceAccount (spiffe://<trust-domain>/ns/<namespace>/sa/<serviceaccount>). Inspect it through the Envoy admin page:

  $ istioctl dashboard envoy productpage-v1-5d9b4c9849-l8jjq.default
  http://localhost:15000
17. Istio mutual TLS mode

  apiVersion: security.istio.io/v1beta1
  kind: PeerAuthentication
  metadata:
    name: default
    namespace: istio-system   # mesh-wide here; can be scoped to a namespace or, with a selector, to a workload
  spec:
    mtls:
      mode: PERMISSIVE   # or STRICT

• PERMISSIVE accepts both mTLS and plaintext, which is why "Another App" without a sidecar can still reach backend while frontend talks mTLS. Change PERMISSIVE to STRICT after onboarding all your workloads to the mesh.
• Can be disabled at the port level (portLevelMtls).
19. Verify secure traffic using Envoy access logging

Add %DOWNSTREAM_TLS_VERSION% to your access log format:

  format: "[%START_TIME%] "%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %DOWNSTREAM_TLS_VERSION%" %RESPONSE_CODE% …

Check the proxy logs:

  $ kubectl logs reviews-v1-6549ddccc5-f28vj -c istio-proxy
  [2021-03-17T00:52:08.689Z] "GET /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 295 8 7 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) …

The version field is only meaningful on inbound (server-side) entries. On outbound entries the downstream is the application's own plaintext hop to its sidecar, so the field shows "-" even when the connection to the peer is mTLS.
20. Check for Envoy listeners

PERMISSIVE: the inbound listener on 15006 has two filter chains for the application port, one for mTLS and a raw_buffer one that accepts plaintext:

  $ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
  0.0.0.0 15006 Trans: tls; App: Istio HTTP Plain; Addr: *:9080  Cluster: inbound|9080||
  0.0.0.0 15006 Trans: raw_buffer; Addr: *:9080                  Cluster: inbound|9080||

STRICT: the raw_buffer chain is gone, so a plaintext caller is rejected at the transport layer:

  $ istioctl pc listener reviews-v1-6549ddccc5-f28vj | grep inbound
  0.0.0.0 15006 Trans: tls; Addr: *:9080  Cluster: inbound|9080||
22. AuthorizationPolicy

  apiVersion: security.istio.io/v1beta1
  kind: AuthorizationPolicy
  metadata:
    name: database-viewer
    namespace: default
  spec:
    selector:                 # optional: omit to apply to every workload in the namespace; can also target the ingress gateway
      matchLabels:
        app: database
    action: ALLOW             # or DENY
    rules:
    - from:
      - source:
          principals: ["cluster.local/ns/default/sa/myapp-orders"]   # sources can also be matched with ipBlocks
      to:
      - operation:
          methods: ["GET"]
          paths: ["/data"]

Diagram: orders → PUT → database. With this policy only GET /data from the myapp-orders ServiceAccount is allowed; the PUT gets a 403, because once any ALLOW policy selects a workload, requests that match none of its rules are denied. Principals are taken from the peer certificate, so principal-based rules only work over mTLS.

https://istio.io/latest/docs/reference/config/security/authorization-policy/
23. Use access logs to create your rules

  $ kubectl logs reviews-v2-76c4865449-6wblx -c istio-proxy

Inbound traffic (a request reaching reviews):

  [2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" "127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 outbound_.9080_._.reviews.default.svc.cluster.local default

Outbound traffic (reviews calling ratings):

  [2021-03-17T02:29:31.493Z] "GET /ratings/0 HTTP/1.1 -" 200 - "-" "-" 0 48 3 2 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" "a51c2b7b-a8e3-417e-8566-4258b734c287" "ratings:9080" "10.44.0.7:9080" outbound|9080||ratings.default.svc.cluster.local 10.44.0.8:51176 10.56.48.22:9080 10.44.0.8:56738 - default

Reading the lines: the method is the first field of the quoted request block; inbound|9080|| marks inbound traffic and outbound|9080||ratings… marks outbound traffic going to ratings; the downstream remote address (10.44.0.9:37276 on the inbound line) is the IP of the pod sending the request, which you map to a pod and its ServiceAccount with kubectl get pods -o wide.

https://istio.io/latest/docs/tasks/observability/logs/access-log/
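As an added example (my code, not from the slides or the Istio project), the parser below reads Istio's default Envoy access log format and pulls out the fields the preceding slides read off by eye: PassthroughCluster destinations to turn into ServiceEntries (slides 11 and 13), the TLS version on inbound entries before switching PeerAuthentication to STRICT (slides 19 and 20), and the source IP / method / path tuples that seed AuthorizationPolicy rules (slide 23). It handles both the 21-field layout on these slides and the 22-field layout with %RESPONSE_CODE_DETAILS% that appears on the next slide. The sample lines are constructed copies of the slide lines with straight quotes; the IPs and request IDs are the slide's, not live data.

```python
"""Added example: parse Istio's default Envoy access log format and extract the fields
the egress, mTLS and authorization slides rely on."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A token is a double-quoted string or a run of non-whitespace, so quoted fields that
# contain spaces (the user agent) stay together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


@dataclass
class AccessLogEntry:
    start_time: str
    method: str
    path: str
    protocol: str
    tls_version: Optional[str]      # None: format lacks %DOWNSTREAM_TLS_VERSION%; "-": plaintext
    response_code: int
    response_flags: str
    response_code_details: Optional[str]
    authority: str
    upstream_host: str
    upstream_cluster: str
    downstream_local: str
    downstream_remote: str
    requested_server_name: str
    route_name: str


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse_access_log(line: str) -> AccessLogEntry:
    toks = TOKEN_RE.findall(line.strip())
    if len(toks) < 21:
        raise ValueError("not an Istio default-format access log line")
    # Quoted request block is "METHOD PATH PROTOCOL [TLS_VERSION]"; TCP entries log "- - -".
    req = _unquote(toks[1]).split()
    # Istio 1.9 logged 21 fields; later formats insert %RESPONSE_CODE_DETAILS% and
    # %CONNECTION_TERMINATION_DETAILS% after the flags (22 fields). The trailing fields are
    # identical in both layouts, so they are indexed from the end.
    details = toks[4] if len(toks) >= 22 and toks[4] != "-" else None
    return AccessLogEntry(
        start_time=toks[0].strip("[]"),
        method=req[0], path=req[1], protocol=req[2],
        tls_version=req[3] if len(req) > 3 else None,
        response_code=int(toks[2]), response_flags=toks[3], response_code_details=details,
        authority=_unquote(toks[-8]), upstream_host=_unquote(toks[-7]),
        upstream_cluster=toks[-6], downstream_local=toks[-4],
        downstream_remote=toks[-3], requested_server_name=toks[-2], route_name=toks[-1],
    )


def is_inbound(e: AccessLogEntry) -> bool:
    # Server-side entries route to an inbound| cluster. When RBAC denies before routing the
    # cluster is "-", but the SNI the client sidecar used for mTLS (outbound_.<port>_._.<svc>)
    # is still recorded and identifies the entry as inbound.
    return e.upstream_cluster.startswith("inbound|") or e.requested_server_name.startswith("outbound_.")


def source_ip(e: AccessLogEntry) -> str:
    return e.downstream_remote.rsplit(":", 1)[0]


def external_destinations(lines: List[str]) -> List[Tuple[str, str]]:
    """Hosts that left the mesh with no ServiceEntry (PassthroughCluster) or that REGISTRY_ONLY
    already dropped (BlackHoleCluster). TLS passthrough has no :authority, so use host:port."""
    found = set()
    for e in map(parse_access_log, lines):
        if e.upstream_cluster in ("PassthroughCluster", "BlackHoleCluster"):
            found.add((e.authority if e.authority != "-" else e.upstream_host, e.upstream_cluster))
    return sorted(found)


def plaintext_inbound(lines: List[str]) -> List[AccessLogEntry]:
    """Inbound requests that arrived without TLS: the callers that break under STRICT.
    Outbound entries are skipped; their downstream is the app's plaintext hop to its sidecar."""
    return [e for e in map(parse_access_log, lines) if is_inbound(e) and e.tls_version == "-"]


def authz_rule_inputs(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source pod IP, method, path) per inbound request; resolve the IP to a pod and its
    ServiceAccount (kubectl get pods -o wide) to get the principal for an ALLOW rule."""
    return sorted({(source_ip(e), e.method, e.path)
                   for e in map(parse_access_log, lines) if is_inbound(e)})


# Constructed sample lines modelled on the slides (straight quotes, one entry per element).
SAMPLE_LOGS = [
    # slide 11: HTTP egress through the PassthroughCluster (21-field layout)
    '[2021-03-17T13:52:48.695Z] "GET /headers HTTP/1.1 -" 200 - "-" "-" 0 2128 63 62 "-" '
    '"curl/7.52.1" "66e67f6d-4fa9-41e1-a103-1078b62221a5" "httpbin.org" "54.91.118.50:80" '
    'PassthroughCluster 10.44.0.7:34694 54.91.118.50:80 10.44.0.7:34692 - allow_any',
    # slide 11: TLS/TCP egress, no :authority (22-field layout)
    '[2021-03-17T13:56:04.611Z] "- - -" 0 - - - "-" 930 5818 153 - "-" "-" "-" "-" '
    '"54.91.118.50:443" PassthroughCluster 10.44.0.7:47868 54.91.118.50:443 10.44.0.7:47866 - -',
    # slide 23: inbound POST on the reviews sidecar, over mTLS
    '[2021-03-17T02:27:18.143Z] "POST /reviews/0 HTTP/1.1 TLSv1.2" 200 - "-" "-" 0 379 29 28 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.90 Safari/537.36" "2dc83abd-71e1-40f5-9a6d-5f02dfceaa78" "reviews:9080" '
    '"127.0.0.1:9080" inbound|9080|| 127.0.0.1:59238 10.44.0.8:9080 10.44.0.9:37276 '
    'outbound_.9080_._.reviews.default.svc.cluster.local default',
    # slide 23: outbound GET from reviews to ratings; "-" TLS version is the app-to-sidecar hop
    '[2021-03-17T02:29:31.493Z] "GET /ratings/0 HTTP/1.1 -" 200 - "-" "-" 0 48 3 2 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_3) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/89.0.4389.90 Safari/537.36" "a51c2b7b-a8e3-417e-8566-4258b734c287" "ratings:9080" '
    '"10.44.0.7:9080" outbound|9080||ratings.default.svc.cluster.local 10.44.0.8:51176 '
    '10.56.48.22:9080 10.44.0.8:56738 - default',
    # slide 24: RBAC denial on the database sidecar (22-field layout, upstream cluster "-")
    '[2021-03-17T19:31:34.595Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" '
    '0 19 0 - "-" "curl/7.52.1" "8510e2fd-53f7-4a5a-95da-8796d90c51a2" "database:9080" "-" - - '
    '10.44.1.8:9080 10.44.0.7:51260 outbound_.9080_._.database.default.svc.cluster.local -',
]
```

If you want the caller's identity in the log directly instead of mapping IPs to pods, add %DOWNSTREAM_PEER_URI_SAN% to the access log format; on inbound mTLS entries it carries the spiffe:// URI from the client certificate, which is exactly the string an AuthorizationPolicy principal expects after the spiffe:// prefix.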
24. Debugging Authorization Policies

Check what policies are applied on a pod:

  $ istioctl x authz check mydatabasepod
  ACTION   AuthorizationPolicy          RULES
  ALLOW    database-viewer.default      1
  ALLOW    _anonymous_match_nothing_    1

Response to the caller when denied:

  $ curl --request POST database:9080
  RBAC: access denied

Access log entry on the server sidecar:

  $ kubectl logs mydatabasepod -c istio-proxy
  [2021-03-17T19:31:34.595Z] "GET / HTTP/1.1" 403 - rbac_access_denied_matched_policy[none] - "-" 0 19 0 - "-" "curl/7.52.1" "8510e2fd-53f7-4a5a-95da-8796d90c51a2" "database:9080" "-" - - 10.44.1.8:9080 10.44.0.7:51260 outbound_.9080_._.database.default.svc.cluster.local -

rbac_access_denied_matched_policy[none] means no rule matched the request: the 403 is the default outcome when ALLOW policies exist for the workload but none of them applies, not a DENY rule firing. A DENY match would name the policy in the brackets instead.
26. Request Authentication

  apiVersion: security.istio.io/v1beta1
  kind: RequestAuthentication
  metadata:
    name: jwt-example
  spec:
    selector:
      matchLabels:
        app: orders
    jwtRules:
    - issuer: "example-provider"
      jwksUri: "https://example-provider.com/jwks.json"

Diagram: ui → (JWT) → orders. RequestAuthentication validates a JWT that is present (signature against the JWKS, issuer, expiry) and rejects an invalid one, but it does not require a token: a request carrying no JWT still passes. To require one, pair it with an AuthorizationPolicy whose rule sets source.requestPrincipals (for example ["*"]).

https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/
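To make the evaluation order behind slides 22 to 26 concrete, here is an added model of how Istio decides one request (my code, not Istio's; the CUSTOM action is left out). It reproduces the slide's database-viewer policy and the 403 with matched_policy[none], and shows why a RequestAuthentication on its own lets token-less requests through while an ALLOW rule on requestPrincipals does not. The no-deletes and require-jwt policies, the reporting ServiceAccount and the example-provider/alice request principal are hypothetical illustrations, not from the slides.

```python
"""Added example: Istio AuthorizationPolicy evaluation for one request (CUSTOM omitted).
DENY policies are checked first, then ALLOW; if ALLOW policies select the workload and
none matches, the request is denied, which is what rbac_access_denied_matched_policy[none] means."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Request:
    principal: Optional[str]                 # peer SPIFFE ID from the client cert; None on a plaintext hop
    method: str
    path: str
    request_principal: Optional[str] = None  # "<iss>/<sub>" of a JWT validated by RequestAuthentication


@dataclass
class Rule:
    # An empty list is unconstrained, the same as omitting the field in YAML.
    principals: List[str] = field(default_factory=list)
    request_principals: List[str] = field(default_factory=list)
    methods: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)


@dataclass
class Policy:
    name: str
    action: str        # "ALLOW" or "DENY"
    rules: List[Rule]  # an ALLOW policy with no rules matches nothing, i.e. deny-all


def _match_value(pattern: str, actual: str) -> bool:
    # Istio string matching: exact, prefix "abc*", suffix "*abc", or presence "*".
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return actual.endswith(pattern[1:])
    return pattern == actual


def _match_any(patterns: List[str], actual: Optional[str]) -> bool:
    if not patterns:
        return True
    # A missing attribute (no client cert, no JWT) satisfies no constraint, not even "*".
    return actual is not None and any(_match_value(p, actual) for p in patterns)


def rule_matches(rule: Rule, req: Request) -> bool:
    return (_match_any(rule.principals, req.principal)
            and _match_any(rule.request_principals, req.request_principal)
            and _match_any(rule.methods, req.method)
            and _match_any(rule.paths, req.path))


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, Optional[str]]:
    """Return (decision, deciding policy). None: no ALLOW policy selects the workload, so the
    request is allowed by default. "none": ALLOW policies exist but nothing matched."""
    for p in (p for p in policies if p.action == "DENY"):
        if any(rule_matches(r, req) for r in p.rules):
            return "DENY", p.name
    allows = [p for p in policies if p.action == "ALLOW"]
    if not allows:
        return "ALLOW", None
    for p in allows:
        if any(rule_matches(r, req) for r in p.rules):
            return "ALLOW", p.name
    return "DENY", "none"


# The slide's policy: only the orders ServiceAccount may GET /data on the database workload.
ORDERS_SA = "cluster.local/ns/default/sa/myapp-orders"
DATABASE_VIEWER = Policy("database-viewer", "ALLOW",
                         [Rule(principals=[ORDERS_SA], methods=["GET"], paths=["/data"])])

# Hypothetical policies for illustration (not on the slides).
NO_DELETES = Policy("no-deletes", "DENY", [Rule(methods=["DELETE"])])
REQUIRE_JWT = Policy("require-jwt", "ALLOW", [Rule(request_principals=["*"])])
```

The plaintext case in the test is the one that bites in PERMISSIVE mode: a caller without a sidecar presents no certificate, so its principal is None and no principal-based ALLOW rule can ever match it, which is one more reason to reach STRICT before relying on AuthorizationPolicy.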
28. Timeouts, circuit breaking and rate limiting

Request timeout (VirtualService):

  apiVersion: networking.istio.io/v1alpha3
  kind: VirtualService
  metadata:
    name: reviews
  spec:
    hosts:
    - reviews
    http:
    - route:
      - destination:
          host: reviews
          subset: v2
      timeout: 0.5s

Circuit breaking (DestinationRule):

  apiVersion: networking.istio.io/v1alpha3
  kind: DestinationRule
  metadata:
    name: httpbin
  spec:
    host: httpbin
    trafficPolicy:
      connectionPool:
        tcp:
          maxConnections: 1
        http:
          http1MaxPendingRequests: 1
          maxRequestsPerConnection: 1
      outlierDetection:
        consecutive5xxErrors: 1
        interval: 1s
        baseEjectionTime: 3m
        maxEjectionPercent: 100

Local rate limiting (EnvoyFilter, excerpt):

  apiVersion: networking.istio.io/v1alpha3
  kind: EnvoyFilter
  metadata:
    name: filter-local-ratelimit-svc
    namespace: istio-system
  spec:
    workloadSelector:
      labels:
        app: productpage
    configPatches:
    - applyTo: HTTP_FILTER
      listener:
        filterChain:
          filter:
            name: "envoy.http_connection_manager"
      patch:
        …
            stat_prefix: http_local_rate_limiter
            token_bucket:
              max_tokens: 10
              tokens_per_fill: 10
              fill_interval: 60s
        …

These are the demonstration values from the Istio tasks, chosen to trip the breakers immediately: maxConnections: 1 and a single 5xx ejecting a host are not production settings, and maxEjectionPercent: 100 allows outlier detection to eject every endpoint of the service.

https://istio.io/latest/docs/tasks/traffic-management/request-timeouts/
https://istio.io/latest/docs/tasks/traffic-management/circuit-breaking/
https://istio.io/latest/docs/tasks/policy-enforcement/rate-limit/
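To show what the numbers above actually do, here is an added deterministic model (my code, not Envoy's or Istio's) of the two stateful knobs on the slide: the local rate limiter's token bucket (max_tokens / tokens_per_fill / fill_interval) and the DestinationRule's consecutive-5xx outlier ejection (consecutive5xxErrors / baseEjectionTime / maxEjectionPercent). Time is an injected number of seconds, the host names reviews-a/reviews-b and a/b/c are hypothetical, and interval-based statistical ejection is not modelled.

```python
"""Added example: models of Envoy's local rate limit token bucket and consecutive-5xx
outlier ejection, driven by an injected clock (seconds) so the behaviour is reproducible."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TokenBucket:
    max_tokens: int
    tokens_per_fill: int
    fill_interval: float
    tokens: int = field(init=False)
    last_fill: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.max_tokens      # the bucket starts full

    def allow(self, now: float) -> bool:
        # Envoy refills in discrete steps: tokens_per_fill every fill_interval, capped at
        # max_tokens. Nothing trickles in between fills, so a burst of max_tokens at t=0 is
        # followed by 429s for the whole remainder of the interval.
        fills = int((now - self.last_fill) // self.fill_interval)
        if fills > 0:
            self.tokens = min(self.max_tokens, self.tokens + fills * self.tokens_per_fill)
            self.last_fill += fills * self.fill_interval
        if self.tokens == 0:
            return False                   # Envoy answers 429 here
        self.tokens -= 1
        return True


@dataclass
class OutlierDetector:
    hosts: List[str]
    consecutive_5xx_errors: int
    base_ejection_time: float
    max_ejection_percent: int
    _consecutive: Dict[str, int] = field(default_factory=dict)
    _ejected_until: Dict[str, float] = field(default_factory=dict)
    _ejections: Dict[str, int] = field(default_factory=dict)

    def healthy_hosts(self, now: float) -> List[str]:
        return [h for h in self.hosts if self._ejected_until.get(h, 0.0) <= now]

    def record(self, host: str, status: int, now: float) -> bool:
        """Feed one response; return True if this response ejected the host."""
        if status < 500:
            self._consecutive[host] = 0    # any non-5xx resets the streak
            return False
        self._consecutive[host] = self._consecutive.get(host, 0) + 1
        if self._consecutive[host] < self.consecutive_5xx_errors:
            return False
        self._consecutive[host] = 0
        ejected_now = len(self.hosts) - len(self.healthy_hosts(now))
        # Envoy caps ejections at maxEjectionPercent of the pool but documents that at least
        # one host can always be ejected. With 100%, as on the slide, the pool can be emptied.
        if ejected_now > 0 and (ejected_now + 1) * 100 > self.max_ejection_percent * len(self.hosts):
            return False
        n = self._ejections.get(host, 0) + 1
        self._ejections[host] = n
        # Ejection lasts baseEjectionTime multiplied by the number of times this host was ejected.
        self._ejected_until[host] = now + self.base_ejection_time * n
        return True
```

The two things worth taking from the model: the bucket refills in steps, so 10 tokens per 60s means ten requests in the first second and nothing until the minute ticks over, and with consecutive5xxErrors: 1 plus maxEjectionPercent: 100 a single bad response per replica is enough to eject the whole service, after which the client sees no healthy upstream at all.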
30. Istio - The Industry's Leading Service Mesh

• 2017: Istio launched
• 2019-20: data plane enhancements
• 2019-2022: 7 new community releases
• 2022: Ambient Mesh launched
• 2022: CNCF
• 1000s of production customers
• ~1000 community contributors
31. Introducing Istio Ambient Mesh

A new, open source contribution to the Istio project that defines a new sidecar-less data plane. Solo.io and Google are the lead contributors to Istio Ambient Mesh.

Cost reduction · Simplify operations · Improve performance

Copyright © 2022
32. What is Istio Ambient Mesh?

Move from a sidecar proxy per pod architecture to a proxy per node architecture, "making the mesh transparent to applications":
• Istio sidecar data plane: 1 pod/container = 1 proxy
• Ambient Mesh data plane: 1 node = 1 proxy

Business owner:
• Reduced compute cost
• Improved business continuity
• Increased business flexibility

Platform team:
• Simplified operations
• Reduced maintenance
• Simplified upgrades
• Easier to add applications
• Less day-to-day complexity
• Adapt to application needs
• Offer SLAs for applications
• Many apps = 1 platform

Application team:
• Mesh is transparent to apps
• Applications won't break
• Flexible performance available
• Manage security vs performance
33. Istio enables zero-trust security

Istio security with sidecar proxy:
• All traffic goes through the proxy
• The proxy manages mTLS and identity
• The proxy manages L7 application filters and policies

Istio security with Ambient Mesh:
• All traffic goes through a proxy
• The L4 proxy (ztunnel, one per node) manages mTLS and identity
• The L7 proxy (a waypoint proxy, deployed per namespace or service account rather than per node) manages L7 application filters and policies

The split matters for the security model: ztunnel terminates mTLS and enforces L4 policy for every workload on its node, and a workload only pays for an L7 proxy when it actually needs L7 policy.
34. Istio enables service mesh flexibility

One Istio control plane runs both data planes side by side:
• Istio sidecar data plane: 1 pod/container = 1 proxy
• Ambient Mesh data plane: 1 node = 1 proxy

Cost flexibility · Operational flexibility · Performance flexibility
37. HBONE - the protocol used to connect nodes

HBONE (HTTP Based Overlay Network Encapsulation) carries workload traffic between ztunnels as an HTTP CONNECT tunnel inside a mutual-TLS connection on port 15008. Every node-to-node hop is therefore authenticated with the workloads' SPIFFE identities and encrypted, while the application sees plain TCP.

source: https://www.solo.io/blog/understanding-istio-ambient-ztunnel-and-secure-overlay/
38. Latest Ambient developments

Rust ztunnel: the per-node L4 proxy, originally built on Envoy, was rewritten in Rust to keep the per-node component small and efficient.

source: https://www.solo.io/blog/rust-ztunnel-istio-ambient-mesh/
https://www.semanticscholar.org/paper/A-work-stealing-scheduling-framework-supporting-Wang-Ji/2b956f8fcd744c4aaf8b0aed417f4706cc046545