SlideShare une entreprise Scribd logo

Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)

T
Torin Sandall

The Istio service mesh provides a highly extensible platform to connect, manage, and secure microservices. Istio’s highly extensible nature is one of the main selling points as it allows you to enforce your own organization-specific policies across large fleets of microservices. At the same time, new technology always has a learning curve, and with all this extensibility and generality the task can be quite daunting. In this talk, Limin Wang (Software Engineer at Google) and Torin Sandall (Technical Lead of the Open Policy Agent project) explain how Istio’s Mixer works and lead a deep dive into Mixer Adapter development. The talk shows (with demos) how the Mixer Adapter model enables custom policy enforcement and how the model is used to integrate third party policy engines like the Open Policy Agent. This talk is targeted at platform engineers interested in using the Istio service mesh to enforce custom policies in their microservices. The talk also provides new ideas about the kinds of policies that can be enforced in Istio today.

Technologie
1  sur  24
Télécharger pour lire hors ligne
Istio’s Mixer: Policy Enforcement with Custom Adapters Limin Wang, Software Engineer, Google Torin Sandall, Software Engineer, Styra
Outline ● Istio and policy (how to enforce your custom policy in Istio) ● Integrate Open Policy Agent to Istio (demo)
What is Istio? An open platform to connect, manage, secure microservices •Istio provides: • Traffic management • Observation • Policy Enforcement • Service Identity and Security • And more … istio.io github.com/istio
Istio Architecture HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Discovery & Config data to Envoys Policy checks, telemetry Control flow during request processing Istio-Auth TLS certs to Envoy
Policies in Istio ● Route rules ○ Load balancing, traffic splitting, request timeout, retry, fault injection ● Quota policies ● Monitoring policies ○ Metrics, logging, tracing ● Security policies ○ Service-to-service mTLS authentication ○ Simple authorization: denier, white/black list, expression language (ABAC)
Policies in Istio (cont.) ● Upcoming security policies ○ Authentication policy ■ Enable/disable mTLS per service ■ End user authentication ○ Authorization policy ■ Role Based Access Control (RBAC) ■ Open Policy Agent ■ Expression language with richer semantics ○ Audit policy
Example Policy (RBAC) kind: ServiceRole apiVersion: config.istio.io/v1alpha2 metadata: name: review-product-viewer namespace: default spec: rules: - services: [“reviews”] methods: [“GET”, “HEAD”] - services: [“products”] paths: [“/books”, “/books/*”] methods: [“GET”, “HEAD”] kind: ServiceRoleBinding apiVersion: config.istio.io/v1alpha2 metadata: name: example-role-binding namespace: default spec: subjects: - name: “istio-ingress-service-account” roleRef: kind: ServiceRole name: review-product-viewer More information on Istio RBAC Design Doc.
Extend Policy System through Mixer ● Mixer is the central point for policy evaluation and extensibility. ● Mixer provides the following core features: ○ Precondition and quota checking (Check) ○ Telemetry reporting (Report) ● Mixer achieves high extensibility by having a general purpose plug-in model - the plug-ins are known as Adapters. Mixer List Memquota Statsd Stackdriver Prometheus Denier
Mixer’s Adapters ● Mixer is an attribute-processing and routing machine. ○ Attributes => Instances => Adapters => (Backends) Envoy Mixer Infra Backends Infra Backends Infra Backends Infra Backends Infra Backends Attributes Backend-Specific Protocols Policy& Config Operator
How to Provide a Custom Adapter ● Determine your adapter type (check/quota/report) ● Determine the runtime input to your adapter ○ Template: adapter input schema ○ You can apply multiple templates ■ Built-in templates, or your custom templates ● Determine how to configure your adapter. ○ Handler: configured adapter ● Determine the business logic for your adapter to handle runtime input. More information on https://github.com/istio/istio/blob/master/mixer/doc/adapters.md
Example: A Toy Adapter Build an adapter to verify a string is present in a list (simplified built-in ListEntry adapter). ● Adapter type: check ● Adapter input: built-in listEntry template ● Adapter configuration: a list of strings. ● How the adapter handles runtime input: looks up the value in a list of strings. ... package listEntry; option (istio.mixer.v1.template.template_variety) = TEMPLATE_VARIETY_CHECK; message Template { // Specifies the entry to verify in the list. string value = 1; }
Steps to Build a Custom Adapter Step 1. Write basic adapter skeleton code (online tutorial or build-in adapters) ... func GetInfo() adapter.Info { return adapter.Info{ Name: "listChecker", Description: "Checks whether a string is in the list", SupportedTemplates: []string{ listentry.TemplateName, }, NewBuilder: func() adapter.HandlerBuilder { return &builder{} }, DefaultConfig: &config.Params{}, } }
Steps to Build a Custom Adapter Step 2. Write adapter configuration. package adapter.listChecker.config; message Params { repeated string list = 1; } Step 3. Validate adapter configuration. func (b *builder) SetAdapterConfig(cfg adapter.Config) { b.conf = cfg.(*config.Params) } func (b *builder) Validate() (ce *adapter.ConfigErrors) { // Check if the list is empty if b.conf.List == nil { ce = ce.Append(“list”, “list cannot be empty”) } return }
Steps to Build a Custom Adapter func (b *builder) Build(context context.Context, env adapter.Env) (adapter.Handler, error) { return &handler{list: b.conf.List}, nil } func (h *handler) HandleListEntry(ctx context.Context, inst *listentry.Instance) (adapter.CheckResult, error) { code := rpc.OK for _, str := range h.list { if inst.Value == str { code = rpc.NOT_FOUND break } } return adapter.CheckResult{ Status: rpc.Status{Code: int32(code)}, }, nil } Step 4. Write business logic for your adapter.
Configure Policy Using Custom Adapter apiVersion: “config.istio.io/v1alpha2” kind: listentry metadata: name: srcVersion spec: value: source.labels[“version”] 1. Create an instance of listentry template. apiVersion: “config.istio.io/v1alpha2” kind: listChecker metadata: name: versionChecker spec: list: [“v1”, “v2”] 2. Create a handler of listChecker adapter. apiVersion: “config.istio.io/v1alpha2” kind: rule metadata: name: checkVersion spec: match: destination.labels[“app”] == “ratings” actions: - handler: versionChecker.listChecker instances: - srcVersion.listentry 3. Create a checkVersion policy istioctl create -f *.yaml 4. Apply the policy!
+ ● Overview: Open Policy Agent ● OPA Adapter ● Demo
•General-purpose policy engine • Offload authorization decisions •Declarative Policy Language (Rego) • Is X allowed to call operation Y on resource Z? •Library or Daemon • In-memory policies and data • Zero runtime dependencies • Implemented in Go •Don’t roll your own authorization engine! Policy (Rego) Data (JSON) Open Policy Agent (OPA)
•Adapter type: Check •Attributes: (authz template) • Subject: map<string, value> • Action: map<string, value> • Standalone adapter • No external dependencies •Fail closed (deny) in case of error(s) • To be configurable in future Envoy Mixer check(attributes) OPA adapter OPA incoming request allow/deny Mixer’s OPA Adapter
apiVersion: config.istio.io/v1alpha2 kind: rule metadata: name: authz spec: actions: - handler: opa-handler instances: - authz-instance Mixer config (1/3): Rule Mixer OPA adapter OPA Istio Config Store istioctl
apiVersion: config.istio/v1alpha2 kind: authz metadata: name: authz-instance spec: subject: user: source.uid | “” action: namespace: target.namespace | “default” service: target.service | “” path: target.path | “” method: request.method | “” Mixer config (2/3): Instance Mixer OPA adapter OPA Istio Config Store istioctl
apiVersion: config.istio.io/v1alpha2 kind: opa metadata: name: opa-handler spec: checkMethod: authz.allow policy: | package authz default allow = false allow { is_read } is_read { input.action.method = “GET” } Mixer config (3/3): Handler Mixer OPA adapter OPA Istio Config Store istioctl
Demo
Conclusion •Use Istio to enforce wide range of policy across your microservices •Plugin framework makes it easy to add adapters • Authorization, quota, telemetry, … •Come join us! • istio-users@googlegroups.com • Istio working groups (Security, Integrations, …) • More information: istio.io, github.com/istio
Questions?

Recommandé

Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLPrabath Siriwardena
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 

Recommandé

Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
OAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLOAuth 2.0 Integration Patterns with XACML
OAuth 2.0 Integration Patterns with XACMLPrabath Siriwardena
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep DiveTorin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaJiangjie Qin
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 
Gatekeeper: API gateway
Gatekeeper: API gatewayGatekeeper: API gateway
Gatekeeper: API gatewayChengHui Weng
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsRunning Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsLightbend
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with PrometheusShiao-An Yuan
 
Architecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash WorkshopArchitecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash WorkshopSudhir Tonse
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Jukka Zitting
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Tizen Web Application Checker
Tizen Web Application CheckerTizen Web Application Checker
Tizen Web Application CheckerRyo Jin
 
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...Ted Chien
 

Contenu connexe

Tendances

Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to VaultKnoldus Inc.
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaJiangjie Qin
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryAndy Robbins
 
Gatekeeper: API gateway
Gatekeeper: API gatewayGatekeeper: API gateway
Gatekeeper: API gatewayChengHui Weng
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsRunning Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsLightbend
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with PrometheusShiao-An Yuan
 
Architecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash WorkshopArchitecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash WorkshopSudhir Tonse
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Jukka Zitting
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionFIWARE
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes NetworkingCJ Cullen
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesMatt Tesauro
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 

Tendances (20)

Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy Agent
 
Nomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Producer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache KafkaProducer Performance Tuning for Apache Kafka
Producer Performance Tuning for Apache Kafka
 
BloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active DirectoryBloodHound: Attack Graphs Practically Applied to Active Directory
BloodHound: Attack Graphs Practically Applied to Active Directory
 
Gatekeeper: API gateway
Gatekeeper: API gatewayGatekeeper: API gateway
Gatekeeper: API gateway
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming ApplicationsRunning Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
Running Kafka On Kubernetes With Strimzi For Real-Time Streaming Applications
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
Architecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash WorkshopArchitecting for the Cloud using NetflixOSS - Codemash Workshop
Architecting for the Cloud using NetflixOSS - Codemash Workshop
 
Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3Oak, the architecture of Apache Jackrabbit 3
Oak, the architecture of Apache Jackrabbit 3
 
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in ProductionKong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
Kong, Keyrock, Keycloak, i4Trust - Options to Secure FIWARE in Production
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
FIWARE Training: API Umbrella
FIWARE Training: API UmbrellaFIWARE Training: API Umbrella
FIWARE Training: API Umbrella
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 

Similaire à Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)

Tizen Web Application Checker
Tizen Web Application CheckerTizen Web Application Checker
Tizen Web Application CheckerRyo Jin
 
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...Ted Chien
 
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverAltitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverFastly
 
Putting microservices on a diet with Istio
Putting microservices on a diet with IstioPutting microservices on a diet with Istio
Putting microservices on a diet with IstioQAware GmbH
 
Backend Development - Django
Backend Development - DjangoBackend Development - Django
Backend Development - DjangoAhmad Sakhleh
 
Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features WSO2
 
Operator SDK for K8s using Go
Operator SDK for K8s using GoOperator SDK for K8s using Go
Operator SDK for K8s using GoCloudOps2005
 
Apache StreamPipes – Flexible Industrial IoT Management
Apache StreamPipes – Flexible Industrial IoT ManagementApache StreamPipes – Flexible Industrial IoT Management
Apache StreamPipes – Flexible Industrial IoT ManagementApache StreamPipes
 
Building Push Triggers for Logic Apps
Building Push Triggers for Logic AppsBuilding Push Triggers for Logic Apps
Building Push Triggers for Logic AppsBizTalk360
 
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...Paul Brebner
 
How to Improve the Observability of Apache Cassandra and Kafka applications...
How to Improve the Observability of Apache Cassandra and Kafka applications...How to Improve the Observability of Apache Cassandra and Kafka applications...
How to Improve the Observability of Apache Cassandra and Kafka applications...Paul Brebner
 
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTechNETFest
 
Observability and its application
Observability and its applicationObservability and its application
Observability and its applicationThao Huynh Quang
 

Similaire à Istio's mixer policy enforcement with custom adapters (cloud nativecon 17) (20)

Tizen Web Application Checker
Tizen Web Application CheckerTizen Web Application Checker
Tizen Web Application Checker
 
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
viWave Study Group - Introduction to Google Android Development - Chapter 23 ...
 
Codeigniter
CodeigniterCodeigniter
Codeigniter
 
Mulesoft lisbon_meetup_asyncapis
Mulesoft lisbon_meetup_asyncapisMulesoft lisbon_meetup_asyncapis
Mulesoft lisbon_meetup_asyncapis
 
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, EverAltitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
Altitude NY 2018: Leveraging Log Streaming to Build the Best Dashboards, Ever
 
About QTP 9.2
About QTP 9.2About QTP 9.2
About QTP 9.2
 
About Qtp_1 92
About Qtp_1 92About Qtp_1 92
About Qtp_1 92
 
About Qtp 92
About Qtp 92About Qtp 92
About Qtp 92
 
Putting microservices on a diet with Istio
Putting microservices on a diet with IstioPutting microservices on a diet with Istio
Putting microservices on a diet with Istio
 
Backend Development - Django
Backend Development - DjangoBackend Development - Django
Backend Development - Django
 
Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features Complex Event Processor 3.0.0 - An overview of upcoming features
Complex Event Processor 3.0.0 - An overview of upcoming features
 
Operator SDK for K8s using Go
Operator SDK for K8s using GoOperator SDK for K8s using Go
Operator SDK for K8s using Go
 
Apache StreamPipes – Flexible Industrial IoT Management
Apache StreamPipes – Flexible Industrial IoT ManagementApache StreamPipes – Flexible Industrial IoT Management
Apache StreamPipes – Flexible Industrial IoT Management
 
Building Push Triggers for Logic Apps
Building Push Triggers for Logic AppsBuilding Push Triggers for Logic Apps
Building Push Triggers for Logic Apps
 
Monitoring with Prometheus
Monitoring with PrometheusMonitoring with Prometheus
Monitoring with Prometheus
 
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...
ApacheCon2019 Talk: Improving the Observability of Cassandra, Kafka and Kuber...
 
How to Improve the Observability of Apache Cassandra and Kafka applications...
How to Improve the Observability of Apache Cassandra and Kafka applications...How to Improve the Observability of Apache Cassandra and Kafka applications...
How to Improve the Observability of Apache Cassandra and Kafka applications...
 
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech
.NET Fest 2018. Антон Молдован. One year of using F# in production at SBTech
 
Observability and its application
Observability and its applicationObservability and its application
Observability and its application
 
ql.io at NodePDX
ql.io at NodePDXql.io at NodePDX
ql.io at NodePDX
 

Dernier

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Dernier (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)

  • 1. Istio’s Mixer: Policy Enforcement with Custom Adapters Limin Wang, Software Engineer, Google Torin Sandall, Software Engineer, Styra
  • 2. Outline ● Istio and policy (how to enforce your custom policy in Istio) ● Integrate Open Policy Agent to Istio (demo)
  • 3. What is Istio? An open platform to connect, manage, secure microservices •Istio provides: • Traffic management • Observation • Policy Enforcement • Service Identity and Security • And more … istio.io github.com/istio
  • 4. Istio Architecture HTTP/1.1, HTTP/2, gRPC, TCP with or without TLS svcA Envoy Pod Service A svcB Envoy Service B Pilot Control Plane API Mixer Discovery & Config data to Envoys Policy checks, telemetry Control flow during request processing Istio-Auth TLS certs to Envoy
  • 5. Policies in Istio ● Route rules ○ Load balancing, traffic splitting, request timeout, retry, fault injection ● Quota policies ● Monitoring policies ○ Metrics, logging, tracing ● Security policies ○ Service-to-service mTLS authentication ○ Simple authorization: denier, white/black list, expression language (ABAC)
  • 6. Policies in Istio (cont.) ● Upcoming security policies ○ Authentication policy ■ Enable/disable mTLS per service ■ End user authentication ○ Authorization policy ■ Role Based Access Control (RBAC) ■ Open Policy Agent ■ Expression language with richer semantics ○ Audit policy
  • 7. Example Policy (RBAC) kind: ServiceRole apiVersion: config.istio.io/v1alpha2 metadata: name: review-product-viewer namespace: default spec: rules: - services: [“reviews”] methods: [“GET”, “HEAD”] - services: [“products”] paths: [“/books”, “/books/*”] methods: [“GET”, “HEAD”] kind: ServiceRoleBinding apiVersion: config.istio.io/v1alpha2 metadata: name: example-role-binding namespace: default spec: subjects: - name: “istio-ingress-service-account” roleRef: kind: ServiceRole name: review-product-viewer More information on Istio RBAC Design Doc.
  • 8. Extend Policy System through Mixer ● Mixer is the central point for policy evaluation and extensibility. ● Mixer provides the following core features: ○ Precondition and quota checking (Check) ○ Telemetry reporting (Report) ● Mixer achieves high extensibility by having a general purpose plug-in model - the plug-ins are known as Adapters. Mixer List Memquota Statsd Stackdriver Prometheus Denier
  • 9. Mixer’s Adapters ● Mixer is an attribute-processing and routing machine. ○ Attributes => Instances => Adapters => (Backends) Envoy Mixer Infra Backends Infra Backends Infra Backends Infra Backends Infra Backends Attributes Backend-Specific Protocols Policy& Config Operator
  • 10. How to Provide a Custom Adapter ● Determine your adapter type (check/quota/report) ● Determine the runtime input to your adapter ○ Template: adapter input schema ○ You can apply multiple templates ■ Built-in templates, or your custom templates ● Determine how to configure your adapter. ○ Handler: configured adapter ● Determine the business logic for your adapter to handle runtime input. More information on https://github.com/istio/istio/blob/master/mixer/doc/adapters.md
  • 11. Example: A Toy Adapter Build an adapter to verify a string is present in a list (simplified built-in ListEntry adapter). ● Adapter type: check ● Adapter input: built-in listEntry template ● Adapter configuration: a list of strings. ● How the adapter handles runtime input: looks up the value in a list of strings. ... package listEntry; option (istio.mixer.v1.template.template_variety) = TEMPLATE_VARIETY_CHECK; message Template { // Specifies the entry to verify in the list. string value = 1; }
  • 12. Steps to Build a Custom Adapter Step 1. Write basic adapter skeleton code (online tutorial or build-in adapters) ... func GetInfo() adapter.Info { return adapter.Info{ Name: "listChecker", Description: "Checks whether a string is in the list", SupportedTemplates: []string{ listentry.TemplateName, }, NewBuilder: func() adapter.HandlerBuilder { return &builder{} }, DefaultConfig: &config.Params{}, } }
  • 13. Steps to Build a Custom Adapter Step 2. Write adapter configuration. package adapter.listChecker.config; message Params { repeated string list = 1; } Step 3. Validate adapter configuration. func (b *builder) SetAdapterConfig(cfg adapter.Config) { b.conf = cfg.(*config.Params) } func (b *builder) Validate() (ce *adapter.ConfigErrors) { // Check if the list is empty if b.conf.List == nil { ce = ce.Append(“list”, “list cannot be empty”) } return }
  • 14. Steps to Build a Custom Adapter func (b *builder) Build(context context.Context, env adapter.Env) (adapter.Handler, error) { return &handler{list: b.conf.List}, nil } func (h *handler) HandleListEntry(ctx context.Context, inst *listentry.Instance) (adapter.CheckResult, error) { code := rpc.OK for _, str := range h.list { if inst.Value == str { code = rpc.NOT_FOUND break } } return adapter.CheckResult{ Status: rpc.Status{Code: int32(code)}, }, nil } Step 4. Write business logic for your adapter.
  • 15. Configure Policy Using Custom Adapter apiVersion: “config.istio.io/v1alpha2” kind: listentry metadata: name: srcVersion spec: value: source.labels[“version”] 1. Create an instance of listentry template. apiVersion: “config.istio.io/v1alpha2” kind: listChecker metadata: name: versionChecker spec: list: [“v1”, “v2”] 2. Create a handler of listChecker adapter. apiVersion: “config.istio.io/v1alpha2” kind: rule metadata: name: checkVersion spec: match: destination.labels[“app”] == “ratings” actions: - handler: versionChecker.listChecker instances: - srcVersion.listentry 3. Create a checkVersion policy istioctl create -f *.yaml 4. Apply the policy!
  • 16. + ● Overview: Open Policy Agent ● OPA Adapter ● Demo
  • 17. •General-purpose policy engine • Offload authorization decisions •Declarative Policy Language (Rego) • Is X allowed to call operation Y on resource Z? •Library or Daemon • In-memory policies and data • Zero runtime dependencies • Implemented in Go •Don’t roll your own authorization engine! Policy (Rego) Data (JSON) Open Policy Agent (OPA)
  • 18. •Adapter type: Check •Attributes: (authz template) • Subject: map<string, value> • Action: map<string, value> • Standalone adapter • No external dependencies •Fail closed (deny) in case of error(s) • To be configurable in future Envoy Mixer check(attributes) OPA adapter OPA incoming request allow/deny Mixer’s OPA Adapter
  • 19. apiVersion: config.istio.io/v1alpha2 kind: rule metadata: name: authz spec: actions: - handler: opa-handler instances: - authz-instance Mixer config (1/3): Rule Mixer OPA adapter OPA Istio Config Store istioctl
  • 20. apiVersion: config.istio/v1alpha2 kind: authz metadata: name: authz-instance spec: subject: user: source.uid | “” action: namespace: target.namespace | “default” service: target.service | “” path: target.path | “” method: request.method | “” Mixer config (2/3): Instance Mixer OPA adapter OPA Istio Config Store istioctl
  • 21. apiVersion: config.istio.io/v1alpha2 kind: opa metadata: name: opa-handler spec: checkMethod: authz.allow policy: | package authz default allow = false allow { is_read } is_read { input.action.method = “GET” } Mixer config (3/3): Handler Mixer OPA adapter OPA Istio Config Store istioctl
  • 22. Demo
  • 23. Conclusion •Use Istio to enforce wide range of policy across your microservices •Plugin framework makes it easy to add adapters • Authorization, quota, telemetry, … •Come join us! • istio-users@googlegroups.com • Istio working groups (Security, Integrations, …) • More information: istio.io, github.com/istio