Cloud_Native_Security_Con-Ztunnel Security.pdf (slide deck, 23 pages)
Slide 1: What's a Zero-Trust Tunnel? Exploring Security and Simpler Operations with Istio Ambient Mesh
solo.io | Copyright 2022

Slide 2: Jim Barton
Engineer, North America, Solo
jameshbarton
jim@solo.io
https:/

Slide 3: Marino Wijay
Platform Advocate, DevRel, Solo
Organizer, KubeHuddle Toronto
Ambassador, EddieHub Inc.
virtualized6ix
marino.wijay@solo.io
https://www.twitch.tv/virtualized6ix
https://marinow.hashnode.dev
https:/

Slide 4: A 30,000 FT overview of Ambient Mesh
(section divider; footer: CONFIDENTIAL, Copyright 2020)

Slide 5: Istio enables Zero-Trust Security
[Diagram: rows of pods (P) each paired with a sidecar proxy, beside rows of pods sharing one L4 proxy per node]
Istio Security with Sidecar Proxy:
- All traffic goes through Proxy
- Proxy manages mTLS, Identity
- Proxy manages L7 Application Filters | Policies
Istio Security with Ambient Mesh (L4 Proxy and L7 Proxy):
- All traffic goes through Proxy
- L4 Proxy manages mTLS, Identity
- L7 Proxy manages L7 Application Filters | Policies

Slide 6: Introducing Istio Ambient Mesh
- Zero Trust Security
- Reduce Costs: Proxy per Node; Multi-Tenant Proxy; Lightweight (L4) Proxy implementation (uProxy, the early name of what became ztunnel)
- Simplify Operations: Mesh is Transparent to Applications; Decouple Proxy from Applications; Simplify Adding new Apps; Simplify App Updates
- Improve Performance: uProxy is L4 vs L7; uProxy can use acceleration in OS (eBPF)

Slide 7: How does Istio ambient work?
- Separate mesh capabilities into L4 and L7
- Adopt only the capabilities you need
- Remove the data plane from the workload (no sidecar)
- Leverage more capabilities in the CNI
- Reduce attack surface of data plane

Slide 8: How does it work (secure overlay only)?
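The "secure overlay only" path from slides 7 and 8 (adopt the L4 capabilities alone, no sidecar, policy keyed on workload identity) expressed as Kubernetes resources. This is an added example, not code from the deck or from the Istio project: the namespace bookinfo, the service accounts productpage and reviews, the app label and port 9080 are assumed for illustration. The istio.io/dataplane-mode label, PeerAuthentication and AuthorizationPolicy are standard Istio resources, but which of them ztunnel enforces has changed across ambient releases, so check the ambient docs for your version before relying on the STRICT setting.

```yaml
# Added example (not from the slide deck or Istio's docs). Namespace,
# service-account names, label and port are assumptions for illustration.

# 1. Enroll the namespace. ztunnel on each node then captures the pods'
#    traffic; no sidecar injection, no pod restart, no Deployment edits
#    (slides 7 and 10: "Don't need to inject Pods / alter deployment resources").
apiVersion: v1
kind: Namespace
metadata:
  name: bookinfo
  labels:
    istio.io/dataplane-mode: ambient
---
# 2. Require mTLS for every workload in the namespace. In ambient the L4
#    proxy (ztunnel) terminates mTLS, so plaintext from outside the mesh is
#    rejected on the node before it reaches the application container.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: bookinfo
spec:
  mtls:
    mode: STRICT
---
# 3. L4 authorization on the reviews workload: only the productpage
#    identity may connect, and only to port 9080. The principal is the
#    SPIFFE identity ztunnel verifies from the peer certificate, so the rule
#    is keyed on identity, not on pod IPs that change on every reschedule.
#    Deliberately no L7 fields (methods, paths, headers): ztunnel does not
#    parse HTTP, so those belong to the waypoint (L7 proxy) on the
#    "secure overlay + L7" slide.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: reviews-l4-allow
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: reviews
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/bookinfo/sa/productpage
    to:
    - operation:
        ports:
        - "9080"
```

Apply with kubectl apply -f. Because the AuthorizationPolicy is an ALLOW policy with a selector, any source that matches none of its rules is denied once the policy exists, which is the identity-keyed least-privilege shape the deck's zero-trust slides argue for. Adding HTTP methods or paths under to.operation would turn it into an L7 rule that only a waypoint proxy can evaluate, so keep L4 and L7 policies separate and verify with your release's docs how ztunnel treats a policy carrying L7 attributes when no waypoint is present.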
Slide 9: How does it work (secure overlay + L7)?

Slide 10: Benefits
- No more race conditions between workload containers and sidecar/init-container, etc.
- Don't need to inject Pods / alter deployment resources
- Upgrades are out of band / transparent to the application
- Limited risk profile for opting into mesh features
- Reduced blast radius of application vulnerabilities
- Cost savings with reduced data plane components
- Maintain isolated tenancy, customization, configuration
- Maintain the foundations of zero-trust network security
- Improved performance

Slide 11: Taking a closer look at Istio Ambient secure-overlay layer
(section divider)

Slide 12: mTLS with Istio Ambient

Slide 13: Authorization Policy with Istio Ambient

Slide 14: How ztunnel gets certificates

Slide 15: How ztunnel gets certificates (continued)

Slide 16: How communication is secured through waypoint proxy

Slide 17: App compromise (ambient)

Slide 18: Smaller exposure for secure overlay/ztunnel

Slide 19: Node compromise (ambient)

Slide 20: Istio Ambient Mesh Demonstration

Slide 21: Recap
- Data plane deployment topology differs from Sidecar
- Improvement in security posture by separating the data plane component from applications
- Ambient reduces the attack surface of the data plane running on the node with workloads for the secure-overlay layer
- The ztunnel component needs to be treated like any other shared-node component (CNI, kubelet, etc.)
- Operational improvements to Istio greatly improve the CVE patching strategy

Slide 22: Want to learn more?
- Download the Free Ambient Book: http://bit.ly/ambient-book
- Come visit Solo.io at Booth G18 in the Exhibit Hall
- Free hands-on workshops: https://academy.solo.io
Thank You!