Automate mTLS communication with GoPay partners with Istio
Vijay Dhama, Gojek; Zufar Dhiyaulhaq, Gojek. Agenda: ● GoPay & Istio ● Before mutual TLS ● Implementing mutual TLS ○ Centralized Certificate
16 pages | 1.45 MB | 1 year ago
Secure your microservices with istio step by step
JianFeng Ding, LuYao Zhong (#IstioCon). Agenda: ● Istio identity ● mTLS in Istio ● Secure ingress traffic ● Authorize ingress traffic ● Authorize in-mesh traffic ● Summary
Snippets: "... generated automatically with Istio identity"; "mTLS in Istio - PeerAuthentication: 1) Apply PeerAuthentication to enable server-side mTLS"; "Using ingress port and ingress host to send request: can access"; "... side and auto-mTLS is on by default. Access productpage"
34 pages | 67.93 MB | 1 year ago
Istio Service Mesh at Enterprise Scale
[Diagram: services such as Payments, Product Info, Book and Order, each behind a sidecar Proxy, on Kubernetes clusters running Istio; service-to-service links labelled mTLS.] ✓ Security ✓ Visibility ✓ Traffic Shaping ✓ Latency ✓ Single Point of Failure. Adoption. Validation Webhooks ● Allow configuration
12 pages | 1.23 MB | 1 year ago
Service mesh security best practices: from implementation to verification
Edge security (Ingress, token exchange): 1. Istio authentication and authorization policies for every service: mTLS to defend against data exfiltration; deny by default. 2. Exchange the external credential (token, cookie, etc.) for an internal token (internal JWT) to defend against token replay attacks. Cluster security best practices: access control (Service 1 to Service 2): 1. Ensure traffic; Verify. Demo: mesh security lifecycle (Sleep and Httpbin, each with a Proxy, in namespace foo, over mTLS). Security lifecycle concepts: Secure, Monitor, Enforce, Verify.
29 pages | 1.77 MB | 1 year ago
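The two steps these two talks describe (apply a PeerAuthentication so the server side only accepts mTLS; put authentication and authorization policy on every service with deny by default) written out as one set of manifests. This is an added example, not from either talk: it assumes the IstioCon demo layout of a sleep client and an httpbin server in namespace foo, each running under a Kubernetes service account of the same name, with httpbin labelled app: httpbin and serving port 8000.

```yaml
# Added example, not the talks' own manifests. Namespace "foo" and the
# workloads "sleep" / "httpbin" with same-named service accounts are assumed.
#
# 1) Server-side mTLS: with STRICT mode the httpbin sidecar rejects any
#    plaintext connection, so a client without a sidecar (or one that cannot
#    present a mesh certificate) cannot reach the workload at all.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# 2) Deny by default: an AuthorizationPolicy with an empty spec and no rules
#    denies every request to every workload in the namespace. Nothing is
#    reachable until an explicit ALLOW policy matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: foo
spec: {}
---
# 3) Explicit allow: only the identity of the sleep workload may call httpbin,
#    and only for the listed GET paths. `principals` is compared with the
#    SPIFFE ID carried in the client certificate, which is why step 1 matters:
#    without mTLS there is no verified principal and this rule never matches.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin-allow-sleep
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/foo/sa/sleep"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/headers", "/ip"]
```

To check the result, a curl from the sleep pod (`kubectl -n foo exec deploy/sleep -c sleep -- curl -s -o /dev/null -w '%{http_code}\n' http://httpbin.foo:8000/headers`) should return 200, a POST or a request for another path from the same pod should return 403, and the same curl from a pod without a sidecar should fail at the TCP/TLS layer rather than reach httpbin. `istioctl x describe pod <httpbin-pod> -n foo` lists the PeerAuthentication and AuthorizationPolicy objects that apply to the workload. A mesh-wide STRICT PeerAuthentication in istio-system is the usual production setting; the namespace-scoped one above is enough for the demo.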
Apache Kafka with Istio on K8s
"... communication using mTLS between all services • Configurable short-lived certificates • On-the-fly certificate renewals with no service downtime • Unified, simplified configuration to enable mTLS for all services"; "... certificate renewal may require client application restarts"; Challenges – Client certificates: • mTLS provided by Istio • Server certificate provided by the Istio Proxy sidecar container • Each Kafka client
14 pages | 875.99 KB | 1 year ago
Using Istio to Build the Next 5G Platform
"... workloads, devices, etc." Encrypting inter-CNF traffic via mutual TLS (mTLS); option to encrypt intra-CNF traffic via mTLS; autonomous PKI service for certificate lifecycle management at scale. What CA. Tuning Istio to Meet 5G Security Requirements: ● Enable ECC certificates ● Configure workload certificate TTLs ● Enable strict mutual TLS (mTLS) instead of auto ● Use dedicated egress gateways
18 pages | 3.79 MB | 1 year ago
Is Your Virtual Machine Really Ready-to-go with Istio?
"... it was a service in your mesh" ■ Traffic redirect and forward ■ Retry, timeout, fault injection, mTLS policies ■ VM service, multicluster Istio mesh support ● Service + Endpoints ○ Usually for internal. V1.6-1.8 Better VM Workload Abstraction: ● Workload Entry ○ single non-Kubernetes workload ○ mTLS using service account ○ works with an Istio ServiceEntry ● Workload Group ○ a collection of non-K8s ... the app) ■ Circuit breaking and outlier detection (reliability) etc. ■ Pervasive security (via mTLS) ■ Extensibility (to cherry-pick extensions) [1] Service Mesh use cases for Telco and Edge – Google
50 pages | 2.19 MB | 1 year ago
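The WorkloadGroup / WorkloadEntry / ServiceEntry trio the slides list, written out as manifests. This is an added example, not from the talk: all names (namespace vm-ns, label app: vm-app, service account vm-app-sa, VM address 10.0.0.12, port 8080) are assumptions, and WorkloadGroup needs Istio 1.8 or later, matching the version range on the slide. The security-relevant part is the serviceAccount field: it is what gives the VM a SPIFFE identity (cluster.local/ns/vm-ns/sa/vm-app-sa) and therefore a mesh certificate for mTLS, so the VM can be referenced in AuthorizationPolicy principals exactly like a pod.

```yaml
# Added example, not the talk's own manifests. Names and addresses are assumed.
#
# WorkloadGroup: template for every VM that joins this app. The serviceAccount
# is the identity the VM's istio-agent will hold; istiod issues its workload
# certificate for spiffe://cluster.local/ns/vm-ns/sa/vm-app-sa.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
metadata:
  name: vm-app
  namespace: vm-ns
spec:
  metadata:
    labels:
      app: vm-app
  template:
    serviceAccount: vm-app-sa
    ports:
      http: 8080
---
# WorkloadEntry: one registered VM. With auto-registration enabled, istiod
# creates these from the WorkloadGroup when the VM's agent connects; it can
# also be declared by hand, as here, for a single non-Kubernetes workload.
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadEntry
metadata:
  name: vm-app-1
  namespace: vm-ns
spec:
  address: 10.0.0.12
  labels:
    app: vm-app
  serviceAccount: vm-app-sa
---
# ServiceEntry: the service that selects the VM workload(s) by label, so that
# mesh clients reach the VM as vm-app.vm-ns.svc.cluster.local and the normal
# retry / timeout / fault-injection / mTLS policies apply to it.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: vm-app
  namespace: vm-ns
spec:
  hosts:
  - vm-app.vm-ns.svc.cluster.local
  location: MESH_INTERNAL
  ports:
  - number: 8080
    name: http
    protocol: HTTP
  resolution: STATIC
  workloadSelector:
    labels:
      app: vm-app
```

The VM-side bootstrap (root cert, bootstrap token, mesh configuration) is generated from the WorkloadGroup with `istioctl x workload entry configure -f <workloadgroup.yaml> -o <dir>` and copied to the machine before istio-agent is started; after that, `kubectl -n vm-ns get workloadentry` should show the VM as registered and `istioctl proxy-status` should list it alongside the pods.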
Istio Security Assessment
"... intended to enforce that all communications to and from the control plane be secured by the service mesh, mTLS, and in particular, no plaintext communication should be possible. This feature was enabled by default ... to represent a production environment, the 'controlPlaneAuthPolicy' is set to 'NONE' instead of 'mTLS':
    mesh: |-
      ...
      defaultConfig:
        controlPlaneAuthPolicy: NONE
      ...
In any case, Istio should not ... plaintext endpoints exposed via its control plane and should enforce all network communications use mTLS (or at minimum, TLS) for communications within the istio-system namespace / control plane. As mentioned ..."
51 pages | 849.66 KB | 1 year ago
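The weak setting the report quotes, next to its corrected form, as an added example that is neither the report's own text nor Istio project code. It assumes the install keeps meshConfig in the `istio` ConfigMap in istio-system (the `data.mesh` block the report's fragment comes from). The field's accepted values are NONE and MUTUAL_TLS, so the corrected value is MUTUAL_TLS; 'mTLS' in the report is shorthand, not a valid enum value. The other fields the report elides with "..." are not filled in here.

```yaml
# Added example, not from the assessment report. Assumes meshConfig lives in
# the "istio" ConfigMap of istio-system; only the field under discussion is shown.
#
# Weak setting (as found in the assessed environment): the proxy is allowed to
# connect to the control plane without mutual TLS, so a plaintext path exists.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    defaultConfig:
      controlPlaneAuthPolicy: NONE
---
# Corrected setting: the proxy must authenticate to the control plane with
# its workload certificate, and the control-plane connection is mTLS.
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    defaultConfig:
      controlPlaneAuthPolicy: MUTUAL_TLS
```

To see the value actually in effect, read the live mesh config rather than the manifest you think was applied: `kubectl -n istio-system get configmap istio -o jsonpath='{.data.mesh}'`. On an IstioOperator-managed install the ConfigMap is reconciled by the operator, so set `spec.meshConfig.defaultConfig.controlPlaneAuthPolicy: MUTUAL_TLS` in the IstioOperator resource instead of editing the ConfigMap directly, or the change will be reverted.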
Accelerate Istio with ebpf
Performance Comparison: refactored Istio benchmarking tool ◦ Two pods run on the same node. Configurations ◦ mTLS enabled ◦ Number of Envoy workers: 2 ◦ Response payload size: 1KB. Latency ◦ 11-17% improvement. Istio
15 pages | 591.60 KB | 1 year ago
Moving large scale consumer e-commerce Infrastructure to Mesh
Takeaways ● Identify the problems and improvements ● POCs for all known use-cases and features, say mTLS, outlier detection etc. ● Passthrough mode downgrades gRPC/HTTP2 protocol to HTTP/1.1 ● Tune connection
14 pages | 1.76 MB | 1 year ago
19 results in total.