8 Istio Security: Effortlessly secure


This chapter covers:

  • End-user and service-to-service authentication and authorization
  • How Istio uses the SPIFFE specification for issuing identities to workloads
  • How auto mTLS is implemented
  • Handling service-to-service authentication and authorization within the service mesh
  • Handling end-user authentication and authorization

In the previous chapters, we learned how to get traffic securely into the cluster and put into practice the benefits of adopting a service mesh, which injects high-level networking capabilities into the service proxies, enabling features such as monitoring, tracing, resiliency, and fine-grained control over how ingress traffic is routed to our workloads. Another capability provided out of the box is being “secure by default”, which improves developer productivity and greatly increases security by protecting against eavesdropping, man-in-the-middle attacks, replay attacks, and similar threats.

In this chapter, we’ll see what it means to be “secure by default”, how it works, how service-to-service and end-user authentication are implemented, and the access control we have over services in the service mesh. But before getting to the features, we’ll take a refresher on security topics and investigate how the landscape shifted in the move from monolithic applications to microservice-based ones.

8.1  Application Security refresher


8.1.1  Traffic encryption via TLS and End-user authentication


8.1.2  Service to service authentication


8.1.3  Authorization


8.1.4  Comparison of security in Monoliths and Microservices


8.2  SPIFFE - Secure Production Identity Framework for Everyone


8.2.1  SPIFFE ID - Workload Identity


8.2.2  Workload API


8.2.3  Workload Endpoint


8.2.4  SPIFFE Verifiable Identity Document


8.2.5  How Istio implements SPIFFE


8.2.6  Step by step bootstrapping of Workload Identity


8.3  Auto mTLS in Action


8.3.1  Reset our workspace


8.3.2  Setting up the environment


8.3.3  Understanding Istio’s Peer Authentication resource


8.4  Authorizing Service to service traffic


8.4.1  Understanding Authorization in Istio
