9 Securing microservice communication

This chapter covers

  • Handling service-to-service authentication and authorization in the service mesh
  • Handling end-user authentication and authorization

In chapter 4, we covered admitting traffic into the mesh, including some ways to secure that traffic. Here, we take a closer look at transparently improving the security posture of a services-based architecture by using the capabilities of the service mesh.

Istio is secure by default. In this chapter, we see what that means, how it works, how service-to-service and end-user authentication are implemented, and what access control we have over services in the service mesh. Before getting to the features, we give a brief refresher on security topics; see appendix C for more detailed information about how security works in Istio.

9.1 The need for application-networking security

Application security comprises all the activities that protect application data of critical value from being compromised, stolen, or otherwise accessed by an unauthorized user. To protect user data, we need the following:

  • Authentication and authorization of the user before allowing access to a resource
  • Encryption of data in transit, so that it cannot be eavesdropped on as it passes through the many networking devices between the service and the client requesting the data

9.1.1 Service-to-service authentication

9.1.2 End-user authentication

9.1.3 Authorization

9.1.4 Comparison of security in monoliths and microservices

9.1.5 How Istio implements SPIFFE

9.1.6 Istio security in a nutshell

9.2 Auto mTLS

9.2.1 Setting up the environment

9.2.2 Understanding Istio’s PeerAuthentication resource

9.3 Authorizing service-to-service traffic

9.3.1 Understanding authorization in Istio

9.3.2 Setting up the workspace

9.3.3 Behavior changes when a policy is applied to a workload