12 Securing microservices with Istio service mesh

This chapter covers

  • Terminating TLS at the Istio Ingress gateway
  • Securing service-to-service communications with mTLS in an Istio environment
  • Securing service-to-service communications with JWT in an Istio environment
  • Enforcing RBAC with Istio
  • Managing keys in an Istio deployment

In chapter 6, we discussed how to secure service-to-service communications with certificates, and in chapter 7 we extended that discussion to use JWTs to secure service-to-service communications. Then in chapters 10 and 11, we discussed how to deploy a set of microservices as Docker containers in Kubernetes and how to secure service-to-service communications with JWT over mTLS. In all of these cases, each microservice by itself had to take care of security processing; in other words, each microservice embedded a set of Spring Boot libraries to do that security processing. This violates one key aspect of microservices architecture, the single responsibility principle, under which a microservice should perform only one particular function.

12.1 Setting up the Kubernetes deployment

12.1.1 Enabling Istio autoinjection

12.1.2 Clean up any previous work

12.1.3 Deploying microservices

12.1.4 Redeploying Order Processing and STS as NodePort Services

12.1.5 Testing end-to-end flow

12.2 Enabling TLS termination at the Istio Ingress gateway

12.2.1 Deploying TLS certificates to the Istio Ingress gateway

12.2.2 Deploying VirtualServices

12.2.3 Defining a permissive authentication policy

12.2.4 Testing end-to-end flow

12.3 Securing service-to-service communications with mTLS

12.4 Securing service-to-service communications with JWT

12.4.1 Enforcing JWT authentication

12.4.2 Testing end-to-end flow with JWT authentication

12.4.3 Peer authentication and request authentication

12.4.4 How to use JWT in service-to-service communications

12.4.5 A closer look at JSON Web Key

12.5 Enforcing authorization