KubeCon + CloudNativeCon North America 2018

Athenz with Istio Single Access Control Model in Cloud Infrastructures

1. Athenz with Istio: Single Access Control Model in Cloud Infrastructures
2. Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
3. About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
4. Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
5. Service Authentication
6. Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
7. Certificate Based Authentication • • • • Every instance / service in your cloud has its own identity Stronger security by Mutual TLS Authentication Zero-trust security Short Lived Certificates
8. Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda
9. Bootstrapping Athenz Identity
10. Authorization
11. Athenz Data Model
12. Domain data example (YAML)
13. Authorization Centralized Access Control
14. Authorization Decentralized Access Control
15. Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
16. Athenz in Yahoo Japan
17. How do we integrate with Istio?
18. Why use Istio? • • • • • Automatic load balancing. Fine-grained control of traffic behavior. A pluggable policy layer and configuration API. Automatic metrics, logs, and traces for all traffic. Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
19. Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
20. Basics of Istio Mixer
21. Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
22. Example integration: Athenz Istio Mixer adapter
23. Other use-case: Simplified mTLS authN/Z using Istio/Athenz
24. Simplified mTLS authN/Z using Istio/Athenz Kubernetes API Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding Setup a watch on namespaces Fetch role/policy information from Athenz https://github.com/yahoo/k8s-athenz-istio-auth Athenz Istio Auth Controller Create/update/delete Istio CRs ServiceRole and ServiceRolebinding based on fetched Athenz data
25. Prototype Demo
26. Future plans • Currently • On Premises and AWS Provisioning • Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
27. Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: tatyano@yahoo-corp.jp
28. Join Us http://www.athenz.io
29. Thank you
30. Q&A