Athenz with Istio: Single Access Control Model in Cloud Infrastructures
Agenda • What is Athenz? • Service Authentication • Authorization • Multi-cloud in Yahoo Japan • How do we integrate with Istio? • Why Istio? • Benefit of using Athenz with Istio
About • Tatsuya Yano • Platform Developer, Yahoo Japan Corporation • Contributor to Athenz • Open Source Summit Japan (https://sched.co/FDjp)
Athenz: Open Source System Created by Yahoo Inc. • Service Authentication • Provide secure identity in the form short lived x.509 certificate to every workload / service in modern environments • Authorization • Provides fine-grained Role Based Access Control (RBAC)
Authentication • User Authentication • AD / LDAP / Kerberos / etc • Service Authentication • Instances within a service with a unique identity to enable secure communication • IP / Networks ACLs / iptable • Headless/Automation users • Shared secrets • Mutual TLS with x.509 certificates
Certificate Based Authentication • • • • Every instance / service in your cloud has its own identity Stronger security by Mutual TLS Authentication Zero-trust security Short Lived Certificates
Copper Argos • Generalized model for authorized service providers to launch other service identities in an authorized way through a callback-based verification model. Providers OpenStack Amazon EC2 Kubernetes AWS ECS Screwdriver AWS Lambda
Bootstrapping Athenz Identity
Domain data example (YAML)
Authorization Centralized Access Control
Authorization Decentralized Access Control
Advantages of Athenz • To provide service identity X.509 certificates for services running in common providers like Kubernetes, OpenStack or AWS that can be used for mutual TLS authentication. • To have precise and frequently configurable access controls with single source of truth.
Athenz in Yahoo Japan
How do we integrate with Istio?
Why use Istio? • • • • • Automatic load balancing. Fine-grained control of traffic behavior. A pluggable policy layer and configuration API. Automatic metrics, logs, and traces for all traffic. Secure service-to-service communication. Referred from: https://istio.io/docs/concepts/what-is-istio/
Benefits of using Athenz with Istio • Istio is in CNCF landscape. • Service mesh strongly supports microservices architecture. + • Athenz enables single access control model in multi cloud.
Basics of Istio Mixer
Example integration: Athenz Istio Mixer adapter Referred from: https://istio.io/blog/2017/adapter-model/
Example integration: Athenz Istio Mixer adapter
Other use-case: Simplified mTLS authN/Z using Istio/Athenz
Simplified mTLS authN/Z using Istio/Athenz Kubernetes API Athenz Istio Auth Controller translates Athenz defined roles/policies into Istio CRs - ServiceRole and ServiceRolebinding Watch ServiceRole and ServiceRoleBinding Setup a watch on namespaces Fetch role/policy information from Athenz https://github.com/yahoo/k8s-athenz-istio-auth Athenz Istio Auth Controller Create/update/delete Istio CRs ServiceRole and ServiceRolebinding based on fetched Athenz data
Future plans • Currently • On Premises and AWS Provisioning • Planned • Provide Athenz servers with Docker images • Helm charts • Productionize Athenz x509 certificate provisioning • Productionize the authorization flow using Istio Envoy
Resources • Website : http://www.athenz.io • Github: https://github.com/yahoo/athenz • Slack Channel: https://athenz.slack.com/ • Discussion Group: • Google Group: Athenz-Users • Questions or Comments: • Tatsuya Yano: firstname.lastname@example.org
Join Us http://www.athenz.io