Secure Istio Gateway Traffic with TLS Encryption on Amazon EKS

Lukonde Mwila

In this video, I discuss and demonstrate how you can mitigate the risks of network interception attacks by encrypting the traffic that comes into the Istio service mesh with TLS. This video is a follow-up to a previous video titled Using Istio Gateway to Route Traffic to Microservices on Amazon EKS (link provided below).
A single point of entry is more secure than multiple entries into your Kubernetes cluster, but there are still other security risks to be aware of and address, like network traffic interception. I'll walk you through a modification of the previous solution, which entails swapping out the Classic Load Balancer controlled by the Istio ingress gateway with an Application Load Balancer controlled by the AWS Load Balancer controller. This ALB has an ACM public TLS/SSL certificate attached to it for encrypted traffic between clients and the load balancer. In addition, the Istio ingress gateway service is updated (from LoadBalancer to NodePort) and has a self-signed certificate attached to it to secure traffic between the ALB and the ingress gateway. This will ensure that traffic entering the mesh from outside of the cluster is encrypted and secured.
#kubernetes #istio #servicemesh
Previous Video: • Using Istio Gateway to...
AWS Load Balancer Controller: kubernetes-sigs.github.io/aws...
Managing Sensitive Data in Kubernetes with Sealed Secrets and External Secrets Operator (ESO): • Managing Sensitive Dat...
Timestamps:
00:00 - Introduction
00:52 - Securing the Istio ingress gateway
01:04 - Network traffic interceptions
02:00 - Basic overview of TLS/SSL encryption and interaction between client and server
03:30 - Walk-through/overview of new solution architecture with AWS ACM certificate, ALB created by AWS Load Balancer controller, and updated Istio ingress gateway
06:43 - Walk-through of ALB ingress and Istio gateway resources
11:28 - Demo
Other resources:
aws.amazon.com/blogs/containe...
Connect:
GitHub: github.com/LukeMwila
Twitter: / luke9ine
Medium: / outlier.developer
LinkedIn: / lukonde-mwila-25103345
If you found this video helpful, please like the video and subscribe to the channel!
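
The two resources named in the description (the ALB ingress and the Istio gateway) could be written as follows. This is an added example, not the manifests used in the video; the resource names, hostname, Secret name and bracketed placeholders are assumptions, and `istio-ingressgateway` is the default Istio service name.

```yaml
# Added example: names, hostname and <PLACEHOLDERS> are assumptions, not from the video.
# Ingress reconciled by the AWS Load Balancer Controller: the ALB terminates
# client TLS with the ACM certificate, then re-encrypts to the gateway NodePort.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-alb                      # hypothetical name
  namespace: istio-system
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: instance        # targets are node ports
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: "<ACM_CERTIFICATE_ARN>"
    # TLS on the ALB -> gateway hop. The ALB does not validate the target's
    # certificate, so a self-signed one is accepted: this hop is encrypted,
    # but the gateway is not authenticated to the ALB.
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    # Health check on the gateway status port (15021); its NodePort is cluster-specific.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/healthcheck-port: "<STATUS_PORT_NODEPORT>"
    alb.ingress.kubernetes.io/healthcheck-path: /healthz/ready
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway   # default Istio service, type NodePort
                port:
                  number: 443
---
# Istio Gateway serving TLS with the self-signed certificate.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: app-gateway                    # hypothetical name
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port: {number: 443, name: https, protocol: HTTPS}
      tls:
        mode: SIMPLE
        credentialName: gateway-selfsigned-tls   # hypothetical kubernetes.io/tls Secret
      hosts: ["app.example.com"]       # placeholder host
```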

Comments: 6
@ranrubin7377 2 months ago
Thanks for the video, I'm new to Istio and it's very helpful. You've changed the Istio ingress controller service to NodePort and created another service of LoadBalancer. Why not change the Istio ingress controller service to LoadBalancer with ALB annotation and avoid the need for another service?
@rajasundra 1 year ago
Thanks for your video, I got a clear understanding. I just have a doubt: from ALB to Istio Gateway, openssl is used. Is that fine, or do we have to use the public certificate?
@TimHavens 1 year ago
I've enjoyed many of your videos recently, as I'm working on a similar topic. I feel like I've just missed something obvious, but question: is the code you used for this example posted online?
@LukondeMwila 1 year ago
Hi Tim, thanks a lot for the feedback. I haven't yet done so. I'll respond to this comment again once I have the repo with source code up.
@bellaj7165 1 year ago
Hello. Thanks for the information. But if you don't mind, I wonder one thing about TLS communication from the ALB to the ingress gateway, on which the self-signed certificate is set. Actually, ALB instances don't have any CA certs to verify the self-signed certificate. How do they communicate?
@DamienMalakay 1 year ago
Great video, but the guy clearly doesn't reply on his content. I see 2 comments below and still no reply.