Security with Istio: Using Authorization Policies

Views: 3,792

Lukonde Mwila

Day ago

When securing your container workloads in Kubernetes, it's important to have defence in depth, which means having layers of security. As important as it is to have mTLS enabled in the Istio service mesh, you should also implement access control between services. To do this in Istio, you use Authorization Policies. After we've validated the identity of a service, we should check whether it's permitted to carry out the desired action when communicating with another service. With Istio Authorization Policies, you can define access control rules at different scopes: the entire mesh, a specific namespace, or a specific workload, depending on your use case. The Envoy sidecar proxy is what actually enforces the policy: when it intercepts an incoming request, it uses the Istio Authorization Policy to verify that the sender has the right permissions to execute the operation.
In this video, I'll show you how to use Istio Authorization Policies.
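The three scopes described above, as an added configuration example that is not taken from the video or its repositories. The namespace `shop`, the workload label `app: orders`, the service account `frontend` and the paths are assumed names; `istio-system` is Istio's default root namespace and `cluster.local` its default trust domain.

```yaml
# Added example. Names (shop, orders, frontend) are assumptions.
# Older Istio releases serve this API as security.istio.io/v1beta1.
#
# 1. Mesh scope: no selector, placed in the root namespace.
#    An ALLOW policy with no rules matches nothing, so every
#    request in the mesh is denied unless another policy allows it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: mesh-default-deny
  namespace: istio-system
spec: {}
---
# 2. Namespace scope: no selector, so it covers every workload in "shop".
#    DENY is evaluated before ALLOW; this rejects any peer that did not
#    present an mTLS identity (no principal), whatever ALLOW rules exist.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-mtls-identity
  namespace: shop
spec:
  action: DENY
  rules:
  - from:
    - source:
        notPrincipals: ["*"]
---
# 3. Workload scope: the selector limits the policy to pods labelled
#    app=orders. Only the frontend service account may call it, and only
#    with the listed methods and paths.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

Because ALLOW policies are additive, keep the broad scopes restrictive (default deny, DENY rules) and grant access only in workload-scoped policies; with policy 1 in place, every other service needs its own ALLOW policy before it receives traffic.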
#kubernetes #istio #servicemesh
Timestamps:
00:00 - Introduction
00:15 - Authentication (AuthN) vs Authorization (AuthZ)
00:21 - Authorization (AuthZ) explained
00:50 - Overview of using Istio Authorization policies for secure communication between services in Istio
01:51 - Demo on how to implement Istio Authorization Policies for microservice workloads in Kubernetes
Repositories with source code:
github.com/LukeMwila/istio-ga...
github.com/LukeMwila/microser...
Other relevant videos:
Using Istio Gateway to Route Traffic to Microservices on Amazon EKS - • Using Istio Gateway to...
Secure Istio Gateway Traffic with TLS Encryption on Amazon EKS - • Secure Istio Gateway T...
How to Configure mTLS in Istio for Secure Kubernetes Workload Communication - • How to Configure mTLS ...
Connect:
GitHub: github.com/LukeMwila
Twitter: / luke9ine
Medium: / outlier.developer
LinkedIn: / lukonde-mwila-25103345
If you found this video helpful, please like the video and subscribe to the channel!

Comments: 3
@vibales 5 months ago
Great example, finally got my project working 🎉
@matc8085 6 months ago
Your content is superb
@domw2391 8 months ago
What protocol do you use for communication between services? REST or gRPC?