Move Auth, Policy, and Resilience to the Platform

ceposta 169 views 61 slides Jun 25, 2024

About This Presentation

Developer's time is the most crucial resource in an enterprise IT organization. Too much time is spent on undifferentiated heavy lifting and in the world of APIs and microservices much of that is spent on non-functional, cross-cutting networking requirements like security, observability, and res...


Slide Content

1 | Copyright © 2022
Reducing Developer Overload:
Moving Auth, Policy, and Resilience to the Platform

2 | Copyright © 2022
CHRISTIAN POSTA
VP, Global Field CTO, Solo.io
@christianposta
[email protected]
/in/ceposta

3 | Copyright © 2022
https://solo.io

4 | Copyright © 2022
Digital Experiences… Driven by APIs and Services

5 | Copyright © 2022
Silos - Conway’s Law

6 | Copyright © 2022
“Ticket Ops” to Drive Changes to APIs and Services

7 | Copyright © 2022
Platform Engineering
Platform engineering:
●Cross-functional team
●Infrastructure integration
●Golden paths for delivery
●Internal Dev Portals
●Tenancy for teams
Platform engineering outcomes:
●Accelerate business value
●Improve efficiencies
●Increase compliance
●Reduce costs/lock-in

8 | Copyright © 2022
You don’t start with pipes, electrical, doors
and locks, but eventually you need them.

9 | Copyright © 2022
Internal Developer Platforms are like a House

10 | Copyright © 2022
Foundations
●Kubernetes / containers
●Microservices architecture
●Public cloud
●CI / CD / ArgoCD / GitOps
●Platform orchestration
●Metric collection (CPU, Network, Memory)

11 | Copyright © 2022
Platform Strategy

12 | Copyright © 2022
T-Mobile: 25% of time spent on non-functional reqs;
75% incidents caused by network misconfiguration

13 | Copyright © 2022
The platform is not finished.
We need to modernize networking.

14 | Copyright © 2022
Outdated Assumptions and Network Control

15 | Copyright © 2022
Policy Bit Rot

16 | Copyright © 2022
Policy Bit Rot

17 | Copyright © 2022

18 | Copyright © 2022
Inefficiencies and Bottlenecks

19 | Copyright © 2022
Build it into the Code!

20 | Copyright © 2022
JWT Unravels your API Gateway!

21 | Copyright © 2022
Modern Networking Needs for Internal Dev Platform
●Distributed implementation
●Declarative configuration
●Standard interfaces/integration
●Dynamic configuration
●Fine-grained, request-level auth/rate limit/policy enforcement
●Traffic control, circuit breaking, routing
●Metrics, logging, distributed tracing

22 | Copyright © 2022
The House is not Finished!

23 | Copyright © 2022
Finishing the house

24 | Copyright © 2022
You need Plumbing, Electrical, Locks on Doors, etc

25 | Copyright © 2022
Modern Networking Solves Auth, Policy, Resilience
●Locks on doors
○zero-trust, workload/request authentication,
authorization, policy enforcement
●Air conditioning / thermostat
○load balancing, timeouts, retries, circuit breaking
●Electrical / Piping
○traffic control, load balancing, routing
●CO, fire, smoke detectors, cameras
○metrics, distributed tracing, logging

26 | Copyright © 2022
Application Networking

27 | Copyright © 2022
Istio Service Mesh
https://istio.io
●mTLS, mutual authentication, encryption
●Network, L7 observability
●Traffic control, resilience, failover
●Blue-green, canary release
●Driven by declarative configuration

28 | Copyright © 2022
Istio Ambient Mode
A sidecar-less implementation of Istio Service Mesh
Production ready as of Istio 1.22 (May 2024)
●Improve Performance
●Simplify Operations
●Cost Reduction
https://istio.io/latest/blog/2022/introducing-ambient-mesh/

29 | Copyright © 2022
Demo

30 | Copyright © 2022
Istio Ambient Mode
Pure L4 mode only, no L7

31 | Copyright © 2022
Istio Ambient Mode

32 | Copyright © 2022
Istio Ambient Mode
L7 goes through “waypoint” proxy, in the network;
L7 policies (retry, traffic splitting, canary, fine-grained authz, etc) applied here.

33 | Copyright © 2022
Istio Ambient Mode
L7 goes through “waypoint” proxy (Envoy), in the network;
Deploy multiple replicas of proxy for traffic sizing, high availability, etc.

34 | Copyright © 2022
Service Mesh For Less!

35 | Copyright © 2022
Istio Ambient Mode
https://bit.ly/ambient-book

36 | Copyright © 2022
Auth, Policy, and Resilience

37 | Copyright © 2022
CASE STUDY
From Zero to 4th Largest Bank in Singapore within 2 Years Requires Trust
Location: Singapore
Region: APJ
Industry: Digital Banking
Revenue: Approaching $1B

A Joint Venture between a Top 3 Bank in the UK (Operating in Asia) and Singapore's Largest Loyalty Program launched one of Singapore's first Digital Native Banks. The ambitious growth goals for the bank meant there was no time to waste selecting the technologies that would underpin the business.

Regulators in Singapore keep strong standards on financial institutions, including the need to maintain a 99.95% uptime or greater as well as ensuring strong security across the bank's infrastructure.

With the help of Solo.io and Gloo, the bank was able to onboard 100K customers in the first 10 days of operating.

Business Goals
Key tenets of the modernization initiative:
● Unified Stack - From Identity to Mesh, to CNI and GraphQL
● Multi-Cluster Orchestration
● GitOps deployments
● Event-Driven, Real Time Architecture

Benchmark Scale
● 100% Containerized
● 9 EKS Clusters in Production
● 400 to 600 Concurrent Pods During Peak Processing
● Mandate to meet 99.95% Uptime

Customer Growth
● 100K in the First 10 Days
● 450K in the First 5 Months
● 1M+ Today

Differentiators
● Single Solution providing significant cost savings through consolidation of disparate tools
● Multi-Cluster Mesh enables transparent failover and the ability to treat EKS clusters as “cattle”
● Unified Stack allows the Bank to implement a trust “Defense in Depth” model from Identity to Network Policy
38 | Copyright © 2022
Workload Identity and Authentication

39 | Copyright © 2022
Secure Production Identity Framework (for Everyone)
•Intended to solve the “universal workload identity problem”
•Independent of application type, network, or platform/cloud
•Specified with URI strings
•Verified via signed credentials (x509, JWT, etc)
•API and workflow for attestation built into SPIFFE implementations
•Intended to eliminate passwords, other secrets, etc

40 | Copyright © 2022
Who is Service A?

41 | Copyright © 2022
Identity for Workloads

42 | Copyright © 2022
Network Policy Based on Stable Workload Identity
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-traffic-between-workloads
  namespace: your-namespace
spec:
  # Destination side: the policy attaches to the workloads carrying this label
  # (the pods running as spiffe://example.org/ns/your-namespace/sa/second-service-account).
  # The destination identity is fixed by the selector, not by a rule field.
  selector:
    matchLabels:
      app: your-app
  action: ALLOW
  rules:
  - from:
    - source:
        # Caller identity comes from the peer's SPIFFE SVID over mTLS, not from its IP.
        # Istio writes principals as <trust-domain>/ns/<namespace>/sa/<service-account>.
        principals: ["cluster.local/ns/your-namespace/sa/first-service-account"]
  # Note: `to.operation` only constrains hosts, ports, methods and paths;
  # there is no `principals` field under `operation`.
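The rule above keys access to the caller's SPIFFE identity rather than its address. As an added example (not code from the slides, from Istio, or from Solo.io), the Python below parses a SPIFFE ID URI, normalizes it to the trust-domain/ns/.../sa/... form Istio uses in `principals`, and evaluates a constructed ALLOW policy the way Istio treats ALLOW rules, including the case of an unauthenticated peer; the policy, labels and identities are constructed for illustration.

```python
# Added example, not from the slides: evaluate an Istio-style ALLOW
# AuthorizationPolicy against a caller's SPIFFE identity. Policy and
# identities are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # e.g. "/ns/your-namespace/sa/first-service-account"

    @classmethod
    def parse(cls, uri: str) -> "SpiffeId":
        # A SPIFFE ID is a URI: spiffe://<trust-domain>/<path>, no port/query/fragment
        u = urlparse(uri)
        if u.scheme != "spiffe" or not u.netloc or u.port or u.query or u.fragment:
            raise ValueError(f"not a valid SPIFFE ID: {uri!r}")
        return cls(u.netloc.lower(), u.path)

    def istio_principal(self) -> str:
        # Istio writes principals without the scheme: <trust-domain><path>
        return f"{self.trust_domain}{self.path}"


# Constructed policy mirroring the slide's rule: only the first service account
# may call the workloads labelled app=your-app.
POLICY = {
    "selector": {"matchLabels": {"app": "your-app"}},
    "action": "ALLOW",
    "rules": [{"from": [{"source": {"principals": [
        "cluster.local/ns/your-namespace/sa/first-service-account"]}}]}],
}


def selects(policy: dict, workload_labels: dict) -> bool:
    want = policy.get("selector", {}).get("matchLabels", {})
    return all(workload_labels.get(k) == v for k, v in want.items())


def is_allowed(policy: dict, workload_labels: dict, peer_svid_uri: str) -> bool:
    """ALLOW semantics: once an ALLOW policy selects the workload, a request
    passes only if some rule matches. A peer without a valid SVID never
    matches a principals rule, so plaintext/unauthenticated callers are denied."""
    if policy["action"] != "ALLOW" or not selects(policy, workload_labels):
        return True  # this policy does not apply; other policies may still
    try:
        principal = SpiffeId.parse(peer_svid_uri).istio_principal()
    except ValueError:
        return False
    return any(principal in src.get("source", {}).get("principals", [])
               for rule in policy["rules"] for src in rule.get("from", []))
```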

43 | Copyright © 2022
Demo

44 | Copyright © 2022
IstioCon (2023)

45 | Copyright © 2022
Traffic Control
Powerful load balancing IN THE NETWORK
●Fine-grained, request-based load balancing
●Region/Zone/Subset aware load balancing
●Retry/Timeout/Circuit breaker
●% based traffic splitting
●Header based traffic splitting

46 | Copyright © 2022
Global Routing / Failover

47 | Copyright © 2022
Circuit Breaker - Degrade gracefully when services are overwhelmed

48 | Copyright © 2022
Demo

49 | Copyright © 2022
Tying it all together

50 | Copyright © 2022
Offload Auth, Policy, and Resilience to the Platform!

51 | Copyright © 2022
Accelerating Business Value
●Get code into production, safely!
●Increasing the release safety and velocity with:
○High availability
○Global routing
○Failover
○Resiliency
■either planned, unplanned
■migrations, re-deployments
●Canary releasing, blue/green, A/B testing
●Reducing MTTR
○Metrics, distributed tracing, logging
●Reduce change failure rate

52 | Copyright © 2022
Improve Efficiency, Reduce Costs
●Declarative configuration fits IaC automation, tenancy
●Better resource utilization / scale
●Eliminate silos, reduce ticket ops, reduce UI click Ops
●Reduce dependencies on other teams (self service)
●Teams to focus on business logic not complexity of networking
●Integrations with standard interfaces
●Reduce reliance on large proprietary vendor stacks with heavy license fees
●Smart traffic, networking control for zonal, region, data center networking costs

53 | Copyright © 2022
Increase Compliance
●Zero trust network
○Encryption, authentication, authorization
○Central requirements for PCI-DSS, HIPAA, GDPR, etc
●Eliminate bespoke code for security, routing, load balancing
○Especially across multiple languages, frameworks, etc
○Easier to audit and understand
●Eliminate centralized bottlenecks, UI clicking, and
●Drive everything through Git so it’s trackable and auditable
●Organizational policy enforcement based on durable workload ID
○Not ephemeral IP addresses or network segments

54 | Copyright © 2022
Resources
●https://istio.io
●https://envoyproxy.io
●https://academy.solo.io
●See QR codes in slides!

55 | Copyright © 2022
Please Reach Out!
VP, Global Field CTO, Solo.io
@christianposta
[email protected]
/in/ceposta

Thank You!

57 | Copyright © 2022

58 | Copyright © 2022

59 | Copyright © 2022
API Management at Google

60 | Copyright © 2022
Massive outage

61 | Copyright © 2022
Optimize Proxy Placement