Managing Egress using Istio
Christian Posta | @christianposta | Solo.io
Sandeep Parikh | @crcsmnky | Google Cloud
What we’ll cover
Challenge
Examples
Solutions
Demo
What’s new
Questions
Challenge
Stable outbound origin for egress traffic

Why?
For many deployments that communicate with external services, those outbound communications need to originate from a known source.

This can be for exfiltration or infiltration monitoring, or compliance reasons.

Examples could include downstream APIs or systems that require whitelisting, or PCI compliant deployments, where outbound traffic must come from a stable origin.
Example deployment
Requirements
● All outbound traffic must originate from a stable IP
● Secure application sits behind a firewall
● IP must be whitelisted in firewall configuration
Solutions
VM-based NAT
● Pro: stable outbound IP
● Con: VM management; coarse-grained traffic controls
Managed NAT
● Pro: stable outbound IP
● Con: coarse-grained traffic controls
External proxy
● Pro: stable outbound IP; protocol controls
● Con: VM and proxy management; coarse-grained traffic controls
Internal proxy
● Pro: stable outbound IP; protocol controls
● Con: deployment management; lack of control plane

What about a cluster-native solution?
kube-static-egress-ip (github.com/nirmata/kube-static-egress-ip)
● Pro: runs as a DaemonSet
● Con: alpha; single node for egress
Say hello to istio-egressgateway

Accessing external service
Using ServiceEntry, add the external service to the Kubernetes service registry:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: se-httpbin-egress
spec:
  hosts:
  - httpbin.gcp.external
  addresses:
  - 34.67.71.77
  ports:
  - number: 80
    name: http-port
    protocol: TCP
  resolution: STATIC
  location: MESH_EXTERNAL
  endpoints:
  - address: 34.67.71.77
  exportTo: ["."]
Configuring egressgateway
Create a DestinationRule and Gateway that allows traffic from the mesh to the external service:

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: dr-httpbin-egress
spec:
  host: istio-egressgateway.istio-system
  subsets:
  - name: httpbin
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gw-httpbin-egress
spec:
  selector:
    istio: egressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - httpbin.gcp.external
Directing traffic
Mesh-internal traffic for the external service goes to the egress gateway. Traffic from the gateway goes to the external service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: vs-httpbin-egress
spec:
  hosts:
  - httpbin.gcp.external
  gateways:
  - gw-httpbin-egress
  - mesh
  http:
  - match:
    - gateways:
      - mesh
      port: 80
    route:
    - destination:
        host: istio-egressgateway.istio-system
        subset: httpbin
        port:
          number: 80
      weight: 100
  - match:
    - gateways:
      - gw-httpbin-egress
      port: 80
    route:
    - destination:
        host: httpbin.gcp.external
        port:
          number: 80
      weight: 100
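The four resources above form a chain: the ServiceEntry registers the host, the mesh-side VirtualService route sends sidecar traffic to the egress gateway, and the gateway-side route sends it on to the external host. A MESH_EXTERNAL host that is registered but not routed this way is reached by sidecars directly, so the chain is worth checking mechanically. The Python checker below is an added example, not code from the slides or from Istio. It works on manifests already parsed into dicts (the shape PyYAML's safe_load_all gives for the slide YAML), assumes the gateway service name istio-egressgateway.istio-system and the selector istio: egressgateway from the slides, carries a SLIDE_MANIFESTS set constructed to mirror the slides, and uses partner-api.example.test as a placeholder host for the unpinned case.

```python
"""Egress-pinning check for an Istio egress gateway manifest set.

Added example, not code from the slides or from Istio. Manifests are taken as
parsed dicts; every MESH_EXTERNAL ServiceEntry host is reported unless both
hops (sidecar -> egress gateway -> external host) are configured for it.
SLIDE_MANIFESTS mirrors the slides; UNPINNED_SERVICE_ENTRY is constructed.
"""

EGRESS_GW_HOST = "istio-egressgateway.istio-system"  # host in the slides' DestinationRule
EGRESS_GW_SELECTOR = {"istio": "egressgateway"}       # selector in the slides' Gateway

def _kind(manifests, kind):
    return [m for m in manifests if m.get("kind") == kind]

def _destinations(vs, source_gateway):
    """Destinations of the HTTP routes in `vs` whose match includes traffic from
    `source_gateway` ('mesh' for sidecars, or an egress Gateway name)."""
    out = []
    for http in vs["spec"].get("http", []):
        if any(source_gateway in m.get("gateways", []) for m in http.get("match", [])):
            out.extend(r["destination"] for r in http.get("route", []))
    return out

def check_egress(manifests):
    """Return findings; an empty list means every MESH_EXTERNAL host is routed
    sidecar -> egress gateway (hop 1) -> external host (hop 2)."""
    findings = []
    gateways = {g["metadata"]["name"]: g for g in _kind(manifests, "Gateway")
                if g["spec"].get("selector") == EGRESS_GW_SELECTOR}
    subsets = {s["name"] for dr in _kind(manifests, "DestinationRule")
               if dr["spec"].get("host") == EGRESS_GW_HOST
               for s in dr["spec"].get("subsets", [])}
    for se in _kind(manifests, "ServiceEntry"):
        if se["spec"].get("location") != "MESH_EXTERNAL":
            continue
        for host in se["spec"].get("hosts", []):
            covering = [vs for vs in _kind(manifests, "VirtualService")
                        if host in vs["spec"].get("hosts", [])
                        and "mesh" in vs["spec"].get("gateways", [])]
            if not covering:
                findings.append(f"{host}: no VirtualService pins mesh traffic to the "
                                "egress gateway, so sidecars reach it directly")
                continue
            for vs in covering:
                name = vs["metadata"]["name"]
                hop1 = _destinations(vs, "mesh")  # sidecar -> egress gateway
                if not hop1 or any(d.get("host") != EGRESS_GW_HOST for d in hop1):
                    findings.append(f"{name}: mesh route for {host} does not send all "
                                    f"traffic to {EGRESS_GW_HOST}")
                for d in hop1:
                    if d.get("host") == EGRESS_GW_HOST and d.get("subset") not in subsets:
                        findings.append(f"{name}: subset {d.get('subset')!r} is not defined "
                                        f"by a DestinationRule for {EGRESS_GW_HOST}")
                hop2_ok = False  # egress gateway -> external host
                for gw_name in vs["spec"]["gateways"]:
                    if gw_name not in gateways:
                        continue  # 'mesh' or a Gateway that is not the egress gateway
                    served = [h for s in gateways[gw_name]["spec"].get("servers", [])
                              for h in s.get("hosts", [])]
                    if host not in served:
                        findings.append(f"Gateway {gw_name} does not serve {host}")
                    elif any(d.get("host") == host for d in _destinations(vs, gw_name)):
                        hop2_ok = True
                if not hop2_ok:
                    findings.append(f"{name}: no route from an egress Gateway out to {host}")
    return findings

# Constructed to mirror the slides (apiVersion omitted; the checker keys on kind).
SLIDE_MANIFESTS = [
    {"kind": "ServiceEntry", "metadata": {"name": "se-httpbin-egress"},
     "spec": {"hosts": ["httpbin.gcp.external"], "addresses": ["34.67.71.77"],
              "ports": [{"number": 80, "name": "http-port", "protocol": "TCP"}],
              "resolution": "STATIC", "location": "MESH_EXTERNAL",
              "endpoints": [{"address": "34.67.71.77"}], "exportTo": ["."]}},
    {"kind": "DestinationRule", "metadata": {"name": "dr-httpbin-egress"},
     "spec": {"host": EGRESS_GW_HOST, "subsets": [{"name": "httpbin"}]}},
    {"kind": "Gateway", "metadata": {"name": "gw-httpbin-egress"},
     "spec": {"selector": {"istio": "egressgateway"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["httpbin.gcp.external"]}]}},
    {"kind": "VirtualService", "metadata": {"name": "vs-httpbin-egress"},
     "spec": {"hosts": ["httpbin.gcp.external"], "gateways": ["gw-httpbin-egress", "mesh"],
              "http": [{"match": [{"gateways": ["mesh"], "port": 80}],
                        "route": [{"destination": {"host": EGRESS_GW_HOST, "subset": "httpbin",
                                                   "port": {"number": 80}}, "weight": 100}]},
                       {"match": [{"gateways": ["gw-httpbin-egress"], "port": 80}],
                        "route": [{"destination": {"host": "httpbin.gcp.external",
                                                   "port": {"number": 80}}, "weight": 100}]}]}},
]

# Constructed: an external host registered with no VirtualService (placeholder name).
UNPINNED_SERVICE_ENTRY = {
    "kind": "ServiceEntry", "metadata": {"name": "se-partner-api"},
    "spec": {"hosts": ["partner-api.example.test"], "location": "MESH_EXTERNAL",
             "resolution": "DNS", "ports": [{"number": 443, "name": "https", "protocol": "TLS"}]},
}
```

Running check_egress(SLIDE_MANIFESTS) returns no findings; adding UNPINNED_SERVICE_ENTRY produces one finding naming the host that sidecars would reach directly. Fed with the output of yaml.safe_load_all over a cluster's exported networking resources, the same function flags every external host that escapes the gateway, which is the condition the stable-origin requirement cannot tolerate.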
Istio-enabled Deployment
Demo
Enforcing egress control

$ kubectl label ns istio-system istio=system
$ kubectl label ns kube-system kube-system=true
$ cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-istio-system-and-kube-dns-only
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kube-system: "true"
    ports:
    - protocol: UDP
      port: 53
  - to:
    - namespaceSelector:
        matchLabels:
          istio: system
EOF

The Kubernetes NetworkPolicy prevents application pods from bypassing Istio's egress gateway: their only permitted egress is DNS (UDP/53) to kube-system and traffic to the istio-system namespace, where the egress gateway runs.
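To see what the policy above does and does not permit, here is an added Python evaluator, not code from the slides or from Kubernetes, that implements the egress semantics of a NetworkPolicy: a flow passes if any egress rule matches, a rule matches when one of its to peers and one of its ports entries match, and a destination outside the cluster can be matched only by an ipBlock peer. The namespace labels and the policy mirror the slides; the flows are constructed; only matchLabels selectors are handled, not matchExpressions.

```python
"""Evaluate the slides' egress NetworkPolicy against sample flows.

Added example, not code from the slides or from Kubernetes. NetworkPolicy
egress semantics as implemented here: a flow is allowed if any egress rule
matches; a rule matches when one of its `to` peers and one of its `ports`
entries match (an absent field matches everything); a destination that is
not a cluster pod can only be matched by an ipBlock peer. matchLabels only.
"""
import ipaddress

# Labels applied by the two `kubectl label ns` commands on the slides;
# "app-ns" stands in for the unlabelled namespace the policy is created in.
NAMESPACE_LABELS = {
    "istio-system": {"istio": "system"},
    "kube-system": {"kube-system": "true"},
    "app-ns": {},
}

# Mirrors the NetworkPolicy on the slides.
POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "egress-istio-system-and-kube-dns-only"},
    "spec": {
        "podSelector": {},            # every pod in the policy's namespace
        "policyTypes": ["Egress"],
        "egress": [
            {"to": [{"namespaceSelector": {"matchLabels": {"kube-system": "true"}}}],
             "ports": [{"protocol": "UDP", "port": 53}]},
            {"to": [{"namespaceSelector": {"matchLabels": {"istio": "system"}}}]},
        ],
    },
}

def _labels_match(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, flow):
    if "ipBlock" in peer:
        block, ip = peer["ipBlock"], ipaddress.ip_address(flow["ip"])
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(c) for c in block.get("except", []))
    if flow.get("namespace") is None:
        return False  # not a cluster pod: only an ipBlock peer could allow it
    ns_labels = NAMESPACE_LABELS.get(flow["namespace"], {})
    if "namespaceSelector" in peer and not _labels_match(peer["namespaceSelector"], ns_labels):
        return False
    if "podSelector" in peer and not _labels_match(peer["podSelector"], flow.get("labels", {})):
        return False
    return True

def _port_matches(entry, flow):
    return (entry.get("protocol", "TCP") == flow["protocol"]
            and ("port" not in entry or entry["port"] == flow["port"]))

def egress_allowed(policy, flow):
    """True if `policy` lets a pod it selects send `flow`; assumes no other
    policy selects the source pod."""
    if "Egress" not in policy["spec"].get("policyTypes", []):
        return True  # the policy does not restrict egress at all
    for rule in policy["spec"].get("egress", []):
        to_ok = "to" not in rule or any(_peer_matches(p, flow) for p in rule["to"])
        port_ok = "ports" not in rule or any(_port_matches(p, flow) for p in rule["ports"])
        if to_ok and port_ok:
            return True
    return False

# Constructed flows from an application pod in "app-ns".
FLOWS = {
    "dns-udp": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"},
                "protocol": "UDP", "port": 53},
    "dns-tcp": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"},
                "protocol": "TCP", "port": 53},
    "via-egress-gateway": {"namespace": "istio-system", "labels": {"istio": "egressgateway"},
                           "protocol": "TCP", "port": 80},
    "direct-to-external": {"ip": "34.67.71.77", "protocol": "TCP", "port": 80},
    "same-namespace-pod": {"namespace": "app-ns", "labels": {"app": "other"},
                           "protocol": "TCP", "port": 8080},
}

def evaluate(policy=POLICY, flows=FLOWS):
    """Map each flow name to whether the policy allows it."""
    return {name: egress_allowed(policy, flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

Two results are worth a look. Direct traffic to 34.67.71.77 is denied because the policy has no ipBlock peer, which is exactly the bypass protection the slide describes. DNS over TCP to kube-system is denied as well, since the policy lists only UDP/53, and so is traffic between application pods in the same namespace; both need rules of their own if the workload requires them.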
Capturing external hosts
dns-discovery automatically detects egress traffic and creates ServiceEntry objects: github.com/istio-ecosystem/dns-discovery
What’s New
Istio 1.2, released 2019-06-18: 46 improvements, 297 commits, 78 contributors (see the full release notes).

Istio 1.2 highlights
Build, Test, Release
● Investing in build, test, and release machinery
● New subteams: GitHub Workflow, Source Organization, Testing Methodology, Build & Release Automation
Release Predictability
● Theme of this release is predictability: quality of releases and timing of releases
New Features
● Global log levels for data and control planes
● Validate Kubernetes environment using istioctl
● Annotate services with traffic.sidecar.istio.io/includeOutboundPorts and eliminate the need for containerPort

Istio 1.2 highlights
Beta → Stable
● SNI with ingress
● Distributed tracing
● Service tracing
Alpha → Beta
● Cert mgmt on ingress
● Config resource validation
● Config processing with Galley

Istio 1.2 for Traffic Management
● Added traffic.sidecar.istio.io/includeInboundPorts annotation to eliminate the need for the service owner to declare containerPort in the deployment yaml file. This will become the default in a future release.
● Improved locality based routing in multi-cluster environments.
● Improved outbound traffic policy in ALLOW_ANY mode. Traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is. Unknown traffic will be logged in Envoy access logs.
● Added support for setting HTTP idle timeouts to upstream services.
● Improved Sidecar support for NONE mode (without iptables).
● Added ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers.
● Graduated Sidecar API from Alpha to Alpha API and Beta runtime.
Thank You!
Questions or Comments?
Find us @christianposta and @crcsmnky
Learn More
● Istio istio.io
● Google Cloud cloud.google.com
● Solo.io www.solo.io
● Gloo gloo.solo.io
● Service Mesh Hub servicemeshhub.io
Demo
● github.com/crcsmnky/istio-egress-gateway

  • 10. Requirements: all outbound traffic must originate from a stable IP; the secure application sits behind a firewall; that IP must be whitelisted in the firewall configuration.
  • 12. VM-based NAT. Pro: stable outbound IP. Con: VM management; coarse-grained traffic controls.
  • 13. Managed NAT. Pro: stable outbound IP. Con: coarse-grained traffic controls.
  • 14. External Proxy. Pro: stable outbound IP; protocol controls. Con: VM and proxy management; coarse-grained traffic controls.
  • 15. Internal Proxy. Pro: stable outbound IP; protocol controls. Con: deployment management; lack of a control plane.
  • 16. What about a cluster-native solution?
  • 17. kube-static-egress-ip. Pro: runs as a DaemonSet. Con: alpha; a single node handles egress. github.com/nirmata/kube-static-egress-ip
  • 18. Say hello to istio-egressgateway Ingress Controller
  • 19. Accessing an external service. Using a ServiceEntry, add the external service to the Kubernetes service registry:

        apiVersion: networking.istio.io/v1alpha3
        kind: ServiceEntry
        metadata:
          name: se-httpbin-egress
        spec:
          hosts:
          - httpbin.gcp.external
          addresses:
          - 34.67.71.77
          ports:
          - number: 80
            name: http-port
            protocol: TCP
          resolution: STATIC
          location: MESH_EXTERNAL
          endpoints:
          - address: 34.67.71.77
          exportTo: ["."]

  • 20. Configuring the egressgateway. Create a DestinationRule and a Gateway that allow traffic from the mesh to the external service:

        apiVersion: networking.istio.io/v1alpha3
        kind: DestinationRule
        metadata:
          name: dr-httpbin-egress
        spec:
          host: istio-egressgateway.istio-system
          subsets:
          - name: httpbin
        ---
        apiVersion: networking.istio.io/v1alpha3
        kind: Gateway
        metadata:
          name: gw-httpbin-egress
        spec:
          selector:
            istio: egressgateway
          servers:
          - port:
              number: 80
              name: http
              protocol: HTTP
            hosts:
            - httpbin.gcp.external

  • 21. Directing traffic. Mesh-internal traffic for the external service goes to the egress gateway; traffic from the gateway goes to the external service:

        apiVersion: networking.istio.io/v1alpha3
        kind: VirtualService
        metadata:
          name: vs-httpbin-egress
        spec:
          hosts:
          - httpbin.gcp.external
          gateways:
          - gw-httpbin-egress
          - mesh
          http:
          - match:
            - gateways:
              - mesh
              port: 80
            route:
            - destination:
                host: istio-egressgateway.istio-system
                subset: httpbin
                port:
                  number: 80
              weight: 100
          - match:
            - gateways:
              - gw-httpbin-egress
              port: 80
            route:
            - destination:
                host: httpbin.gcp.external
                port:
                  number: 80
              weight: 100
  • 23. Demo
  • 24. Enforcing egress control. A Kubernetes NetworkPolicy prevents bypassing Istio's egress gateway: pods may only send to kube-dns (UDP 53 in kube-system) and to the istio-system namespace.

        $ kubectl label ns istio-system istio=system
        $ kubectl label ns kube-system kube-system=true
        $ cat <<EOF | kubectl apply -f -
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        metadata:
          name: egress-istio-system-and-kube-dns-only
        spec:
          podSelector: {}
          policyTypes:
          - Egress
          egress:
          - to:
            - namespaceSelector:
                matchLabels:
                  kube-system: "true"
            ports:
            - protocol: UDP
              port: 53
          - to:
            - namespaceSelector:
                matchLabels:
                  istio: system
        EOF
  • 25. Capturing external hosts dns-discovery automatically detects egress traffic and creates ServiceEntry objects. github.com/istio-ecosystem/dns-discovery
  • 27. Istio 1.2: 46 improvements, 297 commits, 78 contributors. Released 2019-06-18. Full release notes available.
  • 28. Istio 1.2 highlights. Release predictability: the theme of this release is predictability (quality of releases, timing of releases). Build, test, release: investing in build, test, and release machinery; new subteams: GitHub Workflow, Source Organization, Testing Methodology, Build & Release Automation. New features: global log levels for data and control planes; validate the Kubernetes environment using istioctl; annotate services with traffic.sidecar.istio.io/includeOutboundPorts and eliminate the need for containerPort.
  • 29. Istio 1.2 highlights. Beta → Stable: SNI with ingress; distributed tracing; service tracing. Alpha → Beta: cert management on ingress; config resource validation; config processing with Galley.
  • 30. Istio 1.2 for traffic management: added the traffic.sidecar.istio.io/includeInboundPorts annotation to eliminate the need for the service owner to declare containerPort in the deployment YAML file (this will become the default in a future release); improved locality-based routing in multi-cluster environments; improved outbound traffic policy in ALLOW_ANY mode (traffic for unknown HTTP/HTTPS hosts on an existing port will be forwarded as is; unknown traffic will be logged in Envoy access logs); added support for setting HTTP idle timeouts to upstream services; improved Sidecar support for NONE mode (without iptables); added the ability to configure the DNS refresh rate for sidecar Envoys, to reduce the load on the DNS servers; graduated the Sidecar API from Alpha to Alpha API and Beta runtime.
  • 31. Thank You! Questions or Comments? Find us @christianposta and @crcsmnky. Learn more: Istio istio.io; Google Cloud cloud.google.com; Solo.io www.solo.io; Gloo gloo.solo.io; Service Mesh Hub servicemeshhub.io. Demo: github.com/crcsmnky/istio-egress-gateway
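The deck's point in slides 19-21 and 24 is that the VirtualService only *routes* mesh traffic through istio-egressgateway; the NetworkPolicy is what stops a pod from skipping the sidecar and reaching the internet directly. Below is an added example (not from the deck or the demo repo): a small static check over the manifests, written as Python dicts mirroring the slides' YAML, that reports any mesh-external host whose mesh-side route does not target the egress gateway and flags the absence of a cluster-wide egress NetworkPolicy.

```python
# Added example: static check that mesh-external hosts are pinned to istio-egressgateway
# and that a cluster-wide egress NetworkPolicy exists. Manifests are constructed dicts
# mirroring slides 19, 21 and 24 (standard library only, no PyYAML dependency).
EGRESS_GW = "istio-egressgateway.istio-system"   # host used by the deck's DestinationRule

def mesh_routes_to_gateway(vs):
    """True if every mesh-side HTTP route of the VirtualService targets the egress gateway."""
    spec = vs["spec"]
    if "mesh" not in spec.get("gateways", []):
        return False
    mesh_routes = [r for r in spec.get("http", [])
                   if any("mesh" in m.get("gateways", []) for m in r.get("match", []))]
    return bool(mesh_routes) and all(d["destination"]["host"] == EGRESS_GW
                                     for r in mesh_routes for d in r["route"])

def cluster_wide_egress_policy(manifests):
    """True if some NetworkPolicy selects all pods (podSelector {}) and restricts Egress."""
    return any(m["kind"] == "NetworkPolicy" and m["spec"].get("podSelector") == {}
               and "Egress" in m["spec"].get("policyTypes", []) for m in manifests)

def egress_findings(manifests):
    """Return human-readable gaps; an empty list means the egress path is pinned."""
    findings = []
    vs_by_host = {h: m for m in manifests if m["kind"] == "VirtualService"
                  for h in m["spec"]["hosts"]}
    for m in manifests:
        if m["kind"] == "ServiceEntry" and m["spec"].get("location") == "MESH_EXTERNAL":
            for host in m["spec"]["hosts"]:
                vs = vs_by_host.get(host)
                if vs is None or not mesh_routes_to_gateway(vs):
                    findings.append(f"{host}: mesh traffic is not routed via {EGRESS_GW}")
    if not cluster_wide_egress_policy(manifests):
        findings.append("no cluster-wide egress NetworkPolicy: pods could bypass the gateway")
    return findings

# Constructed manifests (same shape as the deck's YAML, reduced to the fields checked).
SERVICE_ENTRY = {"kind": "ServiceEntry",
                 "spec": {"hosts": ["httpbin.gcp.external"], "location": "MESH_EXTERNAL"}}
VIRTUAL_SERVICE = {"kind": "VirtualService", "spec": {
    "hosts": ["httpbin.gcp.external"], "gateways": ["gw-httpbin-egress", "mesh"],
    "http": [{"match": [{"gateways": ["mesh"], "port": 80}],
              "route": [{"destination": {"host": EGRESS_GW, "subset": "httpbin"}}]},
             {"match": [{"gateways": ["gw-httpbin-egress"], "port": 80}],
              "route": [{"destination": {"host": "httpbin.gcp.external"}}]}]}}
NETWORK_POLICY = {"kind": "NetworkPolicy",
                  "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
if __name__ == "__main__":
    for line in egress_findings([SERVICE_ENTRY, VIRTUAL_SERVICE]) or ["OK: egress pinned"]:
        print(line)
```

Run as-is it reports the missing NetworkPolicy; with all three manifests passed in, it reports nothing.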

Editor's Notes

  1. https://docs.tenable.com/pvs/deployment/Content/GoogleCloudInstructionsNatGateway.htm https://cloud.google.com/vpc/docs/special-configurations#natgateway
  2. https://cloud.google.com/nat/docs/overview#NATwithGKE
  3. https://www.nirmata.com/2018/12/12/open-source-kubernetes-crd-for-egress-ip-address-management/ https://github.com/nirmata/kube-static-egress-ip