Explore the design and implementation of a new Istio certificate management system using Vault in this 34-minute conference talk by Lei Tang and Yonggang Liu from Google. Dive into the Istio identity system, current certificate management architecture, and the new Vault-based system's authentication and authorization mechanisms. Follow a detailed example of a pod requesting and receiving a signed certificate from Vault. Learn about Istio's microservices management, security risks in service meshes, and context-aware access control. Witness demonstrations of authorization and authentication policies, certificate provision flow, and integration with external CAs. Gain insights into signing key injection, Citadel integration, and node agent integration, concluding with a prototype of Istio CA Vault integration.
Overview
Syllabus
Intro
Istio manages your microservices
Istio 30,000-foot view
Security risks for service meshes
Solution: Istio security Beyond Corp
Example flow of context-aware access
Demo: Istio context-aware access control • A user must be in a specific group to • The access must be protected by TS . May also control the caling path
Demo: authorization policies
Demo: authentication policy
Certificate Provision Flow
Integration with external CAS
Signing-key-injection
Citadel-integration
Nodeagent-integration
Prototype: Istio CA Vault integration
Taught by
CNCF [Cloud Native Computing Foundation]
