You're reading from Mastering Service Mesh

Product type: Book
Published in: Mar 2020
Reading level: Intermediate
Publisher: Packt
ISBN-13: 9781789615791
Edition: 1st Edition

Authors (2):

Anjali Khatri

Anjali Khatri is an enterprise cloud architect at DivvyCloud, advancing the cloud-native growth for the company by helping customers maintain security and compliance for resources running on AWS, Google, Azure, and other cloud providers. She is a technical leader in the adoption, scaling, and maturity of DivvyCloud's capabilities. In collaboration with product and engineering, she works with customer success around feature request architecture, case studies, account planning, and continuous solution delivery. Prior to DivvyCloud, Anjali worked at IBM and Merlin. She has 9+ years of professional experience in program management for software development, open source analytics sales, and application performance consulting.

Vikram Khatri

Vikram Khatri is the chief architect of Cloud Pak for Data System at IBM. Vikram has 20 years of experience leading and mentoring high-performing, cross-functional teams to deliver high-impact, best-in-class technology solutions. Vikram is a visionary thought leader when it comes to architecting large-scale transformational solutions from monolithic to cloud-native applications that include data and AI. He is an industry-leading technical expert with a track record of leveraging deep technical expertise to develop solutions, resulting in revenues exceeding $1 billion over 14 years, and is also a technology subject matter expert in cloud-native technologies who frequently speaks at industry conferences and trade shows.

Exploring Istio Security Features

Traditionally, the security of an application is implemented at the application level by using language-specific libraries to enable certificate-based authentication and then encryption of the network traffic. In modern cloud-native applications, these tasks are delegated to the service mesh providers to implement security so that application developers can focus on the business logic of the application.

In this chapter, we will look at service authentication and authorization using simple and mutual TLS and advanced security enhancements through examples.

In a nutshell, we will cover the following topics:

  • Configuring service authentication
  • Enabling and disabling service authorization

Technical requirements

You will get the best out of this chapter if you have the following:

  • This chapter's exercises use dependencies from the previous chapter. Please make sure that you completed the exercises in the previous chapter before starting this one.
  • Open a command-line window to follow this chapter to learn about Istio security by examples. Clone this book's GitHub directory:
$ cd ~/istio
$ git checkout $ISTIO_VERSION
$ cd scripts/02-security
  • Make sure that all istio-lab pods are in a Ready 2/2 state:
$ kubectl -n istio-lab get pods

Once this is done, we're ready to begin!

Overview of Istio's security

Security in Istio is very comprehensive. The high-level overview starts with Citadel, which is a key and certificate manager. It acts as a Certificate Authority (CA) for Istio. An additional component, node_agent, needs to be enabled for certificate and key rotation. The node agent runs as a daemon set on all of the nodes to take care of the certificate and key rotations. The sidecar proxies implement secure protocol communication between microservices; this is a self-service model that is enabled through a configuration parameter, with no changes being made to the microservices themselves. The following control plane components are used:

  • Pilot: Pilot in Istio distributes authentication and provides secure naming conventions for sidecar proxies. Secure naming is a new concept that is gaining traction since it identifies services securely if they are part of the...

Authentication

In the previous chapter, we configured the Istio ingress gateway to expose the bookinfo HTTP service's endpoints to external traffic. In this section, we will configure simple or mutual TLS to provide HTTPS access for external traffic to the bookinfo services. It is our assumption that you have an understanding of simple and mutual TLS authentication. Additional information can be found here: https://bit.ly/2voH44c.

Simple or mutual TLS termination at the ingress gateway for incoming requests assumes that downstream services are safe and not liable to external attacks or insider threats. After the ingress gateway has been secured, downstream service communication is done using a plaintext HTTP protocol.

If access is requested to external services, TLS origination should start an egress gateway for secure communication with an external service. It is...
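The two layers this section describes, TLS termination at the ingress gateway and then mutual TLS between the services behind it so that the downstream hop is no longer plaintext, can be expressed as the following Istio 1.3-style configuration. This is an added example and not a manifest from the book or from the Istio project; the gateway name, the certificate mount paths, the istio-lab namespace's service hostnames and the STRICT mode choice are assumptions, while the host bookinfo.istio.io is the one this chapter uses.

```yaml
# Added example: ingress TLS termination plus in-mesh mTLS (Istio 1.3 APIs).
# Names, namespace hostnames and certificate paths are assumptions, not the book's values.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: bookinfo-gateway        # assumed name
  namespace: istio-lab
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      # MUTUAL makes the gateway demand a client certificate signed by the CA
      # in caCertificates. For simple (server-only) TLS, set mode: SIMPLE and
      # drop the caCertificates line.
      mode: MUTUAL
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt             # assumed mount path
      privateKey: /etc/istio/ingressgateway-certs/tls.key                    # assumed mount path
      caCertificates: /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem   # assumed mount path
    hosts:
    - "bookinfo.istio.io"
---
# Server side of in-mesh mTLS: every workload in istio-lab must present an
# Istio-issued client certificate, so service-to-service hops stop being plaintext.
# PERMISSIVE would accept both plaintext and mTLS during a migration.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: istio-lab
spec:
  peers:
  - mtls:
      mode: STRICT
---
# Client side of in-mesh mTLS: sidecars (and the ingress gateway) originate mTLS
# to any istio-lab service with the certificates Citadel issued to them.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-lab
spec:
  host: "*.istio-lab.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

The Policy and the DestinationRule must be applied together: a STRICT policy without the matching ISTIO_MUTUAL rule makes callers that still send plaintext fail with connection resets, which is the usual symptom of a half-applied mTLS rollout. The `istioctl authn tls-check` command reports, per pod and destination, whether the server-side policy and the client-side destination rule agree.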

Authorization

Once someone has been authenticated, what they can or cannot do depends upon authorization. Mixer plays an important role in authorization enablement in Istio. Let's learn about authorization through some examples:

  1. First, let's switch to subset v2 of the reviews virtual service so that it shows black stars in the ratings (remember: review-1: no stars, review-2: black stars, review-3: red stars):
$ kubectl -n istio-lab patch vs reviews --type json -p '[{"op":"replace","path":"/spec/http/0/route/0/destination/subset","value": "v2"}]'
virtualservice.networking.istio.io/reviews patched

$ kubectl -n istio-lab get vs reviews -o yaml | grep -B1 subset:
host: reviews
subset: v2
  2. Refresh https://bookinfo.istio.io/productpage. You should see black stars in the ratings.

Authorization...
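Enabling authorization for the istio-lab namespace and then granting a single caller access to the reviews service, the topic this section and the chapter's "Enabling and disabling service authorization" item introduce, looks like the following in the Istio 1.3 RBAC API (rbac.istio.io/v1alpha1). This is an added example, not a manifest from the book or from Istio; the role and binding names, the paths and the bookinfo-productpage service account name are assumptions.

```yaml
# Added example: Istio 1.3 RBAC objects; names and the service account are assumptions.
apiVersion: rbac.istio.io/v1alpha1
kind: ClusterRbacConfig
metadata:
  name: default          # there is exactly one ClusterRbacConfig and it must be named default
spec:
  # ON_WITH_INCLUSION turns authorization on only for the namespaces listed below;
  # OFF disables it mesh-wide. Once it is on, anything not granted by a
  # ServiceRoleBinding is denied, so enable it namespace by namespace.
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["istio-lab"]
---
# What may be done: read-only access to the reviews service.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: reviews-viewer           # assumed name
  namespace: istio-lab
spec:
  rules:
  - services: ["reviews.istio-lab.svc.cluster.local"]
    methods: ["GET"]
    paths: ["/reviews/*"]        # assumed path pattern
---
# Who may do it: the workload identity of productpage, taken from the SPIFFE-style
# name in its mTLS client certificate. Without mTLS there is no identity to bind.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: bind-reviews-viewer      # assumed name
  namespace: istio-lab
spec:
  subjects:
  - user: "cluster.local/ns/istio-lab/sa/bookinfo-productpage"   # assumed service account
  roleRef:
    kind: ServiceRole
    name: reviews-viewer
```

Because authorization is deny-by-default once enabled, the other hops in bookinfo (ingress gateway to productpage, productpage to details, and reviews v2 to ratings) each need their own role and binding; with only the objects above, the product page renders but the black stars disappear because reviews can no longer reach ratings. That visible failure is the quickest check that the ClusterRbacConfig has actually taken effect, and the sidecar access logs of the denied service show the 403 responses.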

Advanced capabilities

Some of the advanced topics of Istio authentication and authorization are beyond the scope of this book. The following is a brief description of a few important ones:

  • Istio authorization allows us to work with JSON Web Tokens (JWTs) and open source OpenID Connect providers such as Google Auth, Auth0, and ORY Hydra. Refer to https://archive.istio.io/v1.3/docs/concepts/security/ for how to apply authentication policies for JWT and OpenID Connect.
  • Istio can integrate with HashiCorp's Vault CA to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets, and other sensitive data.
  • Istio multi-cluster installation, control plane replication, and creating shared control planes using single or multi-networks are not explored in this book. Refer to https://archive.istio.io/v1.3/docs/setup/install/multicluster...

Summary

Security sometimes creates Fear, Uncertainty, and Doubt (FUD), and many times, it results in unnecessary controls that hamper productivity. Sadly, breaches do still occur. Major corporations have a chief information security officer, but often, the focus is on putting locks and controls in the wrong places and not knowing which backdoors are wide open. Security breaches can harm the reputation of a company and can cause huge financial damage. A recent example is a fine of $148 million that was imposed on a ride-sharing company, which failed to report the security breach to the Federal Trade Commission. The hackers, in this case, found AWS credentials in their GitHub repository and stole the data of millions of people from an AWS S3 bucket.

The security in Istio is enterprise-grade. You must have noticed the granular nature of security at the namespace level. You have also...

Questions

  1. Istio will not rotate certificates and keys that have been defined for the services through an Ingress gateway to secure traffic from external clients to the edge microservice.
    A) True
    B) False
  2. There can only be one MeshPolicy, named default, that will apply mTLS mesh-wide.
    A) True
    B) False
  3. Mutual TLS can be as granular as possible, from the namespace level to the service level, by defining a policy.
    A) True
    B) False
  4. Mutual TLS can also be defined through destination rules for the subsets, which can be used to define virtual services.
    A) True
    B) False
  5. Istio is capable of shielding modern microservices applications so that they can run in a zero-trust network without the need to make any changes to the application code.
    A) True
    B) False
  6. Istio makes VPNs and firewalls redundant if security is implemented properly.
    A) True
    B) False
  7. It is the responsibility...

Further reading
