apidays LIVE London 2021 - Advanced Authentication patterns at the Edge by Denis Jannot, Solo.io
0 likes505 views
The document discusses advanced authentication patterns for microservices at the edge, focusing on the challenges faced by teams in implementing consistent authentication methods. It introduces Gloo Edge, an API gateway built on Envoy Proxy, which enhances application connectivity, security visibility, and allows teams to focus on business logic. Key benefits include API gateway-level authentication, GitOps-friendly configurations, and enforced security mechanisms.
apidays LIVE London 2021 - Advanced Authentication patterns at the Edge by Denis Jannot, Solo.io
- 1. Advanced Authentication patterns at the Edge Denis Jannot Director of Field Engineering - EMEA
- 2. 2 | Copyright © 2021 About me @djannot denis.jannot@solo.io denisjannot Denis Jannot Director of Field Engineering - EMEA @ Solo.io
- 3. 3 | Copyright © 2021 From Monolith to Microservices MONOLITH MICROSERVICES
- 4. 4 | Copyright © 2021 Kubernetes became the most popular platform MONOLITH MICROSERVICES
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. 5 | Copyright © 2021 How do you expose your apps ? The Ingress way MICROSERVICES Ingress TLS Basic routing Kubernetes Service Pods
- 7. 6 | Copyright © 2021 Each team reinvents the wheel MICROSERVICES Ingress
- 8. 7 | Copyright © 2021 Some capabilities must be implemented downstream MICROSERVICES Ingress API GATEWAY Rate limiting WAF
- 9. 8 | Copyright © 2021 Common challenges • Each team reinvents the wheel (setting up the same authentication) • Implementation is different for each language • Application teams should focus on the business logic instead • The security team doesn’t have visibility on what’s configured for each application • Other security mechanisms must be implemented outside of the Kubernetes cluster
- 10. 9 | Copyright © 2021 What about a Kubernete-native API Gateway ? MICROSERVICES API GATEWAY Rate limiting WAF
- 11. 10 | Copyright © 2021 That can even expose services outside of Kubernetes MICROSERVICES API GATEWAY Rate limiting WAF
- 12. 11 | Copyright © 2021 Benefits • Authentication is performed at the API Gateway level • Application teams can focus on the business logic • Everything is configured through Kubernetes Custom Ressources, so it’s Gitops-friendly • Other security mechanisms are enforced by the same Gateway • Visibility for the security team
- 13. 12 | Copyright © 2021 Gloo Edge MICROSERVICES Rate limiting WAF
- 14. 13 | Copyright © 2021 Gloo Edge overview Gloo Edge is an open-source, flexible and extensible API Gateway built on Envoy Proxy for microservices environments. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application connectivity and policy based traffic management. SERVICE A SERVICE B SERVICE C SERVICE D SERVICE E NORTH-SOUTH TRAFFIC
- 15. 14 | Copyright © 2021 Why Envoy Proxy • Neutral Foundation (CNCF) • Large, diverse, vibrant community • Built ground up for dynamic services environment • Dynamic configuration, driven by API • Highly extensible • L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc) • Deep signals telemetry out of the box • Versatile deployment options
- 16. 15 | Copyright © 2021 Gloo Edge architecture EXTERNAL AUTH RATE LIMITING GLOO FILTERS ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER DATA LOSS PREVENTION LAMBDA TRANSFORMATION WEB APPLICATION FIREWALL (WAF) WEB ASSEMBLY JWT
- 17. 16 | Copyright © 2021 What does Kubernete-native mean ? apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: name: demo namespace: gloo-system spec: sslConfig: secretRef: name: upstream-tls namespace: gloo-system virtualHost: domains: - '*' routes: - matchers: - prefix: /app1 options: extauth: configRef: name: oauth namespace: gloo-system delegateAction: selector: namespaces: - app1 apiVersion: gateway.solo.io/v1 kind: RouteTable metadata: name: httpbin-routetable namespace: app1 spec: routes: - matchers: - prefix: /not-secured options: prefixRewrite: '/' routeAction: single: upstream: name: app1-httpbin-8000 namespace: gloo-system apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: name: oauth namespace: gloo-system spec: configs: - oauth2: oidcAuthorizationCode: appUrl: ${APP_URL} callbackPath: /callback clientId: ${client} clientSecretRef: name: oauth namespace: gloo-system issuerUrl: "${KEYCLOAK_URL}/realms/master/" scopes: - email headers: idTokenHeader: jwt
- 18. 17 | Copyright © 2021 17 | Copyright © 2020
- 19. 18 | Copyright © 2021 Catalog and expose running APIs in Gloo Edge or Istio service mesh to your developers, partners, and community.
- 20. 19 | Copyright © 2021 Enterprise Service Mesh for multi-cluster, cross-cluster and hybrid environments based on upstream Istio https://www.solo.io/products/gloo-mesh/
- 21. 20 | Copyright © 2021
- 22. 21 | Copyright © 2021 21 | Copyright © 2020 https://slack.solo.io/
- 23. 22 | Copyright © 2021 22 | Copyright © 2020 Thank you !
- 24. 23 | Copyright © 2021
- 25. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here