apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Denis Jannot, Solo.io
0 likes103 views
The document discusses advanced authentication patterns at the edge for microservices, emphasizing the transition from monoliths to microservices architectures. It highlights common challenges associated with authentication, such as teams reinventing the wheel and lack of visibility for security teams, and introduces the concept of a Kubernetes-native API gateway, specifically Gloo Edge, which offers benefits like centralized authentication and GitOps-friendly configuration. Gloo Edge is presented as an extensible API gateway built on Envoy Proxy that enables secure application connectivity and policy-based traffic management in dynamic microservices environments.
apidays LIVE Paris 2021 - Advanced Authentication patterns at the Edge by Denis Jannot, Solo.io
- 1. Advanced Authentication patterns at the Edge Denis Jannot Director of Field Engineering - EMEA
- 2. 2 | Copyright © 2021 About me @djannot denis.jannot@solo.io denisjannot Denis Jannot Director of Field Engineering - EMEA @ Solo.io
- 3. 3 | Copyright © 2021 From Monolith to Microservices MONOLITH MICROSERVICES
- 4. 4 | Copyright © 2021 Kubernetes became the most popular platform MONOLITH MICROSERVICES
- 5. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 6. 5 | Copyright © 2021 How do you expose your apps ? The Ingress way MICROSERVICES Ingress TLS Basic routing Kubernetes Service Pods
- 7. 6 | Copyright © 2021 Each team reinvents the wheel MICROSERVICES Ingress
- 8. 7 | Copyright © 2021 Some capabilities must be implemented downstream MICROSERVICES Ingress API GATEWAY Rate limiting WAF
- 9. 8 | Copyright © 2021 Common challenges • Each team reinvents the wheel (setting up the same authentication) • Implementation is different for each language • Application teams should focus on the business logic instead • The security team doesn’t have visibility on what’s configured for each application • Other security mechanisms must be implemented outside of the Kubernetes cluster
- 10. 9 | Copyright © 2021 What about a Kubernetes-native API Gateway ? MICROSERVICES API GATEWAY Rate limiting WAF
- 11. 10 | Copyright © 2021 That can even expose services outside of Kubernetes MICROSERVICES API GATEWAY Rate limiting WAF
- 12. 11 | Copyright © 2021 Benefits • Authentication is performed at the API Gateway level • Application teams can focus on the business logic • Everything is configured through Kubernetes Custom Resources, so it’s Gitops- friendly • Other security mechanisms are enforced by the same Gateway • Visibility for the security team
- 13. 12 | Copyright © 2021 Gloo Edge MICROSERVICES Rate limiting WAF
- 14. 13 | Copyright © 2021 Gloo Edge overview Gloo Edge is an open-source, flexible and extensible API Gateway built on Envoy Proxy for microservices environments. Gloo Edge configures the behavior of the Envoy Proxy data plane to ensure secure application connectivity and policy based traffic management. SERVICE A SERVICE B SERVICE C SERVICE D SERVICE E NORTH-SOUTH TRAFFIC
- 15. 14 | Copyright © 2021 Why Envoy Proxy • Neutral Foundation (CNCF) • Large, diverse, vibrant community • Built ground up for dynamic services environment • Dynamic configuration, driven by API • Highly extensible • L7 filters (HTTP/1, HTTP/2, gRPC, redis, mysql, Kafka, etc) • Deep signals telemetry out of the box • Versatile deployment options
- 16. 15 | Copyright © 2021 Gloo Edge architecture EXTERNAL AUTH RATE LIMITING GLOO FILTERS ROUTER UPSTREAM EXTERNAL AUTH SERVER RATE LIMITING SERVER DATA LOSS PREVENTION LAMBDA TRANSFORMATION WEB APPLICATION FIREWALL (WAF) WEB ASSEMBLY JWT
- 17. 16 | Copyright © 2021 What does Kubernetes-native mean ? apiVersion: gateway.solo.io/v1 kind: VirtualService metadata: name: demo namespace: gloo-system spec: sslConfig: secretRef: name: upstream-tls namespace: gloo-system virtualHost: domains: - '*' routes: - matchers: - prefix: /app1 options: extauth: configRef: name: oauth namespace: gloo-system delegateAction: selector: namespaces: - app1 apiVersion: gateway.solo.io/v1 kind: RouteTable metadata: name: httpbin-routetable namespace: app1 spec: routes: - matchers: - prefix: /not-secured options: prefixRewrite: '/' routeAction: single: upstream: name: app1-httpbin-8000 namespace: gloo-system apiVersion: enterprise.gloo.solo.io/v1 kind: AuthConfig metadata: name: oauth namespace: gloo-system spec: configs: - oauth2: oidcAuthorizationCode: appUrl: ${APP_URL} callbackPath: /callback clientId: ${client} clientSecretRef: name: oauth namespace: gloo-system issuerUrl: "${KEYCLOAK_URL}/realms/master/" scopes: - email headers: idTokenHeader: jwt
- 18. 17 | Copyright © 2021 17 | Copyright © 2020
- 19. 18 | Copyright © 2021 Catalog and expose running APIs in Gloo Edge or Istio service mesh to your developers, partners, and community.
- 20. 19 | Copyright © 2021 No visibility MICROSERVICES API GATEWAY Rate limiting WAF
- 21. 20 | Copyright © 2021 Welcome Service Mesh SERVICE MESH Control Plane Encryption Telemetry Traffic management Access control Identity Management Certificate management Health check Data Plane
- 22. 21 | Copyright © 2021 Enterprise Service Mesh for multi -cluster, cross- cluster and hybrid environments based on upstream Istio https://www.solo.io/products/gloo-mesh/
- 23. 22 | Copyright © 2021
- 24. 23 | Copyright © 2021 23 | Copyright © 2020 https://slack.solo.io/
- 25. New York JULY Australia SEPTEMBER Singapore APRIL Helsinki & North MARCH Paris DECEMBER London OCTOBER Jakarta FEBRUARY Hong Kong AUGUST JUNE India MAY Check out our API Conferences here 50+ events since 2012, 14 countries, 2,000+ speakers, 50,000+ attendees, 300k+ online community Want to talk at one of our conferences? Apply to speak here
- 26. 24 | Copyright © 2021 24 | Copyright © 2020 Thank you !
- 27. 25 | Copyright © 2021