Peer & Request Authentication - Istio Service Mesh

-

Peer and Request Authentication 

Istio provides two types of authentication: peer authentication and request authentication. 

Peer authentication 

Peer authentication is used for service-to-service authentication to verify the client that's making the connection. 

When two services try to communicate, mutual TLS requires both to provide certificates so both parties know who they are talking to. If we want to enable strict mutual TLS between services, we can use the PeerAuthentication resource to set the mTLS mode to STRICT] 

Using the PeerAuthentication resource, we can turn on mutual TLS (mTLS) across the mesh without making code changes. 

However, Istio also supports a graceful mode where we can opt into mutual TLS one workload or namespace at the time. This mode is called permissive mode. 

Permissive mode is enabled by default when you install Istio. With permissive mode enabled, if a client tries to connect to me via mutual TLS, I'll serve mutual TLS. If the client doesn't use mutual TLS, I can respond in plain text as well. I am permitting the client to do mTLS or not. Using this mode, you can gradually roll out mutual TLS across your mesh.

Request authentication 

The request authentication (RequestAuthentication resource) verifies the credential attached to the request, and we use it for end-user authentication. 

The request-level authentication is done with JSON Web Token  (JWT) validation. Istio supports any OpenID Connect providers, such as AuthO, Firebase or Google Auth, Keycloak, OW Hydra. So just like we used SPIFFE identity to authenticate the services, we can use JWT tokens to authenticate users.


Comments

Post a Comment

Popular posts from this blog

DevOps Interview Questions

-
Questions from GIT, Jenkins, Ansible, Dockers & Containers, Kubernetes, OpenShift, AWS, CI/CD, Scripting, Linux (RHEL), Monitoring, Python GIT ########### * What is GIT ? * What is difference between GIT & Github ? * Why we use GIT ? * What is SCM & VCS ? * What are the process of pushing the code to Github Repository ? * Why do we commit ? * What are the commands of GIT to push the code ? * How you can merge a git repository with another ?  * What is branching in git ? * Different types of branching in GIT ? * What is merge conflict in git ? * How you can resolve merge conflict if you are merging same    project and in the same branch ?    Jenkins ########## * What is Jenkins ? * Why we use Jenkins ? * What are the other tools/technologies present in market other than    Jenkins for CI/CD ? * How to move Jenkins from one server to another ?    * How to create Jenkins backup ?  * What are plugins in Jenkins ? * What are
Read more

Calico Certified Operator: AWS Expert Questions & Answers

-
Section 1 Which one of the following is NOT an AWS networking concept? 1 point possible (graded, results hidden) AWS Region Virtual Private Cloud Elastic Network Interface Cloud NAT submitted Which of the following are network configuration options for the Calico CNI in BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: VLAN based segmentation VXLAN encapsulation IP-IP encapsulation CrossSubnet mode submitted Why does AWS-CNI networking make use of source based routing on the nodes? 1 point possible (graded, results hidden) To provide more available IP addresses To allow the utilisation of all ENIs attached to the node To secure the node’s compute resources To ensure all pods use the same ENI submitted Which of the following are true when using the CrossSubnet mode in Calico CNI on BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: It is recommended that for best performanc
Read more

CKAD Certification Exam Preparation Guide and Tips

-
Image
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. The CNCF/Linux Foundation offers this performance-based exam which targets the developer aspect of Kubernetes skills such as deploying apps, configuring apps, rolling out the application, creating persistent volumes, etc. CKAD (Certified Kubernetes Application Developer) is designed for software developers who would like to develop and deploy their containerized applications in Kubernetes. The curriculum includes the following general domains with the associated weights: Core Concepts – 13% Configuration – 18% Multi-Container Pods – 10% Observability – 18% Pod Design – 20% Services & Networking – 13% State Persistence – 8% ------------------------------------------------------------------------- After my successful achievement of CKAD Certification, I would love to share my experience and tips to clear the exam. I have  practiced a lot on kubectl  commands and
Read more