10. Go-kit microservice + Istio
Golang UK Conference 2015 - Peter Bourgon - Go Kit A Toolkit for Microservices - https://youtu.be/aL6sd4d4hxk?t=1022
auth
+
11. Automatically secure your services through managed authentication, authorization, and encryption of communication between services.
Istio security - API
Authorization
12. Istio
● 1.8.0 (released 11/19)
● 1.7 (released 8/21)
● 1.6 (released 5/21)
● 1.5 (released 3/5)
● RequestAuthentication: 1.5 and above
● Mixer: default since Istio 1.3 and istio-telemetry is disabled by default in Istio 1.5.
● holdApplicationUntilProxyStarts: 1.7 and above
Istio - https://istio.io/latest/
13. Istio / Istio in 2020 - Following the Trade Winds - https://istio.io/latest/blog/2020/tradewinds-2020/
Istio Architecture
24.
    type AuthorizationServer interface {
        // Performs authorization check based on the attributes associated with the
        // incoming request, and returns status `OK` or not `OK`.
        Check(context.Context, *CheckRequest) (*CheckResponse, error)
    }

    func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {
        h := req.GetAttributes().GetRequest().GetHttp()
        ...
        s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"])
        return &auth.CheckResponse{
            Status: s,
        }, nil
    }

envoy.config.filter.http.ext_authz.v2.ExtAuthz
AuthorizationServer is the server API for Authorization service.
If the request is deemed unauthorized at the HTTP filter the request will be denied with 403 (Forbidden) response.
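An added example, not code from the slides: a hypothetical `Verify` that could sit behind the `Check` handler above, returning gRPC status codes and failing closed when a header is missing or malformed. The policy table, the `roles` claim, and the base64url encoding of the `x-jwt-playload` value are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// gRPC status codes, as a Check handler would place in CheckResponse.Status.
const OK, PermissionDenied, Unauthenticated = 0, 7, 16

// Constructed sample policy: method + path prefix -> role required in the JWT.
var rules = []struct{ method, prefix, role string }{
	{"GET", "/orders", "reader"},
	{"POST", "/orders", "writer"},
}

// Verify (hypothetical) fails closed: missing or malformed input never yields OK.
func Verify(headers map[string]string, method string) int {
	path := headers["x-envoy-original-path"]
	// Assumption: the proxy forwards the validated JWT payload base64url-encoded.
	enc := strings.TrimRight(headers["x-jwt-playload"], "=")
	raw, err := base64.RawURLEncoding.DecodeString(enc)
	var claims struct {
		Roles []string `json:"roles"`
	}
	if enc == "" || err != nil || json.Unmarshal(raw, &claims) != nil {
		return Unauthenticated
	}
	for _, r := range rules {
		// Match whole path segments so "/ordersx" does not match "/orders".
		if r.method != method || (path != r.prefix && !strings.HasPrefix(path, r.prefix+"/")) {
			continue
		}
		for _, have := range claims.Roles {
			if have == r.role {
				return OK
			}
		}
	}
	return PermissionDenied // no matching rule or empty path: default deny
}

func main() {
	p := base64.RawURLEncoding.EncodeToString([]byte(`{"roles":["reader"]}`)) // constructed
	h := map[string]string{"x-envoy-original-path": "/orders/42", "x-jwt-playload": p}
	fmt.Println(Verify(h, "GET"), Verify(h, "POST"), Verify(map[string]string{}, "GET"))
}
```

The payload header is only trustworthy when the sidecar sets it after validating the token, so the mesh must strip any client-supplied copy of that header before the request reaches the authorization service.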
25.
    type AuthorizationServer interface {
        // Performs authorization check based on the attributes associated with the
        // incoming request, and returns status `OK` or not `OK`.
        Check(context.Context, *CheckRequest) (*CheckResponse, error)
    }

    func (as *AuthorizationServer) Check(ctx context.Context, req *auth.CheckRequest) (*auth.CheckResponse, error) {
        h := req.GetAttributes().GetRequest().GetHttp()
        ...
        s := as.Verify(ctx, h.GetHeaders()["x-envoy-original-path"], h.Method, h.GetHeaders()["x-jwt-playload"])
        return &auth.CheckResponse{
            Status: s,
        }, nil
    }

envoy.config.filter.http.ext_authz.v2.ExtAuthz
AuthorizationServer is the server API for Authorization service.

    - env:
      - name: QS_AUTHZ_URL
        value: "authz:8000"
28. The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
Open Policy Agent