Portshift Attempts ‘More Granular’ Security for What Istio Service Meshes Lack
Portworx sponsored The New Stack’s coverage of KubeCon + CloudNativeCon in San Diego.
Organizations often face a number of unforeseen challenges when making the shift to Kubernetes deployments. Even after adopting a service mesh to help manage Kubernetes infrastructure and policies, DevOps teams can find that many issues remain, often when it is too late.
One such concern when deploying on the increasingly popular Istio service mesh is its lack of versatility for managing multiple Kubernetes clusters. This drawback also harbors security challenges, which we will describe in more detail below.
Israel-based Portshift says it can help to solve Istio’s shortcomings for Kubernetes deployments. At KubeCon + CloudNativeCon North America 2019 in San Diego this week, the company will demonstrate its identity-based workload protection platform for containers and microservices. The system, Portshift says, offers more complete mesh-enabled security for Istio thanks to its container workload-identity and other features. This capability assigns digital identities to containers within the CI/CD phase and is extended to Istio service mesh for “authenticated communication,” Portshift’s CEO Ran Ilany told The New Stack.
The idea is to boost compliance capabilities to become “inherent and continuous,” Ilany said.
For authentication, Istio uses SPIFFE (Secure Production Identity Framework For Everyone) identities and typically offers service account information (SAC), but this is not enough, Portshift says. Security monitoring with the Istio service mesh needs to “allow granular policy enforcement,” Ilany said, and to implement certificates for every pod. Istio proxies, once Portshift is added, are configured to use more granular certificates and identities as an extension of where SACs leave off.
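An added illustration of the granularity point above (not code from Portshift, Istio or the original article): Istio's SPIFFE IDs take the form spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>, so every workload running under the same service account presents the same mesh identity. The script audits a pod list in the shape of `kubectl get pods -A -o json` for such shared identities; the sample pods, the grouping by `app` label and the `cluster.local` trust domain are assumptions.

```python
import json
from collections import defaultdict

TRUST_DOMAIN = "cluster.local"  # assumed: Istio's default trust domain

# Constructed sample, trimmed to the fields used below
# (same shape as `kubectl get pods -A -o json`).
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "cart-7d9f-abcde", "labels": {"app": "cart"}},
  "spec": {"serviceAccountName": "backend"}},
 {"metadata": {"namespace": "shop", "name": "cart-7d9f-fghij", "labels": {"app": "cart"}},
  "spec": {"serviceAccountName": "backend"}},
 {"metadata": {"namespace": "shop", "name": "payments-5c4b-klmno", "labels": {"app": "payments"}},
  "spec": {"serviceAccountName": "backend"}},
 {"metadata": {"namespace": "shop", "name": "web-66d8-pqrst", "labels": {"app": "web"}},
  "spec": {"serviceAccountName": "web"}},
 {"metadata": {"namespace": "ops", "name": "metrics-8f7a-uvwxy", "labels": {"app": "metrics"}},
  "spec": {}},
 {"metadata": {"namespace": "ops", "name": "debug-shell"},
  "spec": {}}
]}
""")

def spiffe_id(pod, trust_domain=TRUST_DOMAIN):
    """Identity Istio derives for a pod: trust domain, namespace, service account."""
    ns = pod["metadata"].get("namespace", "default")
    # Kubernetes runs a pod under the "default" service account when none is set.
    sa = pod["spec"].get("serviceAccountName") or "default"
    return f"spiffe://{trust_domain}/ns/{ns}/sa/{sa}"

def workload_of(pod):
    """Group replicas by their `app` label; fall back to the pod name."""
    labels = pod["metadata"].get("labels") or {}
    return labels.get("app") or pod["metadata"]["name"]

def shared_identities(pod_list):
    """Return {spiffe_id: [workloads]} for identities used by more than one workload."""
    by_id = defaultdict(set)
    for pod in pod_list["items"]:
        by_id[spiffe_id(pod)].add(workload_of(pod))
    return {sid: sorted(w) for sid, w in by_id.items() if len(w) > 1}

if __name__ == "__main__":
    for sid, workloads in sorted(shared_identities(SAMPLE_PODS).items()):
        print(f"{sid} is shared by: {', '.join(workloads)}")
```

A policy keyed on any identity this reports cannot tell the listed workloads apart; replicas of one workload are grouped and do not count as sharing.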
In many respects, Portshift is attempting to offer an often missing security and compliance management link for Istio service meshes. Ilany described how service meshes, in general, are designed to service connectivity, availability and network capacity for Kubernetes deployments. However, their main drawback is their inability to “address security and compliance at the changing pace of DevOps CI/CD environments,” Ilany said.
Most organizations typically make do when running Kubernetes on Istio by configuring their own compliance rules manually for different clusters, depending on where they originate from geographically, Ilany said. “Unfortunately, organizations are really challenged by how current solutions are ‘after the fact’ or have been enforced at runtime.” This means these organizations need to understand the exact connectivity logic manually, “which is impossible to do in these dynamic environments,” Ilany said. “With Portshift, this information is attainable at any given moment and rules for approval are created automatically.”
The ultimate goal is to allow DevOps to create a simple security policy that encrypts communications across all containers on multiple service mesh layers “with a single click,” Ilany said.
The resulting configuration consists of mesh deployments across multiple clusters, with Istio’s control plane elements, including Mixer, Pilot and Citadel, replicated in each cluster, Ilany wrote in a blog post. “We added a method to share the root certificate authority (root CA) to all clusters, and we opted to add an Istio Ingress to each cluster, thus automating the federation of certificates/identities and services attributes between clusters,” Ilany said.
Portshift works by updating each Istio ingress gateway with the neighboring clusters and “uses the DNS configuration for external services in all clusters,” Ilany said.
Portshift automates the creation of an Istio ServiceEntry for external services in each cluster, along with a VirtualService for each external-service IP/FQDN and ServiceEntry, Ilany said. “This changes the security model, based on IP and port identities, to much more granular container identities that are also authenticated at runtime.”
KubeCon + CloudNativeCon North America 2019 is a sponsor of The New Stack.