Modern Service Networking With Consul Connect, Envoy and Kubernetes

This talk and demo were given at KubeCon China 2018.

In the second video below, Nic repeats his demo, due to network limitations at the original event.

Highlights

• Networks and network security are painful enough, but adding dynamism—schedulers, autoscaling groups, etc.—amplifies that pain, and a service mesh makes it even worse
• Perimeter firewalls do not keep your apps safe, because they don't protect against the code-level vulnerabilities in your apps
• After compromising one app, attackers often go on to move "laterally"—with no network isolation and no TLS encryption between services, it's easy once the initial compromise has been made
• But highly-available clustering, auto-scaling, and automated schedulers make it hard to segment your network in the traditional way—it's not an easy problem, so people tend to set up risky security rules
• Dynamic, intention-based security would be better, with permissions based on the app identifiers, not the IP addresses
• Lack of TLS encryption in transit makes it easy for attackers to read sensitive data off the wire
• But (again) it's hard
• HashiCorp's answer is a service-mesh architecture, secured using mTLS, based on Consul Connect and Envoy or a similar data plane