DEV Community: Uri Peled

Zero-Trust Security in K8s Made Simple: Istio Ambient Mesh, No Sidecar Needed

Uri Peled — Tue, 12 Nov 2024 20:36:31 +0000

Service meshes have become a critical tool for managing the complexity and security of microservices architectures. However, the sidecar-based model, while powerful, has often introduced notable operational and resource overheads.

Enter Ambient Mesh: Istio’s new, sidecar-free alternative that simplifies service mesh adoption and reduces resource demands. Introduced as a GA feature, Ambient Mesh offers an innovative way to leverage Istio's robust zero-trust security without the complexity of sidecar proxies.

The Sidecar Challenge

Sidecar proxies are essential in traditional service mesh architectures, providing traffic management, security, and observability features alongside each service. However, they also bring substantial trade-offs, especially in large clusters where each service instance requires its own sidecar. This model often leads to high memory and CPU usage and increased operational complexity due to sidecar management and application restarts. For many teams, these drawbacks can hinder scalability and adoption. Ambient Mesh addresses these pain points by decoupling traffic control and security from individual application containers.

istioctl install --set profile=ambient --skip-confirmation

        |\
        | \
        |  \
        |   \
      /||    \
     / ||     \
    /  ||      \
   /   ||       \
  /    ||        \
 /     ||         \
/______||__________\
____________________
  \__       _____/
     \_____/

✔ Istio core installed ⛵️
✔ Istiod installed 🧠
✔ CNI installed 🪢
✔ Ztunnel installed 🔒
✔ Installation complete
The ambient profile has been installed successfully, enjoy Istio without sidecars!

How Ambient Mesh Works

Ambient Mesh introduces ztunnels (zero-trust tunnels) on each node instead of injecting sidecar proxies into individual services. These ztunnels create a secure Layer 4 overlay network, supporting essential functions like mTLS encryption and basic traffic routing with significantly reduced resource demands. Since ztunnels handle only Layer 4 traffic, their lightweight nature makes Ambient Mesh resource-efficient and straightforward to implement.

For teams needing more advanced Layer 7 functionality, such as detailed routing, retries, and telemetry, waypoint proxies can be deployed selectively to handle these tasks. This division of responsibilities between ztunnels and waypoint proxies offers fine-grained control, allowing teams to adopt a zero-trust foundation and layer on additional features only when needed.

You now have mTLS encryption between all your pods — 
without even restarting or redeploying any of the applications!

Istio's model for redirecting traffic within pods:

The core design principle of Istio's in-pod traffic redirection model in ambient mode is that the ztunnel proxy can capture data paths within the Linux network namespace of the workload pod. This capability is made possible through the collaboration between the istio-cni node agent and the ztunnel node proxy. A significant advantage of this model is that it allows Istio's ambient mode to function seamlessly with any Kubernetes CNI plugin, without disrupting Kubernetes networking features.

Key Benefits of Ambient Mesh

Resource Efficiency: By eliminating sidecars, Ambient Mesh cuts CPU and memory requirements by over 90% in many cases, freeing resources across the Kubernetes cluster.
Simplified Operations: Ambient Mesh streamlines mesh deployment by removing the need for sidecar injection, enabling users to add applications to the mesh without downtime or container restarts.
Flexible Security and Traffic Management: Organizations can begin with lightweight Layer 4 security through ztunnels, adding waypoint proxies only for services that require advanced Layer 7 traffic management, aligning with zero-trust principles and scalability needs.

Ideal Use Cases

Ambient Mesh is particularly suited to organizations aiming to implement a zero-trust architecture with minimal resource and operational overhead. It’s also a perfect fit for teams looking to incrementally scale mesh adoption, starting with security and expanding to more complex traffic management only when required.

In Mesh: a pod that is included in the ambient data plane, 
and has traffic intercepted at the Layer 4 level by ztunnel. 
In this mode, L4 policies can be enforced for pod traffic. 
This mode can be enabled by setting the
 ״istio.io/dataplane-mode=ambient״ label.

Conclusion

Istio's Ambient Mesh mode offers a streamlined approach to service mesh architecture, removing the complexity of sidecar proxies while maintaining robust security and observability. For teams previously deterred by sidecar management, Ambient Mesh provides a compelling path forward, with reduced resource costs and an adaptable model that grows with application needs. As the feature matures, Ambient Mesh is poised to become an essential tool for Kubernetes users managing large, secure, and efficient clusters.

For more details, check out the official Istio documentation on Ambient Mesh

How-to Connect JetBrains IDEs to Amazon RDS with AWS SSO

Uri Peled — Mon, 06 Nov 2023 09:37:55 +0000

Introduction:

Connecting your JetBrains IDE to Amazon RDS databases with AWS Single Sign-On (SSO) can be a powerful way to streamline your development workflow. This guide will walk you through the steps required for setup, both on the administrative and user sides. Let's get started!

Prerequisites for accessing Amazon RDS databases

Before you can connect to an Amazon RDS database using AWS Toolkit for JetBrains, you need to complete the following tasks:

AWS organization with IAM Identity Center authentication configured

AWS IAM Identity Center is the recommended best practice for managing your AWS account authentication.

Create a DB instance and set up its authentication method

AWS Toolkit for JetBrains enables you to connect to an Amazon RDS DB instance that's already been created and configured in AWS. A DB instance is an isolated database environment running in the cloud that can contain multiple user-created databases.

Download and install DataGrip

Step 1: Creating a database account using IAM authentication
(By Admins)

With IAM database authentication, you don't need to assign database passwords to the user accounts you create. If you remove a user that is mapped to a database account, you should also remove the database account with the DROP USER statement.

Using IAM authentication with MariaDB and MySQL

With MariaDB and MySQL, authentication is handled by AWSAuthenticationPlugin—an AWS-provided plugin that works seamlessly with IAM to authenticate your users. Connect to the DB instance as the master user or a different user who can create users and grant privileges. After connecting, issue the CREATE USER statement, as shown in the following example.

CREATE USER data_scientist IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';

Using IAM authentication with PostgreSQL

To use IAM authentication with PostgreSQL, connect to the DB instance as the master user or a different user who can create users and grant privileges. After connecting, create database users and then grant them the rds_iam role as shown in the following example.

CREATE USER data_scientist; GRANT rds_iam TO data_scientist;

Step 2: IAM Policy Setup (By Admins)

In the AWS account, an IAM policy needs to be created with the following permissions:

Grant the user permission to DescribeDBInstances and DescribeDBClusters.
Grant the user permission to rds-db:connect, but only to the specified database instance (e.g., data-db) and for the database user (e.g., data_scientist). Note that you can set both permissions with conditional access based on your VPN IP. Here's the IAM policy for reference:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "rds:DescribeDBInstances",
                "rds:DescribeDBClusters"
            ],
            "Resource": [
                "arn:aws:rds:us-east-1:01233456789:db:*",
                "arn:aws:rds:us-east-1:01233456789:cluster:*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "123.456.78.901"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": "arn:aws:rds-db:us-east-1:01233456789:dbuser:*data-db*/data_scientist",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "123.456.78.901"
                }
            }
        }
    ]
}

Step 3: Attach the IAM Policy to Permission Set (By Admins)

Attach the IAM policy (Customer managed policies) created in Step 1 to the Developers-Permission-Set or any other existing permission set. This step enables users to use JetBrains IDEs like DataGrip.

Step 4: DataGrip Setup (By Users)

Install DataGrip or any other JetBrains product like PyCharm.
Install the DataGrip's AWS Toolkit plugins:

Go to Preferences > Plugins, search for AWS Toolkit, install it, and restart DataGrip.
The user should have the ~/.aws/credentials file on their computer.
The profile must include the following additional arguments:

[profile test-rds-iam-auth]
sso_session = test-rds-iam-auth
sso_account_id = 01233456789
sso_role_name = test-rds-iam-auth
region = us-east-1
sso_start_url = https://uri-peled.awsapps.com/start#
sso_region = us-east-1

Please note that the below 2 arguments are MUST:

sso_start_url = https://uri-peled.awsapps.com/start#
sso_region = us-east-1

Step 5: SSO Configuration in DataGrip (By Users)

Complete the following steps to authenticate with your AWS account using existing IAM Identity Center credentials, from the AWS Toolkit for JetBrains.

To sign in with IAM Identity Center using the AWS Toolkit for DataGrip (JetBrains), follow these steps:

Open AWS Connection Settings from the AWS Toolkit for JetBrains by clicking the ... (ellipsis) icon.
In the AWS Connection Settings menu, select "Add New Connection" to open the AWS Toolkit: Add Connection dialog.
In the AWS Toolkit: Add Connection dialog, choose the "Connect using AWS IAM Identity Center" option, enter your IAM Identity Center portal URL into the "Start URL" field, and click "Connect."
Follow the prompts to complete the authentication process.

Step 6: Connect to Amazon RDS Database (By Users - when connecting)

In DataGrip:

Open the AWS Explorer if it isn't already open.
Click the Amazon RDS node to expand the list of supported database engines.
Right-click on a database and choose "Connect with IAM credentials."
Verify connection settings and test the connection.

This guide was created based on several AWS, JetBrains and GitHub issues, such as:

Conclusion:

With these steps, you can seamlessly connect your JetBrains IDE to Amazon RDS or even Redshift databases using AWS SSO. If you encounter any issues or have further questions, don't hesitate to reach out to me.

Secure human Identity and access management for AWS EKS with SSO

Uri Peled — Sun, 20 Mar 2022 12:51:37 +0000

Start with the basics:

AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions.

AWS Single Sign-On (AWS SSO) is a cloud service that allows you to grant your users access to AWS resources, such as Amazon EC2 instances, across multiple AWS accounts

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise.

Authentication to your Kubernetes cluster

Amazon EKS uses IAM to provide authentication to your Kubernetes cluster (through the aws eks get-token command, available in version 1.16.156 or later of the AWS CLI, or the AWS IAM Authenticator for Kubernetes), but it still relies on native Kubernetes Role Based Access Control (RBAC) for authorization.

The below should help you configure AWS EKS with SSO:

Ensure the cluster admin or whoever has access to run kubectl commands adds the SSO role to the aws-auth ConfigMap (this is used to manage access on the cluster):

 kubectl create configmap my-config-aws-auth --from-file=path/to/file/aws-auth.properties

The file "aws-auth.properties" can look like this

apiVersion: v1 
kind: ConfigMap 
metadata: 
  name: aws-auth 
  namespace: kube-system 
data: 
  mapRoles: | 
    - rolearn: arn:aws:iam::11122223333:role/EKS-DevOpsAdmin 
      username: system:node:{{EC2PrivateDNSName}} 
      groups: 
        - system:bootstrappers 
        - system:nodes 
  mapUsers: | 
    - userarn: arn:aws:iam::11122223333:user/designated_user 
      username: designated_user 
      groups: 
        - system:masters

Ensure you are logged into the SSO role from your CLI/Shell/CMD. Run ($ 'aws sts get-caller-identity' ) to verify
- If you are not sure how-to login into the SSO role, see this Configuring the AWS CLI to use AWS Single Sign-On . Basically you will need to run aws sso login.
Ensure that the SSO role has access to run eks:DescribeCluster on the cluster you intend to connect to.
You can use AWS Policy Generator tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.

For least privilege use the below IAM Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSDescribeClusterPolicy",
      "Action": [
        "eks:DescribeCluster"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

For managing the entire AWS EKS service you can either go with your AdministratorAccess role or EKS specific admin policy :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EKSAdminPolicy",
      "Action": "eks:*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Configures kubectl so that you can connect to an Amazon EKS cluster: $ aws eks update-kubeconfig --name cluster_name this creates the kubeconfig in /home/user/.kube/config and the kubeconfig also have the aws eks get token command inside

The above instructions are for an existing cluster and you should be able to use them one by one in order to secure human Identity and access management for AWS EKS with SSO.

Please let me know if you have any questions or feedback

Iron Dome = 'Security Policies' at scale for your Multi-Cloud accounts

Uri Peled — Mon, 27 Dec 2021 16:59:27 +0000

IRON DOME (AKA Kippat Barzel) is a mobile all-weather, multi-purpose combat proven system that detects, assesses and intercepts incoming artillery, It truly protects the cloud of Israel day and night.
Also in the Star Trek fictional universe, shields refer to a 23rd and 24th century technology that provides starships, space stations, and entire planets with limited protection against damage.

A Pragmatic Approach to Scaling Security in the Cloud

Companies that provide "cloud" computing services, such as Amazon, Google and Microsoft put in place Defense in Depth strategy, adding an additional layer of protection to mitigate unknown vulnerabilities on complex infrastructures.
In this post we will review some of the best preventive protection you can define in your cloud accounts.

Let's start with AWS

AWS Service Control Policies (SCPs) are a way of restricting the actions that can be taken in an AWS account so that all IAM users and roles, and even the root user cannot perform them. This feature is part of AWS Organizations, and the SCPs are controlled by the Organization Master account.
See the Effects on permissions in the AWS Organizations User Guide and Determining whether a request is allowed or denied within an account in the IAM User Guide.

At asecure.cloud you can find a repository of AWS SCP templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts.
Not like in the Israeli film, Operation Grandma, I will quote and will not recommend you "to start your fastest, and slowly to increase the pace", but you can start by deny console access to newly created IAM users, The SCP is constructed to prevent action which would deny creating of password for IAM user. What we achieve with such a policy is that all the new users we create will have only programmatic access, and all human users will login through AWS Single Sign-On.

You will be able to create an IAM user, however, the new user will have the section disabled by default, thus restricting the new IAM users from accessing the console.

One more cool policy you can use is restricted IAM principals in any account from making changes to our Security Audit IAM roles created in each AWS account.

We will continue with GCP

Google's Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources. As the organization policy administrator, you will be able to configure constraints across your entire resource hierarchy.

I would start here from those that will help us minimize as much future misconfiguration as for example
Enforce public access prevention When you apply the publicAccessPrevention constraint on a resource, public access is restricted for all buckets and objects, both new and existing, under that resource.

The 2nd constraint I would go for in GCP is the
Restrict Public IP access on Cloud SQL instances
I encourage you to read this article by Google about Cloud SQL with private IP only: the Good, the Bad and the Ugly

I recommend you to use a native tool that Google has developed that will help you with Investigating issues as to why a user has access to a resource or does not have permission to call an API - you can find more and how to use it in this video about Policy Troubleshooter

And let's wind up with Azure

Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity.
I regularly find that Azure always like to complicate the settings and are most of the time much more difficult for implementation, compared to other cloud providers, so keep that in mind. Therefore I highly recommend you to watch this video that explains (not briefly) the service.

Azure shared with us a GitHub repository contains built-in samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups.

In some organizations there is a requirement from the FinOps team that all of Azure resources must be tagged with a specific set of tags, which were ultimately to be used for cost accounting when the bill came rolling in.
I found that the best way to ensure that this rule is enforced is to use Azure Policy, You can use the Inherit a tag from the resource group if missing, the policy description: Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.

Thanks for reading this tutorial.

The Back-Pass Rule That Changed the Game

Uri Peled — Sun, 29 Aug 2021 20:36:15 +0000

It’s good to have goals

With Higuita behind them, the defensive line of Colombia could push higher up the field, pressing the opposition to win the ball back. Then, when in possession, they were a more compact unit, with lots of options for their trademark short passing.

Not even David Beckham, Diego Maradona or Messi can say they changed the game.
But to your surprise, the former Colombian goalkeeper Rene Higuita, changed the game.

At 1992, with Higuita's high-risk 'sweeper-keeper' playing style in mind, it was decided by FIFA that goalkeepers had to play with their feet. You must play the ball back to them and they can’t pick it up.

Pause, rewind, play:

Now days we have video referees and goalline technology, but while this tech have started fresh conversations about the hard laws of the soccer game, the machines themselves have not changed the rules instead they have allowed them to be scrutinised more closely – perhaps too closely, but that’s an argument for another time.

Now you're probably wondering why you're reading a soccer story in a post about cloud security

Just like today's "modern football", these days, the advent of SaaS applications has accelerated the pace of business and introduced a host of new cybersecurity concerns.

Q: So how can goalkeepers in the cloud-native world ensure security?
A: They change the rules!

So while FIFA/Hackers continues to toy with the Laws of the Game, here is a suggested rule change to make this beautiful game of ours even more beautiful/secure:

Imagine you have a group named R.Madrid.
Members of R.Madrid should not be allowed to access any Amazon S3 resources except the Madrid folder in the Spanish League bucket. And certainly not to access anything related to the Barcelona folder.

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "s3:ListBucket"
         ],
         "Resource":[
            "arn:aws:s3:::SpanishLeagueBucket/Madrid"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
         ],
         "Resource":[
            "arn:aws:s3:::SpanishLeagueBucket/Madrid/*"
         ]
      },
      {
         "Effect":"Deny",
         "NotAction":"s3:*",
         "NotResource":[
            "arn:aws:s3:::SpanishLeagueBucket/Madrid",
            "arn:aws:s3:::SpanishLeagueBucket/Madrid/*"
         ]
      }
   ]
}

The above is IAM resource-based policy that can be used in order to limit access to a specific resource by explicitly deny all operations that require other services.

"NotResource is an advanced policy element that explicitly matches every resource except those specified"

Cool Links:

github-awsdocs IAM JSON policy elements: NotResource.
awsdocs IAM JSON policy elements reference.
ermetic.com The Importance of Identity and Access Management (IAM) in Cloud Infrastructure.
René Higuita From Wikipedia pioneering in influencing goalkeepers to take more responsibility for situations further from the goal.
Higuita's Incredible Scorpion Kick Goalkeeper René Higuita's Incredible Scorpion Kick.