Modern microservices architectures split application functions into individual services and expose them through APIs over protocols such as HTTP/REST, gRPC, or Kafka. The rise of container orchestration platforms such as Kubernetes is creating demand for routing, load balancing, and security infrastructure that is highly scalable, application aware, and resilient. At the same time, BPF (the Berkeley Packet Filter) has become one of the fastest-growing technologies in the Linux kernel and is reshaping networking, security, and tracing.
What was done for security before microservices is no longer sufficient. A perimeter firewall alone cannot see or control the traffic between services inside a cluster, so the new norm for the modern world is that security must be distributed and enforce least privilege for pod-to-pod traffic: every service is allowed to talk only to the peers, ports, and API calls it actually needs.
While navigating from an architectural design to the lab and eventually production, it is important to understand the pain points and gaps of traditional firewall methods when exposing services via APIs in microservices architectures. Cynthia Thomas outlines traditional firewall methods and details the evolution of the distributed security model to enforce least privilege for microservices.
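To make the "distributed, least-privilege pod-to-pod" model concrete, the manifests below show the weak default (a Kubernetes namespace with no policy, where every pod can reach every other pod) replaced by a default-deny policy plus explicit allow rules, first at L3/L4 with a standard Kubernetes NetworkPolicy and then at L7 with a CiliumNetworkPolicy that limits the allowed HTTP methods and paths. This is an added example written for this page, not code from the talk or the Cilium project; the namespace `shop`, the labels `app: frontend` and `app: backend`, and port 8080 are assumptions chosen for illustration.

```yaml
# Step 0 (implicit weak setting): a namespace with no NetworkPolicy at all.
# Kubernetes treats every pod in it as allow-all for ingress and egress,
# so a compromised pod can reach any service in the cluster.
apiVersion: v1
kind: Namespace
metadata:
  name: shop            # assumed namespace name
---
# Step 1: default deny. An empty podSelector matches every pod in the
# namespace; listing both policyTypes with no rules denies all traffic
# not explicitly allowed by another policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Step 2: L3/L4 least privilege. Only pods labelled app=frontend may
# reach app=backend, and only on TCP/8080. Everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend      # assumed label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend   # assumed label
      ports:
        - protocol: TCP
          port: 8080          # assumed service port
---
# Step 3: L7 least privilege with Cilium (BPF-enforced). The frontend may
# only call GET /api/v1/products/* and POST /api/v1/orders on the backend;
# any other method or path on the same port is rejected at the API layer,
# which a port-level rule cannot express.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-api-least-privilege
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/v1/products/.*"
              - method: POST
                path: "/api/v1/orders"
```

Apply the three policy documents with `kubectl apply -f`, then verify from a frontend pod that `GET /api/v1/products/1` succeeds while `DELETE /api/v1/orders/1` and any request from a pod without the `app: frontend` label are refused. Note that the default-deny policy also blocks DNS egress; in a real cluster you would add an egress rule allowing UDP/TCP 53 to the cluster DNS service before rolling this out, and Cilium's `cilium monitor` can be used to confirm which rule dropped a given packet or HTTP request.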
Cynthia Thomas is a technology evangelist at Isovalent. Her background includes 10 years spent working with open source cloud and networking solutions in data center, telecommunications, and campus deployments. Cynthia is an advocate of open source technologies. Since 2015, she has been working on Docker and Kubernetes with CNI plugins, currently through the open source project Cilium. She is a frequent speaker at conferences, including ContainerCon, DevOpsDays, DockerCon, Kubernetes meetups, and OpenStack Summits and meetups.
©2018, O'Reilly Media, Inc. All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners.