2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article introduces the role of Service Mesh. Many people have questions about what a Service Mesh actually does, so the editor has consulted a range of material and put together a simple overview that should help answer the question "what is the use of Service Mesh?"
What is a Service Mesh? Why is it so important?
Connection issues
To understand why Service Mesh exists, first consider the network connection in the container environment.
Imagine what happens when you run a cloud native application. As long as it has a certain scale and complexity, it usually needs to be composed of a large number of separate services, which need to coordinate with each other in order to run as efficiently as a single desktop application component.
Add to that the number of instances of each service running at any given time, and the changes in the status and availability of those instances, and it is not hard to see that the simple act of connecting one service to another can become a daunting combinatorial problem.
Orchestration is the foundation
Thanks to orchestration tools such as Kubernetes, cloud native applications don't become chaotic or seize up from internal logjams. These tools organize services and instances into units that are easy to manage and address, so that they can be found and accessed in a systematic way.
Orchestration tools are like a housing developer laying streets and building houses in a new neighborhood: they build the framework and the transportation routes, but in most cases it is not their job to deal with the details of traffic in the community.
Manage traffic
This is where Service Mesh is needed. When one service needs to send a request to another service, Service Mesh provides a standardized interface that allows the request to be sent and manages the process.
A Service Mesh, such as Istio or Linkerd, usually acts as a proxy for requests and other traffic between microservices. It is responsible for service discovery and performs a variety of related tasks, including ingress, egress, load balancing, and fault handling. When it receives a service request, it finds an available instance of the service that satisfies a set of configurable rules and routes traffic between the requesting service and the target service.
Take over a complex job
This means that you can remove service discovery and most of the tasks associated with it from application design and code (and architecture scripts) and leave them to Service Mesh to handle. The requesting service only needs to use the abstract identifier of the target service to make the request; Service Mesh will take care of the rest.
Of course, Service Mesh can handle more than that, including tracing, metrics, encryption, authentication, and other performance and security-related tasks. Istio and Linkerd can be used together to integrate the most powerful features of the two packages for microservice-related traffic management optimization.
Service Mesh and Enterprise Security
What does all of the above mean for enterprise security?
Do the security and overall traffic management features of platforms such as Istio and Linkerd provide adequate protection? Or, on the contrary, do they expose new attack surfaces, giving intruders the opportunity to attack through the back door?
The fact is that any new element that controls the infrastructure is likely to do both. In the Service Mesh scenario, features such as ingress / egress management, proxying, and encryption add security-related elements to the system. At the same time, these platforms manage traffic and access and are trusted by applications and other infrastructure elements, which makes them targets.
The overall role of Service Mesh is to provide some enhancements at the boundaries of the application (that is, ingress rules) and to create efficient channels for traffic within that perimeter. In terms of corporate security, this means you need to focus on at least two (or more) potential attack routes.
When the invaders break through the border
What happens if an intruder breaks through the basic boundary defenses of the Service Mesh and even compromises an instance of a service? If that service sends requests to the Service Mesh, or responds to requests from it, then a malicious payload may be injected into the system, taking advantage of the Service Mesh's efficient traffic management to deliver it to as many potential targets as possible. If the Service Mesh treats anything that looks like a service as "trusted", and the application wrongly assumes that the Service Mesh only passes non-malicious data between services, then any malicious participant can take advantage of this trust to disguise itself as a valid service.
Of course, platforms like Istio and Linkerd do include features to keep traffic secure, such as TLS authentication; Istio's Role-Based Access Control (RBAC) provides flexible and customizable multi-level access control. However, if intruders break through these defenses, they can still move within the system and cause damage.
Attacks on the Service Mesh infrastructure
The Service Mesh platform, like any other cloud-based infrastructure element today, is made up of code and is as vulnerable as other types of code. Perhaps the most attractive attack surface for intruders is the set of rules that govern discovery and routing: if requests can be rerouted to an external location, the entire system may be compromised.
Of course, there will be other points of attack. Functions such as ingress, egress, proxying, and load balancing may contain previously undetected entry points. In short, the more an infrastructure element controls the application and the system as a whole, the more likely it is to be targeted and the more attention it deserves.
Resist an attack
So is there a best approach to dealing with Service Mesh-related security issues? Yes, there is.
The defense capabilities provided by the Service Mesh itself can be combined with strong border defenses such as whitelisting to further enhance the intrusion prevention capabilities of applications. On top of these, internal anomaly detection provides a stronger defense: any unusual behavior in the program triggers an automatic response. Network security monitoring can detect and counter attacks on the service mesh infrastructure itself.
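As an added illustration (not code from the original article or from the Istio project), the following audit applies the two controls discussed above to mesh configuration: it flags mesh authentication policies that do not enforce mutual TLS and routing rules that send or mirror traffic to hosts outside an allowlist. The manifests are constructed sample data shaped like Istio's PeerAuthentication and VirtualService resources; INTERNAL_SUFFIXES, ALLOWED_EXTERNAL and the treatment of short names as in-mesh are assumptions.

```python
# Added example: audit Istio-style config for weak mTLS and unexpected route targets.
# SAMPLE_MANIFESTS is constructed sample data, not taken from a real cluster.
INTERNAL_SUFFIXES = (".svc.cluster.local",)  # assumption: in-mesh FQDNs end with this
ALLOWED_EXTERNAL = {"api.partner.example"}   # assumption: reviewed egress allowlist

SAMPLE_MANIFESTS = [
    {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "shop"},
     "spec": {"mtls": {"mode": "PERMISSIVE"}}},
    {"kind": "VirtualService", "metadata": {"name": "cart", "namespace": "shop"},
     "spec": {"http": [{"route": [{"destination": {"host": "cart.shop.svc.cluster.local"}}],
                        "mirror": {"host": "collector.unknown.example"}}]}},
    {"kind": "VirtualService", "metadata": {"name": "pay", "namespace": "shop"},
     "spec": {"http": [{"route": [{"destination": {"host": "api.partner.example"}}]}],
              "tcp": [{"route": [{"destination": {"host": "db"}}]}]}},
]

def is_trusted_host(host):
    """Short names and cluster-local FQDNs stay in the mesh; anything else must be allowlisted."""
    if "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return True
    return host in ALLOWED_EXTERNAL

def destinations(spec):
    """Yield every host a VirtualService can route or mirror traffic to."""
    for proto in ("http", "tcp", "tls"):
        for rule in spec.get(proto, []):
            for route in rule.get("route", []):
                yield route["destination"]["host"]
            if "mirror" in rule:
                yield rule["mirror"]["host"]

def audit(manifests):
    """Return (namespace/name, issue) pairs for policies that weaken mesh trust."""
    findings = []
    for m in manifests:
        name = f'{m["metadata"]["namespace"]}/{m["metadata"]["name"]}'
        if m["kind"] == "PeerAuthentication":
            mode = m["spec"].get("mtls", {}).get("mode", "UNSET")
            if mode != "STRICT":
                findings.append((name, f"mTLS mode {mode}, not STRICT"))
        elif m["kind"] == "VirtualService":
            for host in destinations(m["spec"]):
                if not is_trusted_host(host):
                    findings.append((name, f"routes to unlisted host {host}"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_MANIFESTS):
        print(f"{name}: {issue}")
```

Running a check like this whenever routing or authentication policy changes turns the allowlist into a monitoring signal for the discovery and routing rules themselves.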
In the cloud-based field, containerized applications and Service Mesh are indispensable tools in enterprise computing. Combined with full-featured enterprise-class security services, they need not give intruders an opening or compromise the data security of the organization.