How well do you know network security measures for Amazon EKS and Istio with ACM...


What is the recommended starting point for network security measures in Amazon EKS?

A default deny policy

What is Calico Enterprise's feature that allows mapping a Kubernetes network policy to an AWS security group?

Network policy mapping

What is the purpose of the istio-agent in Istio's identity management system?

To send a certificate signing request (CSR), carrying the pod's service account token, to Istio's control plane (istiod) to obtain a workload identity

What is the purpose of the istio-csr agent in Istio's identity management system?

To convert incoming CSRs into resources that cert-manager supports

What is the AWS-native way to control network traffic within and outside of an Amazon EKS cluster?

Security groups for pods

Which service mesh can be used for encryption in transit in Amazon EKS?

Istio

What is the purpose of the AWS VPC Security Groups in Amazon EKS?

To control traffic between the Kubernetes control plane and the cluster's worker nodes

What is the purpose of ACM Private CA in Istio's Certificate Signing process?

To act as the managed CA that signs the workload certificates requested through cert-manager, keeping the CA private keys in FIPS 140-2 Level 3 hardware security modules

Study Notes

Network Security Measures for Amazon EKS

  • Network security measures for Amazon EKS involve traffic control and encryption in transit.

  • Kubernetes network policies provide a mechanism to restrict network traffic between Pods and external services.

  • Calico is an open source policy engine that supports extended network policies with a richer set of features.

  • Calico Enterprise includes a feature that allows mapping a Kubernetes network policy to an AWS security group.

  • Security groups for pods offer an AWS-native way to control network traffic within and outside of a cluster.

  • Encryption in transit can be implemented at the instance level (Nitro-based instances encrypt traffic between supported instance types), by a Container Network Interface (CNI) that supports encryption, or by a service mesh such as App Mesh, Linkerd v2, or Istio.

  • Ingress controllers can be configured to terminate SSL/TLS connections, and ACM Private CA with cert-manager can be used to enable TLS and mTLS to secure EKS application workloads.

  • It is recommended to start with a default deny policy and incrementally add rules to selectively allow the flow of traffic between namespaces/pods.

  • DNS queries can be allowed by adding a global rule that allows pods to query CoreDNS for name resolution.

  • Calico policies can be scoped to Namespaces, Pods, service accounts, or globally.

  • AWS VPC Security Groups are used to control the traffic between the Kubernetes control plane and the cluster's worker nodes.

  • ACM Private CA is a highly-available, secure, managed CA that secures private keys in FIPS 140-2 Level 3 hardware security modules.

Certificate Signing in Istio with ACM Private CA

  • Kubernetes uses service accounts as identities, but Istio has its own identity management system and CA.

  • Workloads in Istio need an identity assigned from Istio to be deemed trustworthy and communicate with other services in the mesh.

  • The istio-agent sends a certificate signing request (CSR) containing the service account token to Istio's control plane to get an identity.

  • Istiod acts as both the Registration Authority (RA) and the CA, verifying the CSR and issuing a certificate with a SPIFFE identity.

  • The resulting SPIFFE Verifiable Identity Document (SVID), an X.509 certificate carrying the workload's SPIFFE ID, is handed to the requesting service; it authenticates the workload to its peers and is the key material for mutual TLS, which encrypts traffic in transit.

  • The Istio Certificate Signing Request agent (istio-csr) integrates Istio with ACM Private CA using cert-manager.

  • The istio-csr agent converts incoming CSRs into resources that cert-manager supports and requests certificates from ACM Private CA.

  • The AWS Private CA issuer plugin enables communication between istio-csr and ACM Private CA to request signed certificates for workloads.

  • Cert-manager uses the issuer plugin to request TLS certificates from ACM Private CA.

  • Once the certificate is signed, it is returned to istio-csr, which returns it to the workload that initiated the CSR.

  • To set up this integration, Istio must be installed with custom configurations to replace the certificate provider for the mesh.

  • This process can be carried out using the Istio Operator Tooling.

Test your knowledge of network security measures for Amazon EKS and certificate signing in Istio with ACM Private CA with this quiz. Learn about traffic control, encryption in transit, Kubernetes network policies, Calico, and more. Find out how Istio uses its own identity management system and CA, and how to integrate it with ACM Private CA using cert-manager. Challenge yourself and see how much you know about securing your EKS application workloads.
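The istio-csr / cert-manager / ACM Private CA chain described in the study notes, as an added example that is not part of the original page and not vendor-supplied configuration. It assumes cert-manager, the AWS Private CA issuer plugin and istio-csr are already installed; the CA ARN, region, issuer name and trust domain are placeholders, and the istiod overlay patches follow the pattern used by the istio-csr documentation but should be checked against the Istio and istio-csr versions actually deployed.

```yaml
# Added example: three separate files shown as one document stream.
# (1) cert-manager issuer backed by ACM Private CA (issuer plugin CRD).
---
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: aws-pca-mesh-ca
spec:
  # Placeholder ARN; the subordinate CA that will sign workload certs.
  arn: arn:aws:acm-pca:us-west-2:111122223333:certificate-authority/EXAMPLE-CA-ID
  region: us-west-2
---
# (2) istio-csr Helm values: route every mesh CSR to the issuer above.
#     Keys are the chart's app.certmanager.* / app.tls.* values (assumed).
app:
  certmanager:
    namespace: istio-system
    issuer:
      name: aws-pca-mesh-ca
      kind: AWSPCAClusterIssuer
      group: awspca.cert-manager.io
  tls:
    trustDomain: cluster.local
---
# (3) IstioOperator: disable istiod's built-in CA, send istio-agent CSRs to
#     istio-csr, and mount istiod's own cert-manager-issued serving cert.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  name: istio-with-acm-pca
spec:
  profile: default
  meshConfig:
    trustDomain: cluster.local
  values:
    global:
      # istio-agent sends CSRs here instead of to istiod's CA server
      caAddress: cert-manager-istio-csr.cert-manager.svc:443
  components:
    pilot:
      k8s:
        env:
        - name: ENABLE_CA_SERVER
          value: "false"
        overlays:
        - apiVersion: apps/v1
          kind: Deployment
          name: istiod
          patches:
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--tlsCertFile=/etc/cert-manager/tls/tls.crt"
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--tlsKeyFile=/etc/cert-manager/tls/tls.key"
          - path: spec.template.spec.containers.[name:discovery].args[-1]
            value: "--caCertFile=/etc/cert-manager/ca/root-cert.pem"
          - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
            value:
              name: cert-manager
              mountPath: /etc/cert-manager/tls
              readOnly: true
          - path: spec.template.spec.containers.[name:discovery].volumeMounts[-1]
            value:
              name: ca-root-cert
              mountPath: /etc/cert-manager/ca
              readOnly: true
          - path: spec.template.spec.volumes[-1]
            value:
              name: cert-manager
              secret:
                secretName: istiod-tls
          - path: spec.template.spec.volumes[-1]
            value:
              name: ca-root-cert
              configMap:
                name: istio-ca-root-cert
```

Install with `istioctl install -f` on the IstioOperator file after cert-manager, the issuer and istio-csr are up, since istiod will not start without the `istiod-tls` secret that istio-csr requests through the issuer. Because ACM Private CA is not a self-signed in-cluster CA, istio-csr has to be given the root certificate it should distribute to workloads (the chart exposes a root CA file setting for this); otherwise sidecars will receive leaf certificates they cannot chain to a trusted root and mTLS handshakes will fail.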
