Livin’ On the Edge S3 Ep3: Unlocking the Power of Istio and Coraza
November 16, 2023 | 7 min read
Table of contents
On Season Three, Episode Three of the Livin’ on the Edge podcast, I spoke with Jose Carlos Chavez, who is a software engineer at Tetrate and heavily involved with Istio, an open-source service mesh, that has been making waves in the world of microservices and cloud-native applications. Istio offers a range of features for traffic management, security, and observability, making it a valuable tool for developers and DevOps teams.
In this episode, Jose Carlos dove into his background in software and observability, including his experience with open tracing and open telemetry.
Just like Ambassador Labs and our Emissary-Ingress tool, Istio is also a part of the Cloud Native Computing Foundation (CNCF). This reflects Istio's importance within the cloud-native ecosystem, emphasizing its role in modern application development. His alignment with the CNCF extends to considerations of security. Jose Carlos emphasized in our conversation that Istio's role in the CNCF landscape is leading to the implementation of even more security features.
Security Measures: Resiliency & Visualization Matter
For the security buffs out there, this episode was a key one for understanding how to introduce security measures without impacting application performance and understanding the need to identify and mitigate risks. There is a strong focus on security within Istio. Jose Carlos’ team is tasked with continually evolving to address security concerns, making it a reliable choice for organizations.
“Resiliency in security measures, including handling retries, non-happy path scenarios, and degraded modes is the most important thing to keep an eye on as you innovate your security best practices,” shares Jose Carlos. He also highlighted the need to monitor and analyze metrics and logs for detecting anomalies.
On top of that, I would add the importance of visualization in security. In our discussions, I drew a parallel between security and observability, where visualizing network maps and anomalies is crucial for understanding and responding to security threats.
New Developments With Istio
“Security is important, and we’re still investing in Istio. The future looks promising, especially with WebAssembly and other innovations,” shares Jose Carlos.
Jose Carlos’ developer team aren’t just Istio users, but enthusiastic contributors to the project. They have developed products based on Istio and offer subscriptions for support. They emphasize their dedication to keeping Istio compliant with important standards, such as Phipps compliance.
“Istio is actively evolving to meet the security and performance requirements of production environments, and we’re excited to unveil a few more security features in the next few months,” hinted Jose Carlos. Here are a few of the important features that Jose Carlos emphasized as important when understanding an open-source tool like Istio:
- Have a Battle-Tested Service Mesh: One key takeaway from our conversation is the importance of having a battle-tested service mesh like Istio in production environments. Jose Carlos emphasized that a tool like Istio is 100% upstream and available on Amazon keys.
- Embracing WebAssembly: WebAssembly (Wasm) is another exciting technology we discussed in this episode. We delved into how it provides the flexibility to write code in multiple languages and run it within Istio. Jose Carlos’ developer team is actively involved in the WebAssembly community and is building "http-wasm," a tool to load WebAssembly binaries into applications. This opens up a world of possibilities for developers who prefer not to write their code in Lua, as WebAssembly is more versatile and efficient.
We did get into the idea of how eventually, if we had the option of a "playground" type of environment where one could test rules using WebAssembly in their browser, that would be ideal. It would provide a safe and secure environment for testing without the need for servers.
“We have the testing and rule validations tools and playgrounds for testing Istio rules and configurations, which underlines the importance of rigor and testing in the Istio ecosystem. This ensures that Istio users can validate their configurations and policies effectively,” shares Jose Carlos.
The Coraza Project & Testing SecLang Rules
This discussion brought us to the idea of testing SecLang rules. Jose Carlos maintains a tool that allows you to test your rules using a Spring Bean. Jose Carlos is also a co-leader on the Coraza open-source project. These tools ensure that your rules are functional and secure, saving you time and hassle. This is another area that the Istio team is exploring a variety of integrations and collaborations with as they seek to expand their security measures.
However, when using Coraza, I presented the critical challenge of trying to do testing with Istio and Coraza SecLang rules. My concern revolved around the need for effective testing methodologies for security rules and configurations, but thankfully Jose Carlos had a few valuable solutions to combat that valid concern.
In the end, we’re both excited about the future of Istio and Coraza and the growing interest in WebAssembly. We’ll have to see what possibilities it offers down the line, and how it can simplify rule implementation and testing. I’m always down for a riveting conversation about open-source tools, and it was a great chance to delve into the Istio and Coraza communities. These tools are becoming even more robust and versatile, offering valuable solutions for microservices and cloud-native applications.
For those looking to enhance the security, reliability, and flexibility of their applications and services, these are great open-source options in addition to tools like Emissary-Ingress. Of course, if you want a tool with fully robust scalability and security, I’d recommend something like the Edge Stack API Gateway. If you’re seeking more episodes and insights from Livin’ On the Edge, check out our podcast page.