(Thread-1) I’ve just turned on mTLS on an 18-year-old PHP monolith and it JUST worked 🤯. Now the traffic originating from it can be validated by other services in our infrastructure using @EnvoyProxy RBAC mechanism. #servicemesh #mTLS #security #microservices @CloudNativeFdn
(2) Service Mesh enables new features for legacy workloads that would take months to implement. Our system allows gradual and granular migration to mTLS using strict or permissive modes. As a developer you define a list of URLs and clients that are allowed to access them.
(3) In permissive mode, requests from clients that are not listed are just logged. In strict mode the request is blocked (403) and also logged for audit purposes. Everything visible in logs is also summarised in Grafana.
(4) This allows business-facing developers to safely and gradually enable mTLS by enabling permissive mode first, then discovering their clients, and finally enabling strict mode on individual paths on a case-by-case basis. AFAIK no other Service Mesh allows that.
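As an added illustration (not the thread author's configuration), here is how the strict/permissive split described in tweets 2 to 4 maps onto Envoy's HTTP RBAC filter: enforced `rules` give strict mode for one path, while `shadow_rules` are evaluated and logged but never enforced, which is permissive mode. It assumes the listener terminates mTLS with client certificates required, so the `authenticated` principal is the client's URI SAN; the SPIFFE IDs, paths and stat prefix are constructed placeholders.

```yaml
# Added example, not the author's or Envoy's own sample config.
# Assumes the listener requires client certificates (mTLS) so that
# "authenticated" principals carry the client's URI SAN.
http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Enforced rules = strict mode. Only /api/orders is locked down here;
    # a request to it from an unlisted client gets a 403 and is logged.
    # Every other path is explicitly allowed so that the shadow rules
    # below decide what is logged without blocking anything.
    rules:
      action: ALLOW
      policies:
        orders-strict:
          permissions:
          - url_path:
              path: { prefix: "/api/orders" }
          principals:
          - authenticated:
              principal_name: { exact: "spiffe://example.internal/ns/shop/sa/checkout" }
        everything-else-open:
          permissions:
          - not_rule:
              url_path:
                path: { prefix: "/api/orders" }
          principals:
          - any: true
    # Shadow rules = permissive mode. They are evaluated on every request
    # but never enforced: an unlisted client is still served, while the
    # result is counted in the filter's shadow_denied stat and recorded as
    # dynamic metadata that the access log can emit. That is the
    # "discover your clients" phase before a path is moved into `rules`.
    shadow_rules_stat_prefix: "permissive_"
    shadow_rules:
      action: ALLOW
      policies:
        known-clients:
          permissions:
          - url_path:
              path: { prefix: "/api/" }
          principals:
          - authenticated:
              principal_name: { exact: "spiffe://example.internal/ns/shop/sa/checkout" }
          - authenticated:
              principal_name: { exact: "spiffe://example.internal/ns/shop/sa/billing" }
```

Moving a path from permissive to strict is then a matter of copying its policy from `shadow_rules` into `rules` once the shadow_denied counter has stayed at zero for long enough in production.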
(5) Disclaimer: I might be wrong about the Service Meshes I mention below. I might not have found the right documentation or missed something. Please correct me if you know better.
(6) Consul has two modes, allow and deny, and the only metric related to intentions is "consul.fsm.intention" (which measures “time it takes to apply an intention operation”).
(7) Istio has permissive mode but it only allows locking down by namespace istio.io/latest/docs/ta… which is not flexible enough.
(8) Kuma only shows “secured destinations by mTLS” in their dashboards. There is no info in docs (that I could find) about migration steps / permissive mode.
(9) Traefik (which uses SMI-SPEC) has fine-grained RBAC capabilities doc.traefik.io/traefik-mesh/c… but I do not see anything about permissive mode.
(10) No one in a large organisation is going to enable strict mode and hope that it is just going to work. You need weeks in production with permissive mode, actively searching for clients, to be sure that no legitimate traffic is blocked and there is no impact on the end users.
(11) In the past we were accused of NIH (en.wikipedia.org/wiki/Not_inven…) but that is simply not the case. Features that our developers need are not present in other projects and that is why we build them ourselves.