Open Source Summit Japan & Automotive Linux Summit 2021

In the world of microservice, where various services expose their APIs, it's much difficult to define a security boundary between the public network and the private network. So we need to consider introducing "zero-trust network" to secure each service independently. The technologies underlying zero-trust network are mutual TLS and JWT validation. It is hard to achieve zero-trust network because it typically requires rich resources and architecture modification, especially in the case of using service mesh. In those systems that have limited resources or hard to modify their architecture, the way how to implement it lightly or transit it from the traditional security boundary definition smoothly is requested, something like a lightweight zero-trust network only achieving the underlying technologies. In this presentation, Yoshiyuki Tabata proposes "lightweight zero-trust network" to achieve mutual TLS and JWT validation by only NGINX and Keycloak, an open-source implementation of OAuth2 authz server and widely used in production. And also he proposes how to transit it from the traditional security boundary definition to per service/pod definition smoothly, that is, with changing little setting files. Furthermore, he tackles on chokepoint issue of OAuth2 authz server with OPA.