Introduction
rApp is a combination of microservice and platform service components. The platform (PF) components could be Policy, Service Orchestrator, etc.
...
- one or more microservices
- Policy configuration
- Camunda Workflow
Tools Used
A study was done to understand how an rApp behaves in the Nonrtric and SMO environment. For this analysis the following components are needed as prerequisites:
- Kong Gateway
- Istio
- Keycloak
- Network Policy - Calico
- Nonrtric functions - ECS & Policy Service
Kong Gateway
Kong is an open-source API gateway. More information on Kong installation & configuration can be found at https://docs.konghq.com/gateway-oss/2.6.x/kong-for-kubernetes/install/
Istio
Istio is an open source service mesh which provides extensive control over traffic flow between the services. More information can be found at https://istio.io/latest/docs/setup/install/istioctl/
Keycloak
Keycloak is an open source identity & access management solution. Further information can be found at https://www.keycloak.org/docs/latest/getting_started/
Network policy
Kubernetes network policies can be enforced by different implementations such as Calico and Cilium. For this study we have used Calico: https://docs.projectcalico.org/getting-started/kubernetes/helm
Nonrtric
Install the nonrtric functions and make sure sidecar injection is enabled for the nonrtric namespace.
...
As you can see from the above image, there is network traffic between the Policy Management Service, the A1 Simulator and DMaaP. The "unknown" here represents the Postman request to the Enrichment Service.
Configure Istio & Keycloak
We use Keycloak as the identity & access management system and Istio connects to Keycloak over OIDC (OpenID Connect).
...
Both the Policy Management Service and Enrichment Service endpoints are configured in the Kong gateway. Here the Kong gateway acts as the R1 interface, which means these services can only be accessed through the Kong gateway.
Keycloak Realm
Follow the Keycloak guideline to create a realm, a user and a role, and assign the user to the role you have created. Once this is done, add the realm configuration as a policy to the Istio config.
Istio Policy
Create the RequestAuthentication and AuthorizationPolicy in Istio as shown below.
RequestAuthentication:
AuthorizationPolicy:
As you can see from the policy config, the rule is applied to the Enrichment Service. For any call to the Enrichment Service, the Envoy proxy applies this rule and invokes Keycloak over OIDC to authenticate the JWT.
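The following is an added example (not the configuration from this page or the Nonrtric project) of the two Istio resources described above: a RequestAuthentication that validates Keycloak-issued JWTs and an AuthorizationPolicy that requires a validated token carrying a realm role. The namespace "nonrtric", the pod label "app: enrichmentservice", the Keycloak host "keycloak.example.org", the realm "nonrtric" and the role "rapp-user" are all assumed placeholders.

```yaml
# Added example; assumed values are marked in comments and must be replaced
# with the real namespace, labels, Keycloak host and realm.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: enrichment-jwt
  namespace: nonrtric              # assumed namespace
spec:
  selector:
    matchLabels:
      app: enrichmentservice       # assumed label of the Enrichment Service pods
  jwtRules:
  - issuer: "https://keycloak.example.org/auth/realms/nonrtric"     # must equal the token's "iss" claim (assumed host/realm)
    jwksUri: "https://keycloak.example.org/auth/realms/nonrtric/protocol/openid-connect/certs"
    forwardOriginalToken: true     # keep the bearer token so the service can still read the claims
---
# RequestAuthentication alone only rejects *invalid* tokens; a request with
# no token is passed through. This AuthorizationPolicy closes that gap by
# allowing only requests that carry a principal set by the validated JWT.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: enrichment-require-jwt
  namespace: nonrtric              # assumed namespace
spec:
  selector:
    matchLabels:
      app: enrichmentservice       # assumed label, same as above
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any principal from a validated JWT; no token -> no principal -> 403
    when:
    - key: request.auth.claims[realm_access][roles]   # Keycloak places realm roles under this nested claim
      values: ["rapp-user"]        # assumed realm role created in the Keycloak step
```

With both resources applied, a request with a token from another issuer or with a bad signature is rejected with 401 by the RequestAuthentication, and a request with no token, or whose token lacks the role, is rejected with 403 by the AuthorizationPolicy.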
Network Policy
Various open source network policy implementations are available; in this analysis Calico is used. When the rApp is installed in the environment, the nonrtric framework applies a DENY_ALL rule to all the microservices of the rApp.
...