Istio Service-Mesh Expansion

Cisco Panoptica uses the Kubernetes service mesh architecture to provide runtime security for Kubernetes clusters and their ecosystem, and across multiple clusters, in multi-cluster environments.

You can also apply Panoptica protection to workloads outside your clusters, such as processes on VMs or bare-metal hosts, using an Istio Istio service mesh expansion. This effectively extends the service mesh on a cluster to include a VM or other non-Kubernetes host, and regards the processes running on it as workloads of the extended cluster. Services on the cluster can communicate with processes on the VM, and you can apply Panoptica runtime policies to the VM workloads.
In addition, Panoptica provides runtime visibility about these workloads, alongside the visibility about workloads running on your clusters. With this, you have a complete picture of all workloads constituting your application, regardless of where they are deployed.

Configure mesh expansion

To apply the service mesh expansion, you must select a cluster to which the VM will be attached using the expansion. This cluster must have a Panoptica controller on it, and be managed by a Panoptica server.

This cluster must also have the 'Supports multi-cluster communication' switch enabled (see Deploy on Multi-cluster ).

With this, you can deploy a Panoptica controller on the VM. This controller includes the Istio envoy proxy, which connects with the Istio service mesh on the cooperating cluster.

Deploy the Panoptica controller on VM

1. Navigate to the Deployments page
2. Select the EXPANSION CONTROLLERS tab
3. Click Connect Expansion.

4. Enter a name for the expansion, as it will appear in Panoptica. The name should have lower-case letters and numbers only.
5. Add labels, as necessary.
6. Select the cluster to which the expansion will be connected.
7. Select the namespace with which the expansion will be associated.
8. Enter the IP address for the VM. This will be the address used by Istio for the expansion, to access the processes running on the VM.
9. Click FINISH.

The new expansion will appear in the list of expansion controllers.

Download the deployment tar package from the Installation column, and then follow the onscreen instructions to extract and install the controller on the VM.

📘

Note

The VM must have connectivity with the Panoptica server, at https://appsecurity.cisco.com (34.74.85.197).

Visualize workloads

Workloads running on expansions appear in the Navigator view. In the example below, the DB environment, with the postgres workloads, is a mesh expansion.

Apply Runtime Policies

You can apply runtime connection policy rules to workloads on VMs that have the service mesh expansion deployed on them in the Panoptica controller. They can be selected, as other workloads in clusters, according to the expansion on which they are running, as either the source or destination.