NISTSpecialPublication800-BuildingSecureMicroservices-basedApplicationsUsingService-May

NISTSpecialPublication20205NISTSPNISTSPUsingService-MeshThispublicationisavailablefreeofThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-TheInformationTechnologyLaboratory(ITL)attheNationalInstituteofStandardsandTechnology(NIST)promotestheU.S.economyandpublicwelfarebyprovidingtechnicalleadershipfortheNation’smeasurementandstandardsinfrastructure.ITLdevelopstests,testmethods,referencedata,proofofconceptimplementations,andtechnicalanalysestoadvancethedevelopmentandproductiveuseofinformationtechnology.ITL’sresponsibilitiesincludethedevelopmentofmanagement,administrative,technical,andphysicalstandardsandguidelinesforthecost-effectivesecurityandprivacyofotherthannationalsecurity-relatedinformationinFederalinformationsystems.TheSpecialPublication800-seriesreportsonITL’sresearch,guidelines,andoutreacheffortsininformationsystemsecurity,anditscollaborativeactivitieswithindustry,government,andacademicorganizations.Theincreasingtrendinbuildingmicroservices-basedapplicationscallsforaddressingsecurityinallaspectsofservice-to-serviceinteractionsduetotheiruniquecharacteristics.Thedistributedcross-domainnatureofmicroservicesneedssecuretokenservice(STS),keymanagementandencryptionservicesforauthenticationandauthorization,andsecurecommunicationprotocols.Theephemeralnatureofclusteredcontainers(bywhichmicroservicesareimplemented)callsforsecureservicediscovery.Theavailabilityrequirementcallsfor:(a)resiliencytechniques,suchasloadbalancing,circuitbreaking,andthrottling,and(b)continuousmonitoring(forthehealthoftheservice).Theservicemeshisthebest-knownapproachthatcanfacilitatespecificationoftheserequirementsatalevelofabstractionsuchthatitcanbeuniformlyandconsistentlydefinedwhilealsobeingeffectivelyimplementedwithoutmakingchangestoindividualmicroservicecode.Thepurposeofthisdocumentistoprovidedeploymentguidanceforproxy-basedServiceMeshcomponentsthatcollectivelyformarobustsecurityinfrastructureforsupportingmicroservices-basedapplications.APIgateway;ApplicationProgrammingInterface(API);circuitbreaker;loadbalancing;microservices;ServiceMesh;serviceproxy.

A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup美國(guó)國(guó)家標(biāo)準(zhǔn)與技術(shù)研究院（NIST）的信息技術(shù)實(shí)驗(yàn)室（ITL）通過(guò)為其測(cè)量和標(biāo)準(zhǔn)基礎(chǔ)設(shè)施提供技術(shù)領(lǐng)導(dǎo)力來(lái)促進(jìn)美國(guó)經(jīng)濟(jì)和公共福利。ITLA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup安全問(wèn)題，由于其獨(dú)特的特性。微服務(wù)的分布式跨域特性需要安全令牌服務(wù)（STS）、b（服務(wù)健康）API（API）；斷路器；負(fù)載均衡；微服務(wù)；ServiceMeshNISTSPNISTSPUsingService-MeshThispublicationisavailableThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-NOTICE:TheInformationTechnologyLaboratory(ITL)hasrequestedthatholdersofpatentclaimswhoseusemayberequiredforcompliancewiththeguidanceorrequirementsofthispublicationdisclosesuchpatentclaimstoITL.However,holdersofpatentsarenotobligatedtorespondtoITLcallsforpatentsandITLhasnotundertakenapatentsearchinordertoidentifywhich,ifany,patentsmayapplytothispublication.Asofthedateofpublicationandfollowingcall(s)fortheidentificationofpatentclaimswhoseusemayberequiredforcompliancewiththeguidanceorrequirementsofthispublication,nosuchpatentclaimshavebeenidentifiedtoITL.NorepresentationismadeorimpliedbyITLthatlicensesarenotrequiredtoavoidpatentinfringementintheuseofthispublication.

PatentDisclosure通知：信息技術(shù)實(shí)驗(yàn)室（ITL）已要求持有可能因遵守本出版物指導(dǎo)或要求而需使用的專利ITLITL的專利要求，ITL也沒(méi)有進(jìn)行專利檢索以確定哪些（如果有的話）專利可能適用于本出版物。A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupThispublicationisavailablefreeThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Microservices-basedapplicationarchitecturesarebecomingthenormforbuildingcloud-basedandlargeenterpriseapplicationsbecauseoftheirinherentscalability,agilityofdeployment,andavailabilityoftools.Atthesametime,thecharacteristicsofmicroservices-basedapplicationsbringwiththemmodified/enhancedsecurityrequirements.AfewexamplesofthesecharacteristicsandtheirsecurityimpactsThesheernumberofmicroservicesresultsinmoreinterconnectionsandmorecommunicationlinkstobeprotected.TheephemeralnatureofmicroservicescallsforsecureservicediscoveryThefine-grainednatureofmicroservicescallsfortheabilitytosupportfine-grainedauthorizationpolicies.Thesupportingservices(e.g.,authentication/authorization,securitymonitoring,etc.)foramicroservices-basedapplicationmustbetightlycoordinatedthroughadedicatedinfrastructure,suchastheServiceMesh.TherearemultiplewaysofdeployingthecomponentsoftheServiceMesh,includingembeddingthemintheapplication(microservice)code,couplingthemtotheapplicationcodebyimplementingthemaslibraries,orimplementingthemasserviceproxiesthatareindependentofapplicationcode.Thislastdeploymentapproachhasbeenfoundtobethemostefficientintermsofscalabilityandflexibilityinmanyscenariosforimplementingthesupportinginfrastructureformicroservices-basedapplications.Thepurposeofthisdocumentistoprovidedeploymentguidanceforservicemeshcomponentsintheserviceproxy-basedapproach.TheServiceMeshdeploymentrecommendationsspanthefollowingaspects:ConfigurationforcommunicationbetweenserviceConfigurationforingressConfigurationforaccesstoexternalConfigurationforidentityandaccessConfigurationformonitoringConfigurationfornetworkConfigurationforcross-originresourcesharingConfigurationofPermissionsforAdministrative

執(zhí)行摘要 云基礎(chǔ)和大型企業(yè)應(yīng)用的常態(tài)。同時(shí)，基于微服務(wù)的應(yīng)用的特點(diǎn)帶來(lái)了修改/增強(qiáng)的A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup微服務(wù)應(yīng)用的支持服務(wù)（/）必須通過(guò)專用基礎(chǔ)設(shè)施（務(wù)網(wǎng)格）緊密協(xié)調(diào)。服務(wù)網(wǎng)格的組件有多種部署方式，包括將其嵌入應(yīng)用（微服務(wù)）代碼中、通過(guò)實(shí)現(xiàn)庫(kù)將它們與應(yīng)用代碼耦合，或?qū)崿F(xiàn)為獨(dú)立于應(yīng)用代碼的服務(wù)代理。在許多場(chǎng)景下，對(duì)于實(shí)現(xiàn)微服務(wù)應(yīng)用支持基礎(chǔ)設(shè)施而言，最后這種部署方式在可擴(kuò)展性和靈活性方面已被證明是最有效的?？缬蛸Y源共享（CORS）ThispublicationisavailableThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Executive WhyService Target RelationshiptootherNISTGuidance Organizationofthis Microservices-basedApplication–BackgroundandSecurity AuthenticationandAuthorization Service ImprovingAvailabilitythroughNetworkResilience ApplicationMonitoring ServiceMesh–DefinitionsandTechnology ServiceMeshComponents& Ingress Egress ServiceMeshasCommunicationMiddleware:Whatis ServiceMesh:Stateofthe ServiceMeshDeployment CommunicationConfigurationforService ConfigurationforIngress ConfigurationforAccesstoExternal ConfigurationforIdentityandAccess ConfigurationforMonitoring ConfigurationforNetworkResilience ConfigurationforCross-OriginResourceSharing ConfigurationofPermissionsforAdministrative Summaryand

Executive A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup 服務(wù)網(wǎng)格部署建 CORS164.817NISTSPNISTSPUsingService-Mesh Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-MicroservicesarchitecturehasThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Agility–Theloosecouplingandincreasedmodularityofmicroserviceshaveenabledindependentandquickermodificationanddeploymentwithoutaffectingothercomponents(microservices)ofamicroservices-basedapplication.Scalability–ThecharacteristicsofthemicroservicesallowthemtobeindependentlyUsability–Theuseofwell-definedapplicationprogramminginterfaces(APIs)makesintegrationoronboardingofvariousmicroserviceseasier.Availabilityoftools–Theincreasingavailabilityofautomationtoolsfacilitateerror-freeconfigurationanddeployment.Inspiteoftheaboveadvantages,thearchitectureofmicroservices-basedapplicationshassomechallengeswithmodified/enhancedsecurityrequirements,suchas:Moremicroservicesleadtomoreinterconnectionsbetweenthesecomponentsaswellasmorecommunicationlinkstobeprotected.Components(microservices)cancomeandgodynamically,sotheenvironmentneedssecureservicediscoveryrequirements.ThereisnoconceptofanetworkAllmicroservicesmustbetreatedasnon-Thefine-grainednatureofmicroservicesrequiresfine-grainedauthorizationsateachmicroservice.However,thismayrequiresecuritypoliciestobecentrallydefinedandtheconfigurationsreflectingthemtobedefinedineachmicroservicetoenableuniform,consistentenforcementacrossallmicroservices.WhyServiceDuetothesecurityrequirementsformicroservices-basedapplicationsstatedabove,theinfrastructurethatsupportstheapplicationandthatinfrastructure’sassociatedservices(e.g.,security)shouldbetightlycoordinated.OnesuchdedicatedinfrastructureistheServiceMesh.ThecodethatimplementstheServiceMeshcanbeorganizedinthefollowingwayswithrespecttothecomponentsofamicroservices-basedapplicationarchitecture(EacharchitecturalpatternisdenotedusingtheacronymSM-ARxwhereSMstandsforServiceMesh,ARstandsforarchitectureandxisthesequencenumber):SM-AR1:ServiceMeshcodecanbeembeddedinthemicroservicesapplicationcode,makingtheServiceMeshanintegralpartoftheapplicationdevelopmentframework.SM-AR2:ServiceMeshcodeimplementedaslibrariesand,therefore,applicationsarecoupledtotheservicesprovidedbytheServiceMeshviaAPIcalls.SM-AR3:ServiceMeshfunctionsareimplementedinproxieswitheachproxydeployedinfrontofamicroserviceinstanceandcollectivelyprovidinginfrastructureservicesforthemicroservices-basedapplication.Theseproxiesarecalled“side-carproxies”andcan

A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup（API）●●組件（微服務(wù)）沒(méi)有網(wǎng)絡(luò)邊界概SM?ARxSMARx）：SM?AR1:服務(wù)網(wǎng)格代碼可以嵌入到微服務(wù)應(yīng)用程序代碼中，使服務(wù)網(wǎng)格成為應(yīng)●SM?AR2:服務(wù)網(wǎng)格代碼作為庫(kù)實(shí)現(xiàn)，因此應(yīng)用程API●SM?AR3:side?carproxiesThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-beimplementedandoperatedindependentlyoftheapplicationcode.Side-carproxiesenableheterogeneousplatforms(differentlanguagesandapplicationdevelopmentframeworks)tobecontrolledconsistentlybyadoptingThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-SM-AR4:ServiceMeshfunctionsareimplementedinproxieswithaproxydeployedpernode(physicalhost)ratherthanpermicroserviceinstance(suchasSM-AR3).Forthepurposeofthisdocument,theonlyServiceMesharchitecturethatwillbeconsideredwillbeSM-AR3,whereadedicatedinfrastructurelayerprovidesallsecurityfunctionalitytothemicroservices-basedapplicationwithoutanymodificationtotheapplicationservice’scode.ComparedtoSM-AR4,SM-AR3avoidsarangeofprivilegeescalationandnoisyneighborproblemsbydeployingoneinstanceoftheserviceproxypermicroserviceinstanceandrelyingontheunderlyingplatform’sisolationguaranteestoensuretheapplication’strafficisonlymediatedbyitsdedicatedserviceproxy.ComparedtoSM-AR1andSM-AR2,SM-AR3decouplestheapplicationlifecyclefromthemodulesthatprovidetheservicemeshfunctionalityandavoidsthecombinatorialexplosionofhavingtomaintainthemultipleversionsofthelibraryacrosslanguages,whichcouldpotentiallyhappeninSM-AR2.Basedonthiscontext,theprimaryfunctionofServiceMeshfromtheperspectiveofthisdocumentistomediateandbrokerclient-to-microserviceandmicroservice-to-microservicecommunicationswherethemediatingandbrokeringagentsorfunctionalmodulesdonothavetightcouplingwiththemicroservice’scode.TargetThetargetaudienceoftheguidancedocumentforsupportingmicroservices-basedapplicationsusingtheServiceMeshframeworkincludessecuritysolutionsarchitectswhowanttodesignasecurityframeworkformicroservices-basedapplicationsandsystemintegratorswhobuildacommoninfrastructureservicesframeworkfordifferentmicroservices-basedapplicationsresidingintheenterpriseandthecloud.RelationshiptootherNISTGuidanceThisguidancedocumentfocusesonbuildingaspecificsecurityframeworkorinfrastructureformicroservices-basedapplications.Understandingthecharacteristicsofmicroservices-basedapplicationsandtheiroverallsecurityrequirementsandstrategiesisbeneficial,andinformationisprovidedintheNISTSpecialPublication(SP)800-204,SecurityStrategiesforMicroservices-basedApplicationSystems[1].OrganizationofthisTheorganizationofthisdocumentisasChapter2recapsthesecurityrequirementsformicroservices-basedapplicationsbyreferencingthosethatwerediscussedin[1].

用程序開發(fā)框架）能夠通過(guò)采用最低共同denominatorAPI——網(wǎng)絡(luò)來(lái)一致地是每個(gè)微服務(wù)實(shí)例（SM?AR3）。A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavaA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupM?AR4SM?AR3SM?AR1SM?AR2SM?AR3SM?AR2NISTNIST版物（SP）800?204[1]。2章通過(guò)參考在[1]Chapter3introducesServiceMeshandprovidesabriefdescriptionofitscomponents,capabilities,anduniqueroleasacommunicationmiddlewareformicroservices-basedChapter4providesdetaileddeploymentrecommendationsforServiceMeshcomponentsspanningconfigurationareassuchasserviceproxies,ingressproxies,egressproxies,identityandaccessmanagement,monitoringcapabilities,networkresiliencetechniques,andcross-originresourcesharing.Chapter5providesthesummaryand

3●4A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupThispublicationThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800- Microservices-based Microservices-basedApplication–BackgroundandSecurity Microservices-basedApplication–BackgroundandSecurityThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Thedefinitionanddescriptionofmicroservices-basedapplication,threats,andsecuritystrategiesforcounteringthosethreatsaredescribedinNISTSP800-204,SecurityStrategiesforMicroservices-basedApplicationSystems[1].ThepurposeofthischapteristorecapandelaborateonthesecurityrequirementsforthisclassofapplicationtoprovidecontextforhowthoserequirementsaremetbythefunctionalityofThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-AuthenticationandAuthorizationAuthenticationandaccesspolicymayvarydependingonthetypeofAPIsexposedbymicroservices—somemaybepublicAPIs,privateAPIs,orpartnerAPIs,whichareavailableonlyforbusinesspartners.Therearemultiplemicroservices,andtheauthenticationpoliciesshouldbedefinedtoprovidecoverageforallofthem.Further,certificate-basedauthenticationrequiresapublickeyinfrastructure(PKI)forcertificategeneration/managementandkeymanagement.Furtherauthorizationmodulescoveringresourcesinallmicroservicesmustbebuilttoprovidefine-grainedauthorizationinallservicerequests.ServiceInlegacydistributedsystems,therearemultipleservicesconfiguredtooperateatdesignatedlocations(IPaddressandportnumber).Inthemicroservices-basedapplication,thefollowingscenarioexistsandcallsforarobustservicediscoverymechanism:Thereareasubstantialnumberofservicesandmanyinstancesassociatedwitheachservicewithdynamicallychanginglocations.EachofthemicroservicesmaybeimplementedinVirtualMachines(VMs)orascontainers,whichmaybeassigneddynamicIPaddresses,especiallywhentheyarehostedinanInfrastructureasaService(IAAS)orSoftwareasaService(SAAS)cloudThenumberofinstancesassociatedwithaservicecanvarybasedontheloadfluctuationsusingfeaturessuchasautoscaling.Basedontheabovecharacteristics,afeaturetodiscoveraservicewhilemakingaservicerequestisanessentialrequirement.Acommonapproachtoimplementingthisfeatureistheuseofaserviceregistry.Aserviceregistryconsistsofadirectorywherenewserviceinstancescreatedforthemicroservices-basedapplicationregisterthemselveswhileserviceinstancesgoingofflinearedeletedfromit.ImprovingAvailabilitythroughNetworkResilienceLoadbalancing:Thereisaneedtohavemultipleinstancesofthesameservice,andtheloadsontheseinstancesmustbeevenlydistributedtoavoiddelayedresponsesorservicecrashesduetooverload.

NISTSP800?204微服務(wù)應(yīng)用程序系統(tǒng)的安全策略[1]34A402-008.PS.TSIN/8206.01/gro.iod//:sptthA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupAPIAPIAPIAPIAPI在傳統(tǒng)的分布式系統(tǒng)中，有多個(gè)服務(wù)配置在指定的位置（IP）運(yùn)行。虛擬機(jī)（VM）IP在基礎(chǔ)設(shè)施即服務(wù)（IAAS）或軟件即服務(wù)（SAAS）云服務(wù)中時(shí)。c)Circuitbreaker:Large-scaledistributedsystems,nomatterhowtheyarearchitected,haveonedefiningcharacteristic—theyprovidemanyopportunitiesforsmall,localizedfailurestoescalateintosystem-widecatastrophicfailures.TheServiceMeshmustbedesignedtosafeguardagainsttheseescalationsbysheddingloadandfailingquicklywhentheunderlyingsystemsapproachtheirlimits.Circuitbreakinginvolvessettingathresholdforthefailedresponsesfromaninstanceofamicroserviceandcuttingoffforwardingrequeststothatinstancewhenthefailureisabovethethreshold(e.g.,whenthecircuitbreakertrips).Thismitigatesthepossibilityofcascadingfailureandallowsfortimetoanalyzelogs,implementthenecessaryfix,andpushanupdateforthefailinginstance.Thus,circuitbreakingisatemporarymeasurethatpreventstotaldisruptiontoresponsesforservicerequests.Theservicerequestswillberestoredtotheinstanceoncetheserviceisresponsive.Ratelimiting(throttling):Therateofrequestscomingintoamicroservicemustbelimitedtoensurecontinuedavailabilityofserviceforallclients.Blue/greendeployments:Whenanewversionofamicroserviceisdeployed,requestsfromcustomersusingtheoldversioncanberedirectedtothenewversionusingtheAPIgatewaythatcanbeprogrammedtomaintainawarenessofthelocationsofbothversions.Canaryreleases:Onlyalimitedamountoftrafficisinitiallysenttoanewversionofamicroservicesincethecorrectnessofitsresponseorperformancemetricunderalloperatingscenariosisnotfullyknown.Oncesufficientdataisgatheredaboutitsoperatingcharacteristics,thenalloftherequestscanbeproxiedtothenewversionoftheApplicationMonitoringTodetectattacksandidentifyfactorsfordegradationofservices(whichmayimpactavailability),itisnecessarytomonitornetworktrafficintoandoutofmicroservicesthroughdistributedlogging,generationofmetrics,performanceofanalytics,andtracing.

A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupAPIThispublicationThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800- Service ServiceMesh–DefinitionsandTechnology ServiceMesh–DefinitionsandTechnologyThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-FromthedescriptionofmicroservicesintheThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-BusinessLogic,whichimplementsthebusinessfunctionalities,computations,andservicecomposition/integrationlogic,andNetworkFunctions,whichtakecareoftheinter-servicecommunicationmechanisms(e.g.,basicserviceinvocationthroughagivenprotocol,applyresiliencyandstabilitypatterns,servicediscovery,etc.)ThesenetworkfunctionsarebuiltontopoftheunderlyingOSlevelnetworkstack.Thebusinesslogicfunctionmustbeanintegralpartofthemicroservicecodesincethatserviceistheonethatexecutesorsupportsabusinessprocess.Thedifficultywiththemicroservicedirectlyperformingthenetworkfunctionsisthatitusesdifferentlibrariesdependingontheprogramminglanguageitiswritteninorthedevelopmentframeworkitishostedon.Withthepracticalrealityofmicroservicesbeingwritteninmultiplelanguages(e.g.,Java,JavaScript,Python,etc.)withinthesameapplicationtooptimizethedevelopmentorruntimeprocess,itbecomesatedioustasktoprovidethecommunicationcapabilityforeachservicenode.AServiceMeshisadedicatedinfrastructurelayerwithasetofdeployedinfrastructurefunctionsthatfacilitateservice-to-servicecommunicationthroughservicediscovery,routingandinternalloadbalancing,trafficconfiguration,encryption,authentication,authorization,metrics,andmonitoring.Itprovidesthecapabilitytodeclarativelydefinenetworkbehavior,microserviceinstanceidentity,andtrafficflowthroughpolicyinanenvironmentofchangingnetworktopologyduetoserviceinstancescomingandgoingofflineandcontinuouslybeingrelocated.ItcanbelookeduponasanetworkingmodelthatsitsatalayerofabstractionabovethetransportlayeroftheOpenSystemsInterconnection(OSI)model(e.g.,TransmissionControlProtocol/InternetProtocol(TCP/IP))andaddressestheservice’ssessionlayer(Layer5oftheOSImodel)concerns.However,fine-grainedauthorizationmaystillneedtobeperformedatthemicroservicelevelsincethatistheonlyentitythathasfullknowledgeofthebusinesslogic.Alternatively,theServiceMeshcanbedefinedas“adistributedcomputingmiddlewarethatoptimizescommunicationsbetweenapplicationservices[3].”Theservice-to-servicecommunicationismosteffectivelyenabledusingaproxy(seeSection1.1).AServiceMeshistypicallyimplementedasanarrayoflightweightnetworkproxiesthataredeployedalongsideapplicationcodewithouttheapplicationneedingtobeaware[4].Inaddition,theServiceMeshcanbeleveragedtomonitorandsecurecommunication.Becauseitisinterceptingandroutingallclustertrafficandgatheringhealthmetrics,theServiceMeshcanlearnandintelligentlyroutetraffic.Examplesofthishigher-levelfunctionalityincludeA/Btesting,canarydeployments,betachannels,automaticretries,circuitbreakers,andinjectingfaults.ThesefeaturesareonlypossiblebecausetheServiceMeshisabletoviewandlearnfromtheentirecluster’straffic.

從上一章對(duì)微服務(wù)的描述中，應(yīng)該很清楚，微服務(wù)有兩個(gè)主要功能A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupJavaJavaScriptPython）編寫以優(yōu)化開發(fā)或運(yùn)行時(shí)過(guò)程，因此為每個(gè)服務(wù)節(jié)點(diǎn)為、微服務(wù)實(shí)例身份和流量流量的能力?？梢詫⑵湟暈橐粋€(gè)位于開放系統(tǒng)互連（OSI模型，并解決服務(wù)的會(huì)話層（OSI為、微服務(wù)實(shí)例身份和流量流量的能力?？梢詫⑵湟暈橐粋€(gè)位于開放系統(tǒng)互連（OSI模型，并解決服務(wù)的會(huì)話層（OSI5）模型傳輸層（（TCP/IP））絡(luò)代理實(shí)現(xiàn)，這些代理與應(yīng)用代碼一起部署，而應(yīng)用無(wú)需知曉[4]。A/BBetaThispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-ItisconsideredeconomicaltodeployServiceMeshwhenthenumberofmicroservicesintheapplicationisintheorderofhundredsorthousands.Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-ServiceMeshComponents&AServiceMeshconsistsoftwomainarchitecturallayersorDataControlTheinterconnectedsetofproxiesinaServiceMeshthatcontroltheinter-servicescommunicationrepresentsitsdataplane.Thedataplaneisthedatapathandprovidestheabilitytoforwardrequestsfromtheapplications.Adataplanemayalsoprovidemoresophisticatedfeatureslikehealthchecking,loadbalancing,circuitbreaking,timeouts,retries,authentication,andauthorization[5].Thespecializedproxythatiscreatedforeachserviceinstance(i.e.,side-carproxy)performstheruntimeoperationsneededforenforcingsecurity(e.g.,accesscontrol,communication-related),whichareenabledbyinjectingpolicies(e.g.,accesscontrolpolicies)intotheproxyfromthecontrolplane.Thisalsoprovidestheflexibilitytodynamicallychangepolicieswithoutmodifyingthemicroservice’scode.AcontrolplaneisasetofAPIsandtoolsusedtocontrolandconfiguredataplane(proxy)behavioracrossthemesh.TheServiceMeshcontrolplaneisdistinctfromtheorchestrator’scontrolplane—theformercontrolstheServiceMesh,whilethelattercontrolsthecluster.Thecontrolplaneiswhereusersspecifyauthenticationpoliciesandnaminginformation,gathermetrics(ingeneraltelemetrycollection),andconfigurethedataplaneasawhole[6].Theintelligence,data,andotherartifactsrequiredforimplementingallsecurityfunctionslieinthecontrolplane.Theseincludethesoftwareforgeneratingauthenticationcertificatesandtherepositoryforstoringthem,policiesforauthentication,authorizationengine,softwareforreceivingtelemetry/monitoringdataregardingeachmicroserviceandaggregatingthem,andAPIsformodifyingthebehaviorofthenetworkthroughvariousfeatures,suchasloadbalancing,circuitbreaking,orratelimiting.ThecontrolplaneoftheServiceMeshplatformhastobeintegratedwiththeorchestrationplatform(asitgetscriticaldatafromtheplatform,suchasserviceregistry)ofthemicroservices-basedapplicationandshouldthereforehavetherequiredintegrationcapabilitiestobeuseful.SincethecontrolplaneisacriticalcomponentoftheServiceMesh,itmustbehighlyavailableanddistributed.Acontrolplanecanbeimplementedthroughconfigurationfiles,APIcalls,anduserinterfaces[7].Aspartoftheprocessofprovidingthecommunication,thefollowingfunctionsaresupported

A402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbupAServiceMeshA402-008.PS.TSIN/8206.01/gro.iod//:sptth:morfegrahcfoeerfelbaliavasinoitacilbup控載均衡、斷路器、超時(shí)、重試、身份驗(yàn)證和授權(quán)[5]。為每個(gè)服務(wù)實(shí)例（即邊車代理）創(chuàng)API用程序的編排平臺(tái)（因?yàn)樗鼜钠脚_(tái)獲取關(guān)鍵數(shù)據(jù)，例如服務(wù)注冊(cè)表）控制平面是一組用于控制和配置網(wǎng)格中數(shù)據(jù)平面（代理）API[6]。實(shí)現(xiàn)所有安全功能所需的智能、數(shù)據(jù)和其它工件位于控制平面。這包括API用程序的編排平臺(tái)（因?yàn)樗鼜钠脚_(tái)獲取關(guān)鍵數(shù)據(jù)，例如服務(wù)注冊(cè)表）API[7]。在提供通信的過(guò)程中，支持以下功能Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Authenticationandauthorization–Thispublicationisavailablefreeofchargefrom:/10.6028/NIST.SP.800-Secureservicediscovery–DiscoveryofserviceendpointsthroughadedicatedserviceSecurecommunication–MutualTransportLayerSecurity(TLS),encryption,dynamicroutegeneration,multipleprotocolsupport,includingprotocoltranslationwhererequired(e.g.,HypertextTransferProtocol(HTTP)1.x,HTTP2,gRPC,etc.)Resilience/stabilityfeaturesforcommunication–Circuitbreakers,retries,timeouts,faultinjection/handling,loadbalancing,failover,ratelimiting,requestshadowingObservability/monitoringfeatures–Logging,metrics,distributedIngressTheserviceproxyofaServiceMeshcanbedeployedforcontrolofingresstraffic(i.e.,externaltrafficcomingintomicroservicesapplicationasopposedtomicroservice-to-microservicecommunication).Inthissense,itrealizesthefunctionsofanAPIgateway.Conceptually,theingresscontrollercanbelookeduponasaside-carproxyforanexternalclient.Theingresscontroller(sometimescalledthefrontproxy)providesthefollowingfunctions:AcommonAPIforallclientsshieldingtheactualAPIinsidetheServiceProtocoltranslationfromweb-friendlyprotocols,suchasHTTP/HypertextTransferProtocolSecure(HTTPS),toprotocolsusedbymicroservices,suchasRPC/gRPC/RepresentationalStateTransfer(REST)CompositionofresultsreceivedfromcallstomultipleservicesinsidetheServiceMeshinresponsetoasinglecallfromtheclientLoadPublicTLSEgressTheserviceproxyofaServiceMeshcanbedeployedforcontrolofegresstraffic(i.e.,internaltrafficcomingfrommicroservicesdestinedformicroservicesoutsideofthemesh).Inthissense,itfunctionsasanegress-onlygateway.Conceptually,theegresscontrollercanbelookeduponasaside-carproxyforoneormoreexternalservers.TheegressproxyprovidesthefollowingAs