Tetrate Service Bridge 1.6
Tetrate Service Bridge (TSB) is an application connectivity platform. It provides enterprises with a consistent, unified way to connect and secure services across multiple Kubernetes clusters, as well as virtual machines and bare-metal workloads.
The 1.6 release furthers TSB's capabilities of availability, security, and visibility, bringing remote clusters closer together for easier management and scale:
- Cross-Cluster High Availability for All Services makes service failover between clusters automatic and transparent, without needing to expose services through external gateways.
- Cross-Cluster Identity Propagation and Security Domains make it easy to create scalable security policies that span clusters and provide for accurate and consistent access control rules for local, remote and failover services.
- Advanced Visibility and Tracing tools empower your App Developers to remotely troubleshoot performance issues in distributed applications, inside and outside your clusters, quickly and accurately.
- Rich possibilities for additional data plane functionality, with support for WASM extensions across gateways and service proxies.
- Support for multi-Istio environments within clusters, enabling isolation boundaries for security-sensitive applications and multiple Istio versions allowing canary Istio upgrades.
- Availability on Red Hat OpenShift, delivered through the Red Hat Ecosystem Catalog.
- Technical Preview of a future Web Application Firewall (WAF) capability to provide advanced protection for all services in a zero-trust architecture (ZTA).
Who benefits from the 1.6 release?
Platform Operators can more effectively manage large, multi-cluster platforms. They can deliver rich availability, security and visibility capabilities to their platform users in a seamless, self-service manner. They can manage highly heterogeneous environments, across clouds, clusters, platforms (Kubernetes, OpenShift) and Istio versions and boundaries.
Service Owners can improve the availability of the services they create and rely on, across clusters and clouds, without needing to arrange for external gateway access such as DNS, certificates, and edge security rules. Their application teams can efficiently troubleshoot performance issues without requiring high-privilege admin access to the production clusters.
Security Teams can apply concise and specific security policies to manage access control within their ZTA architecture, confident that the policies they declare will be accurately applied in the face of unexpected autoscaling and failover scenarios.
Platform Operators, Service Owners and Security Teams can extend the proxies (gateways and sidecars) capabilities with custom function, for example to add security validation or custom business logic. Extending data plane function is seamless with support for WASM extensions.
What are the new capabilities in the 1.6 release?
Easy cross-cluster high-availability for any service
Use the new
EastWestGateway capability to improve availability by making any service highly-available.
EastWestGateway enables failover between different clusters without the need to expose the service though external gateways. This eliminates complexity and avoids extending your attack surface.
- Maximize service availability for any service, reducing downtime and facilitating routine maintenance.
- Completely transparent to each service - no application modifications means no additional development complexity.
- Lightweight - enabled by a simple configuration update, with no DNS or infrastructure changes.
- Highly secure - all cross-cluster traffic is mTLS and no services are exposed.
Quickly locate and investigate under performing services
Enable App Developers to troubleshoot and identify performance issues with production services, examine traces and zoom in on slow requests and errors. Tetrate Service Bridge's
tctl collect exports runtime data for offline analysis, and Application Developers use
tctl troubleshoot and do not require direct access to TSB APIs or management interface.
- Reduced MTTF (mean time to fix) means better application performance and availability.
- Identify performance issues more quickly, and collaborate easily with application developers (the experts in their apps) to investigate and remediate the performance issue.
- Self-service empowers teams to investigate and interpret data themselves.
Use the Red Hat OpenShift Ecosystem
Deploy Tetrate Service Bridge 1.6 with confidence on Red Hat OpenShift, with a certified and compliant software distribution available through the Red Hat Ecosystem Catalog.
- Gain observability, security, and traffic management for workloads in multi-cluster OpenShift environment.
- Benefit from easy-to-implement and easy-to-manage security to create and operate a Zero Trust Architecture (ZTA) platform.
- Span OpenShift, Kubernetes, on premise, and cloud, and extend to physical and virtual-machine workloads, thus eliminating lock-in and accelerating integration.
Extend your application capabilities with WASM extensions
With the 1.6 release, Platform Operators, Service Owners and Security Teams can easily augment their applications by taking advantage of a rich ecosystem of WASM-based extensions or build their own custom extensions.
- Accelerate innovation and the speed of application development by providing services as reusable, easy-to-consume, platform-independent extensions.
- Reduce compliance, security, and development costs.
- Enforce global application policies automatically, at gateways or on selected service instances.
- Extend or modify functionality of application without making application changes.
Rich, scalable access control policies that enforce security across clusters
Deploy straightforward security policies for accurate and consistent access control rules for local, remote and failover services, and propagate service identity securely between clusters.
- Define security policies in the terms and concepts that make sense to your organization, not in low-level terms that align with infrastructure implementation.
- Be confident that your ZTA security policies are applied accurately and consistently, and across tenants and clusters.
- Avoid unintentionally opening attack paths when configuring failover infrastructure.
Segmentation with Istio Isolation Boundaries and Multi-Istio and Canary Deployments with Istio Revisions
Support complex, heterogeneous service mesh environments, with isolation boundaries for compliance-sensitive applications and multiple Istio versions for canary and legacy applications.
- Strong network isolation provides strict and easy-to-demonstrate security by default in highly regulated environments.
- Run different Istio versions within a cluster, to support legacy and modern applications on the same cluster.
- Use Canary Releases for flexibility as you test and deploy TSB upgrades.
Tetrate Web Application Firewall (WAF) - Technical Preview
Get an advance look at forthcoming technology in Tetrate Service Mesh. Tetrate Web Application Firewall will provide advanced L7 protection for all services, from all directions of attack.
Traditional WAF solutions operate at the edge of a network operate on the assumption that a bad actor is external to your internal infrastructure. Tetrate WAF runs within an application, protecting individual services in a very granular way. With Tetrate WAF, you can enhance your zero trust posture by protecting from internal and external attackers alike.
- Understand and instrument traffic patterns, identifying anomalies within an application that may be indicative of compromise, attack, or just unexpected behavior.
- Actively block known bad attacks using the industry-standard OWASP Core Rule Set (CRS) detection rules to neutralize attempts to spread laterally and compromise internal services.
- Tetrate WAF is lightweight, easy to deploy and manage, and fully compatible with CI/CD and GitOps practices.
Refer to TSB 1.6 Release Notes for complete list of additional improvements in TSB 1.6
Get Started with Tetrate Service Bridge
To get started with Tetrate Service Bridge:
- Review the Initial Requirements and identify the target platform
- Determine if you wish to:
- follow a quick demo installation
- perform a more-involved production-ready installation (Management Plane, Cluster Onboarding)
- apply an upgrade to an existing Tetrate Service Bridge deployment
Don't hesitate to reach out to your Tetrate support contact if you have any questions.