<!doctype html><html lang=en itemscope itemtype=https://schema.org/WebPage><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=theme-color content="#466BB0"><meta name=title content="Large Scale Security Policy Performance Tests"><meta name=description content="The effect of security policies on latency of requests."><meta name=author content="Michael Eizaguirre (Google), Yangmin Zhu (Google), Carolyn Hu (Google)"><meta name=keywords content="microservices,services,mesh,test,security policy,performance"><meta property="og:title" content="Large Scale Security Policy Performance Tests"><meta property="og:type" content="website"><meta property="og:description" content="The effect of security policies on latency of requests."><meta property="og:url" content="/v1.13/blog/2020/large-scale-security-policy-performance-tests/"><meta property="og:image" content="https://raw.githubusercontent.com/istio/istio.io/master/static/img/istio-whitelogo-bluebackground-framed.svg"><meta property="og:image:alt" content="Istio Logo"><meta property="og:image:width" content="1024"><meta property="og:image:height" content="1024"><meta property="og:site_name" content="Istio"><meta name=twitter:card content="summary"><meta name=twitter:site content="@IstioMesh"><title>Istioldie 1.13 / Large Scale Security Policy Performance Tests</title><script async src="https://www.googletagmanager.com/gtag/js?id=UA-98480406-2"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","UA-98480406-2")</script><link rel=alternate type=application/rss+xml title="Istio Blog" href=/v1.13/blog/feed.xml><link rel=alternate type=application/rss+xml title="Istio News" href=/v1.13/news/feed.xml><link rel=alternate type=application/rss+xml title="Istio Blog and News" href=/v1.13/feed.xml><link rel="shortcut icon" href=/v1.13/favicons/favicon.ico><link rel=apple-touch-icon href=/v1.13/favicons/apple-touch-icon-180x180.png sizes=180x180><link rel=icon type=image/png href=/v1.13/favicons/favicon-16x16.png sizes=16x16><link rel=icon type=image/png href=/v1.13/favicons/favicon-32x32.png sizes=32x32><link rel=icon type=image/png href=/v1.13/favicons/android-36x36.png sizes=36x36><link rel=icon type=image/png href=/v1.13/favicons/android-48x48.png sizes=48x48><link rel=icon type=image/png href=/v1.13/favicons/android-72x72.png sizes=72x72><link rel=icon type=image/png href=/v1.13/favicons/android-96x96.png sizes=96x96><link rel=icon type=image/png href=/v1.13/favicons/android-144x144.png sizes=144x144><link rel=icon type=image/png href=/v1.13/favicons/android-192x192.png sizes=192x192><link rel=mask-icon href=/v1.13/favicons/safari-pinned-tab.svg color=#466bb0><link rel=manifest href=/v1.13/manifest.json><meta name=apple-mobile-web-app-title content="Istio"><meta name=application-name content="Istio"><meta name=msapplication-config content="/browserconfig.xml"><meta name=msapplication-TileColor content="#466BB0"><meta name=theme-color content="#466BB0"><link rel=stylesheet href=/v1.13/css/all.css><link rel=preconnect href=https://fonts.gstatic.com><link rel=stylesheet href="https://fonts.googleapis.com/css2?family=Barlow:ital,wght@0,400;0,500;0,600;0,700;1,400;1,600&display=swap"><script src=/v1.13/js/themes_init.min.js></script></head><body class="language-unknown archive-site"><script>const branchName="release-1.13",docTitle="Large Scale 
Security Policy Performance Tests",iconFile="/v1.13/img/icons.svg",buttonCopy="Copy to clipboard",buttonPrint="Print",buttonDownload="Download"</script><script src="https://www.google.com/cse/brand?form=search-form" defer></script>
<script src=/v1.13/js/all.min.js data-manual defer></script><header class=main-navigation><nav class="main-navigation-wrapper container-l"><div class=main-navigation-header><a id=brand href=/v1.13/ aria-label=logotype><span class=logo><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 
00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></span></a><button id=hamburger class=main-navigation-toggle aria-label="Open navigation"><svg class="icon menu-hamburger"><use xlink:href="/v1.13/img/icons.svg#menu-hamburger"/></svg></button>
<button id=menu-close class=main-navigation-toggle aria-label="Close navigation"><svg class="icon menu-close"><use xlink:href="/v1.13/img/icons.svg#menu-close"/></svg></button></div><div id=header-links class=main-navigation-links-wrapper><ul class=main-navigation-links><li class=main-navigation-links-item><a class="main-navigation-links-link has-dropdown"><span>About</span><svg class="icon dropdown-arrow"><use xlink:href="/v1.13/img/icons.svg#dropdown-arrow"/></svg></a><ul class=main-navigation-links-dropdown><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/service-mesh class=main-navigation-links-link>Service mesh</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/solutions class=main-navigation-links-link>Solutions</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/case-studies class=main-navigation-links-link>Case studies</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/ecosystem class=main-navigation-links-link>Ecosystem</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/deployment class=main-navigation-links-link>Deployment</a></li><li class=main-navigation-links-dropdown-item><a href=/v1.13/about/faq class=main-navigation-links-link>FAQ</a></li></ul></li><li class=main-navigation-links-item><a href=/v1.13/blog/ class=main-navigation-links-link><span>Blog</span></a></li><li class=main-navigation-links-item><a href=/v1.13/news/ class=main-navigation-links-link><span>News</span></a></li><li class=main-navigation-links-item><a href=/v1.13/get-involved/ class=main-navigation-links-link><span>Get involved</span></a></li><li class=main-navigation-links-item><a href=/v1.13/docs/ class=main-navigation-links-link><span>Documentation</span></a></li></ul><div class=main-navigation-footer><button id=search-show class=search-show title="Search this site" aria-label=Search><svg class="icon magnifier"><use 
xlink:href="/v1.13/img/icons.svg#magnifier"/></svg></button>
<a href=/v1.13/docs/setup/getting-started class="btn btn--primary" id=try-istio>Try Istio</a></div></div><form id=search-form class=search name=cse role=search><input type=hidden name=cx value=002184991200833970123:iwwf17ikgf4>
<input type=hidden name=ie value=utf-8>
<input type=hidden name=hl value=en>
<input type=hidden id=search-page-url value=/search>
<input id=search-textbox class="search-textbox form-control" name=q type=search aria-label="Search this site" placeholder=Search>
<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.13/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Large Scale Security Policy Performance Tests</h1><p>The effect of security policies on latency of requests.</p></div><p class=post-author>Sep 15, 2020 <span>|</span> By Michael Eizaguirre - Google, Yangmin Zhu - Google, Carolyn Hu - Google</p><div><h2 id=overview>Overview</h2><p>Istio has a wide range of security policies which can be easily configured into systems of services. As the number of applied policies increases, it is important to understand the relationship of latency, memory usage, and CPU usage of the system.</p><p>This blog post goes over common security policies use cases and how the number of security policies or the number of specific rules in a security policy can affect the overall latency of requests.</p><h2 id=setup>Setup</h2><p>There are a wide range of security policies and many more combinations of those policies. We will go over 6 of the most commonly used test cases.</p><p>The following test cases are run in an environment which consists of a <a href=https://fortio.org/>Fortio</a> client sending requests to a Fortio server, with a baseline of no Envoy sidecars deployed. 
The following data was gathered by using the <a href=https://github.com/istio/tools/tree/master/perf/benchmark>Istio performance benchmarking tool</a>.<figure style=width:55%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/istio_setup.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/istio_setup.svg alt="Environment setup"></a></div><figcaption></figcaption></figure></p><p>In these test cases, requests either do not match any rules or match only the very last rule in the security policies. This ensures that the RBAC filter evaluates all policy rules, and never matches a policy rule before viewing all the policies. Even though this is not necessarily what will happen in your own system, this policy setup provides data for the worst possible performance of each test case.</p><h2 id=test-cases>Test cases</h2><ol><li><p>Mutual TLS STRICT vs plaintext.</p></li><li><p>A single authorization policy with a variable number of principal rules as well as a <code>PeerAuthentication</code> policy. The principal rule is dependent on the <code>PeerAuthentication</code> policy being applied to the system.</p></li><li><p>A single authorization policy with a variable number of <code>requestPrincipal</code> rules as well as a <code>RequestAuthentication</code> policy. 
The <code>requestPrincipal</code> is dependent on the <code>RequestAuthentication</code> policy being applied to the system.</p></li><li><p>A single authorization policy with a variable number of <code>paths</code> vs <code>sourceIP</code> rules.</p></li><li><p>A variable number of authorization policies, each consisting of a single path or <code>sourceIP</code> rule.</p></li><li><p>A single <code>RequestAuthentication</code> policy with a variable number of <code>JWTRules</code> rules.</p></li></ol><h2 id=data>Data</h2><p>The y-axis of each test is the latency in milliseconds, and the x-axis is the number of concurrent connections. The x-axis of each graph consists of 3 data points that represent a small load (qps=100, conn=8), medium load (qps=500, conn=32), and large load (qps=1000, conn=64).</p><div id=tabset-blog-2020-large-scale-security-policy-performance-tests-1 role=tablist class=tabset><div class=tab-strip data-category-name=platform><button aria-selected=true data-category-value=one aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-tab role=tab><span>MTLS vs plainText</span>
</button><button tabindex=-1 data-category-value=two aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-tab role=tab><span>AuthZ mTLS SourcePrincipals</span>
</button><button tabindex=-1 data-category-value=three aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-tab role=tab><span>AuthZ JWT RequestPrincipal</span>
</button><button tabindex=-1 data-category-value=four aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-tab role=tab><span>AuthZ sourceIP</span>
</button><button tabindex=-1 data-category-value=five aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-tab role=tab><span>AuthZ paths</span>
</button><button tabindex=-1 data-category-value=six aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-tab role=tab><span>RequestAuthN JWT Issuer</span>
</button><button tabindex=-1 data-category-value=seven aria-controls=tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-panel id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-tab role=tab><span>Variable AuthZ</span></button></div><div class=tab-content><div id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-0-tab><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/mtls_plaintext.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/mtls_plaintext.svg alt="MTLS vs plaintext"></a></div><figcaption></figcaption></figure>The difference in latency between MTLS mode STRICT and plaintext is very small at lower loads. As the <code>qps</code> and <code>conn</code> increase, the latency of requests with MTLS STRICT increases. 
The additional latency at larger loads is minimal compared to the increase from having no sidecars to having sidecars in plaintext mode.</div><div hidden id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-1-tab><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_principals.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_principals.svg alt="Authorization policy variable number of principals"></a></div><figcaption></figcaption></figure><p>For Authorization policies with 10 vs 1000 principal rules, the latency increase of 10 principal rules compared to no policies is greater than the latency increase of 1000 principals compared to 10 principals.</p></div><div hidden id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-2-tab><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_requestPrincipals.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_requestPrincipals.svg alt="Authorization policy with variable principals"></a></div><figcaption></figcaption></figure>For Authorization policies with a variable number of <code>requestPrincipal</code> rules, the latency increase of 10 <code>requestPrincipal</code> rules compared to no policies is nearly the same as the latency increase of 1000 <code>requestPrincipal</code> rules compared to 10 <code>requestPrincipal</code> rules.</div><div hidden 
id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-3-tab><p><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_sourceIP.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_sourceIP.svg alt="Authorization policy with variable `sourceIP` rules"></a></div><figcaption></figcaption></figure>The latency increase of a single <code>AuthZ</code> policy with 10 <code>sourceIP</code> rules is not proportional to the latency increase of a single <code>AuthZ</code> policy with 1000 <code>sourceIP</code> rules compared to the system with sidecar and no policies.</p><p><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg alt="Authorization policy with both paths and `sourceIP`"></a></div><figcaption></figcaption></figure>The latency increase of a variable number of <code>sourceIP</code> rules is marginally greater than that of path rules.</p></div><div hidden id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-4-tab><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_paths.svg title><img class=element-to-stretch 
src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_paths.svg alt="Authorization policy with variable number of paths"></a></div><figcaption></figcaption></figure>The latency increase of a single <code>AuthZ</code> policy with 10 path rules is not proportional to the latency increase of a single <code>AuthZ</code> policy with 1000 path rules compared to the system with sidecar and no policies. This trend is similar to that of <code>sourceIP</code> rules.<figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_paths_vs_sourceIP.svg alt="Authorization policy with both paths and `sourceIP`"></a></div><figcaption></figcaption></figure>The latency of a variable number of path rules is marginally less than that of <code>sourceIP</code> rules.</div><div hidden id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-panel role=tabpanel tabindex=0 aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-5-tab><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/RequestAuthN_jwks.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/RequestAuthN_jwks.svg alt="Request Authentication with variable number of JWT issuers"></a></div><figcaption></figcaption></figure>The latency of a single JWT issuer is comparable to that of no policies, but as the number of JWT issuers increases, the latency increases disproportionately.</div><div hidden id=tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-panel role=tabpanel tabindex=0 
aria-labelledby=tabset-blog-2020-large-scale-security-policy-performance-tests-1-6-tab><p>To test how the number of Authorization policies affects request latency, the tests can be broken into two cases:</p><ol><li><p>Every Authorization policy has a single <code>sourceIP</code> rule.</p></li><li><p>Every Authorization policy has a single path rule.</p></li></ol><p><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_sourceIP.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_sourceIP.svg alt="Authorization policy with variable number of policies, with `sourceIP` rule"></a></div><figcaption></figcaption></figure><figure style=width:90%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:45.34%><a data-skipendnotes=true href=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_paths.svg title><img class=element-to-stretch src=/v1.13/blog/2020/large-scale-security-policy-performance-tests/AuthZ_var_policies_paths.svg alt="Authorization policy with variable number of policies, with path rule"></a></div><figcaption></figcaption></figure>The overall trends of both graphs are similar. This is consistent with the paths vs <code>sourceIP</code> data, which showed that the latency is marginally greater for <code>sourceIP</code> rules than for path rules.</p></div></div></div><h2 id=conclusion>Conclusion</h2><ul><li><p>In general, adding security policies does not add relatively high overhead to the system. 
The policies that add the most latency include:</p><ol><li><p>Authorization policy with <code>JWTRules</code> rules.</p></li><li><p>Authorization policy with <code>requestPrincipal</code> rules.</p></li><li><p>Authorization policy with principals rules.</p></li></ol></li><li><p>In lower loads (requests with lower qps and conn) the difference in latency for most policies is minimal.</p></li><li><p>Envoy proxy sidecars increase latency more than most policies, even if the policies are large.</p></li><li><p>The latency increase of extremely large policies is relatively similar to the latency increase of adding Envoy proxy sidecars compared to that of no sidecars.</p></li><li><p>Two different tests determined that the <code>sourceIP</code> rule is marginally slower than a path rule.</p></li></ul><p>If you are interested in creating your own large scale security policies and running performance tests with them, see the <a href=https://github.com/istio/tools/tree/master/perf/benchmark/security/generate_policies>performance benchmarking tool README</a>.</p><p>If you are interested in reading more about the security policies tests, see <a href="https://docs.google.com/document/d/1ZP9eQ_2EJEG12xnfsoo7125FDN38r62iqY1PUn9Dz-0/edit?usp=sharing">our design doc</a>. If you don&rsquo;t already have access, you can <a href=/v1.13/get-involved/>join the Istio team drive</a>.</p></div><nav class=pagenav><div class=left><a title="Announcing the four newest Istio Steering Committee members." href=/v1.13/blog/2020/steering-election-results/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.13/img/icons.svg#left-arrow"/></svg>2020 Steering Committee Election Results</a></div><div class=right><a title="A new deployment model for Istio." 
href=/v1.13/blog/2020/new-deployment-model/ class=next-link>Deploying Istio Control Planes Outside the Mesh<svg class="icon right-arrow"><use xlink:href="/v1.13/img/icons.svg#right-arrow"/></svg></a></div></nav></article><footer class=footer><div class="footer-wrapper container-l"><div class="user-links footer-links"><a class=channel title="GitHub is where development takes place on Istio code" href=https://github.com/istio/community aria-label=GitHub><svg class="icon github"><use xlink:href="/v1.13/img/icons.svg#github"/></svg></a><a class=channel title="Access our team drive if you'd like to take a look at the Istio technical design documents" href=https://groups.google.com/forum/#!forum/istio-team-drive-access aria-label="team drive"><svg class="icon drive"><use xlink:href="/v1.13/img/icons.svg#drive"/></svg></a><a class=channel title="Interactively discuss issues with the Istio community on Slack" href=https://slack.istio.io aria-label=slack><svg class="icon slack"><use xlink:href="/v1.13/img/icons.svg#slack"/></svg></a><a class=channel title="Stack Overflow is where you can ask questions and find curated answers on deploying, configuring, and using Istio" href=https://stackoverflow.com/questions/tagged/istio aria-label="Stack Overflow"><svg class="icon stackoverflow"><use xlink:href="/v1.13/img/icons.svg#stackoverflow"/></svg></a><a class=channel title="Follow us on Twitter to get the latest news" href=https://twitter.com/IstioMesh aria-label=Twitter><svg class="icon twitter"><use xlink:href="/v1.13/img/icons.svg#twitter"/></svg></a></div><hr class=footer-separator role=separator><div class="info footer-info"><a class=logo href=/v1.13/ aria-label=logotype><svg xmlns="http://www.w3.org/2000/svg" width="128" height="60" viewBox="0 0 128 60"><path d="M58.434 48.823A.441.441.0 0158.3 48.497V22.583a.444.444.0 01.134-.326.446.446.0 01.327-.134h3.527a.447.447.0 01.325.134.447.447.0 01.134.326v25.914a.443.443.0 01-.134.326.444.444.0 01-.325.134h-3.527a.444.444.0 
01-.327-.134z"/><path d="m70.969 48.477a6.556 6.556.0 01-2.818-1.955 4.338 4.338.0 01-1-2.78v-.345a.443.443.0 01.134-.326.444.444.0 01.326-.135h3.374a.444.444.0 01.326.135.445.445.0 01.134.326v.077a2.014 2.014.0 001.054 1.667 4.672 4.672.0 002.664.709 4.446 4.446.0 002.492-.633 1.862 1.862.0 00.958-1.591 1.426 1.426.0 00-.786-1.322 12.7 12.7.0 00-2.549-.939l-1.457-.46a21.526 21.526.0 01-3.3-1.227 6.57 6.57.0 01-2.262-1.783 4.435 4.435.0 01-.92-2.894 5.081 5.081.0 012.109-4.275 8.993 8.993.0 015.558-1.591 10.445 10.445.0 014.1.748 6.3 6.3.0 012.722 2.07 5 5 0 01.958 3.009.441.441.0 01-.134.326.441.441.0 01-.325.134h-3.258a.441.441.0 01-.326-.134.443.443.0 01-.134-.326 1.974 1.974.0 00-.978-1.667 4.647 4.647.0 00-2.665-.671 4.741 4.741.0 00-2.435.556 1.724 1.724.0 00-.938 1.553 1.512 1.512.0 00.9 1.4 15.875 15.875.0 003.01 1.055l.843.229a27.368 27.368.0 013.412 1.246 6.67 6.67.0 012.338 1.763 4.387 4.387.0 01.958 2.933 4.988 4.988.0 01-2.146 4.275 9.543 9.543.0 01-5.712 1.552 11.626 11.626.0 01-4.227-.709z"/><path d="m97.039 32.837a.443.443.0 01-.326.135h-3.911a.169.169.0 00-.191.192v9.239a2.951 2.951.0 00.632 2.108 2.7 2.7.0 002.013.652h1.15a.444.444.0 01.325.134.441.441.0 01.134.326v2.875a.471.471.0 01-.459.5l-1.994.039a8 8 0 01-4.524-1.035q-1.495-1.035-1.533-3.91V33.166A.17.17.0 0088.164 32.974H85.978A.441.441.0 0185.652 32.839.441.441.0 0185.518 32.513V29.83a.441.441.0 01.134-.326.444.444.0 01.326-.135h2.186a.169.169.0 00.191-.192v-4.485a.438.438.0 01.134-.326.44.44.0 01.325-.134h3.336a.443.443.0 01.325.134.442.442.0 01.135.326v4.485a.169.169.0 00.191.192h3.911a.446.446.0 01.326.135.446.446.0 01.134.326v2.683a.446.446.0 01-.133.324z"/><path d="m101.694 25.917a2.645 2.645.0 01-.767-1.955 2.65 2.65.0 01.767-1.955 2.65 2.65.0 011.955-.767 2.65 2.65.0 011.955.767 2.652 2.652.0 01.767 1.955 2.647 2.647.0 01-.767 1.955 2.646 2.646.0 01-1.955.767 2.645 2.645.0 01-1.955-.767zm-.211 22.906a.441.441.0 01-.134-.326V29.79a.444.444.0 01.134-.326.446.446.0 
01.326-.134h3.527a.446.446.0 01.326.134.445.445.0 01.134.326v18.707a.443.443.0 01-.134.326.443.443.0 01-.326.134h-3.527a.443.443.0 01-.326-.134z"/><path d="m114.019 47.734a8.1 8.1.0 01-3.047-4.255 14.439 14.439.0 01-.652-4.37 14.3 14.3.0 01.614-4.371A7.869 7.869.0 01114 30.56a9.072 9.072.0 015.252-1.5 8.543 8.543.0 015.041 1.5 7.985 7.985.0 013.009 4.14 12.439 12.439.0 01.69 4.37 13.793 13.793.0 01-.651 4.37 8.255 8.255.0 01-3.028 4.275 8.475 8.475.0 01-5.1 1.553 8.754 8.754.0 01-5.194-1.534zm7.629-3.1a4.536 4.536.0 001.476-2.262 11.335 11.335.0 00.383-3.221 10.618 10.618.0 00-.383-3.22 4.169 4.169.0 00-1.457-2.243 4.066 4.066.0 00-2.531-.785 3.942 3.942.0 00-2.453.785 4.376 4.376.0 00-1.5 2.243 11.839 11.839.0 00-.383 3.22 11.84 11.84.0 00.383 3.221 4.222 4.222.0 001.476 2.262 4.075 4.075.0 002.549.8 3.8 3.8.0 002.44-.809z"/><path d="m15.105 32.057v15.565a.059.059.0 01-.049.059L.069 50.25A.06.06.0 01.005 50.167l14.987-33.47a.06.06.0 01.114.025z"/><path d="m17.631 23.087v24.6a.06.06.0 00.053.059l22.449 2.507a.06.06.0 00.061-.084L17.745.032a.06.06.0 00-.114.024z"/><path d="m39.961 52.548-24.833 7.45a.062.062.0 01-.043.0L.079 52.548a.059.059.0 01.026-.113h39.839a.06.06.0 01.017.113z"/></svg></a><div class=footer-languages><a tabindex=-1 lang=en id=switch-lang-en class="footer-languages-item active"><svg class="icon tick"><use xlink:href="/v1.13/img/icons.svg#tick"/></svg>English</a>
<a tabindex=-1 lang=zh id=switch-lang-zh class=footer-languages-item>中文</a></div></div><ul class=footer-policies><li class=footer-policies-item><a class=footer-policies-link href=https://policies.google.com/privacy>Privacy policy</a> |
<a class=footer-policies-link href=https://github.com/istio/istio.io/edit/release-1.13/content/en/blog/2020/large-scale-security-policy-performance-tests/index.md>Edit this Page on GitHub</a></li></ul><div class=footer-base><span class=footer-base-copyright>&copy; 2022 Istio Authors.</span>
<span class=footer-base-version>Version
Archive
1.13.4</span><ul class=footer-base-releases><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://istio.io/blog/2020/large-scale-security-policy-performance-tests/"),!1'>current release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link onclick='return navigateToUrlOrRoot("https://preliminary.istio.io/blog/2020/large-scale-security-policy-performance-tests/"),!1'>next release</a></li><li class=footer-base-releases-item><a tabindex=-1 class=footer-base-releases-link href=https://istio.io/archive>older releases</a></li></ul></div></div></footer><div id=scroll-to-top-container aria-hidden=true><button id=scroll-to-top title="Back to top" tabindex=-1><svg class="icon top"><use xlink:href="/v1.13/img/icons.svg#top"/></svg></button></div></body></html>