Mutual TLS - Istio Service Mesh

-

Mutual TLS 

The communication between workloads in services goes through the Envoy proxies. When a workload sends a request to another workload using mTLS, Istio re-routes the traffic to the sidecar Envoy. 

Once the mTLS connection is established, the request is forwarded from the client Envoy proxy to the server-side Envoy proxy. Then, the sidecar Envoy starts an mTLS handshake with the server-side Envoy. During the handshake, the caller does a secure naming check to verify the service account in the server certificate is authorized to run the target service. After the authorization on the server-side, the sidecar forwards the traffic to the workload. 

We can change the mTLS behavior in the service's destination rule. The supported TLS modes are DISABLE (no TLS connection), SIMPLE (originate a TLS connection to the upstream endpoint), MUTUAL (uses mTLS by presenting client certificates for authentication), and ISTIO_MUTUAL (similar to MUTUAL, but uses Istio's automatically generated certificates for mTLS).


Permissive mode

A permissive mode is a unique option that allows a service to simultaneously accept plaintext traffic and mTLS traffic. The purpose of this feature is to improve the mTLS onboarding experience. 

By default, Istio configures the destination workloads using the permissive mode. Istio tracks the workloads that use the Istio proxies and automatically sends the mTLS traffic to them. If workloads don't have a proxy, Istio sends plain text traffic. 

The server accepts plain text traffic and mTLS traffic without breaking anything when using the permissive mode. The permissive mode gives us time to install and configure sidecars to send mTLS traffic gradually. 

Once all workloads have the sidecars installed, we can switch to the strict mTLS mode. To do that, we can create a PeerAuthentication resource. We can prevent non-mutual TLS traffic and require that all communication uses mTLS. 

We can create the PeerAuthentication resource and enforce strict mode in each namespace separately at first. Then, we can create a policy in the root namespace (istio-system in our case) that implements the policy globally across the mesh: 

apiVersion: security.istio.io/vlbetal 
kind: PeerAuthentication 
metadata: 
    name: default 
    namespace: istio-system 
spec: 
    mtls: 
        mode: STRICT 

Additionally, we can also specify the selector field and apply the policy only to specific workloads in the mesh. The example below enables STRICT mode for workloads with the specified label: 

apiVersion: security.istio.io/vlbetal 
kind: PeerAuthentication 
metadata: 
    name: default 
    namespace: my-namespace 
spec: 
    selector: 
        matchLabels: 
            app: customers 
    mtls: 
        mode: STRICT 

Comments

Post a Comment

Popular posts from this blog

DevOps Interview Questions

-
Questions from GIT, Jenkins, Ansible, Dockers & Containers, Kubernetes, OpenShift, AWS, CI/CD, Scripting, Linux (RHEL), Monitoring, Python GIT ########### * What is GIT ? * What is difference between GIT & Github ? * Why we use GIT ? * What is SCM & VCS ? * What are the process of pushing the code to Github Repository ? * Why do we commit ? * What are the commands of GIT to push the code ? * How you can merge a git repository with another ?  * What is branching in git ? * Different types of branching in GIT ? * What is merge conflict in git ? * How you can resolve merge conflict if you are merging same    project and in the same branch ?    Jenkins ########## * What is Jenkins ? * Why we use Jenkins ? * What are the other tools/technologies present in market other than    Jenkins for CI/CD ? * How to move Jenkins from one server to another ?    * How to create Jenkins backup ?  * What are plugins in Jenkins ? * What are
Read more

Calico Certified Operator: AWS Expert Questions & Answers

-
Section 1 Which one of the following is NOT an AWS networking concept? 1 point possible (graded, results hidden) AWS Region Virtual Private Cloud Elastic Network Interface Cloud NAT submitted Which of the following are network configuration options for the Calico CNI in BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: VLAN based segmentation VXLAN encapsulation IP-IP encapsulation CrossSubnet mode submitted Why does AWS-CNI networking make use of source based routing on the nodes? 1 point possible (graded, results hidden) To provide more available IP addresses To allow the utilisation of all ENIs attached to the node To secure the node’s compute resources To ensure all pods use the same ENI submitted Which of the following are true when using the CrossSubnet mode in Calico CNI on BYOC clusters? 1 point possible (graded, results hidden) Select all that apply: It is recommended that for best performanc
Read more

CKAD Certification Exam Preparation Guide and Tips

-
Image
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. The CNCF/Linux Foundation offers this performance-based exam which targets the developer aspect of Kubernetes skills such as deploying apps, configuring apps, rolling out the application, creating persistent volumes, etc. CKAD (Certified Kubernetes Application Developer) is designed for software developers who would like to develop and deploy their containerized applications in Kubernetes. The curriculum includes the following general domains with the associated weights: Core Concepts – 13% Configuration – 18% Multi-Container Pods – 10% Observability – 18% Pod Design – 20% Services & Networking – 13% State Persistence – 8% ------------------------------------------------------------------------- After my successful achievement of CKAD Certification, I would love to share my experience and tips to clear the exam. I have  practiced a lot on kubectl  commands and
Read more