Red Hat SummitChapter 9. Enabling mutual Transport Layer Security
You can use Red Hat OpenShift Service Mesh for your application to customize the communication security between the complex array of microservices. Mutual Transport Layer Security (mTLS) is a protocol that enables two parties to authenticate each other.
9.1. About mutual Transport Layer Security (mTLS)
In OpenShift Service Mesh 3, you use the Istio resource instead of the ServiceMeshControlPlane resource to configure mTLS settings.
In OpenShift Service Mesh 3, you configure STRICT mTLS mode by using the PeerAuthentication and DestinationRule resources. You set TLS protocol versions through Istio Workload Minimum TLS Version Configuration.
Review the following Istio resources and concepts to configure mTLS settings properly:
PeerAuthentication-
defines the type of mTLS traffic a sidecar accepts.
PERMISSIVEmode allows both plain text and mTLS traffic.STRICTmode requires mTLS for all incoming traffic.. DestinationRule-
configures the type of TLS traffic a sidecar sends. In
DISABLEmode, the sidecar sends plain text. InSIMPLE,MUTUAL, andISTIO_MUTUALmodes, the sidecar establishes a TLS connection. Auto mTLS-
ensures the mesh uses mTLS by default to encrypt all inter-mesh traffic, regardless of the
PeerAuthenticationmode configuration. TheenableAutoMtlsglobal mesh configuration field controlsAuto mTLS, which OpenShift Service Mesh 2 and 3 enable by default. The mTLS setting operates entirely between sidecar proxies, requiring no changes to application or service code.
By default, PeerAuthentication uses PERMISSIVE mode, allowing sidecars in the Service Mesh to accept both plain text and mTLS-encrypted traffic.
9.2. Enabling strict mTLS mode by using the namespace
You can restrict workloads to accept only encrypted mTLS traffic by enabling the STRICT mode in PeerAuthentication.
You can see the following example configuration for reference:
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: <namespace>
spec:
mtls:
mode: STRICT
You can enable mTLS for all destination hosts in the <namespace> by creating a DestinationRule resource with MUTUAL or ISTIO_MUTUAL mode if you disable auto mTLS and apply STRICT mode to PeerAuthentication.
You can see the following example configuration for reference:
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: enable-mtls
namespace: <namespace>
spec:
host: "*.<namespace>.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL9.3. Enabling strict mTLS across the whole service mesh
You can configure mTLS across the entire mesh by applying the PeerAuthentication policy to the istiod namespace, such as istio-system. The istiod namespace name must match to the spec.namespace field of your Istio resource.
You can see the following example configuration for reference:
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
name: default
namespace: istio-system
spec:
mtls:
mode: STRICT
Additionally, create a DestinationRule resource to disable mTLS for communication with the API server, as it does not have a sidecar. Apply similar DestinationRule configurations for other services without sidecars.
You can see the following example configuration for reference:
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
name: api-server
namespace: istio-system
spec:
host: kubernetes.default.svc.cluster.local
trafficPolicy:
tls:
mode: DISABLE9.4. Validating encryptions with Kiali
The Kiali console offers several ways to validate whether or not your applications, services, and workloads have Mutual Transport Layer Security (mTLS) encryption enabled.
The Services Detail Overview page displays a Security icon on the graph edges where at least one request with mTLS enabled is present. Also note that Kiali displays a lock icon in the Network section next to ports that use mTLS configuration.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}