Chapter 5. Securing a service network


Skupper provides default, built-in security that scales across clusters and clouds. This section describes additional security you can configure.

See Securing a service network using policies for information about creating granular policies for each cluster.

By default, if you expose a service on the service network, that service is also accessible from other namespaces in the cluster. You can avoid this situation when creating a site using the --create-network-policy option.

Procedure

  1. Create the service network router with a Kubernetes network policy:

    $ skupper init --create-network-policy
    Copy to Clipboard Toggle word wrap
  2. Check the site status:

    $ skupper status
    Copy to Clipboard Toggle word wrap

    The output should be similar to the following:

    Skupper enabled for namespace 'west'. It is not connected to any other sites.
    Copy to Clipboard Toggle word wrap

You can now expose services on the service network and those services are not accessible from other namespaces in the cluster.

By default, the traffic between sites is encrypted, however the traffic between the service pod and the router pod is not encrypted. For services exposed as TCP or HTTP2, the traffic between the pod and the router pod can be encrypted using TLS.

Prerequisites

  • Two or more linked sites
  • A TCP or HTTP2 frontend and backend service

Procedure

  1. Deploy your backend service.
  2. Expose your backend deployment on the service network, enabling TLS.

    For example, if you want to expose a TCP service:

    $ skupper expose deployment <deployment-name> --port 443 --enable-tls
    Copy to Clipboard Toggle word wrap

    Enabling TLS creates the necessary certificates required for TLS backends and stores them in a secret named skupper-tls-<deployment-name>.

  3. Modify the backend deployment to include the generated certificates, for example:

    ...
        spec:
          containers:
          ...
            command:
            ...
            - "/certs/tls.key"
            - "/certs/tls.crt"
            ...
            volumeMounts:
            ...
            - mountPath: /certs
              name: certs
              readOnly: true
          volumes:
          - name: index-html
            configMap:
              name: index-html
          - name: certs
            secret:
              secretName: skupper-tls-<deployment-name>
    Copy to Clipboard Toggle word wrap

    Each site creates the necessary certificates required for TLS clients and stores them in a secret named skupper-service-client.

  4. Modify the frontend deployment to include the generated certificates, for example:

    spec:
      template:
        spec:
          containers:
          ...
            volumeMounts:
            - name: certs
              mountPath: /tmp/certs/skupper-service-client
          ...
          volumes:
          - name: certs
            secret:
              secretName: skupper-service-client
    Copy to Clipboard Toggle word wrap
  5. Test calling the service from a TLS enabled frontend.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat