
Chapter 11. Post-quantum cryptography


Post-quantum cryptography (PQC) provides cryptographic algorithms resistant to quantum computing threats, replacing traditional methods such as RSA and ECDSA that are vulnerable to quantum-based attacks.

11.1. About post-quantum cryptography (PQC) in service mesh

Post-quantum cryptography (PQC), also known as quantum-resistant cryptography, uses encryption algorithms designed to resist attacks from quantum computers.

Quantum computers use principles of quantum mechanics to perform certain calculations significantly faster than classical computers, compromising widely used cryptographic algorithms.

Most current encryption methods rely on mathematical problems that classical computers cannot solve in a practical time. Large-scale quantum computers could solve some of these problems more efficiently, which would weaken the security of existing cryptographic systems.

In Red Hat OpenShift Service Mesh, cryptographic algorithms protect control plane and data plane communications, including mutual TLS (mTLS) between workloads. Enabling PQC strengthens these communications by introducing quantum-resistant key exchange mechanisms while maintaining compatibility with existing infrastructure.

Note

Post-quantum cryptography (PQC) algorithms are not available on OpenShift clusters running in FIPS mode.

Configure a quantum-secure gateway by using hybrid key exchange to protect service mesh ingress traffic against quantum computing threats.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.28.5
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        meshConfig:
          accessLogFile: /dev/stdout
          tlsDefaults:
            ecdhCurves:
            - X25519MLKEM768
    EOF

    • spec.values.meshConfig.tlsDefaults.ecdhCurves defines the key exchange curves for all non-mesh Transport Layer Security (TLS) connections in your Istio deployment, including:

      • Ingress gateways: TLS connections from external clients.
      • Egress gateways: TLS connections to external services.
      • External service connections: Any TLS connections to services outside the mesh.

    Note

    This setting does not apply to mesh-internal mutual Transport Layer Security (mTLS). Communication between services within the mesh uses the default Istio mTLS configuration.

    • spec.values.meshConfig.tlsDefaults is a mesh-wide setting that applies to all gateways and mesh-internal traffic. You cannot enable PQC algorithms for individual workloads. To use different TLS configurations for specific gateways, you must deploy separate control planes, each with its own meshConfig.tlsDefaults setting.
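To confirm that the gateway really negotiates the hybrid group after the Istio resource has rolled out, the following added example (not part of this documentation or of the Istio project) drives openssl s_client against the gateway and parses the negotiated TLS 1.3 group from its output. The host, port, and SNI values are assumptions supplied by the caller, the s_client output format is assumed from OpenSSL 3.x, and the sample output is constructed.

```python
"""Check that an ingress gateway negotiates X25519MLKEM768 (added example)."""
import re
import subprocess
from typing import Optional

HYBRID_GROUP = "X25519MLKEM768"
# Offer the hybrid group first and classical X25519 as a fallback, so a gateway
# that ignores the PQC setting still completes the handshake and reveals the
# group it actually chose instead of just failing.
OFFERED_GROUPS = f"{HYBRID_GROUP}:X25519"

# OpenSSL 3.x s_client reports the key exchange group on one of these lines
# (assumed output format; older builds print only "Server Temp Key").
GROUP_PATTERNS = (
    re.compile(r"^Negotiated TLS1\.3 group:\s*(\S+)", re.MULTILINE),
    re.compile(r"^Server Temp Key:\s*([^,\s]+)", re.MULTILINE),
)


def negotiated_group(s_client_output: str) -> Optional[str]:
    """Return the key exchange group named in s_client output, or None."""
    for pattern in GROUP_PATTERNS:
        match = pattern.search(s_client_output)
        if match:
            return match.group(1)
    return None


def is_quantum_safe(group: Optional[str]) -> bool:
    """True only when the hybrid group from tlsDefaults.ecdhCurves was used."""
    return group == HYBRID_GROUP


def probe_gateway(host: str, port: int = 443, sni: Optional[str] = None,
                  timeout: int = 15) -> Optional[str]:
    """TLS 1.3 handshake against host:port; needs OpenSSL 3.5+ for ML-KEM."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tls1_3",
           "-groups", OFFERED_GROUPS, "-servername", sni or host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return negotiated_group(proc.stdout.decode(errors="replace"))


# Constructed s_client excerpt used to exercise the parser offline.
SAMPLE_OUTPUT = """\
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Negotiated TLS1.3 group: X25519MLKEM768
Protocol: TLSv1.3
"""
```

Call probe_gateway() with the ingress gateway route host once the updated Istio resource has rolled out; any result other than X25519MLKEM768 means the gateway fell back to a classical group.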

Configure the Istio control plane to enforce a post-quantum cryptography (PQC) compliance policy, enabling quantum-resistant security for service mesh communications.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.28.5
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        pilot:
          env:
            COMPLIANCE_POLICY: "pqc"
    EOF

    • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy that the Istio control plane enforces. Set the field to pqc to enable PQC.

Configure the Istio control plane and ztunnel to enforce a post-quantum cryptography (PQC) compliance policy, enabling quantum-resistant security for ambient mode service mesh communications.

Prerequisites

  • You have logged in to the OpenShift Container Platform web console 4.19+ as a user with the cluster-admin role.
  • You have installed the Red Hat OpenShift Service Mesh Operator 3.2.1+.
  • You have deployed the Istio and IstioCNI resources with ambient mode enabled.
  • You have installed the following CLI tools locally:

    • oc
    • podman
    • curl

Procedure

  • Update the Istio control plane and ztunnel to enable PQC by running the following command:

    $ oc apply -f - <<EOF
    apiVersion: sailoperator.io/v1
    kind: Istio
    metadata:
      name: default
    spec:
      version: v1.28.5
      namespace: istio-system
      updateStrategy:
        type: InPlace
      values:
        pilot:
          env:
            COMPLIANCE_POLICY: "pqc"
        ztunnel:
          env:
            COMPLIANCE_POLICY: "pqc"
    EOF

    • spec.values.pilot.env.COMPLIANCE_POLICY specifies the compliance policy for the Istio control plane. Set the field to pqc to enable PQC.
    • spec.values.ztunnel.env.COMPLIANCE_POLICY specifies the compliance policy for ztunnel in ambient mode. Set the field to pqc to enable PQC.