Skip to content

Enforce mTLS using Rafay's Managed Service Mesh

Earlier this week, we provided "hands-on, labs based training" for approximately 25 technologists on the recently introduced "Managed Service Mesh" capability in the Rafay Kubernetes Operations Platform.

Here's what we setup for the enablement session:

  • Each attendee was provided with their own Kubernetes cluster.
  • We spun up 25 Kubernetes clusters on Digital Ocean just a few hours before the session.
  • Each attendee had their own dedicated "project" in the "Training" Org

25 Training Clusters

Background

It is now becoming a standard operational requirement for applications to require the use of a Zero Trust security model. One of the important aspects of this model is the use of mutual TLS (mTLS) to ensure all communication between services are mutually authenticated and strongly encrypted.

Application teams commonly find themselves having to deal with this in the 11th hour. At this point, it is either "too late" to retrofit their application business logic or the legacy containerized application is not capable of being retrofitted. The service mesh's sidecar based enforcement approach is a perfect solution for scenarios like this.

Sidecar

The Lab Exercise

In the "hands-on" lab, each attendee followed our "Getting Started" guide for MTLS Migration closely. The high level steps were as follows:

Step 1

Create a custom blueprint with the "integrated" Service Mesh enabled and the "default" installation profile. Update the cluster's blueprint with the custom blueprint. In 2-3 minutes, blueprint sync should complete and you should see something like this.

Service Mesh Blueprint

Step 2

  • Create three namespaces called "foo", "bar" and "legacy".
  • Ensure that "sidecar" injection is enabled for the "foo" and "bar" namespaces.

Service Mesh Injection

  • Ensure that "sidecar" injection is disabled for the "legacy" namespace.

Service Mesh Injection

Step 3

Deploy sample workloads into the "foo", "bar" and "legacy" namespaces.

For the workloads deployed into namespaces with sidecar injection "enabled", you will notice that the side car is automatically implemented. The attendees confirmed this by using the Integrated Kubernetes Resources Dashboard for the workload.

Confirm Sidecar Injection

Once the workloads are operational and are interacting with each other, the attendees used the Integrated, Multitenant Kiali Dashboard to visualize the inter-service traffic in their Kubernetes cluster.

Service Mesh Visualization

Note

The "unknown" resource in the screenshot above is the "legacy" workload attempting to interact with the workload in the secure "foo" namespace. But, this is being blocked because it is not capable of using mTLS.

Try It Out

If you are interested in trying this out yourself,

...