Enforce mTLS using Rafay's Managed Service Mesh¶
Earlier this week, we provided "hands-on, labs based training" for approximately 25 technologists on the recently introduced "Managed Service Mesh" capability in the Rafay Kubernetes Operations Platform.
Here's what we setup for the enablement session:
- Each attendee was provided with their own Kubernetes cluster.
- We spun up 25 Kubernetes clusters on Digital Ocean just a few hours before the session.
- Each attendee had their own dedicated "project" in the "Training" Org
It is now becoming a standard operational requirement for applications to require the use of a Zero Trust security model. One of the important aspects of this model is the use of mutual TLS (mTLS) to ensure all communication between services are mutually authenticated and strongly encrypted.
Application teams commonly find themselves having to deal with this in the 11th hour. At this point, it is either "too late" to retrofit their application business logic or the legacy containerized application is not capable of being retrofitted. The service mesh's sidecar based enforcement approach is a perfect solution for scenarios like this.
The Lab Exercise¶
In the "hands-on" lab, each attendee followed our "Getting Started" guide for MTLS Migration closely. The high level steps were as follows:
Create a custom blueprint with the "integrated" Service Mesh enabled and the "default" installation profile. Update the cluster's blueprint with the custom blueprint. In 2-3 minutes, blueprint sync should complete and you should see something like this.
- Create three namespaces called "foo", "bar" and "legacy".
- Ensure that "sidecar" injection is enabled for the "foo" and "bar" namespaces.
- Ensure that "sidecar" injection is disabled for the "legacy" namespace.
Deploy sample workloads into the "foo", "bar" and "legacy" namespaces.
For the workloads deployed into namespaces with sidecar injection "enabled", you will notice that the side car is automatically implemented. The attendees confirmed this by using the Integrated Kubernetes Resources Dashboard for the workload.
Once the workloads are operational and are interacting with each other, the attendees used the Integrated, Multitenant Kiali Dashboard to visualize the inter-service traffic in their Kubernetes cluster.
The "unknown" resource in the screenshot above is the "legacy" workload attempting to interact with the workload in the secure "foo" namespace. But, this is being blocked because it is not capable of using mTLS.
Try It Out¶
If you are interested in trying this out yourself,
- Sign Up for a Free Rafay Org.
- Follow the steps in the Getting Started Guide for mTLS Migration.