Part 3: Enforce strict mTLS
What Will You Do¶
In this part of the self-paced exercise, you will enable strict mTLS for a namespace and visualize the traffic in the Service Mesh dashboard.
You have setup service mesh in your cluster via a blueprint and injected sidecars into foo and bar namespaces. You have deployed the test application on foo, bar and legacy namespaces.
Below is how the service mesh visualization appears after the steps (with security enabled via the dropdown option provided for Display within the dashboard)
The visualization shows lock icons on the edges between foo and bar. This is because we enabled sidecars on these namespaces and Istio installs mTLS in permissive mode i.e., namespaces will use mutual TLS wherever possible but do not restrict non-encrypted communication.
The legacy namespace and the sleep application running in that namespace are represented as unknown as we did not enable sidecar injection for legacy namespace. legacy namespace is communicating with foo and bar namespaces in an unsecure mode (non-https) for the same reason (because sidecar injection is not enabled).
Enable strict mTLS for bar namespace¶
- Navigate to the Namespaces page
- Select the Configuration tab
- Select Service Mesh policies
- Under Policy click on Add Policy
- Select enable-strict-mtls from the dropdown. This is a pre-canned policy (available out of the box)
- Click Save and Go to Placement
- Select the cluster
- Click Save & Go to Publish
- Click Republish
The below spec enables strict mTLS for bar namespace. enable_strict_mtls is a pre-canned policy (available out of the box).
Replace the project and cluster details as appropriate.
apiVersion: infra.k8smgmt.io/v3 kind: Namespace metadata: name: bar project: demo-service-mesh spec: namespaceMeshPolicyParams: meshEnabled: true policies: - name: enable-strict-mtls placement: labels: - key: rafay.dev/clusterName value: demo-service-mesh
Run the below command for the policy to take effect for the bar namespace.
./rctl apply -f bar_namespace_mesh_policy.yaml
Visualize enforcement of mTLS for bar namespace¶
Since we enabled strict mTLS for bar namespace, legacy namespace which doesn't have sidecar injection enabled can no longer communicate with bar namespace. It can still communicate with foo namespace as foo namespace is still in permissive mTLS mode (this is the default mode).
Congratulations! In this 3 part series, you have successfully:
- Installed Istio on a cluster
- Injected sidecars to specific namespaces and visualized service mesh flows
- Enabled strict mTLS mode for a namespace to prevent unsecure communication