Mutual TLS (mTLS)
mTLS / pod to pod
- mutual auth
- bilateral auth
- both apps have client+server certs each
by default every pod to every pod can talk, unencrypted
Service Meshes
- manage all the certs between pods
- decouple our app container from the auth/cert workload
- these sidecars make up the "mesh" e.g. istio, linkerd
- all traffic routes through proxy/sidecar
these routes are created via iptables rules, e.g. in an init container (needs the NET_ADMIN capability); only once the init containers have finished does the app container start. This is how Istio does it.
Scenarios - create a proxy sidecar
root@cks-master:~# k run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping google.com'
# app.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
run it
root@cks-master:~# k create -f ./app.yaml
pod/app created
root@cks-master:~# k logs -f app
Error from server (BadRequest): container "app" in pod "app" is waiting to start: ContainerCreating
root@cks-master:~# k logs -f app
PING google.com (172.217.167.110): 56 data bytes
64 bytes from 172.217.167.110: seq=0 ttl=121 time=1.310 ms
64 bytes from 172.217.167.110: seq=1 ttl=121 time=1.261 ms
64 bytes from 172.217.167.110: seq=2 ttl=121 time=1.403 ms
64 bytes from 172.217.167.110: seq=3 ttl=121 time=1.171 ms
64 bytes from 172.217.167.110: seq=4 ttl=121 time=1.254 ms
64 bytes from 172.217.167.110: seq=5 ttl=121 time=1.237 ms
64 bytes from 172.217.167.110: seq=6 ttl=121 time=1.475 ms
add a "sidecar proxy" container to our Pod manifest. Hacky solution: install iptables into the sidecar on the fly.
note that your proxy container needs an extra capability (NET_ADMIN) to run iptables commands, granted via securityContext
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  - command:
    - sh
    - -c
    - 'apt-get update && apt-get install -y iptables && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
    image: ubuntu
    name: proxy
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
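Added example, not part of the original notes: the init-container variant described above for Istio, built from the same ubuntu + iptables pieces as the hacky sidecar. The init container gets NET_ADMIN and writes one nat rule that sends the app's outbound TCP to the proxy; it exits before the app container starts, so the app container itself needs no extra capability. The proxy image, port 15001 and the uids 1000/1337 are placeholder values chosen for this example (the uid filter is what stops the proxy's own traffic from being redirected back to itself). Because the rule matches TCP only, the page's `ping` (ICMP) would bypass it; the app here uses sleep instead.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-proxy
  labels:
    run: app-with-proxy
spec:
  initContainers:
  # Runs once, before the app, with NET_ADMIN so it may edit the pod's
  # network namespace. Nothing else in the pod needs that capability.
  - name: init-redirect
    image: ubuntu            # placeholder; any image that can install iptables works
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
    command:
    - sh
    - -c
    - |
      apt-get update && apt-get install -y iptables
      # Redirect all locally generated TCP to the proxy port, except packets
      # owned by the proxy's own uid (1337), which would otherwise loop.
      iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1337 \
        -j REDIRECT --to-ports 15001
      # Print the chain so the rule can be checked in the init container's logs.
      iptables -t nat -L OUTPUT -n -v
  containers:
  # The app runs unprivileged; its TCP traffic is steered by the rule above.
  - name: app
    image: bash
    command: ["sh", "-c", "sleep 1d"]
    securityContext:
      runAsUser: 1000
  # Placeholder proxy: a real sidecar (e.g. Envoy) would listen on 15001
  # and terminate/originate mTLS on the app's behalf.
  - name: proxy
    image: example.invalid/proxy:placeholder
    securityContext:
      runAsUser: 1337
  restartPolicy: Always
```

Verify the rule landed with `kubectl logs app-with-proxy -c init-redirect`; the listed OUTPUT chain should show the REDIRECT entry. If the cluster's pod security admission forbids NET_ADMIN, the init container is rejected and the pod never starts, which is the expected failure mode rather than a silent bypass.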
to date there is no mTLS or service mesh content in the exam.