
Mutual TLS (mTLS)

mTLS / pod to pod

  • mutual auth
  • bilateral auth: both ends of the connection prove their identity, not just the server
  • each app holds a cert + key that it presents as client and as server, and each side verifies the peer's cert against the shared CA

by default every pod can talk to every other pod, and that traffic is unencrypted and unauthenticated

Service Meshes

  • manage all the certs between pods (issue, distribute, rotate)
  • decouple the app container from the auth/cert work: a sidecar proxy in the same pod terminates mTLS on the app's behalf
  • these sidecars make up the "mesh", e.g. istio, linkerd
  • all traffic in and out of the pod is routed through the proxy/sidecar, so the app itself never handles TLS

these routes are iptables rules that redirect the pod's traffic to the proxy. They are installed by e.g. an init container, which needs the NET_ADMIN capability to modify iptables. Init containers run to completion before the app container starts, so the redirect is already in place when the app sends its first packet. This is how Istio does it.

Scenarios - create a proxy sidecar

root@cks-master:~# k run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping google.com'

# app.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}

run it

root@cks-master:~# k create -f ./app.yaml 
pod/app created
root@cks-master:~# k logs -f app
Error from server (BadRequest): container "app" in pod "app" is waiting to start: ContainerCreating
root@cks-master:~# k logs -f app
PING google.com (172.217.167.110): 56 data bytes
64 bytes from 172.217.167.110: seq=0 ttl=121 time=1.310 ms
64 bytes from 172.217.167.110: seq=1 ttl=121 time=1.261 ms
64 bytes from 172.217.167.110: seq=2 ttl=121 time=1.403 ms
64 bytes from 172.217.167.110: seq=3 ttl=121 time=1.171 ms
64 bytes from 172.217.167.110: seq=4 ttl=121 time=1.254 ms
64 bytes from 172.217.167.110: seq=5 ttl=121 time=1.237 ms
64 bytes from 172.217.167.110: seq=6 ttl=121 time=1.475 ms

add a "sidecar proxy" container to our Pod manifest. Hacky version: a plain ubuntu container that installs iptables at start-up and then sleeps, standing in for a real proxy image.

note: the proxy container needs extra permissions to run iptables commands, i.e. the NET_ADMIN capability, added via securityContext

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  - command:
    - sh
    - -c
    - 'apt-get update && apt-get install -y iptables && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
    image: ubuntu
    name: proxy
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
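The sidecar above only lists the rules; what a mesh's init container actually installs is the transparent redirect. As an added example (not from the page and not Istio's own istio-init script), the following builds that rule set: all inbound TCP goes to the proxy's inbound listener, all outbound TCP to its outbound listener, and the proxy's own sockets are exempted so it cannot loop on itself. The ports 15001/15006, the proxy UID 1337 and the chain names PROXY_INBOUND/PROXY_OUTPUT are assumptions (the ports and UID follow Istio's conventions; the chain names are made up here).

```shell
#!/bin/sh
# Added example (not from the page, not Istio's code): iptables rules that an
# init container with CAP_NET_ADMIN installs so every TCP connection in or out
# of the pod passes through the sidecar proxy.
# Assumptions: proxy listens on 15001 (outbound) and 15006 (inbound) and runs
# as UID 1337. These follow Istio's conventions; the page does not state them.
set -eu

PROXY_UID="${PROXY_UID:-1337}"
OUTBOUND_PORT="${OUTBOUND_PORT:-15001}"
INBOUND_PORT="${INBOUND_PORT:-15006}"

# Emit the rules as text first: they can be reviewed (or unit-tested) without
# root, and piped to sh inside the init container to apply them.
proxy_redirect_rules() {
  cat <<EOF
iptables -t nat -N PROXY_INBOUND
iptables -t nat -N PROXY_OUTPUT
# inbound: every TCP connection arriving at the pod lands on the proxy's inbound
# listener; the proxy then opens its own connection to the real app port
iptables -t nat -A PREROUTING -p tcp -j PROXY_INBOUND
iptables -t nat -A PROXY_INBOUND -p tcp -j REDIRECT --to-ports ${INBOUND_PORT}
# outbound: hook locally generated TCP ...
iptables -t nat -A OUTPUT -p tcp -j PROXY_OUTPUT
# ... but let the proxy's own sockets (matched by UID) and loopback through first,
# otherwise the proxy's upstream connections would be redirected back into itself
iptables -t nat -A PROXY_OUTPUT -m owner --uid-owner ${PROXY_UID} -j RETURN
iptables -t nat -A PROXY_OUTPUT -o lo -j RETURN
iptables -t nat -A PROXY_OUTPUT -p tcp -j REDIRECT --to-ports ${OUTBOUND_PORT}
EOF
}

# Sanity check: the proxy's UID exemption must come BEFORE the outbound
# REDIRECT, or the proxy loops on itself. Returns 0 if the ordering is right.
rules_are_loop_safe() {
  exempt=$(proxy_redirect_rules | grep -n -- "--uid-owner ${PROXY_UID} -j RETURN" | cut -d: -f1)
  redirect=$(proxy_redirect_rules | grep -n -- "--to-ports ${OUTBOUND_PORT}" | cut -d: -f1)
  [ -n "$exempt" ] && [ -n "$redirect" ] && [ "$exempt" -lt "$redirect" ]
}

# Apply for real: needs root plus CAP_NET_ADMIN in the pod's network namespace,
# i.e. exactly the securityContext the page adds to the proxy container.
apply_proxy_redirect() {
  [ "$(id -u)" -eq 0 ] || { echo "need root + NET_ADMIN" >&2; return 1; }
  rules_are_loop_safe || { echo "refusing to install looping rules" >&2; return 1; }
  proxy_redirect_rules | sh -e
}

case "${1:-}" in
  apply) apply_proxy_redirect ;;
  *)     proxy_redirect_rules ;;
esac
```

Run without arguments to print the rules for review; run `apply` as root inside a container that has NET_ADMIN to install them. Because nat rules are evaluated once per connection, the UID exemption in OUTPUT is what keeps the proxy's upstream connections (and its loopback connection to the app) out of the redirect; remove that one line and the proxy connects to itself forever.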

at the moment there is no mTLS or service mesh content in the exam.