
Mutual TLS (mTLS)

mTLS / pod to pod#

  • mutual (bilateral) authentication: both sides present a certificate and verify the peer's certificate against a trusted CA
  • so each app needs a certificate it can present as a server and as a client, plus the CA to verify the other side
  • the result is authenticated and encrypted traffic between the two Pods

By default every Pod can talk to every other Pod, unauthenticated and unencrypted (no NetworkPolicy, no TLS).

Service Meshes#

  • manage (issue, distribute, rotate) all the certs between Pods
  • decouple our app container from the auth/cert work: a sidecar proxy container terminates and originates the mTLS connections
  • these sidecar proxies plus a control plane that issues the certs make up the "mesh", e.g. Istio, Linkerd
  • all traffic in and out of the Pod is transparently routed through the proxy/sidecar; the app still talks plain text, but only to localhost

The redirection is set up with iptables rules in the Pod's network namespace, e.g. by an init container (which needs the NET_ADMIN capability). The app container only starts once all init containers have completed, so the rules are already in place when the app sends its first packet. This is how Istio does it. Note that NET_ADMIN is a powerful capability and the "baseline" Pod Security Standard rejects Pods that add it; that is one reason Istio also offers a CNI plugin that installs the rules from the node instead of from an init container.

Scenarios - create a proxy sidecar#

```sh
$ k run app --image=bash --command -oyaml --dry-run=client > app.yaml -- sh -c 'ping google.com'
```

```yaml
# app.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```

run it

```sh
$ k create -f ./app.yaml
pod/app created
$ k logs -f app
Error from server (BadRequest): container "app" in pod "app" is waiting to start: ContainerCreating
$ k logs -f app
PING google.com (172.217.167.110): 56 data bytes
64 bytes from 172.217.167.110: seq=0 ttl=121 time=1.310 ms
64 bytes from 172.217.167.110: seq=1 ttl=121 time=1.261 ms
64 bytes from 172.217.167.110: seq=2 ttl=121 time=1.403 ms
64 bytes from 172.217.167.110: seq=3 ttl=121 time=1.171 ms
64 bytes from 172.217.167.110: seq=4 ttl=121 time=1.254 ms
64 bytes from 172.217.167.110: seq=5 ttl=121 time=1.237 ms
64 bytes from 172.217.167.110: seq=6 ttl=121 time=1.475 ms
```

Now add a "sidecar proxy" container to the Pod manifest. This is a hacky stand-in: it installs iptables at container start and only lists the current rules, it does not actually redirect any traffic. It is enough to show that a second container in the Pod shares the Pod's network namespace and can see (and change) its iptables rules.

Note that the proxy container needs extra permissions to run iptables commands, i.e. the NET_ADMIN capability, added via securityContext. The app container should not get that capability: a container that holds NET_ADMIN can remove the redirection rules and bypass the proxy.

```yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: app
  name: app
spec:
  containers:
  # unchanged app container, no extra capabilities
  - command:
    - sh
    - -c
    - ping google.com
    image: bash
    name: app
    resources: {}
  # "proxy" sidecar: installs iptables at start, lists the rules of the
  # shared Pod network namespace and then just sleeps
  - command:
    - sh
    - -c
    - 'apt-get update && apt-get install -y iptables && iptables -L && sleep 1d'
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]   # required for iptables to read/modify the rules
    image: ubuntu
    name: proxy
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
```
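The sidecar above only lists rules. The following manifest is an added example (not from the original notes and not Istio's own manifest) of the pattern described in the "Service Meshes" section: an init container holding NET_ADMIN installs nat rules that redirect the Pod's TCP traffic to the proxy and then exits, the app container runs with no capabilities, and the proxy runs under a fixed uid so that its own traffic is exempt from redirection. The ports 15001 (outbound) and 15006 (inbound) and uid 1337 follow Istio's defaults; the proxy image is a hypothetical placeholder, and the `wget` loop and `example.com` target are constructed for the demo.

```yaml
# Added example, not from the original notes or from any mesh project.
# Assumptions: ports 15001/15006 and uid 1337 (Istio's defaults), a
# hypothetical proxy image, and an app that makes outbound HTTP requests.
apiVersion: v1
kind: Pod
metadata:
  name: app
  labels:
    run: app
spec:
  initContainers:
  # Runs to completion before any app container starts. It is the only
  # container that holds NET_ADMIN; the nat rules it installs belong to the
  # Pod's network namespace and therefore outlive this container.
  - name: proxy-init
    image: ubuntu              # assumption: any image that can provide iptables
    securityContext:
      capabilities:
        add: ["NET_ADMIN"]
    command:
    - sh
    - -c
    - |
      set -e
      apt-get update && apt-get install -y iptables
      # inbound TCP to the Pod -> proxy inbound listener
      iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 15006
      # the proxy's own outbound connections must leave untouched,
      # otherwise they would be redirected back to the proxy in a loop
      iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner 1337 -j RETURN
      # loopback traffic is not part of the mesh
      iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1/32 -j RETURN
      # everything else the app sends -> proxy outbound listener
      iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 15001
      iptables -t nat -L -n -v
  containers:
  # The app is unchanged and unprivileged; it does not know the proxy exists.
  - name: app
    image: bash
    command: ["sh", "-c", "while true; do wget -qO- -T 5 http://example.com >/dev/null && echo ok; sleep 5; done"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
  # The proxy terminates inbound and originates outbound mTLS. It must run as
  # uid 1337 so the RETURN rule above matches its sockets, and it needs to
  # read the original destination of redirected connections (SO_ORIGINAL_DST).
  - name: proxy
    image: registry.example.com/transparent-proxy:dev   # hypothetical placeholder (Istio uses Envoy here)
    securityContext:
      runAsUser: 1337
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    ports:
    - containerPort: 15001
    - containerPort: 15006
```

Two things to check when building this yourself: the app container must not be able to regain NET_ADMIN (drop all capabilities and forbid privilege escalation, otherwise it can flush the rules and bypass the proxy), and anything that reaches the Pod over TCP, including kubelet liveness and readiness probes, now lands on the proxy's inbound port, so the proxy has to forward those correctly.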

At the time of writing, neither mTLS nor service meshes are part of the exam.