
Part 3: Enforce strict mTLS

What Will You Do

In this part of the self-paced exercise, you will enable strict mTLS for a namespace and visualize the traffic in the Service Mesh dashboard.

Recap

You have set up service mesh in your cluster via a blueprint and injected sidecars into the foo and bar namespaces. You have deployed the test application in the foo, bar and legacy namespaces.

Below is how the service mesh visualization appears after those steps (with the Security option enabled via the Display dropdown in the dashboard).

Before

The visualization shows lock icons on the edges between foo and bar. This is because we enabled sidecars on these namespaces, and Istio installs mTLS in permissive mode by default, i.e., sidecar-injected namespaces use mutual TLS wherever possible but still accept unencrypted connections.

The legacy namespace and the sleep application running in it are represented as unknown because we did not enable sidecar injection for the legacy namespace. For the same reason (no sidecar, so no mTLS), the legacy namespace communicates with the foo and bar namespaces in plaintext.

Enable strict mTLS for bar namespace

  • Navigate to the Namespaces page
  • Select the Configuration tab
  • Select Service Mesh policies
  • Under Policy click on Add Policy
  • Select enable-strict-mtls from the dropdown. This is a pre-canned policy (available out of the box)
  • Click Save and Go to Placement
  • Select the cluster
  • Click Save & Go to Publish
  • Click Republish

Enable Strict mTLS policy

The below spec enables strict mTLS for the bar namespace. enable-strict-mtls is a pre-canned policy (available out of the box).

Important

Replace the project and cluster details as appropriate.

apiVersion: infra.k8smgmt.io/v3
kind: Namespace
metadata:
  name: bar
  project: demo-service-mesh
spec:
  namespaceMeshPolicyParams:
    meshEnabled: true
    policies:
    - name: enable-strict-mtls
  placement:
    labels:
    - key: rafay.dev/clusterName
      value: demo-service-mesh

Save the spec as bar_namespace_mesh_policy.yaml and run the below command for the policy to take effect for the bar namespace.

./rctl apply -f bar_namespace_mesh_policy.yaml

Visualize enforcement of mTLS for bar namespace

Since we enabled strict mTLS for the bar namespace, the legacy namespace, which does not have sidecar injection enabled, can no longer communicate with the bar namespace. It can still communicate with the foo namespace, because foo is still in permissive mTLS mode (the default).

After
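To make the permissive-versus-strict behaviour described above concrete, here is an added example (not part of the original exercise or of Rafay's tooling) that models the three namespaces from this series and classifies each edge as mTLS, plaintext or blocked. It assumes that the pre-canned enable-strict-mtls policy amounts to a namespace-wide Istio PeerAuthentication with mode STRICT; that mapping is an assumption, since the page does not show the resource the policy applies. The namespace names and sidecar settings are taken from the page; the helper names are invented for the example.

```python
from dataclasses import dataclass

# mTLS modes as Istio's PeerAuthentication defines them.
PERMISSIVE = "PERMISSIVE"  # sidecar accepts both mTLS and plaintext (Istio default)
STRICT = "STRICT"          # sidecar accepts mTLS only


@dataclass
class Namespace:
    name: str
    sidecar_injected: bool
    mtls_mode: str = PERMISSIVE  # only meaningful when a sidecar is present


def peer_authentication_manifest(namespace: str, mode: str) -> str:
    """Istio-native PeerAuthentication for a namespace-wide mTLS mode.

    Assumption: this is what a strict-mTLS namespace policy amounts to in
    Istio terms; the exact resource the pre-canned Rafay policy applies is
    not shown on the page.
    """
    return (
        "apiVersion: security.istio.io/v1beta1\n"
        "kind: PeerAuthentication\n"
        "metadata:\n"
        "  name: default\n"
        f"  namespace: {namespace}\n"
        "spec:\n"
        "  mtls:\n"
        f"    mode: {mode}\n"
    )


def classify_edge(src: Namespace, dst: Namespace) -> str:
    """Return 'mtls', 'plaintext' or 'blocked' for a request from src to dst."""
    if src.sidecar_injected and dst.sidecar_injected:
        # Both sides have a sidecar, so the connection is upgraded to mTLS
        # regardless of the destination's mode.
        return "mtls"
    if not dst.sidecar_injected:
        # No receiving sidecar, so nothing enforces encryption on this hop.
        return "plaintext"
    # Destination has a sidecar but the caller sends plaintext: accepted only
    # while the destination is permissive, rejected once it is strict.
    return "plaintext" if dst.mtls_mode == PERMISSIVE else "blocked"


def scenario(bar_mode: str) -> dict:
    """Edges between the page's foo, bar and legacy namespaces for a given bar mode."""
    foo = Namespace("foo", sidecar_injected=True)            # permissive (default)
    bar = Namespace("bar", sidecar_injected=True, mtls_mode=bar_mode)
    legacy = Namespace("legacy", sidecar_injected=False)     # no sidecar
    namespaces = (foo, bar, legacy)
    return {
        f"{s.name}->{d.name}": classify_edge(s, d)
        for s in namespaces
        for d in namespaces
        if s is not d
    }


if __name__ == "__main__":
    print(peer_authentication_manifest("bar", STRICT))
    for label, mode in (("Before", PERMISSIVE), ("After", STRICT)):
        print(f"{label} (bar={mode}):")
        for edge, result in scenario(mode).items():
            print(f"  {edge}: {result}")
```

Running the script prints the edge table twice: with bar permissive, legacy->bar is plaintext (the "Before" picture); with bar strict, legacy->bar becomes blocked while legacy->foo stays plaintext and foo->bar stays mTLS, which is exactly the change the dashboard shows after the policy is published.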

Recap

Congratulations! In this 3 part series, you have successfully:

  1. Installed Istio on a cluster
  2. Injected sidecars to specific namespaces and visualized service mesh flows
  3. Enabled strict mTLS mode for a namespace to prevent insecure communication