Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable mTLS in the service-mesh #3320

Closed
piotrmsc opened this issue Mar 25, 2019 · 1 comment
Closed

Enable mTLS in the service-mesh #3320

piotrmsc opened this issue Mar 25, 2019 · 1 comment
Assignees
@strekm @kubadz @jakkab @kfurgol
Labels
area/security Issues or PRs related to security area/service-mesh Issues or PRs related to service-mesh

Comments

@piotrmsc
Copy link

Description

Enable mTLS globally (mesh-wide) and if necessary support component owners with creating rules disabling mTLS for their component. If disabling is required then it has to be first double checked that it really need plain text communication + mentioned here.
To enable mTLS in eventing enable sidecar in natss-streaming first.
Remember to update our documentation for istio installation as well.

Reasons
Containers that run on a Kyma cluster communicate with each other over plain network connections. Channel security is generally not being enforced.

While containers are deployed with an istio envoy sidecar, istio mTLS is not enabled.

Attachments
@piotrmsc piotrmsc added area/security Issues or PRs related to security area/service-mesh Issues or PRs related to service-mesh labels Mar 25, 2019
@piotrmsc piotrmsc added this to the Sprint_Goat_9 milestone Mar 25, 2019
@kubadz kubadz self-assigned this Mar 25, 2019
@jakkab jakkab self-assigned this Mar 26, 2019
@piotrmsc
Copy link
Author

piotrmsc commented Mar 27, 2019
edited
Loading

There is a problem with nats-streaming when it has sidecar injected and event-bus-publish/subscribe pods have sidecar as well. When the client tries to connect sing nats protocol it has i/o timeout. Istio does not support nats protocol, however, nats documentation mentions it's a plain text format.
What I have managed to achieve is a successful telnet connection from pod with sidecar to nats-streaming and doing simple hello pub/sub flow.
There are 2 issues reflecting the same problem

I'm still investigating.

@strekm strekm self-assigned this Mar 27, 2019
@kfurgol kfurgol self-assigned this Mar 27, 2019
@strekm strekm modified the milestones: Sprint_Goat_9, Sprint_Goat_10 Apr 8, 2019
This was referenced Apr 9, 2019
Merged
Merged
@montaro montaro mentioned this issue Apr 9, 2019
Closed
3 tasks
This was referenced Apr 10, 2019
Merged
Closed
@kubadz kubadz mentioned this issue Apr 10, 2019
Merged
@jakkab jakkab mentioned this issue Apr 11, 2019
Closed
@kfurgol kfurgol mentioned this issue Apr 12, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@strekm strekm

@kubadz kubadz

@jakkab jakkab

@kfurgol kfurgol

Labels
area/security Issues or PRs related to security area/service-mesh Issues or PRs related to service-mesh
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@strekm @piotrmsc @kubadz @jakkab @kfurgol