mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-06 06:46:26 +01:00
101 lines
3.2 KiB
Plaintext
101 lines
3.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * service_mesh/v2x/ossm-security.adoc
|
|
|
|
[id="ossm-security-mtls_{context}"]
|
|
= Enabling mutual Transport Layer Security (mTLS)
|
|
|
|
Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
|
|
|
|
MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
|
|
|
|
By default, {ProductName} is set to permissive mode, where the sidecars in {ProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {ProductShortName}.
|
|
|
|
[id="ossm-security-enabling-strict-mtls_{context}"]
|
|
== Enabling strict mTLS across the mesh
|
|
|
|
You can quickly enable mTLS across your mesh if your workloads do not communicate with outside services, and communication will not be interrupted by accepting only encrypted connections. Set `spec.security.controlPlane.mtls` to `true` in your `ServiceMeshControlPlane` resource. The operator creates the required resources.
|
|
|
|
[source,yaml]
|
|
----
|
|
kind: ServiceMeshControlPlane
|
|
spec:
|
|
version: v2.0
|
|
security:
|
|
controlPlane:
|
|
mtls: true
|
|
----
|
|
|
|
[id="ossm-security-mtls-sidecars-incoming-services_{context}"]
|
|
=== Configuring sidecars for incoming connections for specific services
|
|
|
|
You can also configure mTLS for individual services or namespaces by creating a policy.
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: security.istio.io/v1beta1
|
|
kind: PeerAuthentication
|
|
metadata:
|
|
name: default
|
|
namespace: <namespace>
|
|
spec:
|
|
mtls:
|
|
mode: STRICT
|
|
----
|
|
|
|
[id="ossm-security-mtls-sidecars-outgoing_{context}"]
|
|
== Configuring sidecars for outgoing connections
|
|
|
|
Create a destination rule to configure {ProductShortName} to use mTLS when sending requests to other services in the mesh.
|
|
|
|
[source,yaml]
|
|
----
|
|
apiVersion: networking.istio.io/v1alpha3
|
|
kind: DestinationRule
|
|
metadata:
|
|
name: default
|
|
namespace: <namespace>
|
|
spec:
|
|
host: "*.<namespace>.svc.cluster.local"
|
|
trafficPolicy:
|
|
tls:
|
|
mode: ISTIO_MUTUAL
|
|
----
|
|
|
|
[id="ossm-security-min-max-tls_{context}"]
|
|
== Setting the minimum and maximum protocol versions
|
|
|
|
If your environment has specific requirements for encrypted traffic in your service mesh, you can control the cryptographic functions that are allowed by setting the `spec.istio.global.tls.minProtocolVersion` or `spec.istio.global.tls.maxProtocolVersion` in your `ServiceMeshControlPlane` resource. Those values, configured in your control plane resource, define the minimum and maximum TLS version used by mesh components when communicating securely over TLS.
|
|
|
|
[source,yaml]
|
|
----
|
|
kind: ServiceMeshControlPlane
|
|
spec:
|
|
istio:
|
|
global:
|
|
tls:
|
|
minProtocolVersion: TLSv1_0
|
|
----
|
|
|
|
The default is `TLS_AUTO` and does not specify a version of TLS.
|
|
|
|
.Valid values
|
|
|===
|
|
|Value|Description
|
|
|
|
|`TLS_AUTO`
|
|
| default
|
|
|
|
|`TLSv1_0`
|
|
|TLS version 1.0
|
|
|
|
|`TLSv1_1`
|
|
|TLS version 1.1
|
|
|
|
|`TLSv1_2`
|
|
|TLS version 1.2
|
|
|
|
|`TLSv1_3`
|
|
|TLS version 1.3
|
|
|===
|