mTLS between services in K8S
Asked by Revital Eres, 1k views

I would like to enable mTLS between services in one K8S namespace. I wonder if I can do it without using a service mesh? I considered cert-manager, but all the examples I've seen involved an Ingress resource, which I do not need as my services are not exposed outside of the cluster. Thanks
There are 2 best solutions below
Answer by orisho:
You need something like SPIRE together with SPIRE integration operator. Together, they can create mTLS keys and certificates for use within a cluster, where the only configuration you need is pod annotations. The mTLS keypairs are provided as secrets, which you mount into your pods. SPIRE & the operator automatically handle keypair and CA rotation and update the Secrets accordingly.
Answer:
Using a service mesh like Istio or Linkerd is currently the only general solution for this.
It should be possible to do this using a library for your app as well; the library typically would need to support certificate management. Service meshes typically use EnvoyProxy as a sidecar, which has implemented novel "control plane" APIs for management, called xDS protocols - this is something that your library typically would need to implement. In addition, you need a control plane interface to manage services.
A drawback with doing this in a library is that it will be language-dependent. But the pro is that it will be more performant.
Google has recently taken this route with Traffic Director - proxyless service mesh.
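As an added example (not code from either answer or from the SPIRE project), here is what the library-level approach from the second answer can look like on top of keypairs delivered the way the first answer describes: a Python server that rebuilds its TLS context from the mounted Secret on each connection so rotation takes effect without a restart, requires a client certificate that chains to the mounted CA, and then only admits callers whose SPIFFE ID lies in its own namespace. The mount path /run/spire/certs, the file names tls.crt/tls.key/ca.crt, the trust domain example.org and the SPIFFE ID layout spiffe://<trust-domain>/ns/<namespace>/sa/<service-account> are assumptions, not details from the thread.

```python
"""Library-level mTLS for a pod that mounts an issuer-managed Secret. Assumed
(not from the thread): tls.crt/tls.key are this workload's keypair, ca.crt the
trust bundle, and peers carry a SPIFFE URI SAN spiffe://<td>/ns/<ns>/sa/<sa>."""
import os
import socket
import ssl


def peer_spiffe_id(peercert: dict, id_prefix: str):
    """Return the peer's SPIFFE ID if it sits under id_prefix, else None. peercert is
    the getpeercert() dict of a chain ssl has already verified against ca.crt."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "URI" and value.startswith(id_prefix):
            return value
    return None


def server_context(cert_dir: str) -> ssl.SSLContext:
    """Build a server context that demands a client cert chaining to ca.crt.
    Called per connection so a rotated Secret is picked up without a restart."""
    path = lambda name: os.path.join(cert_dir, name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual: the client must present a cert
    ctx.load_cert_chain(path("tls.crt"), path("tls.key"))
    ctx.load_verify_locations(path("ca.crt"))
    return ctx


def serve(cert_dir: str, id_prefix: str, port: int = 8443) -> None:
    """Accept loop: every peer must chain to ca.crt and belong to our namespace."""
    with socket.create_server(("", port)) as listener:
        while True:
            raw, _ = listener.accept()
            try:
                with server_context(cert_dir).wrap_socket(raw, server_side=True) as conn:
                    peer = peer_spiffe_id(conn.getpeercert(), id_prefix)
                    if peer is None:
                        raise ssl.CertificateError(f"peer is not under {id_prefix}")
                    conn.sendall(f"hello {peer}\n".encode())
            except (ssl.SSLError, OSError) as exc:  # handshake, CA or namespace failure
                print("rejected:", exc)


if __name__ == "__main__":  # mount path and trust domain are assumptions
    serve("/run/spire/certs", "spiffe://example.org/ns/myns/sa/")
```

The namespace check runs only after the ssl module has verified the chain against ca.crt, so a certificate from another trust domain never reaches it; for the client side, the same three files go into a PROTOCOL_TLS_CLIENT context with load_cert_chain and load_verify_locations.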