I would like to enable mTLS between services in one K8S namespace. I wonder if I can do it without using service mesh? I considered cert-manager but all the examples I've seen involved Ingress resource which I do not need as my services are not exposed outside of the cluster.Thanks
mTLS between services in K8S
1k Views Asked by Revital Eres At
2
There are 2 best solutions below
0
On
You need something like SPIRE together with SPIRE integration operator. Together, they can create mTLS keys and certificates for use within a cluster, where the only configuration you need is pod annotations. The mTLS keypairs are provided as secrets, which you mount into your pods. SPIRE & the operator automatically handle keypair and CA rotation and update the Secrets accordingly.
Using Service Mesh like Istio or Linkerd for this is currently the only general solution for this.
It should be possible to do this using a library for you app as well, the library typically would need to support certificate management. Service Meshes typically use EnvoyProxy as a sidecar, it has implemented novel "control plane" APIs for management, called xDS protocols - this is something that your library typically would need to implement. In addition you need a control plane interface to manage services.
A drawback with doing this in a library is that it will be language-dependent. But the pro is that it will be better performant.
Google has recently taking this route with Traffic Director - proxyless service mesh