apiVersion: maistra.io/v1
kind: ServiceMeshControlPlane
spec:
istio:
global:
mtls:
enabled: true- Documentation
- OpenShift Container Platform
- Service Mesh
- Service Mesh user guide
- Security history
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- Release notes
- Architecture
- Installing
- Installing on AWS
- Configuring an AWS account
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
- Installing on Azure
- Installing on GCP
- Installing on bare metal
- Installing on IBM Z and LinuxONE
- Installing on OpenStack
- Installing on vSphere
- Gathering installation logs
- Installation configuration
- Installing on AWS
- Updating clusters
- Support
- Web console
- Authentication
- Understanding authentication
- Configuring the internal OAuth server
- Understanding identity provider configuration
- Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Configuring certificates
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Managing Security Context Constraints
- Impersonating the system:admin user
- Syncing LDAP groups
- Allowing JavaScript-based access to the API server from additional hosts
- Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator (CNO)
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Configuring network policy
- Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a macvlan network
- Configuring an ipvlan network
- Configuring a host-device network
- Configuring SR-IOV
- Editing an additional network
- Removing an additional network
- OpenShift SDN
- Configuring Routes
- Configuring ingress cluster traffic
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Storage
- Understanding persistent storage
- Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Container Storage Interface (CSI)
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Persistent storage using volume snapshots
- Expanding persistent volumes
- Dynamic provisioning
- Registry
- Operators
- Understanding Operators
- Understanding the Operator Lifecycle Manager (OLM)
- Understanding the OperatorHub
- Adding Operators to a cluster
- Deleting Operators from a cluster
- Creating applications from installed Operators
- Viewing Operator status
- Creating policy for Operator installations and upgrades
- Configuring OLM for restricted networks
- CRDs
- Operator SDK
- Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Images
- Applications
- Machine management
- Nodes
- Working with pods
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Using Jobs and DaemonSets
- Working with nodes
- Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Logging
- About cluster logging
- About deploying cluster logging
- Deploying cluster logging
- Upgrading cluster logging
- Deploying and Configuring the Event Router
- Viewing cluster logs
- Viewing cluster logs using Kibana
- Configuring your cluster logging deployment
- About configuring cluster logging
- Changing cluster logging management state
- Configuring cluster logging
- Configuring Elasticsearch
- Configuring Kibana
- Configuring Curator
- Configuring the logging collector
- Using tolerations to control cluster logging pod placement
- Sending logs to external devices
- Configuring systemd-journald for cluster logging
- Viewing Elasticsearch status
- Viewing cluster logging status
- Moving the cluster logging resources with node selectors
- Manually rolling out Elasticsearch
- Troubleshooting Kibana
- Exported fields
- Uninstalling cluster logging
- Monitoring
- Metering
- Scalability and performance
- Backup and restore
- Migration
- Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Cluster Application Migration tool
- Configuring a replication repository
- Migrating applications with the CAM web console
- Migrating control plane settings with the Control Plane Migration Assistant
- Troubleshooting
- Migrating from OpenShift Container Platform 4.1
- Migrating from Openshift Container Platform 4.2
- Migrating from OpenShift Container Platform 3
- CLI tools
- OpenShift CLI (oc)
- OpenShift Do developer CLI (odo)
- Understanding odo
- odo architecture
- Installing odo
- Using odo in a restricted environment
- Creating a single-component application with odo
- Creating a multicomponent application with odo
- Creating an application with a database
- Using sample applications
- Managing environment variables in odo
- Configuring the odo CLI
- odo CLI reference
- odo release notes
- Service Mesh
- Container-native virtualization
- Container-native virtualization installation
- Container-native virtualization user's guide
- Creating virtual machines
- TLS certificates for DataVolume imports
- Importing virtual machine images with DataVolumes
- Editing virtual machines
- Deleting virtual machines
- Controlling virtual machines states
- Accessing virtual machine consoles
- Using the CLI tools
- Automating management tasks
- Using the default Pod network with container-native virtualization
- Attaching a virtual machine to multiple networks
- Installing the QEMU guest agent on virtual machines
- Viewing the IP address of vNICs on a virtual machine
- Configuring PXE booting for virtual machines
- Managing guest memory
- Creating virtual machine templates
- Editing a virtual machine template
- Deleting a virtual machine template
- Cloning a virtual machine disk into a new DataVolume
- Cloning a virtual machine by using a DataVolumeTemplate
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage DataVolume
- Expanding virtual storage by adding blank disk images
- Preparing CDI scratch space
- Importing virtual machine images to block storage with DataVolumes
- Cloning a virtual machine disk into a new block storage DataVolume
- Virtual machine live migration
- Live migration limits and timeouts
- Migrating a virtual machine instance to another node
- Monitoring live migration of a virtual machine instance
- Cancelling the live migration of a virtual machine instance
- Configuring virtual machine eviction strategy
- Node maintenance mode
- Setting a node to maintenance mode
- Resuming a node from maintenance mode
- Manually refreshing TLS certificates
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Viewing logs
- Viewing cluster information
- OpenShift cluster monitoring, logging, and Telemetry
- Collecting container-native virtualization data for Red Hat Support
- Container-native virtualization 2.1 release notes
- Serverless applications
- Getting started with OpenShift Serverless
- OpenShift Serverless product architecture
- Installing OpenShift Serverless
- Getting started with Knative services
- Monitoring OpenShift Serverless components
- Using metering with OpenShift Serverless
- Cluster logging with OpenShift Serverless
- Configuring Knative Serving autoscaling
- Getting started with Knative Client
- Release Notes
×
Customizing security in a Service Mesh
Table of Contents
If your service mesh application is constructed with a complex array of microservices, you can use Red Hat OpenShift Service Mesh to customize the security of the communication between those services. The infrastructure of OpenShift Container Platform along with the traffic management features of Service Mesh can help you manage the complexity of your applications and provide service and identity security for microservices.
Enabling mutual Transport Layer Security (mTLS)
Mutual Transport Layer Security (mTLS) is a protocol where two parties authenticate each other at the same time. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS).
MTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies.
By default, Red Hat OpenShift Service Mesh is set to permissive mode, where the sidecars in Service Mesh accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to Service Mesh.
Enabling strict mTLS across the mesh
If your workloads do not communicate with services outside your mesh and communication will not be interrupted by only accepting encrypted connections, you can enable mTLS across your mesh quickly. Set spec.istio.global.mtls.enabled to true in your ServiceMeshControlPlane resource. The operator creates the required resources.
Configuring sidecars for outgoing connections
Create a destination rule to configure Service Mesh to use mTLS when sending requests to other services in the mesh.
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
name: "default"
namespace: <CONTROL_PLANE_NAMESPACE>
spec:
host: "*.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL