# Enable Control Plane Security

Kubernetes NetworkPolicies and optionally Istio are used to protect components of the control plane. Specifically, traffic to connectors that run as part of the control plane must be secured. Follow this page to enable control plane security.
## Ingress traffic policy

The installation of Mesh for Data applies a Kubernetes `NetworkPolicy` resource to the `m4d-system` namespace. This resource ensures that ingress traffic to connectors is only allowed from workloads that run in the `m4d-system` namespace, and thus disallows access to connectors from other namespaces or external parties.

The `NetworkPolicy` is always created. However, your Kubernetes cluster must have a network plugin with `NetworkPolicy` support. Otherwise, `NetworkPolicy` resources will have no effect. While most Kubernetes distributions include a network plugin that enforces network policies, some, like Kind, do not and require you to install a separate network plugin instead.
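To make the ingress semantics above concrete, here is an added example (not part of Mesh for Data) that evaluates Kubernetes `NetworkPolicy` ingress rules against a constructed policy of the kind the installation applies: the connector pods are selected, and the single rule admits any pod but only from the policy's own namespace. The policy name, the label key `m4d.example/component` and the pod names are assumptions; the manifest actually shipped may differ, and ports and `ipBlock` peers are not modelled.

```python
"""Evaluate which pods may reach a pod under NetworkPolicy ingress rules."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    labels: Dict[str, str] = field(default_factory=dict)


# Constructed policy (assumption: label key and name are illustrative only).
CONNECTOR_INGRESS_POLICY = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "connectors-ingress", "namespace": "m4d-system"},
    "spec": {
        "podSelector": {"matchLabels": {"m4d.example/component": "connector"}},
        "policyTypes": ["Ingress"],
        # Empty podSelector and no namespaceSelector: any pod, but only
        # from the policy's own namespace (m4d-system).
        "ingress": [{"from": [{"podSelector": {}}]}],
    },
}


def labels_match(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every listed key/value must be present;
    an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, policy_ns: str, src: Pod,
                 ns_labels: Dict[str, Dict[str, str]]) -> bool:
    """Does one entry of an ingress rule's `from` list admit the source pod?"""
    ns_sel = peer.get("namespaceSelector")
    pod_sel = peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only or malformed peer: not modelled here
    if ns_sel is None:
        # Without a namespaceSelector the peer is confined to the policy's namespace.
        if src.namespace != policy_ns:
            return False
    elif not labels_match(ns_sel, ns_labels.get(src.namespace, {})):
        return False
    if pod_sel is not None and not labels_match(pod_sel, src.labels):
        return False
    return True


def ingress_allowed(policies: List[dict], dst: Pod, src: Pod,
                    ns_labels: Optional[Dict[str, Dict[str, str]]] = None) -> bool:
    """True if traffic from `src` to `dst` is admitted by the ingress rules."""
    ns_labels = ns_labels or {}
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and labels_match(p["spec"].get("podSelector", {}), dst.labels)
    ]
    if not selecting:
        return True  # no policy selects the pod: Kubernetes allows all ingress
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without `from` admits every source
            if any(peer_matches(peer, dst.namespace, src, ns_labels) for peer in peers):
                return True
    return False  # selected by a policy, but no rule admits this source


def demo() -> Dict[str, bool]:
    """Constructed pods: a connector, a control-plane component, an outsider."""
    connector = Pod("opa-connector", "m4d-system", {"m4d.example/component": "connector"})
    manager = Pod("manager", "m4d-system", {"m4d.example/component": "manager"})
    outsider = Pod("curl", "default")
    unselected = Pod("webhook", "m4d-system", {"m4d.example/component": "webhook"})
    policies = [CONNECTOR_INGRESS_POLICY]
    return {
        "manager_to_connector": ingress_allowed(policies, connector, manager),
        "outsider_to_connector": ingress_allowed(policies, connector, outsider),
        "outsider_to_unselected_pod": ingress_allowed(policies, unselected, outsider),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The third case in `demo()` is the one worth remembering: a pod in `m4d-system` that the policy's `podSelector` does not match stays reachable from anywhere, because Kubernetes only restricts pods that some policy selects. The evaluator also models the cluster-level caveat indirectly: it assumes a network plugin that enforces policies; on a cluster without one, every case returns "allowed".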
## Mutual TLS

If Istio is installed in the cluster then you can use automatic mutual TLS to encrypt the traffic to the connectors.

Follow these steps to enable mutual TLS:

1. Ensure that Istio 1.6 or above is installed.
2. Enable Istio sidecar injection in the `m4d-system` namespace:

    ```bash
    kubectl label namespace m4d-system istio-injection=enabled
    ```

3. Create a `PeerAuthentication` resource to enable mutual TLS between containers with Istio sidecars:

    ```bash
    cat << EOF | kubectl apply -f -
    apiVersion: "security.istio.io/v1beta1"
    kind: "PeerAuthentication"
    metadata:
      name: "permissive-mtls-in-control-plane"
      namespace: m4d-system
    spec:
      mtls:
        mode: PERMISSIVE
    EOF
    ```

    `PERMISSIVE` mode accepts both mutual TLS and plaintext connections: traffic between containers that have a sidecar is encrypted, while workloads without a sidecar can still reach the control plane. `STRICT` mode would reject the plaintext connections.

4. Create a `Sidecar` resource to allow any egress traffic from the control plane containers:

    ```bash
    cat << EOF | kubectl apply -f -
    apiVersion: networking.istio.io/v1alpha3
    kind: Sidecar
    metadata:
      name: sidecar-default
      namespace: m4d-system
    spec:
      egress:
      - hosts:
        - "*/*"
      outboundTrafficPolicy:
        mode: ALLOW_ANY
    EOF
    ```

5. Restart the control plane pods so that the Istio sidecar is injected into them:

    ```bash
    kubectl delete pod --all -n m4d-system
    ```