Enable Control Plane Security
Kubernetes NetworkPolicies and optionally Istio are used to protect components of the control plane. Specifically, traffic to connectors that run as part of the control plane must be secured. Follow this page to enable control plane security.
Ingress traffic policy
The installation of Fybrik applies a Kubernetes NetworkPolicy resource to the fybrik-system namespace. This resource ensures that ingress traffic to connectors is only allowed from workloads that run in the fybrik-system namespace and thus disallow access to connectors from other namespaces or external parties.
The NetworkPolicy is always created. However, your Kubernetes cluster must have a Network Plugin with NetworkPolicy support. Otherwise, NetworkPolicy resources will have no affect. While most Kubernetes distributions include a network plugin that enfoces network policies, some like Kind do not and require you to install a separate network plugin instead.
Mutual TLS
If Istio is installed in the cluster then you can use automatic mutual TLS to encrypt the traffic to the connectors.
Follow these steps to enable mutual TLS:
-
Ensure that Istio 1.6 or above is installed.
-
Enable Istio sidecar injection in the
fybrik-systemnamespace:- Create Istiokubectl label namespace fybrik-system istio-injection=enabledPeerAuthenticationresource to enable mutual TLS between containers with Istio sidecars:- Create Istiocat << EOF | kubectl apply -f - apiVersion: "security.istio.io/v1beta1" kind: "PeerAuthentication" metadata: name: "premissive-mtls-in-control-plane" namespace: fybrik-system spec: mtls: mode: PERMISSIVE EOFSidecarresource to allow any egress traffic from the control plane containers:- Restart the control plane pods:cat << EOF | kubectl apply -f - apiVersion: networking.istio.io/v1alpha3 kind: Sidecar metadata: name: sidecar-default namespace: fybrik-system spec: egress: - hosts: - "*/*" outboundTrafficPolicy: mode: ALLOW_ANY EOFkubectl delete pod --all -n fybrik-system