Enable Control Plane Security

Kubernetes NetworkPolicies and optionally Istio are used to protect components of the control plane. Specifically, traffic to connectors that run as part of the control plane must be secured. Follow this page to enable control plane security.

Ingress traffic policy

The installation of Fybrik applies a Kubernetes NetworkPolicy resource to the fybrik-system namespace. This resource ensures that ingress traffic to connectors is only allowed from workloads that run in the fybrik-system namespace, and thus disallows access to connectors from other namespaces or external parties.

The NetworkPolicy is always created. However, your Kubernetes cluster must have a Network Plugin with NetworkPolicy support. Otherwise, NetworkPolicy resources will have no effect. While most Kubernetes distributions include a network plugin that enforces network policies, some, like Kind, do not and require you to install a separate network plugin instead.
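
To review whether the policies in fybrik-system admit only same-namespace ingress as described above, the following added example (not Fybrik's own code) audits NetworkPolicy JSON for peers that reach beyond the namespace. The sample input is constructed and the function names are hypothetical; the check covers policy content only and says nothing about whether the network plugin enforces it.

```python
import json
import sys

# Constructed sample shaped like `kubectl get networkpolicy -n fybrik-system -o json`;
# the policy names and rules are illustrative and are not Fybrik's actual resource.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "same-namespace-only"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"podSelector": {}}]}]}},
 {"metadata": {"name": "too-open"},
  "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
           "ingress": [{"from": [{"namespaceSelector": {}}]},
                       {"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]},
                       {"ports": [{"port": 8080}]}]}}
]}
""")


def audit_policy(policy):
    """List the ways one NetworkPolicy admits ingress from outside its namespace."""
    spec = policy.get("spec", {})
    # When policyTypes is omitted, Kubernetes always treats the policy as Ingress.
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return ["policy does not restrict ingress"]
    findings = []
    # An empty or missing ingress list allows nothing, so it yields no findings.
    for i, rule in enumerate(spec.get("ingress") or []):
        peers = rule.get("from")
        if not peers:  # no 'from' means every source is allowed
            findings.append(f"rule {i}: no 'from' peers, all sources allowed")
            continue
        for peer in peers:
            if "ipBlock" in peer:  # CIDR peers are outside the namespace model
                findings.append(f"rule {i}: ipBlock {peer['ipBlock'].get('cidr')}")
            elif "namespaceSelector" in peer:  # can match other namespaces
                findings.append(f"rule {i}: namespaceSelector peer")
            # a peer with only podSelector matches pods in the policy's namespace
    return findings


def audit(policy_list):
    """Map each policy name to its findings; policies are additive, so check all."""
    return {p["metadata"]["name"]: audit_policy(p) for p in policy_list["items"]}


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, findings in audit(data).items():
        print(name, findings or "same-namespace ingress only")
```

Save the output of the kubectl command named in the comment to a file and pass its path as the first argument to audit a live namespace.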

Mutual TLS

If Istio is installed in the cluster, you can use automatic mutual TLS to encrypt the traffic to the connectors.

Follow these steps to enable mutual TLS:

  • Ensure that Istio 1.6 or above is installed.

  • Enable Istio sidecar injection in the fybrik-system namespace:

    kubectl label namespace fybrik-system istio-injection=enabled

  • Create Istio PeerAuthentication resource to enable mutual TLS between containers with Istio sidecars:

    cat << EOF | kubectl apply -f -
    apiVersion: "security.istio.io/v1beta1"
    kind: "PeerAuthentication"
    metadata:
      name: "premissive-mtls-in-control-plane"
      namespace: fybrik-system
    spec:
      mtls:
        mode: PERMISSIVE
    EOF

  • Create Istio Sidecar resource to allow any egress traffic from the control plane containers:

    cat << EOF | kubectl apply -f -
    apiVersion: networking.istio.io/v1alpha3
    kind: Sidecar
    metadata:
      name: sidecar-default
      namespace: fybrik-system
    spec:
      egress:
      - hosts:
        - "*/*"
      outboundTrafficPolicy:
        mode: ALLOW_ANY
    EOF

  • Restart the control plane pods:

    kubectl delete pod --all -n fybrik-system