- Story
- Resolution: Obsolete
- Major
- None
- OSSM 2.1.0
- False
- False
- Undefined
Service Mesh users frequently have questions about how to secure their applications when using Service Mesh. This is a topic that crosses multiple areas of OpenShift, Kubernetes and Service Mesh.
This guide should start once the mesh is created, and should cover:
- Adding project(s) to the Service Mesh Member role (https://issues.redhat.com/browse/OSSMDOC-215)
- Discuss implication for Kubernetes NetworkPolicy
- RBAC to control who can modify Service Mesh resources (https://issues.redhat.com/browse/OSSMDOC-200)
- Deploying a simple example app (bookinfo? - https://issues.redhat.com/browse/OSSMDOC-215)
- Setting up mTLS between services (already done for the control plane - https://docs.openshift.com/container-platform/4.6/service_mesh/v2x/ossm-security.html#ossm-security-mtls_ossm-security) https://issues.redhat.com/browse/OSSMDOC-203
- Other areas of interest / recommendations for securing microservices when using a service mesh (discuss with engineering team).
Related customer questions:
- How do you secure the control plane? How do you control who is allowed to add projects to a given member roll?
- How do you enforce "zero trust networking"? (admittedly, this has multiple meanings, but we can give guidance)
- How do you restrict namespaces from communicating?
- How do you restrict services from communicating?
This internal document provides a potential outline, though it needs to be updated and reviewed:
https://docs.google.com/document/d/1YsyoZn9gxRP8P3Vwm5-SGxQ1XV9JuGApzgDADiK86KQ/edit?usp=sharing
QE POC: yuaxu@redhat.com