Uploaded image for project: 'Knative Serving'
  1. Knative Serving
  2. SRVKS-715

Encryption of in-cluster traffic with Service Mesh

XMLWordPrintable

    • Encryption of in-cluster traffic with Service Mesh
    • False
    • False
    • To Do
    • 5% To Do, 0% In Progress, 95% Done
    • Undefined
    • 25

            [SRVKS-715] Encryption of in-cluster traffic with Service Mesh

            Kenjiro Nakayama (Inactive) added a comment -

            Release Note:

            New features
            mTLS for OpenShift Serverless moves to GA. Please also refer to the section Integrating Service Mesh with OpenShift Serverless natively

            Kenjiro Nakayama (Inactive) added a comment - Release Note: New features mTLS for OpenShift Serverless moves to GA. Please also refer to the section Integrating Service Mesh with OpenShift Serverless natively

            Kenjiro Nakayama (Inactive) added a comment -

            Although OSSM-458 has a workaround, it sometimes happens on OpenShift.
             

            Kenjiro Nakayama (Inactive) added a comment - Although  OSSM-458 has a workaround, it sometimes happens on OpenShift.  

            Kenjiro Nakayama (Inactive) added a comment - - edited

            Yes, that's correct. We are trying #2 now. (Ah! I noticed a typo in above comment. Updated.)

            Kenjiro Nakayama (Inactive) added a comment - - edited Yes, that's correct. We are trying #2 now. (Ah! I noticed a typo in above comment. Updated.)

            Markus Thömmes (Inactive) added a comment -

            To clarify, we're trying #2, right?

            Markus Thömmes (Inactive) added a comment - To clarify, we're trying #2, right?

            Kenjiro Nakayama (Inactive) added a comment - - edited

            As talked with Markus on slack, we have 3 different routes to get encrypted traffic to fly:

            1. Unblock everything that's blocking it from working with today's Kourier gateway and net-kourier
            2. Support net-istio again and essentially rely on upstream's way of setting things up (beware of the dragons with ServiceMesh and net-istio tho)
            3. Teach the Knative data-plane to speak TLS natively

            We tried #1 but mTLS strict mode is not possible for prober traffic and even permissive mode failed to verify by SRVKS-722

            So now, we are trying #2. It has a critical blocker OSSM-449 in ServiceMesh but otherwise it looks good so far.
             

            Kenjiro Nakayama (Inactive) added a comment - - edited As talked with Markus on slack, we have 3 different routes to get encrypted traffic to fly: Unblock everything that's blocking it from working with today's Kourier gateway and net-kourier Support net-istio again and essentially rely on upstream's way of setting things up (beware of the dragons with ServiceMesh and net-istio tho) Teach the Knative data-plane to speak TLS natively We tried #1 but mTLS strict mode is not possible for prober traffic and even permissive mode failed to verify by  SRVKS-722 So now, we are trying #2. It has a critical blocker OSSM-449  in ServiceMesh but otherwise it looks good so far.  

            Kenjiro Nakayama (Inactive) added a comment -

            Quick note from slack chat:

            • It is difficult to enable mTLS STRICT mode.
              • The reason is that Kourier Control sends probe requests to each service.
              • The probe request is something like curl -H "Host: hello.myns.svc" ${KOURIER_GW_POD_IP}:${KOURIER_GW_POD_PORT}.
              • service filter chain handles the request based on the Host header (=hello.myns.svc) but it does not match port (=KOURIER_GW_POD_PORT).
            • So we use mTLS PERMISSIVE mode with the following conditions:
              • Verify traffic uses TLS even PERMISSIVE mode.
              • Use the minimum permissive configuration.

            Kenjiro Nakayama (Inactive) added a comment - Quick note from slack chat: It is difficult to enable mTLS STRICT mode. The reason is that Kourier Control sends probe requests to each service. The probe request is something like curl -H "Host: hello.myns.svc" ${KOURIER_GW_POD_IP}:${KOURIER_GW_POD_PORT} . service filter chain handles the request based on the Host header (=hello.myns.svc) but it does not match port (=KOURIER_GW_POD_PORT). So we use mTLS PERMISSIVE mode with the following conditions: Verify traffic uses TLS even PERMISSIVE mode. Use the minimum permissive configuration.

              rhn-support-knakayam Kenjiro Nakayama (Inactive)
              markusthoemmes Markus Thömmes (Inactive)
              Markus Thömmes (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: