Enabling Mutual TLS with Aspen Mesh

Difficulty: Beginner

Estimated Time: 60 minutes

In this scenario you will how to apply Mutual TLS (mTLS) security to your Kubernetes cluster using Aspen Mesh.

Prerequisites:

Understanding of deploying Aspen Mesh onto Kubernetes

You will learn:

How to enable mTLS by default
How to disable mTLS for a Service
How to disable mTLS for a Consumer

Congratulations, you have successfully managed mTLS using Aspen Mesh on Kubernetes cluster.

You learned:

How to enable mTLS by default
How to disable mTLS for a Service
How to disable mTLS for a Consumer

Try Aspen Mesh on your Kubernetes cluster with bash <(curl -Ls https://aspenmesh.io/install)

Your environment is currently being packaged as a Docker container and the download will begin shortly. To run the image locally, once Docker has been installed, use the commands

cat scrapbook_aspenmesh_enabling-mutual-tls-with-aspenmesh_container.tar | docker load

docker run -it /aspenmesh_enabling-mutual-tls-with-aspenmesh:

Restart Scenario

Next Scenario

Step 1 of 5

Deploy Aspen Mesh

The first step is to login to the Aspen Mesh dashboard at https://my.aspenmesh.io/. We have already created a temporary account for you. The credentials will be visible in your terminal window.

Task: Deploy Aspen Mesh

To connect Aspen Mesh to the Kubernetes cluster provided, you need to run an installation script. We have downloaded it for you already. You can start it with /opt/install.sh

The script will prompt you for your allocated email address and your chosen password. It will also ask you where to deploy the assets. For now, accept the defaults. The Aspen Mesh installation script will then deploy the required components.

After the script has finished, Istio and the Aspen Mesh Agent will be deployed to the cluster.

View the pods with:

kubectl get pods -n istio-system

Step 2 - Deploying mTLS

Aspen Mesh deployments have Mutual TLS (mTLS) enabled by default! This means all the traffic between services within the cluster is encrypted and secure based on TLS.

You can verify this by going to https://my.aspenmesh.com and viewing the state of the cluster.

You can also verify this from the CLI.

curl -L https://git.io/getLatestIstio | sh -
cd istio-*
sudo mv -v bin/istioctl /usr/local/bin/
cd ~

Deploy the following demo application to the cluster:

kubectl apply -f <(istioctl kube-inject -f tls-demo.yaml)

Istio automatically installs necessary keys and certificates for mutual TLS authentication in all sidecar containers. Once the Pod is running, run command below to confirm key and certificate files exist under /etc/certs:

kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- ls /etc/certs

You can also use tls-check to ensure that a Pod-to-Pod communication has TLS. In this case, we are checking that a client is accessing HTTPBin URL running in a separate Pod over TLS.

SLEEP_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
istioctl authn tls-check ${SLEEP_POD} httpbin.default.svc.cluster.local

Step 3 - Disabling mTLS

While Aspen Mesh recommends you configure to have mTLS enabled by default, it is possible to disable it for certain situations.

To disable mTLS on a service or port of a service, you will need to create or modify an authentication policy for that service, and also create or modify a DestinationRule.

As example, let’s disable mTLS on port 1234 for the “example “service in the “default” namespace.

First, create the following authentication policy to disable mTLS on that port. Note that it specifies the service name and port in the target. It doesn’t include a peers section, which disables mTLS.

cat <<EOF | istioctl create -f -
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
    name: disable-tls-httpbin-8000
    namespace: default
spec:
    targets:
    - name: httpbin
      ports:
      - number: 8000
EOF

If the target ports are omitted, then this policy will disable mTLS on all ports for the service.

Step 4 - Remove TLS from Consumer Calls

The previous step disabled mTLS configuration for the service. However, consumers of the service within the cluster will still be expecting TLS to be required. As a result, if you send a HTTPS response then it will fail.

kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl https://httpbin:8000/headers -o /dev/null -s -w '%{http_code}\n'

This will error with code 35 relating to TLS. This is what the current consumers of the service will be experiencing.

To fix the error, TLS needs to be disabled for the consumers of the service. This is done by modifying the DestinationRule for the host.

To do that, create the following DestinationRule. Note that the default policy leaves mTLS enabled by specifying ISTIO_MUTUAL, and disables TLS only on port 8000.

cat <<EOF | istioctl create -f -
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata:
    name: "example-dst-rule"
    namespace: default
spec:
    host: httpbin.default.svc.cluster.local
    trafficPolicy:
        tls:
            mode: ISTIO_MUTUAL
        portLevelSettings:
        - port:
            number: 8000
          tls:
            mode: DISABLE
EOF

Now, consumers of the client will not use TLS for communication.

kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name}) -c istio-proxy -- curl http://httpbin:8000/headers -o /dev/null -s -w '%{http_code}\n'

Terminal

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Enabling Mutual TLS with Aspen Mesh

Congratulations!

You've completed the scenario!

Scenario Rating

Steps