This document discusses using a service mesh to implement zero trust security in Kubernetes environments. It begins by explaining what problems a service mesh addresses in Kubernetes networking and then discusses how a service mesh can provide network policies, mutual TLS encryption between services, role-based access control, and other features to enforce zero trust principles. The document emphasizes that a service mesh allows fine-grained control of inter-service traffic and centralized management of microservices connections in a way that supports strong authentication of identities and authorization of access.
Reg numbers as of 6/2
AMER: 145
APCJ: 158
EMEA: 138
Introduce yourself (no need to read the session takeaways)
Talk about the challenges around K8s networking
Identify where a mesh fits into your traffic management strategy (L7)
Provide overview of service mesh
Click 1: displays L7 Logic (Ingress) with arrow pointing to Ingress box
When traffic enters the cluster via the Ingress controller, it’s managed at the L7
Click 2: displays L3-L3 Networking with arrows pointing to N/S arrows between Ingress-service and service-pod
When traffic passes from the Ingress controller to service and from the service to the pods, it’s only L3-L4.
This can be ok if your app is simple and you don’t have a requirement for end-to-end encryption
Click 3: displays L3-L7 Network Management == Service Mesh with blue circle
Addition of a service mesh gives you the ability to manage traffic within Kubernetes at the L7 level
We’re not here to scare you away from trying a service mesh!
We want to make sure you have a good experience and can get the most out of the technology
We developed this readiness checklist because we were seeing people trying to adopt service mesh before they were ready, and it was causing complexity and headaches.
The more “yeses”, the more likely you’re going to get value from a service mesh
Links to paste into the chat for references:
https://www.nginx.com/resources/datasheets/nginx-service-mesh/
https://www.nginx.com/blog/how-to-choose-a-service-mesh/
#1: You are fully invested in Kubernetes for your production environment.Whether you’ve already moved production apps into Kubernetes or you’re just starting to test app migration to container workloads, your long‑term application management roadmap includes Kubernetes.
#2: You require a zero‑trust production environment and need mutual TLS (mTLS) between services.You either already rely on a zero‑trust model for your production apps and need to maintain that level of security in your containerized environment, or you’re using the migration as a forcing function to increase your service‑level security.
#3: Your app is complex in both number and depth of services.You have a large, distributed app. It has multiple API dependencies and most likely requires external dependencies.
#4: You have a mature, production CI/CD pipeline.“Mature” depends on your organization. We apply the term to procedures that programmatically deploy Kubernetes infrastructure and apps, likely using tools including Git, Jenkins, Artifactory, or Selenium.
#5: You are deploying frequently to production – at least once per day.This is where we find most people answer “no” – although they’ve moved apps into production Kubernetes, they aren’t yet using Kubernetes for the dream goal of constant revisions.
It is important to ask: How often do you rollout changes?
#6: Your DevOps team is ready to rock and start using the right tools for ultra‑modern app deployment!
Even if the service mesh is going to be owned by your NetOps team, administration is often handled within the cluster by DevOps teams and they need to be ready to handle the addition of a mesh to their stack.
Now that you’ve determine you’re ready for a mesh,
Step 1: Why are you looking for a service mesh?In other words, what problems do you need the service mesh to solve?
For example, your organization might mandate mTLS between services or you need end-to-end encryption, including both from the edge in (for ingress traffic) and from within the mesh (for egress traffic). Or perhaps you need enterprise‑grade traffic management tools for your new Kubernetes services.
These are some common use cases for a service mesh
Secure Traffic
Performance: NGINX Plus data plane handling mTLS (envoy tips over after 600, where we go to 2000+) data plane matters story
Orchestration
Light weight control plane = small footprint, dev-friendly control plane “set it and forget it”,
Service Traffic
Advance LB – enterprise ADC (vs packet-pushing proxies)
Visualize Traffic
Prometheus/Grafana, uses SMI spec for portability/easier to replace exiting mesh with NSM, completely open – you can use any visualization tool you want, (open ecosystem)
Step 2: How will you use the service mesh?This depends on who you are.
If you’re a developer:
Do you plan to add security to a legacy app that is moving into Kubernetes?
Are you going to incorporate security as you refactor an app into a native Kubernetes app?
If you’re responsible for platforms and infrastructure:
Are you going to add the service mesh into your CI/CD pipeline so that it’s automatically deployed and configured with every new cluster and available when a developer spins up a new instance?
Step 3: What factors influence your selection?Does your service mesh need to be infrastructure agnostic? Compatible with your visibility tools? Kubernetes‑native? Easy to use? Do you see a future when you’ll want to manage ingress and egress (north‑south) traffic at the edge with the same tool as service-to-service (east‑west) traffic within the mesh?
Once you’ve worked through these questions, you’ll have a solid list of requirements to use as you evaluate options.
The transition to faster, more flexible patterns like DevSecOps and microservices can be challenging for cybersecurity teams. Zero Trust offers a powerful method to manage the security of the constantly moving river of changes and access control handoffs.
- Transitioning to Zero Trust Networking can dramatically increase your security posture, but until recent years, it has been a time consuming and difficult task that required extensive security knowledge within engineering teams, sophisticated internal tooling that could manage workload certificates, and service level authentication and authorization.
- Service mesh technologies allow us to easily implement Zero Trust Networking across our microservices and clusters with little effort, minimal service disruption, and does not require your team to be security experts.
What Is mTLS? | F5 Labs
Nginx is super easy to deploy and available with its open source edition, it is used by many, many organizations, as web server, reverse proxy, load balancer, api gateway, etc. This can however lead to unknow nginx instances spread across your organization, sometimes with NGINX Open Source and NGINX Plus managed by different groups. How do you ensure your nginx instances have up-to-date confirguratiuons and security settings?
I am happy to introduce NGINX Instance Manager and we are now offering free health check service to HK organizations. Please scan the qr code to sign up and we will be contacting you soon.
Introduce yourself (no need to read the session takeaways)