What Is Mutual TLS (mTLS), Why Do We Need It, And How Do We Get It?

  • Added 27. 07. 2024
  • In this video, we'll explore what mutual TLS (mTLS) is, why we need it, and how we can get it with a service mesh (e.g., LinkerD, Istio, etc.).
    #mutualtls #mtls #servicemesh #kubernetes
    Consider joining the channel: / devopstoolkit
    ▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
    ➡ Gist with the commands: gist.github.com/vfarcic/85363...
    🎬 What Is Kubernetes Ingress And How Does It Work?: • What Is Kubernetes Ing...
    ▬▬▬▬▬▬ 💰 Sponsorships 💰 ▬▬▬▬▬▬
    If you are interested in sponsoring this channel, please use calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).
    ▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
    ➡ Twitter: / vfarcic
    ➡ LinkedIn: / viktorfarcic
    ▬▬▬▬▬▬ 🚀 Other Channels 🚀 ▬▬▬▬▬▬
    🎤 Podcast: www.devopsparadox.com/
    💬 Live streams: / devopsparadox
    ▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
    00:00 Introduction To Mutual TLS (mTLS)?
    03:51 What Is Mutual TLS (mTLS)?
    08:01 mTLS Benefits
    09:58 Applying mTLS With Service Meshes
  • Science & Technology

Comments • 53

  • @DevOpsToolkit  1 year ago +2

    Do you use mTLS inside your clusters?

    • @swapnilshingote8773  1 year ago +2

      Actually no... Mostly it is ECS in the background, and the front part is via API gateway, and we need to implement an mTLS layer on the API GW..

    • @DevOpsToolkit  1 year ago +1

      I haven't been using ECS for a while now, partly because it is a closed ecosystem. Whatever AWS recommends is typically the best (and often the only) way to accomplish something.

    • @swapnilshingote8773  1 year ago +1

      @@DevOpsToolkit do you have any resources or videos covering API gateway?

    • @DevOpsToolkit  1 year ago +1

      @@swapnilshingote8773 Unfortunately, I don't :(

    • @NicolasFrankel  1 year ago +2

      @@swapnilshingote8773 I wrote about it recently using Apache APISIX. I cannot post the link, but it's named "mTLS everywhere!"

  • @IONYVDFC  4 months ago +2

    Brilliant pitch! In other videos I found on this topic, I thought I was distracted by the language of some non-native English speakers, but I think now that is irrelevant; the simplicity and the way the storyline was built really made my day.

  • @ofir2565  7 months ago +3

    I am amazed each time by the level of quality produced by your videos, kudos for the down to earth and simple to follow explanation of very complex topics!

  • @mtoct12  4 months ago +1

    Thank you for explaining such complex concepts in a very easy and simple way by breaking them down methodically. Please continue to make such amazing videos.

  • @arieheinrich3457  1 year ago +3

    You can see the Spanish influence on Viktor when he does the "sidecar dance", cha cha cha!

  • @HamidKarzai  10 months ago +2

    Your style of dictating console commands is very engaging; usually my eyes glaze over when other people do it. Impressive.

  • @prakasha5870  1 month ago +1

    Good explanation. Easy to understand.

  • @swapnilshingote8773  1 year ago +1

    Implemented, working like a charm.. 🤩

  • @adamyaziji7401  9 months ago +1

    Very clear explanation, thanks :D

  • @aayushgore4545  7 months ago +1

    Thanks, brother, for this great video!

  • @swapnilshingote8773  1 year ago +1

    Best video of this year...

  • @VLADICA94KG  1 year ago +2

    As always, concise, high-quality video content.
    Thank you for selflessly sharing your knowledge, Viktor! :)
    It would be great if you could make a video on how to enable mTLS with 3rd-party services (or other custom-implemented services running in another cluster).

    • @DevOpsToolkit  1 year ago +2

      Adding it to my to-do list as a subject for one of the upcoming videos...

  • @IvanRizzante  1 year ago +1

    Great video as always. I can only add that by default mTLS is not strict: the "meshed" Pods will still accept plain connections from Pods external to the mesh. To make sure no untrusted connections are accepted, you have to make mTLS strict. That's why you need Linkerd Authorization Policies.

  • @walk_with_anshuman  5 months ago +1

    Great content.

  • @cajgazachar  1 year ago +4

    Viktor, nice video, but you did not do your homework about encryption and TLS. In fact, TLS is not using asymmetric encryption to encrypt the data. The client is only using the public key to encrypt a session key, which is then used by both sides to encrypt the data (symmetric encryption is faster AND, in this way, both sides can encrypt the data ;) ).
    You are like a teacher; you have to be precise about the facts. What comes on top of that (your opinion about things) we either agree with you on or not (I tend to see things the same way, hence I am a long-time subscriber ;)

    • @DevOpsToolkit  1 year ago +5

      You're right. I should have been more precise. My bad... There's always room to improve not only knowledge but also how that knowledge is transmitted. Thanks for pointing out the mistake.

  • @fenarRH  1 year ago +5

    Imho, mTLS is just a lousy mutual authentication, i.e. not an authorization nor a very trustable authentication method, which would not likely address MITM and other impersonation attack types. The best practice would be network segmentation and using SCC for enforcing security policies on pods and containers.

    • @pier_x0  1 year ago +3

      I agree with you, but authentication comes before authorisation; you have to take care of both of them.
      mTLS is only the beginning... as Viktor says.

  • @saravanans1825  4 months ago +1

    Thanks!

    • @DevOpsToolkit  4 months ago

      Thanks a ton for the donation. It helps a lot in keeping the expenses of the channel to a minimum.

  • @ThePellizzetti  1 year ago +1

    Great video! Do you have, or plan to make, a video about whether all communication between all the apps should go through an API Gateway or not? I'm trying to improve how we handle authn/authz between services. Initially I was pretty set on making all communication internal using a service mesh and an identity/access proxy, but I ended up seeing quite a few cases where all requests were restricted to the API Gateway, which made me question what would usually be the best approach.

    • @DevOpsToolkit  1 year ago +1

      For the applications running in Kubernetes clusters, a service mesh is the way to go. If there are apps elsewhere, the situation is different and the answer depends on where they are.

    • @ThePellizzetti  1 year ago +1

      @@DevOpsToolkit Ah, we're running everything in k8s, thanks for clearing that up!

  • @farzadmf  1 year ago +2

    Nice video (as always); just one thing: your first few slides mention "encripted" instead of "encrypted" 😛

    • @DevOpsToolkit  1 year ago +1

      My bad.
      Unfortunately, there is no option to re-upload a video so it'll have to stay.
      In the future, I'll make sure to double-check animations before publishing videos.

    • @farzadmf  1 year ago +1

      No worries, doesn't change anything about the great quality of the actual content of the video!

  • @berndeckenfels  2 months ago +1

    If I rely on the policies, I can skip mTLS, though.

  • @m.l.n  1 year ago +1

    Can you explain the difference between mTLS, EAP-TLS and EAP-TTLS?

    • @DevOpsToolkit  1 year ago

      EAP-TLS is yet another implementation of an authentication protocol that is integrated with TLS.

  • @swapnilshingote8773  1 year ago +1

    I was told to use mTLS via API gateway.. Cracking my head over how I will integrate this...

    • @DevOpsToolkit  1 year ago +2

      If all communication paths are going through the API Gateway, then the recommendation to use it for mTLS does make sense. It would be a separate conversation whether all communication between all the apps should go through the API Gateway.

  • @brahmadarapaneni4561  1 year ago

    The client validates the server cert using the CA and by matching the domain name in the cert with the domain entered in the browser; that is how the client validates the server cert.
    But with client certs, when the server gets the client cert, it verifies it with the CA, but against what does it validate that this cert is from the right user/application? For the server cert, it validates with the CA and matches the domain name present against the domain entered in the browser.
    Can you help me here to get clarification?

    • @DevOpsToolkit  1 year ago

      Domain name within the cluster is the name of the service combined with the namespace.

    • @brahmadarapaneni4561  1 year ago

      If it's on actual servers, how are client certs validated apart from the CA?

    • @DevOpsToolkit  1 year ago

      I assume by actual servers you mean something other than Kubernetes. If that's the case, your best bet is an API Gateway.
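
      The server-side check this thread asks about (what the server validates a client cert against beyond the CA) and the "strict" point raised by @IvanRizzante above, as an added Go example that is not from the video, the gist, or any mesh's code: a constructed cluster CA issues certs whose SAN is the in-cluster name <service>.<namespace>, and the server both chains the presented cert to that CA and matches the SAN against the one peer it allows. The identities demo-ca, web.default and api.default and the functions issue and AuthenticateClient are assumptions made for this example.

      ```go
      package main

      import (
      	"crypto/ecdsa"
      	"crypto/elliptic"
      	"crypto/rand"
      	"crypto/x509"
      	"crypto/x509/pkix"
      	"fmt"
      	"math/big"
      	"time"
      )

      // Constructed identities in the mesh style <service>.<namespace>; none of these are real.
      const clusterCAName, webSvc, apiSvc = "demo-ca", "web.default", "api.default"

      // issue mints a cert whose SAN is name, signed by the CA (a self-signed CA when caCert is nil).
      func issue(name string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
      	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
      	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
      	tmpl := &x509.Certificate{
      		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
      		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
      		IsCA: caCert == nil, BasicConstraintsValid: true,
      		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CA
      		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
      	}
      	if caCert == nil {
      		caCert, caKey = tmpl, key // self-signed root
      	}
      	der, _ := x509.CreateCertificate(rand.Reader, tmpl, caCert, &key.PublicKey, caKey)
      	cert, _ := x509.ParseCertificate(der)
      	return cert, key
      }

      // AuthenticateClient is what the server side of mTLS does with the cert a client presents (nil = plain
      // client): the chain to the cluster CA answers "is it ours?", the SAN answers "is it the peer I allow?".
      func AuthenticateClient(clusterCA, presented *x509.Certificate, allowedPeer string) error {
      	if presented == nil {
      		return fmt.Errorf("no client certificate presented; strict mTLS fails closed here")
      	}
      	roots := x509.NewCertPool()
      	roots.AddCert(clusterCA)
      	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
      	if _, err := presented.Verify(opts); err != nil {
      		return fmt.Errorf("not issued by the cluster CA: %w", err)
      	}
      	if presented.VerifyHostname(allowedPeer) != nil {
      		return fmt.Errorf("issued by our CA, but for %v rather than %s", presented.DNSNames, allowedPeer)
      	}
      	return nil
      }
      ```

      A mesh proxy runs the same two checks on every inbound connection; the CA check alone would let any workload in the cluster impersonate any other, which is why the SAN must be compared with the expected service identity.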

  • @brahmadarapaneni4561  1 year ago

    I am not able to join your channel; while doing the payment it's getting an error. Can you guide me?

    • @DevOpsToolkit  1 year ago

      Not sure why that is so. You would need to contact YouTube since it's their payment system.

  • @ioannisgko  1 year ago +2

    Very well explained. The only downside with this strategy is that you will have 1 sidecar per pod. And if I have 1000 pods in my cluster, then 1000 sidecars will consume CPU and RAM. Is there another way to have mTLS?

    • @DevOpsToolkit  1 year ago +1

      eBPF should fix that issue. I would recommend checking out Cilium.

    • @cajgazachar  1 year ago +1

      @@DevOpsToolkit And Istio's Ambient Mesh

    • @DevOpsToolkit  1 year ago

      @@cajgazachar Oh yeah. Istio Ambient Mesh as well :)