The Inner Circle


Encrypting Traffic between Containers

  • 1.  Encrypting Traffic between Containers

    Posted Jan 26, 2023 10:30:00 AM
    Hi Everyone,

    I'm currently trying to determine whether it's the best practice to encrypt traffic between containers in the same pod on a Kubernetes node.  I have been reading up on a few sites and standards, but it's not very clear and quite ambiguous, and most of what I have read is more about encrypting traffic between pods or nodes.

    I'm very new to the cloud-native world, and the answer might have been in my face, which I may have misunderstood.

    It would be great to hear your thoughts, or if there is any documentation you know of that I could go through, that would be greatly appreciated.

    Kind regards
    Shawn




  • 2.  RE: Encrypting Traffic between Containers

    Posted Jan 27, 2023 07:49:00 AM
    Yes, it should be.

    ------------------------------
    Chris Mlynarczyk
    Enterprise Account Executive
    Uptycs
    Chicago IL
    ------------------------------



  • 3.  RE: Encrypting Traffic between Containers

    Posted Jan 27, 2023 07:57:00 AM
    Mutual TLS is one of the key concepts in RBAC for K8s, and most service mesh architectures enforce these... but not sure what the default is for within-Pod communication.
    K8s control plane can do these.


    ------------------------------
    Chris Mlynarczyk
    Enterprise Account Executive
    Uptycs
    Chicago IL
    ------------------------------



  • 4.  RE: Encrypting Traffic between Containers

    Posted Jan 27, 2023 09:12:00 AM
    Interesting question because I've had a similar one. But a couple of things that I've encountered in my journey are:
    1) certificates used to enable the traffic need to be updated and renewed; how do you automate this process?
    2) sidecar injection of certificates at time of container initiation. Is this a standard practice? If so, where do you pull the cert from to ensure it's always an updated one?

    I've not had a ton of experience with service mesh implementations as Chris M. shared above, but definitely would love to see documentation. Sorry for adding to your question and not having any answers, but your question sparked some thoughts for me I never thought to ask before.

    Thanks for sharing! Looking forward to some expert answers

    ------------------------------
    Tasia Mabry
    Sr Cloud Engineer
    Duke Energy
    ------------------------------



  • 5.  RE: Encrypting Traffic between Containers

    Posted Jan 27, 2023 10:32:00 AM
    It really depends on the situation, for example, what data is being transferred.  Without the details, it could be a no, it's not best practice.  It's probably better to figure out how K8s is configured because if there are huge holes there, encryption wouldn't help secure the environment.  Some good information can be found here: https://istio.io/latest/docs/concepts/security/

    ------------------------------
    Ross Kovelman
    Cloud Cybersecurity
    NA
    ------------------------------



  • 6.  RE: Encrypting Traffic between Containers

    Posted Jan 30, 2023 07:54:00 AM
    I agree. The question is what data is being transferred and also where K8S/pods are being run - i.e., do you trust the environment, is it your own DC or public cloud. I err on the side of caution and thus better to have encryption (and more), though it may be data which does not need high security or is already encrypted at an application level, or possibly you want the highest performance possible and performance is more important than security.

    I am talking at CNCF Security Conference this week on applying zero trust to CNCF - https://sched.co/1FV1i. Pretty sure I should be able to get the recording if you are interested. We are creating a white paper in the CNCF on this topic.

    ------------------------------
    Philip Griffiths
    Head of Business Development
    NetFoundry
    ------------------------------



  • 7.  RE: Encrypting Traffic between Containers

    Posted Jan 31, 2023 07:18:00 AM
    Hi Shawn,

    I reached out to one of our Thales engineers and he replied that "it is actually NOT best practice to encrypt traffic between containers… in fact the whole K8s push has been to have a TLS Endpoint Terminator (like Envoy or NGINX) to protect the pod and then containers speak in the plain… intentionally… allowing DevOps to add monitors for logs and performance without further issues AND dev can work in their cubicle in the plain knowing that DevOps processes will add TLS at the end. Now leaving a pod and talking to another pod or elsewhere should always be over TLS."

    Thales does have some solutions that may be applicable for you.  Here is a link for more information. Transparent Encryption for Kubernetes (thalesgroup.com)

    Thank you,
    Scotti Woolery-Price
    Partner Marketing Manager
    Thales

    ------------------------------
    Scotti Woolery-Price
    Partner Marketing Manager
    Thales
    ------------------------------



  • 8.  RE: Encrypting Traffic between Containers

    Posted Jan 31, 2023 08:02:00 AM
    Interesting, although not sure how that would work.  In many cases, you cannot change root-level items within the container OS.  For others like Bottlerocket, you would need to run an API command to import the cert or bootstrap it, storing that cert in a secured location, which some companies are not for.  If further information exists for these use cases I would love to read it to learn more - a lot of changes happening in that space for sure.

    ------------------------------
    Ross Kovelman
    Cloud Cybersecurity
    NA
    ------------------------------



  • 9.  RE: Encrypting Traffic between Containers

    Posted Jan 31, 2023 08:16:00 AM
    Hey all - this is a topic that my company has thought of and helps many large enterprises with. I am by no means the expert, but my company works in the PKI/Cert Management space and has a webpage dedicated to this as well as webinars and blogs. Enjoy the reading/watching.

    Webpage:
    1) https://www.keyfactor.com/business-need/accelerate-devops-security/

    Webinars:
    1) https://www.keyfactor.com/resources/unlocking-devops-security-with-pki-automation/

    Blog:
    1) Secure Istio MTLS: https://www.keyfactor.com/blog/secure-istio-mtls/
    2) Securing Containers For Multi-Cloud Operations: https://www.keyfactor.com/blog/securing-containers-and-multi-cloud-operations/


    ------------------------------
    Liam Geither
    Channel Account Manager
    Keyfactor
    ------------------------------



  • 10.  RE: Encrypting Traffic between Containers

    Posted Feb 01, 2023 07:48:00 AM
    You'll need a service mesh like Istio on top of K8S to handle the mutual TLS for this. You'll *also* need a private CA or other providing authority to sign these certificates. Do you need to do all this? "It depends" on your requirements.

    ------------------------------
    Corcoran Smith
    ------------------------------
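
As an added illustration of the Istio mTLS enforcement that several replies mention (this is example configuration, not something any poster provided): a PeerAuthentication resource controls whether sidecars accept plaintext. PERMISSIVE accepts both plaintext and mTLS, which is the weak migration setting; STRICT rejects plaintext between pods. Placing the resource in the istio-system root namespace makes it mesh-wide; the namespace-scoped one below (namespace name `payments` is assumed) overrides it for one namespace. Note that this governs pod-to-pod traffic through the sidecar; containers inside one pod share the network namespace and talk over localhost, which the sidecar does not intercept by default.

```yaml
# Mesh-wide default: reject any plaintext pod-to-pod traffic.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace => applies to the whole mesh
spec:
  mtls:
    mode: STRICT
---
# Weak setting (for comparison): a namespace still mid-migration that
# accepts plaintext as well as mTLS. Treat this as temporary and time-boxed.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments       # assumed namespace name
spec:
  mtls:
    mode: PERMISSIVE
---
# Corrected namespace-level setting once every workload has a sidecar:
# remove the PERMISSIVE override so the mesh-wide STRICT policy applies,
# or set STRICT explicitly as here.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments       # assumed namespace name
spec:
  mtls:
    mode: STRICT
```

Apply with `kubectl apply -f <file>` and confirm plaintext is refused by sending a request from a pod without a sidecar; with STRICT in force the connection is reset rather than served.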