Clik here to view.
We previously provided “hands-on, labs-based training” for approximately 25 technologists on the recently introduced “Managed Service Mesh” capability in the Rafay Kubernetes Operations Platform.
Here’s what we set up for the enablement session:
- Each attendee was provided with their own Kubernetes cluster.
- We spun up 25 Kubernetes clusters on Digital Ocean just a few hours before the session.
- Each attendee had their own dedicated “project” in the “Training” Org
Image may be NSFW.
Clik here to view.
Background
It is now becoming a standard operational requirement for applications to require the use of a Zero Trust security model. One of the important aspects of this model is the use of mutual TLS (mTLS) to ensure all communication between services are mutually authenticated and strongly encrypted.
Application teams commonly find themselves having to deal with this in the 11th hour. At this point, it is either “too late” to retrofit their application business logic or the legacy containerized application is not capable of being retrofitted. The service mesh’s sidecar based enforcement approach is a perfect solution for scenarios like this.
Image may be NSFW.
Clik here to view.
The Lab Exercise
In the “hands-on” lab, each attendee followed our “Getting Started” guide for MTLS Migration closely. The high-level steps were as follows:
Step 1
Create a custom blueprint with the “integrated” Service Mesh enabled and the “default” installation profile. Update the cluster’s blueprint with the custom blueprint. In 2-3 minutes, blueprint sync should complete and you should see something like this.
Image may be NSFW.
Clik here to view.
Step 2
- Create three namespaces called “foo”, “bar” and “legacy”.
- Ensure that “sidecar” injection is enabled for the “foo” and “bar” namespaces.
Image may be NSFW.
Clik here to view.
- Ensure that “sidecar” injection is disabled for the “legacy” namespace.
Image may be NSFW.
Clik here to view.
Step 3
Deploy sample workloads into the “foo”, “bar” and “legacy” namespaces.
For the workloads deployed into namespaces with sidecar injection “enabled”, you will notice that the sidecar is automatically implemented. The attendees confirmed this by using the Integrated Kubernetes Resources Dashboard for the workload.
Image may be NSFW.
Clik here to view.
Once the workloads are operational and are interacting with each other, the attendees used the Integrated, Multitenant Kiali Dashboard to visualize the inter-service traffic in their Kubernetes cluster.
Image may be NSFW.
Clik here to view.
Try It Out
If you are interested in trying this out yourself,
- Sign Up for a Free Rafay Org.
- Follow the steps in the Getting Started Guide for mTLS Migration.
The post Enforce mTLS using Rafay’s Managed Service Mesh appeared first on Rafay.