Hi guys,
we are using the Consul Helm chart with connect inject enabled to configure our service mesh. One of the most important security requirements we have is encryption in transit, but also that our services can only be called if the incoming request is authenticated via mTLS. We are also not using native k8s services, to ensure that all communication is routed through Envoy/Consul.
One problem that I observed is that, even though all our services call each other through the Envoy proxies, it is still possible to directly call a service via the IP of the pod. This is a major concern if the service relies on the security provided by Consul, since an attacker with network access would be able to send requests directly to the service.
Based on what I described, my conclusion is that it is not enough to rely on the security provided by Consul, which means that every service still needs some kind of authentication on top.
Previously we were using Docker Swarm and directly built the Envoy sidecars into our containers and configured our services to only listen on localhost. This ensured that only the Envoy sidecar was reachable from the outside and the service itself was properly isolated.
Questions:
- Is it somehow possible to achieve the same security in k8s while still using connect inject, maybe by adding a NetworkPolicy?
- Is there a good example of how, ideally, a connect inject enabled pod manifest should look?
Best regards,
Nico
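Added example for the first question above (not part of the original post, and not from the Consul project): a NetworkPolicy that leaves only the Envoy sidecar's public listener reachable from other pods, so the application port can only be hit through the proxy. It assumes the pod selector label `app: billing`, the namespace `payments`, the application port 8080 and a CNI that enforces NetworkPolicy; port 20000 is the default listener of the consul-k8s connect inject sidecar.

```yaml
# Constructed example: restrict ingress to the Connect sidecar only.
# Traffic to the application port (8080 here) from other pods is dropped,
# so the mTLS check in Envoy cannot be bypassed by calling the pod IP.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: billing-sidecar-only
  namespace: payments          # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: billing             # assumed pod label
  policyTypes:
    - Ingress                  # egress (Consul client, DNS) is left untouched
  ingress:
    - ports:
        - protocol: TCP
          port: 20000          # consul-k8s connect inject sidecar listener
      # No 'from' block: any source may reach the sidecar, where Consul's
      # mTLS and intentions are enforced. Port 8080 is intentionally absent.
```

Combine this with the application binding to 127.0.0.1 (the sidecar forwards to the service on the loopback interface), which restores the isolation described for the Docker Swarm setup; verify with a `curl` from another pod to `<pod-ip>:8080` that the direct path now times out while calls via the mesh still succeed.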