Mutual TLS & Identity Verification

Istio provides transparent mutual TLS to services inside the service mesh, where both the client and the server authenticate each other's certificates as part of the TLS handshake. As part of this course, we have deployed Istio with mTLS.

By default, Istio sets mTLS to PERMISSIVE mode, which allows plaintext traffic to be sent and accepted by the mesh. We first disallow plaintext traffic by creating a PeerAuthentication resource with its mTLS mode set to STRICT.

Confirm mTLS is being enforced

This can be done by executing a simple command:

Verify mTLS

Citadel is Istio’s key management service. As a first step, confirm that Citadel is up and running:

Output will be similar to:

To experiment with mTLS, log into the sidecar proxy of the productpage pod by executing this command:

We are now in the proxy of the productpage pod. Check that all the certificates are loaded in this proxy:

You should see 3 entries:

Now, try to make a curl call to the details service over HTTP:

Since we have TLS between the sidecars, a plain HTTP call will not work: the request will time out. You will see an error like the one below:

Let us try to make a curl call to the details service over HTTPS but WITHOUT client certificates:

The request will be denied and you will see an error like the one below:

Now, let us use curl over HTTPS with certificates to the details service:

Output will be similar to this:

This confirms that mTLS is in effect between the services on the Istio mesh.

Now let's exit the container before we go on to the next section:

Secure Production Identity Framework for Everyone (SPIFFE)

Istio uses SPIFFE to assert the identity of workloads on the cluster. SPIFFE consists of a notion of identity and a method of proving it. A SPIFFE identity consists of an authority part (the trust domain) and a path. The meaning of the path is implementation defined in SPIFFE. In Kubernetes it takes the form /ns/$namespace/sa/$service-account, with the expected meaning. A SPIFFE identity is embedded in a document. In principle this document can take many forms, but currently the only defined format is X.509.
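As an added example (not part of the original course), the Python below pulls the spiffe:// URI SAN out of an `openssl x509 -text -noout` dump and checks that it has the identity form described above. The certificate text and the trust domain cluster.local are constructed sample values.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the SAN section as openssl prints it for an Istio
# workload certificate (assumption: only the shape of the text matters).
SAMPLE_OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/default/sa/bookinfo-productpage
"""

# openssl lists SAN entries comma-separated on one line, so stop at a comma.
SPIFFE_SAN_RE = re.compile(r"URI:(spiffe://[^\s,]+)")


def extract_spiffe_ids(openssl_text):
    """Return every spiffe:// URI SAN found in the openssl text dump."""
    return SPIFFE_SAN_RE.findall(openssl_text)


def parse_spiffe_id(spiffe_id):
    """Split a SPIFFE ID into trust domain, namespace and service account,
    rejecting anything that is not spiffe://<trust-domain>/ns/<ns>/sa/<sa>."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id!r}")
    # A SPIFFE ID carries no userinfo, port, query or fragment.
    if u.username or u.password or u.port or u.query or u.fragment:
        raise ValueError(f"malformed SPIFFE ID: {spiffe_id!r}")
    parts = u.path.split("/")
    if (len(parts) != 5 or parts[0] != "" or parts[1] != "ns"
            or parts[3] != "sa" or not parts[2] or not parts[4]):
        raise ValueError(f"path is not /ns/<namespace>/sa/<sa>: {u.path!r}")
    return {"trust_domain": u.netloc,
            "namespace": parts[2],
            "service_account": parts[4]}


def peer_is(spiffe_id, trust_domain, namespace, service_account):
    """True when the presented identity is exactly the expected workload;
    a malformed ID never matches."""
    try:
        ident = parse_spiffe_id(spiffe_id)
    except ValueError:
        return False
    return ident == {"trust_domain": trust_domain,
                     "namespace": namespace,
                     "service_account": service_account}
```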

To start our investigation, let us check if the certs are in place in the productpage sidecar:

Output will be similar to:

On macOS, openssl should already be available. If your machine does not have openssl installed, install it using your preferred method.

Here is one way to install it on RHEL or CentOS or its derivatives:

Here is one way to install it on Ubuntu or Debian or its derivatives:

Now that we have found the certs, let us verify the certificate of the productpage sidecar by running this command:

Output will be similar to:

Let's also verify the URI SAN:

Output will be similar to:
