Kubernetes TLS all the way to the pod

6/26/2019

I just started using Istio and securing service-to-service communication and have two questions:

  1. When using nginx ingress, will Istio secure the data from the ingress controller to the service with TLS?
  2. Is it possible to secure with TLS all the way to the pod?
-- ItFreak
istio
kubernetes

1 Answer

6/26/2019
  1. With Envoy deployed as a sidecar container in both (a) the NGINX pod and (b) the application pod, Istio will ensure that both services communicate with each other over TLS.

  2. In fact, that's the whole idea behind using Istio, i.e. to secure all the communication all the way to the pod using the Envoy sidecar. Envoy will intercept all the traffic going in/out of the pod and perform TLS communication with its peer Envoy counterpart.

All this is done in a transparent manner, i.e. transparent to the application container. The responsibility for TLS-layer jobs, e.g. handshake, encryption/decryption, peer discovery, etc., is entirely offloaded to the Envoy sidecar.

-- piy26
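As an added illustration of the answer above (not part of the original post), the manifests below enforce that pod-to-pod hop: the namespace gets sidecar injection so both the NGINX ingress pod and the application pod carry Envoy, a PeerAuthentication in STRICT mode makes every sidecar in the namespace reject plaintext, and a DestinationRule makes the client-side sidecar originate mutual TLS with Istio-issued certificates. It assumes Istio's current `security.istio.io/v1beta1` API (the 2019-era `authentication.istio.io` policies are equivalent), and the namespace name `default` and service host `app.default.svc.cluster.local` are constructed placeholders.

```yaml
# Label the namespace so every pod scheduled here gets the Envoy sidecar injected.
# This must cover the NGINX ingress controller pod as well, or the ingress -> service
# hop stays plaintext. (Namespace name is a placeholder.)
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    istio-injection: enabled
---
# Server side: with no selector this applies to every sidecar in the namespace.
# STRICT means the sidecar only accepts mTLS; PERMISSIVE would still allow plaintext
# from pods without a sidecar, which is the weaker setting to watch for.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT
---
# Client side: tell the originating sidecar to present its SPIFFE identity certificate
# when calling the application service. (Host name is a placeholder.)
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: app-mtls
  namespace: default
spec:
  host: app.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Once applied, a request from a pod that has no sidecar is refused at the application pod's Envoy, which is the quickest way to confirm the policy is actually in STRICT mode rather than PERMISSIVE.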
Source: StackOverflow