Gloo components
Secure the Gloo components and Gloo custom resources.
Gloo Mesh Enterprise sets up one management plane, which includes components such as the management server, Gloo UI, external auth, and rate limiting servers. One Gloo agent is deployed to each workload cluster that is registered with the management plane. These Gloo components are shared by licensed Gloo Mesh Core, Gloo Mesh Enterprise, and Gloo Mesh Gateway products that help you secure and manage L3-L7 traffic across your apps. For more information, see Architecture.
Gloo management server and agent
By default, communication between the Gloo management server and agent is secured via mutual TLS in a relay setup. Gloo provides self-signed certificates for testing purposes, but you can provide your own signed certificates and use a certificate manager for production-level security. Each agent runs in a separate cluster that has its own Istio service mesh. To federate trust across clusters, you configure a root trust policy in the management cluster.
For more information, see Certificate management.
Gloo UI
Set up authentication and authorization (AuthN/AuthZ) for the Gloo UI by using OpenID Connect (OIDC) and Kubernetes role-based access control (RBAC). The Gloo API server has its own external auth service built in. This way, you can manage external auth for the Gloo UI separately from the external auth that you set up for your apps.
For more information, see Set up external auth for the Gloo UI.
External auth and rate limiting
You can optionally deploy the Gloo external auth and rate limiting servers. The servers store configuration data in a Redis instance that is deployed for you by default. You can also replace the default Redis instance with your own, for example to increase availability or to reuse an existing Redis deployment.
For more information, see the instructions for setting up rate limiting and external authentication when you install Gloo Mesh Enterprise with Helm.
Gloo product versions
Solo periodically updates Gloo to provide new features as well as security updates. You can review the security scan results for Gloo container images, for example to support compliance reports. Make sure to regularly upgrade your Gloo installation to stay within the supported version policy.
As part of your product license, Solo also provides hardened, n-4 support for Istio, including FIPS-certified images with the latest CVE patches. You can use these images when you install or upgrade Istio.
For more information, see the following topics:
Gloo custom resources
For team access, use Gloo workspaces. Gloo simplifies sharing resources across workspaces with import and export settings. You can also enable federation and service isolation at the workspace level. For more information, see Multitenancy with workspaces.
For user access, use Kubernetes RBAC. For more information, see User access.
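The following is an added example, not from the Gloo docs, of pairing workspaces with Kubernetes RBAC: an app team gets edit rights on its own routing resources and workspace settings in its namespace, while the Workspace resources that define membership remain with platform administrators in the management cluster. The namespace `team-a`, the group `team-a-developers`, and the Gloo API group and resource names are assumptions; verify the latter against the CRDs installed in your cluster.

```yaml
# Added example: least-privilege Role for one app team's namespace.
# Assumed values (verify with `kubectl api-resources | grep solo.io`):
# the API groups/resources below and the constructed namespace "team-a".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gloo-app-team-editor
  namespace: team-a
rules:
  # The team manages routing for its own services only.
  - apiGroups: ["networking.gloo.solo.io"]
    resources: ["routetables", "virtualdestinations"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The team controls what its workspace imports and exports.
  - apiGroups: ["admin.gloo.solo.io"]
    resources: ["workspacesettings"]
    verbs: ["get", "list", "watch", "update", "patch"]
  # No rule for "workspaces": membership stays with platform admins.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gloo-app-team-editor
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-developers   # constructed group name from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: gloo-app-team-editor
  apiGroup: rbac.authorization.k8s.io
```

After applying, confirm the boundary holds with `kubectl auth can-i create routetables.networking.gloo.solo.io -n team-a --as-group=team-a-developers --as=anyuser` (expected: yes) and the same check for `workspaces.admin.gloo.solo.io` (expected: no).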
Gloo metrics and alerts
Use the Gloo operations dashboard to gain insight into the health of Gloo components and get notified about issues in your Gloo environment. For example, receive automatic alerts when the translation or reconciliation time of the Gloo management server is too high, or when errors occur during the translation of Gloo resources.