A service mesh connects the microservices that make up your applications. As such, your app design, container platform, and underlying infrastructure provider all affect the security posture of your apps.
App design and deployment
The following general practices can help you deploy your apps securely.
- Follow the twelve-factor app methodology to guide your microservice development.
- Review the security concepts for your container orchestration platform, such as Kubernetes or OpenShift.
- Search for provider-specific app development guides, such as those for IBM Cloud, that help you connect the best practices for app design with the tools that the infrastructure provider offers.
- Store your Gloo Mesh and application configuration files in a configuration management system that is integrated into a DevOps pipeline, such as Git.
For example, you might use those guides to make sure that your app deployment includes the following capabilities.
- ✅ Has multiple replicas for high availability
- ✅ Spreads across availability zones for resiliency
- ✅ Runs on machines that are optimized for the workload
- ✅ Runs in isolation from other workloads, such as in separate namespaces
- ✅ Reschedules gracefully in case of unexpected failure, such as with liveness probes, readiness probes, and pod disruption budgets
- ✅ Saves sensitive data in secrets or encrypted storage
- ✅ Automates configuration updates and rolling upgrades
- ❌ Does not run with outdated or insecure images or versions
- ❌ Does not take up too many resources, by setting resource requests and limits
- ❌ Does not use personally identifiable information as part of its names or other non-secure areas
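The following manifest is an added example, not part of the original page, that shows how several of the checklist items above map onto Kubernetes settings for a single workload. The app name `checkout`, the namespace `shop`, the image registry, the secret name, and the health-check paths are hypothetical placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: checkout
  namespace: shop          # runs in isolation: its own namespace, not the default one
spec:
  replicas: 3              # multiple replicas for high availability
  selector:
    matchLabels:
      app: checkout
  template:
    metadata:
      labels:
        app: checkout
    spec:
      topologySpreadConstraints:
      - maxSkew: 1                                 # spread replicas across availability zones
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule
        labelSelector:
          matchLabels:
            app: checkout
      containers:
      - name: checkout
        image: registry.example.com/shop/checkout:1.4.2   # pinned version tag, never :latest
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:                          # sensitive data comes from a Secret, not a literal
              name: checkout-db
              key: password
        resources:
          requests: {cpu: 100m, memory: 128Mi}    # requests and limits bound resource use
          limits: {cpu: 500m, memory: 256Mi}
        livenessProbe:                             # restarts the container if it hangs
          httpGet: {path: /healthz, port: 8080}
        readinessProbe:                            # keeps traffic away until the app can serve
          httpGet: {path: /ready, port: 8080}
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: checkout
  namespace: shop
spec:
  minAvailable: 2          # keep at least 2 replicas up during node drains and upgrades
  selector:
    matchLabels:
      app: checkout
```

Each comment names the checklist item that the setting satisfies; the remaining items (automated rolling upgrades, no PII in names) are practices of your pipeline and naming conventions rather than fields in the manifest.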
Istio and Kubernetes reserved ports
For more information, see Reserved ports and pod requirements.
Use Gloo Mesh networking and policy resources to secure the traffic that reaches your app and make your apps more resilient. The Gloo Mesh resources are automatically translated to the Istio resources that you need across your clusters.
These Gloo Mesh resources help you implement security and resilience features such as the following:
- Automatic service discovery across clusters
- Pod traffic encryption with mTLS
- A/B traffic testing when you update versions of your app
- Traffic routing, shifting, failover, and more
The following guides can help you set up secure traffic policies for the apps in your service mesh:
Logging and monitoring
Review the performance and health of your service mesh apps with the built-in logging and monitoring tools.
- Service mesh metrics: Gloo includes a built-in Prometheus server that collects metrics for your service mesh. With metrics, you can review the success and failure rates of requests and the time it takes for a request to reach its destination in your service mesh.
- Access logs: Collect and review access logs to monitor the traffic to and from individual services in your service mesh.
- Trace requests: Sample request traces to see how a request is processed in your service mesh and the time it takes for a request to reach its target.
This data can help you monitor the health and performance of your apps, find bottlenecks, or troubleshoot issues. In particular, you might use this data to improve the following aspects of your app:
- Kubernetes resource requests and limits, replicas, and scheduling to improve pod performance.
- Gloo Mesh networking resources such as route tables to set up the best paths for connectivity within the service mesh.
- Gloo Mesh policies such as retries, timeouts, and failovers to improve resilience.
Finally, you can use the Gloo UI to review your service mesh environment, including resource status and metrics. For more information, see Gloo UI.