Service mesh traffic
Your installation of Istio affects the security posture of your entire service mesh. Keep in mind that you install Istio separately from Gloo Mesh. For more information about how security works in Istio, see the security and best practices sections in the Istio documentation.
The benefits that Gloo Mesh provides for Istio include hardened Istio images with CVE and security patching for
n-4 version support. Istio alpha and experimental features are prevented by default to avoid unintended consequences to your production environments. You can also try out an experimental managed Istio installation for consistency across clusters with Gloo Mesh and the Istio Operator.
- Install Istio, reviewing in particular the following security points that are covered in the setup documentation.
- Recommended namespace configuration, especially separate namespaces for gateways.
- Persona-driven configuration management.
- Using a Solo distribution of Istio for backported CVE and FIPS support.
- Set up certificates for Istio to federate trust across clusters. For production, use a provider such as AWS Certificate Manager or Vault.
- Repeat the same Istio installation setup for each workload cluster in your service mesh.
- Use Kubernetes RBAC to control who can edit your Gloo Mesh resources, which in turn update your Istio resources.
To control ingress traffic into your service mesh environment, use an API gateway such as Gloo Gateway. With a Gloo Gateway license key, you unlock a variety of security features for ingress traffic to your service meshes, such as HTTPS traffic, authentication and authorization, rate limiting, and other advanced routing capabilities.
To set up user login to your apps, use external auth. Set up an external authentication and authorization to protect the workloads in your cluster. For example, you can set up basic, passthrough, API key, OAuth, OPA, or LDAP authentication. For more information, see External authentication and authorization.
As you set up your service mesh, consider whether your microservices need to be exposed. Instead of exposing services to external, north-south traffic, you might prefer east-west traffic internal to the mesh. You can set up Gloo Mesh virtual destinations for cross-cluster, east-west traffic routing.
Service mesh traffic
With Gloo workspaces, you can quickly set up zero-trust networking by default. Enforce service isolation within workspaces.
- Enabled service isolation: Services are isolated and cannot communicate with services outside the mesh or in another workspace by default. mTLS is used for communication across services. Teams must set up their workspaces to import and export the services that they need. You can enable service isolation if you need to enforce a zero trust model from the start. Note: Service isolation is enabled or disabled at the workspace level. To isolate services within the workspace, use access policies.
- For more information about mTLS, see the Istio docs.
To secure the network traffic to and from your apps, use Gloo policies. In particular, you might use an access policy to permit traffic to select workloads. For more information, see Policy enforcement.
Add trusted endpoints outside your service mesh with Gloo external endpoints and services. Then, use Gloo policies to permit egress only to these trusted external services. For more information, see Route to services external to the mesh.