Secure the Gloo Platform components and Gloo custom resources.
Gloo Platform sets up one control plane, which includes management components such as the management server, Gloo UI, external auth, and rate limiting servers. One Gloo agent is deployed to each workload cluster that is registered with the control plane. These Gloo components are shared by the licensed Gateway, Mesh, and Network products that help you secure and manage L3-L7 traffic across your apps. For more information, see Architecture.
Gloo management server and agent
By default, communication between the Gloo management server and agent is secured via mutual TLS in a relay setup. Gloo uses self-signed certificates, but you can provide your own signed certificates and use a certificate manager for production-level security. Each agent runs in a separate cluster that has its own Istio service mesh. To federate trust across clusters, you configure a root trust policy in the management cluster.
For more information, see Certificate management.
Set up authentication and authorization (AuthN/AuthZ) for the Gloo UI by using OpenID Connect (OIDC) and Kubernetes role-based access control (RBAC). The Gloo API server has its own external auth service built in. This way, you can manage external auth for the Gloo UI separately from the external auth that you set up for your apps.
For more information, see Set up external auth for the Gloo UI.
External auth and rate limiting
You can optionally deploy the Gloo Platform external auth and rate limiting servers. Instead of deploying these instances in the same namespace as your management and agent components, create a separate namespace such as gloo-addons. Then, you can enable Istio injection on that namespace so that communication is secured by mTLS.
The servers store configuration data in a Redis instance that is deployed for you by default. You can also replace the default Redis instance with your own, such as to increase the availability or to use an existing Redis.
For more information, see Set up rate limiting and external authentication.
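The namespace setup described above, as an added example that is not part of the Gloo documentation: the gloo-addons namespace is labeled for Istio sidecar injection, and an Istio PeerAuthentication resource sets the namespace to STRICT so that the external auth and rate limiting servers refuse plaintext connections instead of merely accepting mTLS. The istio.io/rev label mentioned in the comment is an assumption that applies only if your Istio control plane is installed with a revision.

```yaml
# Namespace for the optional Gloo external auth and rate limiting servers.
# The istio-injection label makes Istio add a sidecar to every pod created here.
# Note: if your Istio control plane was installed with a revision, use the
# label "istio.io/rev: <revision>" instead of "istio-injection: enabled".
apiVersion: v1
kind: Namespace
metadata:
  name: gloo-addons
  labels:
    istio-injection: enabled
---
# Sidecar injection alone leaves mTLS in PERMISSIVE mode, which still accepts
# plaintext. A namespace-wide PeerAuthentication in STRICT mode ensures that
# only mTLS traffic reaches the external auth and rate limiting servers.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: gloo-addons
spec:
  mtls:
    mode: STRICT
```

Apply the manifest before installing the add-ons so that their pods are created with the sidecar, and confirm with `kubectl get pods -n gloo-addons` that each pod reports two containers.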
Gloo Mesh product version
Solo periodically updates Gloo to provide new features as well as security updates. You can review the scan results of Gloo Mesh container images, for example to support compliance reports. Make sure to regularly upgrade your Gloo installation to stay within the supported version policy.
As part of Gloo Mesh, Solo also provides hardened, n-4 support for Istio, including FIPS-certified images with the latest CVE patches. You can use these images when you install or upgrade Istio.
For more information, see the following topics:
Gloo Mesh custom resources
For team access, use Gloo workspaces. Gloo simplifies sharing resources across workspaces with import and export settings. You can even enable federation and service isolation across services at the workspace level. For more information, see Multitenancy with workspaces.
For user access, use Kubernetes RBAC. For more information, see User access.
Gloo Platform metrics and alerts
Use the Gloo Platform operations dashboard to gain insight into the health of Gloo Platform components and get notified about issues in your Gloo Platform environment. For example, receive automatic alerts when the translation or reconciliation time of the Gloo management server is too high, or when errors occur during the translation of Gloo resources.
For more information, see Gloo Platform observability.