Securing Gloo Mesh

Review steps that you can take to make the following Gloo Mesh and service mesh components more secure.

Figure: Areas in your cluster environment that you want to secure.
  1. Gloo Mesh Enterprise components
  2. Istio service mesh
  3. Ingress traffic
  4. Your applications
  5. Underlying infrastructure
  6. Lifecycle and operational security guidance

Gloo Mesh Enterprise components

With Gloo Mesh Enterprise, you get a suite of API tools to install hardened images that help you manage multicluster service meshes. You can also optionally set up modules and other extensions for security features such as dashboard authentication, external auth, and rate limiting.

  1. Review the Best practices for production to prepare the Helm chart configuration file that you use to install Gloo Mesh. The best practices walk you through setting up the following security features.
    • Certificates to secure communication between the management and data planes.
    • Dashboard authentication.
    • Role-based access control.
    • Rate limiting and external authentication deployments.
  2. Review the available versions of Gloo Mesh Enterprise and Gloo Mesh Istio, and note the image that you want to use when you install Gloo Mesh or Istio. For example, you might want to run a solo-fips version of Istio for compliance purposes.
  3. When you install Gloo Mesh, make sure to use the Helm chart configuration file that you prepared.

Optional: Securing Gloo Portal

If you use the Gloo Portal module, review the following ways to secure access.

Gloo Mesh custom resources

To control which users in your clusters can read or write to the Gloo Mesh custom resources, you can use Gloo Mesh's role-based access control.

You can scope access to traffic policies, access policies, and virtual meshes. Additionally, because Gloo Mesh custom resources are translated to Istio custom resources, you can also use the Gloo Mesh role-based API to control permissions for configuring Istio.

For more information, see the following resources.

Istio service mesh

Your installation of Istio affects the security posture of your entire service mesh. Keep in mind that you install Istio separately from Gloo Mesh. For more information about how security works in Istio, see the security and best practices sections in the Istio documentation.

The benefits that Gloo Mesh provides for Istio include hardened Istio images with CVE and security patching for n-4 version support. Istio alpha and experimental features are prevented by default to avoid unintended consequences to your production environments. You can also try out an experimental managed Istio installation for consistency across clusters with Gloo Mesh and the Istio Operator.

  1. Install Istio, reviewing in particular the following security points that are covered in the setup documentation.
    • Recommended namespace configuration, especially separate namespaces for gateways.
    • Persona-driven configuration management.
    • Using a Solo Istio image for backported CVE support.
    • istiod control plane and Istio gateway setup in the IstioOperator configuration file.
  2. Set up certificates for Istio to federate trust across clusters. For production, use a provider such as AWS Certificate Manager or Vault.
  3. Repeat the same Istio installation setup for each workload cluster in your service mesh.
  4. Use the Gloo Mesh role-based API to control who can edit your Gloo Mesh resources, which in turn update your Istio resources.
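The trust federation in step 2 comes down to one root CA that every cluster holds, with each cluster's Istio CA signing workload certificates from its own intermediate. The following shell script is an added example, not Solo.io's or Istio's own tooling: it builds that hierarchy with openssl (assumed to be on PATH), writes the four files that Istio reads from the cacerts secret in istio-system (root-cert.pem, ca-cert.pem, ca-key.pem, cert-chain.pem), issues a SPIFFE-identified workload certificate in one cluster, and then checks it the way a peer in another cluster would. It goes a step beyond the page by also showing the negative case: a cluster that holds a different root rejects the same certificate. The Example Inc. subject, cluster names and service account are constructed placeholders; for production, issue the intermediates from a provider such as AWS Certificate Manager or Vault as the step says, rather than from a root key on disk.

```shell
#!/bin/sh
# Added example (not Solo.io's or Istio's code): shared root CA, per-cluster
# intermediate CAs, one workload certificate, and cross-cluster verification.
# Subjects, cluster names and the SPIFFE ID below are constructed placeholders.
set -eu

# X.509 v3 extensions for a signing CA. basicConstraints is required: without it
# OpenSSL refuses to use the intermediate as a CA when building the chain.
write_ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# Shared root CA in $1: root-key.pem (keep offline) and root-cert.pem (distribute).
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_ca_ext "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root-key.pem" \
    -out "$dir/root.csr" -subj "/O=Example Inc./CN=Root CA" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root-key.pem" \
    -out "$dir/root-cert.pem" -days 3650 -extfile "$dir/ca.ext" 2>/dev/null
}

# Intermediate CA for one cluster: $1 = root dir, $2 = cluster dir, $3 = cluster name.
# Leaves ca-key.pem, ca-cert.pem, root-cert.pem and cert-chain.pem in $2, the
# four keys Istio expects in the cacerts secret of that cluster's istio-system.
make_cluster_ca() {
  root="$1"; dir="$2"; name="$3"
  mkdir -p "$dir"
  write_ca_ext "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca-key.pem" \
    -out "$dir/ca.csr" -subj "/O=Example Inc./CN=$name Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -CA "$root/root-cert.pem" -CAkey "$root/root-key.pem" \
    -CAcreateserial -out "$dir/ca-cert.pem" -days 730 -extfile "$dir/ca.ext" 2>/dev/null
  cp "$root/root-cert.pem" "$dir/root-cert.pem"
  cat "$dir/ca-cert.pem" "$dir/root-cert.pem" > "$dir/cert-chain.pem"
}

# Workload certificate from a cluster CA: $1 = cluster dir, $2 = SPIFFE ID.
# Istio identifies a workload by its SPIFFE URI SAN, so that is what gets signed.
issue_workload_cert() {
  dir="$1"; spiffe="$2"
  printf 'subjectAltName=URI:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$spiffe" > "$dir/workload.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/workload-key.pem" \
    -out "$dir/workload.csr" -subj "/O=Example Inc." 2>/dev/null
  openssl x509 -req -in "$dir/workload.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -out "$dir/workload-cert.pem" -days 1 -extfile "$dir/workload.ext" 2>/dev/null
}

# What a peer does during mTLS: validate the presented leaf plus the presenting
# cluster's intermediate against the root the peer trusts. Prints OK or FAIL.
# $1 = root-cert.pem held by the verifying cluster, $2 = presenting cluster dir.
verify_peer() {
  anchor="$1"; peer="$2"
  if openssl verify -CAfile "$anchor" -untrusted "$peer/ca-cert.pem" \
       "$peer/workload-cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

demo() {
  work=$(mktemp -d)
  make_root_ca "$work/root"
  make_cluster_ca "$work/root" "$work/cluster1" cluster1
  make_cluster_ca "$work/root" "$work/cluster2" cluster2
  issue_workload_cert "$work/cluster2" "spiffe://cluster.local/ns/default/sa/reviews"
  # Shared root: a cluster1 sidecar accepts the cluster2 workload identity.
  echo "cluster1 verifying cluster2 workload (shared root): $(verify_peer "$work/cluster1/root-cert.pem" "$work/cluster2")"
  # Different root: a cluster outside the trust domain rejects the same certificate.
  make_root_ca "$work/other-root"
  echo "unrelated root verifying cluster2 workload: $(verify_peer "$work/other-root/root-cert.pem" "$work/cluster2")"
  rm -rf "$work"
}

demo
```

The point worth checking in your own setup is the second line of output: if a certificate from a cluster you do not intend to trust verifies OK, the clusters share more than you think. Conversely, when a cross-cluster mTLS handshake fails after a cacerts rotation, the first thing to compare is the root-cert.pem on each side of the connection.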

Ingress traffic

If you use the Gloo Mesh Gateway module, you unlock a variety of security features for ingress traffic to your service meshes, such as HTTPS traffic, authentication and authorization, rate limiting, and other advanced routing capabilities.

For deployment options and instructions to use these features, see the Gloo Mesh Gateway guides.

Applications

A service mesh connects the microservices that make up your applications. As such, your app design, container platform, and underlying infrastructure provider all affect the security posture of your service mesh.

Service mesh

Now that you have Gloo Mesh installed, you do not have to edit Istio resources directly. Instead, you configure Gloo Mesh traffic and access policies, and these resources are automatically translated to the Istio resources that you need across your clusters.

These Gloo Mesh resources help you implement security features such as the following:

The following guides can help you set up secure traffic policies for the apps in your service mesh:

Reserved ports and pod requirements

Review the following service mesh and platform docs, which outline which ports are reserved, so that you do not use those ports for other functions in your apps. Other services that you run, such as a database or an application monitoring tool, might reserve additional ports.

App design

The following general practices can help you design your apps.

Underlying infrastructure

The infrastructure provider for the clusters in your service mesh can affect the security posture of the apps that run in your cluster. Consider the following security areas, and consult your infrastructure provider for more information.

Lifecycle and operational security guidance

Review the following resources to help you maintain security across the lifecycle of your apps in Gloo Mesh.