Normally, pod-to-pod communication inside a k8s cluster is sent unencrypted, which is bad security practice.

Mutual TLS between pods uses TLS certificates so that each pod can validate that the other is who it claims to be, and then to encrypt the symmetric key used for the session.

Pod 1 sends a request to Pod 2 –> Pod 2 responds with its public key but also asks for Pod 1's certificate –> Pod 1 encrypts the symmetric key with Pod 2's public key and also sends its own public certificate with the response –> Pod 2 then validates Pod 1's certificate and decrypts the symmetric key with its private key. If all goes well, they then use the symmetric key to encrypt their communication.

Both pods have now proved to each other that they are the real pods in the cluster.

With the symmetric encryption layered on top of this mutual authentication, the traffic is both authenticated and confidential.
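The exchange described above, as an added example that is not part of the original notes: Go's standard crypto/tls library plays both pods in one process, with pod2 demanding and checking pod1's certificate and pod1 checking pod2's. The names "pod1" and "pod2", the self-signed certificates and the net.Pipe stand-in for the network are all constructed here; in a real mesh a cluster CA would issue the certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a short-lived self-signed cert for one pod (in a real mesh the cluster CA would sign it).
func selfSigned(name string) tls.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mtlsHandshake plays the exchange from the notes in-process; pod1 presents its cert only if presentCert.
func mtlsHandshake(presentCert bool) (string, error) {
	pod1, pod2 := selfSigned("pod1"), selfSigned("pod2")
	trusted := x509.NewCertPool() // the identities either pod accepts from a peer
	trusted.AddCert(pod1.Leaf)
	trusted.AddCert(pod2.Leaf)
	p1, p2 := net.Pipe() // unbuffered stand-in for the pod-to-pod TCP connection (hence no session tickets below)
	cfg := &tls.Config{RootCAs: trusted, ServerName: "pod2"} // pod1 checks pod2's cert against the trusted set
	if presentCert {
		cfg.Certificates = []tls.Certificate{pod1} // what pod1 sends back when pod2 asks for its cert
	}
	go func() { // pod1's side of the handshake
		client := tls.Client(p1, cfg)
		defer client.Close()
		if client.Handshake() == nil {
			io.Copy(io.Discard, client) // drain pod2's close, or its rejection alert, so the pipe never stalls
		}
	}()
	server := tls.Server(p2, &tls.Config{Certificates: []tls.Certificate{pod2}, ClientCAs: trusted,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}) // pod2 asks for and verifies pod1's cert
	defer server.Close()
	if err := server.Handshake(); err != nil { // fails when pod1 sends no cert or one pod2 does not trust
		return "", err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName, nil // who pod1 proved to be
}
```

Calling mtlsHandshake(false) shows the check from the other direction: a peer that cannot present a trusted certificate is rejected by pod2 before any application data flows.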

How to Implement

One way is to have the applications themselves do mutual TLS; however, this is very cumbersome and not practical.

The better approach is to let the apps communicate normally and let third-party programs facilitate mTLS between pods.
Two common solutions are Istio and Linkerd.

Istio injects a sidecar that is responsible for intercepting messages and encrypting/decrypting them.

Istio supports two modes for encryption: