Securing a service network

Skupper provides default, built-in security that scales across clusters and clouds. This section describes additional security you can configure.

See Securing a service network using policies for information about creating granular policies for each cluster.

Restricting access to services using network-policy

By default, if you expose a service on the service network, that service is also accessible from other namespaces in the cluster. You can avoid this situation when creating a site using the --create-network-policy option.

Procedure
  1. Create the service network router with a network policy:

    $ skupper init --create-network-policy
  2. Check the site status:

    $ skupper status

    The output should be similar to the following:

    Skupper enabled for namespace 'west'. It is not connected to any other sites.

You can now expose services on the service network and those services are not accessible from other namespaces in the cluster.

Applying TLS to HTTP2 traffic on the service network

By default, the traffic between sites is encrypted, however the traffic between the service pod and the router pod is not encrypted. For services exposed as HTTP2, the traffic between the pod and the router pod can be encrypted using TLS.

Prerequisites
  • Two or more linked sites

  • A HTTP2 frontend and backend service

Procedure
  1. Deploy your backend service.

  2. Expose your backend deployment on the service network, enabling TLS, for example:

    $ skupper expose deployment <deployment-name> --port 443 --protocol http2 --enable-tls

    Enabling TLS creates the necessary certificates required for TLS backends and stores them in a secret named skupper-tls-<deployment-name>.

  3. Modify the backend deployment to include the generated certificates, for example:

    ...
        spec:
          containers:
          ...
            command:
            ...
            - "/certs/tls.key"
            - "/certs/tls.crt"
            ...
            volumeMounts:
            ...
            - mountPath: /certs
              name: certs
              readOnly: true
          volumes:
          - name: index-html
            configMap:
              name: index-html
          - name: certs
            secret:
              secretName: skupper-tls-<deployment-name>

    Each site creates the necessary certificates required for TLS clients and stores them in a secret named skupper-service-client.

  4. Modify the frontend deployment to include the generated certificates, for example:

    spec:
      template:
        spec:
          containers:
          ...
            volumeMounts:
            - name: certs
              mountPath: /tmp/certs/skupper-service-client
          ...
          volumes:
          - name: certs
            secret:
              secretName: skupper-service-client
  5. Test calling the service from a TLS enabled frontend.