How to communicate between services in Kubernetes in a secure way

I have a few node.js microservices running in Kubernetes and now I would need to find a way to communicate between them. I was thinking to expose an endpoint that would only be accessible internally from other pods. I have been searching for hours, but didn’t find a solution that would be secure enough. Is there a way to make it work as such? Thank you!

Solutions/Answers:

Solution 1:

If you want your service to be accessible only from selected pods, you may use Network Policies. They allow you to define which pods can talk to which pods on the network level. For example, you may expose your service through ingress and allow only the ingress controller to talk to your application. That way you can be sure that your application is only available through ingress (with authentication) and no other way.

Network Policies are supported only by some network plugins:

  • Calico
  • Open vSwitch
  • Cilium
  • Weave
  • Romana
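As an added example (not part of the original answer), the manifests below implement the pattern described above: a default-deny policy for the namespace, then an allow rule so that only the ingress controller can reach the application, plus a second rule for one selected internal caller. Every name here is an assumption: the node.js app is taken to run in namespace `shop` with label `app=orders` listening on port 3000, the ingress controller in namespace `ingress-nginx` with label `app.kubernetes.io/name=ingress-nginx`, and the permitted internal caller to be the pods labelled `app=cart` in the same namespace.

```yaml
# Added example; all namespaces, labels and ports are assumptions, not values from the page.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # selects every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-allow-selected-callers
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders          # the pods being protected
  policyTypes:
  - Ingress
  ingress:
  # Rule 1: only the ingress controller pods, in the ingress-nginx namespace.
  # namespaceSelector and podSelector in the same list item are ANDed together.
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx
      podSelector:
        matchLabels:
          app.kubernetes.io/name: ingress-nginx
    ports:
    - protocol: TCP
      port: 3000
  # Rule 2: one internal microservice in the same namespace may call orders directly.
  - from:
    - podSelector:
        matchLabels:
          app: cart
    ports:
    - protocol: TCP
      port: 3000
```

Two things worth checking after applying this: first, that the cluster's network plugin actually enforces NetworkPolicy (on a plugin without support the objects are accepted but have no effect, so a connection from an unrelated pod still succeeds); second, that a pod outside the allowed set, for example a temporary pod in another namespace, can no longer open a connection to port 3000 of the orders pods, while the ingress path keeps working.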

Solution 2:

Natively, Kubernetes does not provide a mutual TLS solution for encrypted communication between services; that’s where Istio with mutual TLS authentication brings this functionality to the platform.
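As an added example (not part of the original answer), the manifests below show how the mutual TLS described above is switched on with Istio and how the resulting workload identity can then be used to restrict who may call a service. Both resources are standard Istio API objects; the namespace `shop`, the label `app=orders` and the service account `cart` are assumptions, not values from the page.

```yaml
# Added example. Requires Istio sidecars to be injected into the workloads;
# namespace, labels and service-account names are assumptions.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # placed in the root namespace, this applies mesh-wide
spec:
  mtls:
    mode: STRICT            # plaintext connections between sidecars are rejected
---
# With STRICT mTLS every caller presents a certificate tied to its service account,
# so authorization can be expressed in terms of that identity rather than IP addresses.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-cart-only
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - "cluster.local/ns/shop/sa/cart"   # SPIFFE-style identity of the cart pods
    to:
    - operation:
        methods: ["GET", "POST"]
```

Roll STRICT mode out per namespace first (the same PeerAuthentication with `namespace: shop` instead of `istio-system`) if some workloads do not yet have a sidecar, since those would otherwise lose connectivity. Once an AuthorizationPolicy with `action: ALLOW` selects a workload, any request not matched by one of its rules is denied, which is the behaviour you want here.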

Solution 3:

Simply use ‘ClusterIP’ as the service type. This would keep your services exposed only within the cluster. You can use services by their name over HTTP.

For any service that needs to be reachable publicly you may need to use the LoadBalancer service type or an ingress controller.
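As an added example (not part of the original answer), this is the Service object the answer refers to, for an assumed node.js deployment labelled `app=orders` in namespace `shop` that listens on port 3000. Other pods in the cluster reach it by name, as `http://orders` from the same namespace or `http://orders.shop.svc.cluster.local` from any namespace.

```yaml
# Added example; namespace, labels and ports are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: orders               # becomes the DNS name orders.shop.svc.cluster.local
  namespace: shop
spec:
  type: ClusterIP            # the default: no NodePort and no external load balancer is created
  selector:
    app: orders              # pods that receive the traffic
  ports:
  - name: http
    protocol: TCP
    port: 80                 # port that callers inside the cluster use
    targetPort: 3000         # port the node.js process listens on inside the pod
```

Note what this does and does not give you: a ClusterIP keeps the service off the node network and away from external clients, but every pod in the cluster can still connect to it. Limiting the callers to specific pods is what the NetworkPolicy approach in Solution 1 adds, and encryption plus caller identity is what the mutual TLS approach in Solution 2 adds; the three answers combine rather than compete.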
