Kubernetes · DevOps · ~30 mins

Mutual TLS for service communication in Kubernetes - Mini Project: Build & Apply

Mutual TLS for service communication
📖 Scenario: You are setting up secure communication between two services in a Kubernetes cluster. To protect data and verify identities, you will configure mutual TLS (mTLS) so both services trust each other before exchanging information.
🎯 Goal: Build a simple Kubernetes setup where two services communicate securely using mutual TLS. You will create certificates, configure secrets, and update service deployment manifests to enable mTLS.
📋 What You'll Learn
Create Kubernetes secrets to hold TLS certificates
Configure service deployments to use TLS certificates
Enable mutual TLS between two services
Verify secure communication by checking pod logs
💡 Why This Matters
🌍 Real World
Mutual TLS is used in microservices to ensure encrypted and authenticated communication, preventing eavesdropping and impersonation.
💼 Career
Understanding mTLS setup in Kubernetes is essential for DevOps engineers and SREs to secure service-to-service communication in cloud-native environments.
Step 1: Create TLS certificates as Kubernetes secrets
Create two Kubernetes secrets named service-a-tls and service-b-tls using TLS certificate files service-a.crt, service-a.key and service-b.crt, service-b.key respectively. Use the kubectl create secret tls command for each secret.

Hint: Use kubectl create secret tls <secret-name> --cert=<cert-file> --key=<key-file> to create each secret.

Step 2: Add volume mounts for TLS secrets in service deployments
Edit the deployment YAML files for service-a and service-b to add a volume named tls-certs that uses the corresponding TLS secret (service-a-tls for service-a, service-b-tls for service-b). Then add a volume mount at /etc/tls in the container spec to use this volume.

Hint: Add a volumes section referencing the TLS secret, and a volumeMounts section in the container spec to mount at /etc/tls.

Step 3: Configure services to use mutual TLS for communication
Update the service configurations or application environment variables to enable mutual TLS. Set variables TLS_CERT_PATH=/etc/tls/tls.crt and TLS_KEY_PATH=/etc/tls/tls.key for both services. Also configure each service to trust the other's certificate by mounting the peer's certificate as a trusted CA.

Hint: Set environment variables for TLS cert and key paths. Mount the peer service's TLS secret as a trusted CA at /etc/peer-ca.

Step 4: Verify mutual TLS communication between services
Use kubectl logs to check the logs of service-a and service-b pods. Confirm that both services report successful TLS handshake and secure communication.

Hint: Use kubectl logs -l app=service-a and kubectl logs -l app=service-b to see logs from pods labeled app=service-a and app=service-b.
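As an added, end-to-end example (not code from the original mini project), the POSIX shell script below carries out the four steps: it generates one self-signed certificate per service with openssl, creates the two secrets, emits a deployment manifest for each service with the tls-certs volume, the /etc/tls mount, the TLS_CERT_PATH and TLS_KEY_PATH variables and the peer certificate mounted at /etc/peer-ca, and checks both pods' logs for a handshake line. The container images, the default namespace, the in-cluster DNS names in the certificate SANs and the TLS_PEER_CA_PATH variable are assumptions; the page itself names only TLS_CERT_PATH and TLS_KEY_PATH. Two details matter for the setup to be both working and safe: kubectl create secret tls stores the files under the keys tls.crt and tls.key, which is why the paths in step 3 end that way, and mounting the whole peer secret would hand the peer's private key to the other pod, so the manifest mounts only the tls.crt item of the peer secret.

```shell
#!/bin/sh
# Added example, not part of the original mini-project page: it generates the
# certificates, secrets and deployment manifests the four steps describe.
# Assumptions: namespace "default", placeholder image names, and an application
# that reads TLS_CERT_PATH, TLS_KEY_PATH and TLS_PEER_CA_PATH (the last is assumed).
set -eu

# Prerequisite for step 1: one self-signed certificate per service, with a SAN
# matching the in-cluster DNS name so the peer can verify the presented cert.
gen_self_signed_cert() {  # $1 = service name, $2 = output dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1,DNS:$1.default.svc,DNS:$1.default.svc.cluster.local" \
    -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Step 1: kubectl create secret tls stores the files under the keys tls.crt and
# tls.key, which is why step 3 points TLS_CERT_PATH at /etc/tls/tls.crt.
create_tls_secret() {  # $1 = service name, $2 = dir holding $1.crt and $1.key
  kubectl create secret tls "$1-tls" --cert="$2/$1.crt" --key="$2/$1.key"
}

# Steps 2 and 3: deployment manifest for one service. The peer's secret is
# mounted at /etc/peer-ca, but only its tls.crt item, so the peer's private
# key never enters this pod.
deployment_manifest() {  # $1 = this service, $2 = peer service
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: $1
  template:
    metadata:
      labels:
        app: $1
    spec:
      containers:
      - name: $1
        image: example.com/$1:latest   # placeholder image
        env:
        - name: TLS_CERT_PATH
          value: /etc/tls/tls.crt
        - name: TLS_KEY_PATH
          value: /etc/tls/tls.key
        - name: TLS_PEER_CA_PATH        # assumed variable name read by the app
          value: /etc/peer-ca/tls.crt
        volumeMounts:
        - name: tls-certs
          mountPath: /etc/tls
          readOnly: true
        - name: peer-ca
          mountPath: /etc/peer-ca
          readOnly: true
      volumes:
      - name: tls-certs
        secret:
          secretName: $1-tls
          defaultMode: 0400
      - name: peer-ca
        secret:
          secretName: $2-tls
          items:
          - key: tls.crt
            path: tls.crt
EOF
}

# Step 4: succeeds (exit 0) only when both services log a TLS handshake.
verify_mtls() {
  kubectl logs -l app=service-a | grep -qi "tls handshake" &&
  kubectl logs -l app=service-b | grep -qi "tls handshake"
}

# Writes both manifests into $1 so they can be inspected before applying.
write_manifests() {
  deployment_manifest service-a service-b > "$1/service-a-deployment.yaml"
  deployment_manifest service-b service-a > "$1/service-b-deployment.yaml"
}

# Only talk to a cluster when asked explicitly (MTLS_APPLY=1); otherwise the
# script just defines the functions above.
if [ "${MTLS_APPLY:-0}" = "1" ]; then
  work=$(mktemp -d)
  gen_self_signed_cert service-a "$work"
  gen_self_signed_cert service-b "$work"
  create_tls_secret service-a "$work"
  create_tls_secret service-b "$work"
  write_manifests "$work"
  kubectl apply -f "$work/service-a-deployment.yaml" -f "$work/service-b-deployment.yaml"
  verify_mtls && echo "mTLS handshake confirmed in both pods"
fi
```

Run it with MTLS_APPLY=1 against a cluster; without that variable it only defines the functions, so write_manifests can be called to review the generated YAML first. Because the certificates are self-signed, each leaf certificate is its own trust anchor, which is what lets the peer's tls.crt serve as the trusted CA in step 3; with a shared CA you would mount the CA certificate at /etc/peer-ca instead and the peer's leaf would not need to be copied at all.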