Bird
Raised Fist0
Kubernetesdevops~5 mins

Mutual TLS for service communication in Kubernetes - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is Mutual TLS (mTLS) in service communication?
Mutual TLS is a security method where both client and server verify each other's identity using certificates before exchanging data. This ensures both sides are trusted.
Click to reveal answer
beginner
Why is Mutual TLS important in Kubernetes service communication?
It protects data by encrypting traffic and ensures only trusted services can talk to each other, preventing attackers from impersonating services.
Click to reveal answer
intermediate
Which Kubernetes tool commonly helps implement Mutual TLS automatically?
Istio is a popular service mesh that can automatically manage certificates and enforce Mutual TLS between services.
Click to reveal answer
beginner
What Kubernetes resource is typically used to store TLS certificates for mTLS?
Secrets are used to securely store TLS certificates and keys needed for Mutual TLS authentication.
Click to reveal answer
beginner
How does Mutual TLS differ from regular TLS?
Regular TLS verifies only the server to the client. Mutual TLS verifies both client and server to each other.
Click to reveal answer
What does Mutual TLS ensure in service communication?
ANo authentication is performed
BOnly the server is authenticated
CBoth client and server authenticate each other
DOnly the client is authenticated
Which Kubernetes component can help automate mTLS setup between services?
AIstio
Bkubectl
Ckube-proxy
Dkube-scheduler
Where are TLS certificates usually stored in Kubernetes for mTLS?
ASecrets
BConfigMaps
CPods
DNamespaces
What is the main benefit of using mTLS over regular TLS?
AEncrypts traffic only
BAuthenticates both client and server
CFaster connection setup
DNo certificate needed
Which of these is NOT a feature of mTLS in Kubernetes?
AVerifies identities of both services
BPrevents unauthorized service access
CEncrypts service-to-service traffic
DAutomatically scales pods
Explain how Mutual TLS works to secure communication between two Kubernetes services.
Think about how two friends check each other's ID before sharing secrets.
You got /4 concepts.
    Describe the role of Istio in implementing Mutual TLS in a Kubernetes cluster.
    Istio acts like a security guard for service conversations.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of Mutual TLS (mTLS) in Kubernetes service communication?
      easy
      A. To disable encryption for faster debugging
      B. To increase the speed of service communication
      C. To allow services to communicate without authentication
      D. To encrypt data and verify identities between services

      Solution

      1. Step 1: Understand mTLS purpose

        Mutual TLS encrypts data and verifies both client and server identities to secure communication.

      2. Step 2: Compare options

        Only To encrypt data and verify identities between services correctly describes encryption and identity verification, others are incorrect or opposite.

      3. Final Answer:

        To encrypt data and verify identities between services -> Option D

      4. Quick Check:

        mTLS = encrypt + verify identities [OK]
      Hint: mTLS means both encryption and identity check [OK]
      Common Mistakes:
      • Thinking mTLS only encrypts but doesn't verify identity
      • Confusing mTLS with disabling security
      • Assuming mTLS speeds up communication
      2. Which PeerAuthentication mode in Istio allows both encrypted (mTLS) and plain traffic to a service?
      easy
      A. STRICT
      B. PERMISSIVE
      C. DISABLE
      D. ENFORCED

      Solution

      1. Step 1: Recall PeerAuthentication modes

        STRICT enforces mTLS only, PERMISSIVE allows both mTLS and plain, DISABLE turns off mTLS.

      2. Step 2: Match mode to description

        PERMISSIVE mode allows both encrypted and plain traffic, matching the question.

      3. Final Answer:

        PERMISSIVE -> Option B

      4. Quick Check:

        PERMISSIVE = both encrypted and plain allowed [OK]
      Hint: PERMISSIVE means allow both secure and insecure traffic [OK]
      Common Mistakes:
      • Confusing STRICT with PERMISSIVE
      • Thinking DISABLE allows encrypted traffic
      • Assuming ENFORCED is a valid mode
      3. Given this PeerAuthentication YAML snippet:
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: myapp
spec:
  mtls:
    mode: STRICT

      What happens when a service in namespace myapp receives plain HTTP traffic?
      medium
      A. The traffic is rejected because mTLS is enforced
      B. The traffic is accepted without encryption
      C. The traffic is accepted but logged as insecure
      D. The traffic is redirected to HTTPS automatically

      Solution

      1. Step 1: Analyze PeerAuthentication mode

        The mode is STRICT, which enforces mTLS for all incoming traffic in the namespace.

      2. Step 2: Understand effect on plain HTTP

        Plain HTTP traffic without mTLS will be rejected because encryption and identity verification are mandatory.

      3. Final Answer:

        The traffic is rejected because mTLS is enforced -> Option A

      4. Quick Check:

        STRICT mode rejects plain HTTP [OK]
      Hint: STRICT mode blocks non-mTLS traffic [OK]
      Common Mistakes:
      • Assuming plain HTTP is accepted in STRICT mode
      • Thinking traffic is redirected automatically
      • Confusing logging with rejection
      4. You applied this PeerAuthentication config but your service still accepts plain HTTP traffic:
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: test
spec:
  mtls:
    mode: STRICT

      What is the most likely reason?
      medium
      A. The service is in a different namespace than 'test'
      B. PeerAuthentication resource is missing the selector field
      C. STRICT mode allows plain HTTP by default
      D. mTLS is disabled globally in Istio

      Solution

      1. Step 1: Check namespace scope

        PeerAuthentication applies only to the specified namespace 'test'. If the service is outside, it won't be affected.

      2. Step 2: Understand effect on service

        If the service is in another namespace, it won't enforce STRICT mode and may accept plain HTTP.

      3. Final Answer:

        The service is in a different namespace than 'test' -> Option A

      4. Quick Check:

        Namespace mismatch causes no mTLS enforcement [OK]
      Hint: PeerAuthentication applies per namespace only [OK]
      Common Mistakes:
      • Assuming STRICT mode allows plain HTTP
      • Thinking selector is mandatory for namespace-wide policy
      • Ignoring namespace differences
      5. You want to enforce mTLS only for service payments in namespace finance, but allow other services to accept plain traffic. Which PeerAuthentication config achieves this?
      hard
      A. 
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: permissive-all
  namespace: finance
spec:
  mtls:
    mode: PERMISSIVE
      B. 
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance-wide
  namespace: finance
spec:
  mtls:
    mode: STRICT
      C. 
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-mtls
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
      D. 
      apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-disable
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: DISABLE

      Solution

      1. Step 1: Understand requirement

        Enforce mTLS STRICT only for 'payments' service, allow others to accept plain traffic.

      2. Step 2: Analyze options

        apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-mtls
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
        applies STRICT mode with selector for 'payments' only. 
        apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: finance-wide
  namespace: finance
spec:
  mtls:
    mode: STRICT
        enforces STRICT for whole namespace, not desired. 
        apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: permissive-all
  namespace: finance
spec:
  mtls:
    mode: PERMISSIVE
        allows both for all services. 
        apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-disable
  namespace: finance
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: DISABLE
        disables mTLS for payments, opposite of requirement.

      3. Final Answer:

        PeerAuthentication with selector for payments and STRICT mode -> Option C

      4. Quick Check:

        Selector + STRICT = mTLS only for selected service [OK]
      Hint: Use selector with STRICT mode for specific service enforcement [OK]
      Common Mistakes:
      • Applying STRICT mode to whole namespace accidentally
      • Using DISABLE mode when enforcement is needed
      • Not using selector to target specific service