Secure traffic between pods in cluster

In some hosting environments/configurations, the network traffic between pods (applications) may traverse the public Internet. As a result, I'd like to secure the communication between the pods.

For example, I have the following structure:

Service_A - edge service in my product and provides access to my API to external users via public IP.

Service_B and Service_C - microservices that have ClusterIP(s).

As I understand, I can secure traffic user <-> Service_A by using an Ingress controller with an SSL certificate.

But how should I secure Service_A<->Service_B communication? Create additional ingress services to wrap microservices? Are there any best practices for such cases?

One detail: microservices use gRPC for communication.

Thanks

max.kondr asked Jan 04 '23 21:01

1 Answer

A simple, generic solution that I like is to run a reverse-proxy (such as nginx) in each pod. All of your app containers will listen on localhost or unix sockets, and the ssl proxy will terminate external HTTPS connections. This makes it easy to audit your SSL config across all your apps, since every connection is terminated by the same nginx config.

Certificate distribution is the primary challenge with this approach. For external services, you can use LetsEncrypt to generate certs. For internal services, you'll need a private CA that is trusted by your ssl-proxy. You can mount the CA cert in a config-map at runtime. You'd then generate a cert per app or per-pod, and mount that as a Secret consumed in the ssl-proxy container.

If this sounds like too much work, you might want to look at https://github.com/istio/istio, which aims to automate the cluster CA role, and the provision of per-pod certificates.

Symmetric answered Jan 09 '23 00:01

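The sidecar pattern from the answer above, written out as an added example (not part of the original answer): an nginx container in the same Pod as Service_B terminates TLS for gRPC, the app container listens on localhost only, the CA certificate comes from a ConfigMap and the per-service certificate from a Secret. It goes one step beyond the answer by also requiring a client certificate (mutual TLS), so only peers holding a certificate from the private CA can reach the app. The names `service-b`, `internal-ca`, `service-b-tls`, the image names, the `--listen` argument and port 50051 are assumptions; the PEM contents are placeholders.

```yaml
# Added example (not from the answer above): Service_B Pod with an nginx
# TLS-terminating sidecar for gRPC. All names below are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: service-b-proxy-config
data:
  nginx.conf: |
    events {}
    http {
      server {
        # Only the proxy is reachable on the Pod IP; gRPC requires HTTP/2.
        listen 443 ssl http2;
        server_name service-b.default.svc.cluster.local;

        # Per-service certificate issued by the private CA, mounted from a Secret.
        ssl_certificate     /etc/tls/tls.crt;
        ssl_certificate_key /etc/tls/tls.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Private CA from the ConfigMap. Requiring a client certificate (mTLS)
        # means only peers with a CA-issued certificate can reach the app.
        ssl_client_certificate /etc/ca/ca.crt;
        ssl_verify_client      on;

        location / {
          # Plaintext gRPC to the app container, which binds to localhost only.
          grpc_pass grpc://127.0.0.1:50051;
        }
      }
    }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: internal-ca
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-PEM-OF-THE-PRIVATE-CA-CERTIFICATE
    -----END CERTIFICATE-----
---
apiVersion: v1
kind: Secret
metadata:
  name: service-b-tls
type: kubernetes.io/tls
data:
  tls.crt: PLACEHOLDER-BASE64-PEM-CERT-FOR-SERVICE-B-ISSUED-BY-INTERNAL-CA
  tls.key: PLACEHOLDER-BASE64-PEM-PRIVATE-KEY
---
apiVersion: v1
kind: Pod
metadata:
  name: service-b
  labels:
    app: service-b
spec:
  containers:
    - name: app
      image: example.com/service-b:latest   # placeholder image
      # The app binds 127.0.0.1 only, so it is reachable solely through the
      # sidecar, which shares the Pod's network namespace.
      args: ["--listen", "127.0.0.1:50051"]
    - name: ssl-proxy
      image: nginx:1.25
      ports:
        - containerPort: 443
      volumeMounts:
        - name: proxy-config
          mountPath: /etc/nginx/nginx.conf
          subPath: nginx.conf
          readOnly: true
        - name: tls
          mountPath: /etc/tls
          readOnly: true
        - name: ca
          mountPath: /etc/ca
          readOnly: true
  volumes:
    - name: proxy-config
      configMap:
        name: service-b-proxy-config
    - name: tls
      secret:
        secretName: service-b-tls
    - name: ca
      configMap:
        name: internal-ca
```

The ClusterIP Service for Service_B then targets port 443 rather than the app port, and Service_A's gRPC client dials it with TLS, trusting `ca.crt` and presenting its own CA-issued certificate. A quick check of the setup from another pod is to connect with `openssl s_client -connect <service-b>:443 -CAfile ca.crt` and confirm the handshake is rejected when no client certificate is supplied and the chain verifies when one is.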