Secure access across services

This page explains how secure access is provided across a Kuma deployment:

  • Security between our services, via the mTLS policy.
  • Security between the Kuma control plane and its data plane proxies, via the data plane proxy token.
  • Security when accessing the control plane.
  • Security when external systems access the control plane.

Kuma stores autogenerated certificates and other files in a working directory. The default value for this directory is $HOME/.kuma. You can change the working directory by setting the KUMA_GENERAL_WORK_DIR environment variable.

This section is not to be confused with the mTLS policy that we can apply to a Mesh to secure service-to-service traffic.

Data plane proxy to control plane communication

A data plane proxy connects to the control plane for its configuration, including mTLS certificates described in the following sections.

Encrypted communication

Because the data plane proxy and the control plane exchange sensitive information, the communication needs to be encrypted by TLS. By default, the control plane’s server that is consumed by the data plane proxy is secured by TLS with autogenerated certificates.

It is recommended that the data plane proxy verifies the identity of the control plane. To do so, data plane proxies need to obtain the CA that was used to generate the certificate by which the control plane’s server is secured. Note, this CA is not the same CA for service-to-service communication.

To override autogenerated certificates

1) Prepare certificates

Generate a TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt, /tmp/tls.key. Store the CA that was used to sign this pair in /tmp/ca.crt

We can also use kumactl to generate self-signed certs.

  1. kumactl generate tls-certificate \
  2. --type=server \
  3. --hostname=kuma-control-plane.kuma-system \ # adjust the name if you are installing Kuma to other namespace
  4. --hostname=kuma-control-plane.kuma-system.svc \ # adjust the name if you are installing Kuma to other namespace
  5. --cert-file=/tmp/tls.crt \
  6. --key-file=/tmp/tls.key
  7. cp /tmp/tls.crt /tmp/ca.crt # since this is self-signed cert, the cert is also a CA

2) Create a secret in the namespace where the control plane is installed

  1. kubectl create secret generic general-tls-certs -n kuma-system \
  2. --from-file=tls.crt=/tmp/tls.crt \
  3. --from-file=tls.key=/tmp/tls.key \
  4. --from-file=ca.crt=/tmp/ca.crt

3) Point to this secret when installing Kuma

  1. kumactl install control-plane \
  2. --tls-general-secret=general-tls-certs \
  3. --tls-general-ca-bundle=$(cat /tmp/ca.crt | base64)

The data plane proxy Injector in the control plane automatically provides the CA to the Kuma DP sidecar so Kuma DP can confirm the control plane identity.

When configured using the --tls-general-secret and --tls-general-ca-bundle flags, Kuma will use the specified CA and certificate to protect data plane proxy to control plane traffic. Additionally, if not configured otherwise using additional options described below, Kuma will also use the specified CA and certificate to protect user to control plane traffic and control plane to control plane traffic when in multizone configurations.

1) Prepare certificates

Generate TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt, /tmp/tls.key. Store the CA that was used to sign this pair in /tmp/ca.crt

We can also use kumactl to generate self-signed certs.

  1. kumactl generate tls-certificate \
  2. --type=server \
  3. --hostname=kuma-control-plane.kuma-system \ # adjust the name if you are installing Kuma to other namespace
  4. --hostname=kuma-control-plane.kuma-system.svc \ # adjust the name if you are installing Kuma to other namespace
  5. --cert-file=/tmp/tls.crt \
  6. --key-file=/tmp/tls.key
  7. cp /tmp/tls.crt /tmp/ca.crt # since this is self-signed cert, the cert is also a CA

2) Create a secret in the namespace where the control plane is installed

  1. kubectl create secret generic general-tls-certs -n kuma-system \
  2. --from-file=tls.crt=/tmp/tls.crt \
  3. --from-file=tls.key=/tmp/tls.key \
  4. --from-file=ca.crt=/tmp/ca.crt

3) Point to this secret when installing Kuma

Set controlPlane.tls.general.secretName to general-tls-certs and controlPlane.tls.general.caBundle to <BASE64 content of ca.crt>

The data plane proxy Injector in the control plane automatically provides the CA to the Kuma DP sidecar so Kuma DP can confirm the control plane identity.

When configured using the controlPlane.tls.general.secretName and controlPlane.general.caBundle values in Helm, Kuma will use the specified CA and certificate to protect data plane proxy to control plane traffic. Additionally, if not configured otherwise using options described below, Kuma will also use the specified CA and certificate to protect user to control plane traffic and control plane to control plane traffic when in multizone configurations.

1) Prepare certificates Generate TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt, /tmp/tls.key. Store the CA that was used to sign this pair in /tmp/ca.crt

We can also use kumactl to generate self-signed certs.

  1. kumactl generate tls-certificate \
  2. --type=server \
  3. --hostname=<KUMA_CP_DNS_NAME> \ # set the hostname to a name which will be used by Kuma DP to connect to Kuma CP
  4. --cert-file=/tmp/tls.crt \
  5. --key-file=/tmp/tls.key
  6. cp /tmp/tls.crt /tmp/ca.crt # since this is self-signed cert, the cert is also a CA

2) Configure the control plane with generated certificates

  1. KUMA_DP_SERVER_TLS_CERT_FILE=/tmp/tls.crt \
  2. KUMA_DP_SERVER_TLS_KEY_FILE=/tmp/tls.key \
  3. kuma-cp run

3) Configure the data plane proxy with CA

  1. kuma-dp run \
  2. --cp-address=https://<KUMA_CP_DNS_NAME>:5678 \ # make sure the address matches the hostname in the certificate
  3. --ca-cert-file=/tmp/ca.crt \ # provide a file with CA
  4. --dataplane-file=dp.yaml \
  5. --dataplane-token-file=/tmp/kuma-dp-redis-1-token

You can also provide the CA via environment variable KUMA_CONTROL_PLANE_CA_CERT.

Authentication

See Data plane proxy authentication and Zone Ingress authentication.

User to control plane communication

Users and automation tools can interact with the control plane via the API Server using tools like curl or kumactl. API Server is exposed by default on :5681 on HTTP and :5682 on HTTPS.

Encrypted communication

The API Server HTTPS server is secured by default by autogenerated certificates.

To override autogenerated certificates.

1) Prepare certificates

Generate TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt, /tmp/tls.key. Store the CA that was used to sign this pair in /tmp/ca.crt

We can also use kumactl to generate self-signed certs.

  1. kumactl generate tls-certificate \
  2. --type=server \
  3. --hostname=<KUMA_CP_DNS_NAME> \ # pick a name that will be used by kumactl or other client to connect to the control plane
  4. --cert-file=/tmp/tls.crt \
  5. --key-file=/tmp/tls.key
  6. cp /tmp/tls.crt /tmp/ca.crt # since this is self-signed cert, the cert is also a CA

2) Configure the control plane with generated certificates

Create a secret in the namespace in which the control plane is installed

  1. kubectl create secret tls api-server-tls -n kuma-system \
  2. --cert=/tmp/tls.crt \
  3. --key=/tmp/tls.key

Point to this secret when installing Kuma

  1. kumactl install control-plane \
  2. --tls-api-server-secret=api-server-tls

Create a secret in the namespace in which the control plane is installed

  1. kubectl create secret tls api-server-tls -n kuma-system \
  2. --cert=/tmp/tls.crt \
  3. --key=/tmp/tls.key

Set controlPlane.tls.apiServer.secretName to api-server-tls

Point to the certificate and the key.

  1. KUMA_API_SERVER_HTTPS_TLS_CERT_FILE=/tmp/tls.crt \
  2. KUMA_API_SERVER_HTTPS_TLS_KEY_FILE=/tmp/tls.key \
  3. kuma-cp run

3) Configure secure connection using kumactl CLI tool.

  1. kumactl config control-planes add \
  2. --name=<NAME> \
  3. --address=https://<KUMA_CP_DNS_NAME>:5682 \
  4. --ca-cert-file=/tmp/ca.crt \

We can also hide the HTTP version of API Server by binding it to localhost KUMA_API_SERVER_HTTP_INTERFACE: 127.0.0.1 or by disabling it altogether KUMA_API_SERVER_HTTP_ENABLED: false

Authentication

See API Server authentication.

Control plane to control plane (Multizone)

A zone control plane connects to a global control plane for policies configuration.

Encrypted communication

Because the global control plane and the zone control plane exchange sensitive information, the communication needs to be encrypted by TLS. By default, the global control plane’s server that is consumed by the zone control plane is secured by TLS with autogenerated certificates.

It is recommended that the zone control plane verifies the identity of the global control plane. To do so, zone control planes need to obtain the CA that was used to generate the certificate by which the control plane’s server is secured.

To override autogenerated certificates

1) Prepare certificates

Generate TLS pair with a PKI of your choice and store it in PEM-encoded format in /tmp/tls.crt, /tmp/tls.key. Store the CA that was used to sign this pair in /tmp/ca.crt

We can also use kumactl to generate self-signed certs.

  1. kumactl generate tls-certificate \
  2. --type=server \
  3. --hostname=<CROSS_ZONE_KUMA_CP_DNS_NAME> \
  4. --cert-file=/tmp/tls.crt \
  5. --key-file=/tmp/tls.key
  6. cp /tmp/tls.crt /tmp/ca.crt # since this is self-signed cert, the cert is also a CA

2) Configure global control plane

Create a secret in the namespace where the global control plane is installed

  1. kubectl create secret tls kds-server-tls -n kuma-system \
  2. --cert=/tmp/tls.crt \
  3. --key=/tmp/tls.key

Point to this secret when installing the global control plane

  1. kumactl install control-plane \
  2. --mode=global \
  3. --tls-kds-global-server-secret=general-tls-certs

Create a secret in the namespace where the global control plane is installed

  1. kubectl create secret tls kds-server-tls -n kuma-system \
  2. --cert=/tmp/tls.crt \
  3. --key=/tmp/tls.key

Set controlPlane.tls.kdsGlobalServer.secretName to kds-server-tls.

Point to the certificate and the key.

  1. KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE=/tmp/tls.crt \
  2. KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE=/tmp/tls.key \
  3. KUMA_MODE=global \
  4. kuma-cp run

3) Configure the zone control plane

Create a secret in the namespace where the zone control plane is installed

  1. kubectl create secret generic kds-ca-certs -n kuma-system \
  2. --from-file=ca.crt.pem=/tmp/ca.crt

Point to this secret when installing the zone control plane

  1. kumactl install control-plane \
  2. --mode=zone \
  3. --tls-kds-zone-client-secret=kds-ca-certs

Create a secret in the namespace where the zone control plane is installed

  1. kubectl create secret generic kds-ca-certs -n kuma-system \
  2. --from-file=ca.crt.pem=/tmp/ca.crt

Set controlPlane.tls.kdsZoneClient.secretName to kds-ca-certs.

Point to the certificate and the key.

  1. KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE=/tmp/ca.crt \
  2. KUMA_MODE=zone \
  3. KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS=grpcs://<CROSS_ZONE_KUMA_CP_DNS_NAME>:5685 \
  4. kuma-cp run

Authentication

Define firewall rules on the global control plane to only accept connections from known IPs of the zone control planes.

Third-party extensions, cloud implementations or commercial offerings may be extending the authentication support.

Control plane to Postgres communication

Since on Universal secrets such as provided CA’s private key are stored in Postgres, a connection between Postgres and Kuma CP should be secured with TLS.

To secure the connection, we first need to pick the security mode using KUMA_STORE_POSTGRES_TLS_MODE. There are several modes:

  • disable - is not secured with TLS (secrets will be transmitted over network in plain text).
  • verifyNone - the connection is secured but neither hostname, nor by which CA the certificate is signed is checked.
  • verifyCa - the connection is secured and the certificate presented by the server is verified using the provided CA.
  • verifyFull - the connection is secured, certificate presented by the server is verified using the provided CA and server hostname must match the one in the certificate.

The CA used to verify the server’s certificate can be set using the KUMA_STORE_POSTGRES_TLS_CA_PATH environment variable.

After configuring the above security settings in Kuma, we also have to configure Postgres’ pg_hba.conf file to restrict unsecured connections.

Here is an example configuration that will allow only TLS connections and will require username and password:

  1. # TYPE DATABASE USER ADDRESS METHOD
  2. hostssl all all 0.0.0.0/0 password

We can also provide a client key and certificate for mTLS using the KUMA_STORE_POSTGRES_TLS_CERT_PATH and KUMA_STORE_POSTGRES_TLS_KEY_PATH variables. This pair can be used in conjunction with the cert auth-method described here.