Mutual TLS

This policy enables automatic encrypted mTLS traffic for all the services in a Mesh, as well as assigning an identity to every data plane proxy. Kuma supports different types of CA backends as well as automatic certificate rotation.

Kuma ships with the following CA (Certificate Authority) supported backends:

  • builtin: it automatically auto-generates a CA root certificate and key, that are also being automatically stored as a Secret.
  • provided: the CA root certificate and key are being provided by the user in the form of a Secret.

Once a CA backend has been specified, Kuma will then automatically generate a certificate for every data plane proxy in the Mesh. The certificates that Kuma generates are SPIFFE compatible and are used for AuthN/Z use-cases in order to identify every workload in our system.

The certificates that Kuma generates have a SAN set to spiffe://<mesh name>/<service name>. When Kuma enforces policies that require an identity like TrafficPermission it will extract the SAN from the client certificate and use it to match the service identity.

Remember that by default mTLS is not enabled and needs to be explicitly enabled as described below. Also remember that by default when mTLS is enabled all traffic is denied unless a TrafficPermission policy is being configured to explicitly allow traffic across proxies.

Always make sure that a TrafficPermission resource is present before enabling mTLS in a Mesh in order to avoid unexpected traffic interruptions caused by a lack of authorization between proxies.

To enable mTLS we need to configure the mtls property in a Mesh resource. We can have as many backends as we want, but only one at a time can be enabled via the enabledBackend property.

If enabledBackend is missing or empty, then mTLS will be disabled for the entire Mesh.

Usage of “builtin” CA

This is the fastest and simplest way to enable mTLS in Kuma.

With a builtin CA backend type, Kuma will dynamically generate its own CA root certificate and key that it uses to automatically provision (and rotate) certificates for every replica of every service.

We can specify more than one builtin backend with different names, and each one of them will be automatically provisioned with a unique pair of certificate + key (they are not shared).

To enable a builtin mTLS for the entire Mesh we can apply the following configuration:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. mtls:
  7. enabledBackend: ca-1
  8. backends:
  9. - name: ca-1
  10. type: builtin
  11. dpCert:
  12. rotation:
  13. expiration: 1d
  14. conf:
  15. caCert:
  16. RSAbits: 2048
  17. expiration: 10y

We will apply the configuration with kubectl apply -f [..].

  1. type: Mesh
  2. name: default
  3. mtls:
  4. enabledBackend: ca-1
  5. backends:
  6. - name: ca-1
  7. type: builtin
  8. dpCert:
  9. rotation:
  10. expiration: 1d
  11. conf:
  12. caCert:
  13. RSAbits: 2048
  14. expiration: 10y

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

A few considerations:

  • The dpCert configuration determines how often Kuma should automatically rotate the certificates assigned to every data plane proxy.
  • The caCert configuration determines a few properties that Kuma will use when auto-generating the CA root certificate.

Storage of Secrets

When using a builtin backend Kuma automatically generates a root CA certificate and key that are being stored as a Kuma Secret resource with the following name:

  • {mesh name}.ca-builtin-cert-{backend name} for the certificate
  • {mesh name}.ca-builtin-key-{backend name} for the key

On Kubernetes, Kuma secrets are being stored in the kuma-system namespace, while on Universal they are being stored in the underlying store configured in kuma-cp.

We can retrieve the secrets via kumactl on both Universal and Kubernetes, or via kubectl on Kubernetes only:

The following command can be executed on any Kuma backend:

  1. kumactl get secrets [-m MESH]
  2. # MESH NAME AGE
  3. # default default.ca-builtin-cert-ca-1 1m
  4. # default default.ca-builtin-key-ca-1 1m

The following command can be executed only on Kubernetes:

  1. kubectl get secrets \
  2. -n kuma-system \
  3. --field-selector='type=system.kuma.io/secret'
  4. # NAME TYPE DATA AGE
  5. # default.ca-builtin-cert-ca-1 system.kuma.io/secret 1 1m
  6. # default.ca-builtin-key-ca-1 system.kuma.io/secret 1 1m

Usage of “provided” CA

If you choose to provide your own CA root certificate and key, you can use the provided backend. With this option, you must also manage the certificate lifecycle yourself.

Unlike the builtin backend, with provided you first upload the certificate and key as Secret resources, and then reference the Secrets in the mTLS configuration.

Kuma then provisions data plane proxy certificates for every replica of every service from the CA root certificate and key.

Sample configuration:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. mtls:
  7. enabledBackend: ca-1
  8. backends:
  9. - name: ca-1
  10. type: provided
  11. dpCert:
  12. rotation:
  13. expiration: 1d
  14. conf:
  15. cert:
  16. secret: name-of-secret
  17. key:
  18. secret: name-of-secret

We will apply the configuration with kubectl apply -f [..].

  1. type: Mesh
  2. name: default
  3. mtls:
  4. enabledBackend: ca-1
  5. backends:
  6. - name: ca-1
  7. type: provided
  8. dpCert:
  9. rotation:
  10. expiration: 1d
  11. conf:
  12. cert:
  13. secret: name-of-secret
  14. key:
  15. secret: name-of-secret

We will apply the configuration with kumactl apply -f [..] or via the HTTP API.

A few considerations:

  • The dpCert configuration determines how often Kuma should automatically rotate the certificates assigned to every data plane proxy.
  • The Secrets must exist before referencing them in a provided backend.

Intermediate CA

You can also work with an Intermediate CA with a provided backend. Generate the certificate and place it first in certificate file, before the certificate from the root CA. The certificate from the root CA should start on a new line. Then create the secret to specify in the cert section of the config. The secret for the key should contain only the private key of the certificate from the intermediate CA.

You can chain certificates from multiple intermediate CAs the same way. Place the certificate from the closest CA at the top of the cert file, followed by certificates in order up the certificate chain, then generate the secret to hold the contents of the file.

Sample certificate file for a single intermediate CA:

  1. -----BEGIN CERTIFICATE-----
  2. MIIDdjCCAl6gAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwRDELMAkGA1UEBhMCR0Ix
  3. EDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0ZDEPMA0GA1UEAwwG
  4. S3VtYUNBMB4XDTIxMDUxMjEzMzU1MVoXDTMxMDUxMDEzMzU1MVowUDELMAkGA1UE
  5. BhMCR0IxEDAOBgNVBAgMB0VuZ2xhbmQxEjAQBgNVBAoMCUFsaWNlIEx0ZDEbMBkG
  6. A1UEAwwSS3VtYUludGVybWVkaWF0ZUNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
  7. MIIBCgKCAQEA1VzY9vOr8+SINzqA8Rwk4bpeex32Zn9BGAUTweRgomQC7Yfzrm6/
  8. Vk74/T/46n3FydpdEZTdoFKCF8EsA0eqAEfWi6tu7D41GOUFUYpdRJBJEq+HE17Q
  9. N8SFMquy8NhCtK8th8ytSu2ThvCOq1MHT5WjtQUmRGSJMlcfWA5TsCIK0Sb3cSf3
  10. jadjEqcmcvJN6Xa0Y0VivcPg5eB+We7BNnp4ogqmZw0veoPjc14HVZpqxrra9Yez
  11. DRai6rnHqDjnkMMhe9MmSkCKD9Ldwduq0ZfuOQFIBOaX+4MKUyDN4tTMCcRRl/Nl
  12. A4JgrNNWCFfUQV0VmQ0Tc8+cn/+gokHAZwIDAQABo2YwZDAdBgNVHQ4EFgQUGNjz
  13. Te727HX4AqZDMn1L9XzkTaYwHwYDVR0jBBgwFoAUSu2E4Ue5aPzdWQCCNp36Pf3i
  14. YbcwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcN
  15. AQELBQADggEBACuOczJlf4wcT9rfAIrZHuI5aCzYTKOxJllhN5e/eEhMYpsox6Zb
  16. 4CZXS3wdJ3fVugddLWDzIAjrNE1DrOpugUPurNIpHsT6u+SHFXkRsXyHFfMA+CZJ
  17. 0tOYEtP1r3BnqsY/nh0GJqHJxaJolEaqFaKgKTQPTinOxTKFxsHa1OHlsvkdxvot
  18. d2BQhPQYWes3LMPxtGhS5kwKaXaB3gzTnzjGvgGNeJ+l0AiWqXkivixpox3/6mMa
  19. 90mwssl4sRQQLR1kLFU4hwghNm52Pk7o7HSTEXsnB+ZhHB9skpetY6R4uKWh8xap
  20. Xmj4PDrAA5OKZzSO7Yhdt0vXPOIrjShMxvA=
  21. -----END CERTIFICATE-----
  22. -----BEGIN CERTIFICATE-----
  23. MIIDbjCCAlagAwIBAgIJALDMMa9rXKLPMA0GCSqGSIb3DQEBCwUAMEQxCzAJBgNV
  24. BAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAlBbGljZSBMdGQxDzAN
  25. BgNVBAMMBkt1bWFDQTAeFw0yMTA1MTIxMzE2MjFaFw00MTA1MDcxMzE2MjFaMEQx
  26. CzAJBgNVBAYTAkdCMRAwDgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQKDAlBbGljZSBM
  27. dGQxDzANBgNVBAMMBkt1bWFDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
  28. ggEBANCJqVJjYOWFUZcdhrfBxgoCZNE+LFq9sieP2yRGrYzJsCdwphH6L7GsWds8
  29. VjlobfIP4nA23TJiMWlsx126r7pSRbVEq8/JoNa0vMspEmtjHZhSweIXWXX7o8V+
  30. FRKbCW5NyqGiHF0ScE4VpNc3uWCA2zcaU80G9SAKI83cUjnp2JzLPMqppQ+pj6Hs
  31. G+8322FPA2L11fsCAqdCW+gwJWpKzlfBPyeNTUOMpcP8n+Yjcah4tqcCY2PZ7nH7
  32. cZN1vHGhT5/Pn3VRaNHUq4y1Zn/wJnjlOcD4DbVFXYpYIlPx+yAs56FXd3a7Imfg
  33. 56HzOLOZcDY/+Sxy7J2Pq8cipTcCAwEAAaNjMGEwHQYDVR0OBBYEFErthOFHuWj8
  34. 3VkAgjad+j394mG3MB8GA1UdIwQYMBaAFErthOFHuWj83VkAgjad+j394mG3MA8G
  35. A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IB
  36. AQCBqj9F+OJZXifyUGq9bAiybpP9RYnKd0JCiByvO/S95v6Bz9RnwrvgN75mzpPd
  37. OM51MYKyBLFKJpvrmyQ+njcsVMnv//MH7cHE8h6WkwP9IggNg0K21J1zkS8ApfTw
  38. 7buUemZn6NFqHgysAUnWq8WM8YxfEErubbTCm6wslTLzLdblBGLjh7qOzDGh8n0e
  39. BjqWgCYjbEsB4tDxjfSjLjSyldvnIMTyWrA8a/1iCNDXj0wMtHoBji307dsI5drp
  40. VokELweu6SS7M4ODE8/Ci3QLS/mmx++9s2kCCqq49dyA2/ZabLb2nBF96wo/RDp9
  41. 3kIzfNvzMkC3VRwESV+SUG0x
  42. -----END CERTIFICATE-----

CA requirements

When using an arbitrary certificate and key for a provided backend, we must make sure that we comply with the following requirements:

  1. It MUST have basic constraint CA set to true (see X509-SVID: 4.1. Basic Constraints)
  2. It MUST have key usage extension keyCertSign set (see X509-SVID: 4.3. Key Usage)
  3. It MUST NOT have key usage extension ‘keyAgreement’ set (see X509-SVID: Appendix A. X.509 Field Reference)
  4. It SHOULD NOT set key usage extension ‘digitalSignature’ and ‘keyEncipherment’ to be SPIFFE compliant (see X509-SVID: Appendix A. X.509 Field Reference)

Do not use the following example in production, instead generate valid and compliant certificates. This example is intended for usage in a development environment.

Below we can find an example to generate a sample CA certificate + key:

The following command will generate a CA root certificate and key that can be uploaded to Kuma as a Secret and then used in a provided mTLS backend:

  1. SAMPLE_CA_CONFIG="
  2. [req]
  3. distinguished_name=dn
  4. [ dn ]
  5. [ ext ]
  6. basicConstraints=CA:TRUE,pathlen:0
  7. keyUsage=keyCertSign
  8. "
  9. openssl req -config <(echo "$SAMPLE_CA_CONFIG") -new -newkey rsa:2048 -nodes \
  10. -subj "/CN=Hello" -x509 -extensions ext -keyout key.pem -out crt.pem

The command will generate a certificate at crt.pem and the key at key.pem. We can generate the Kuma Secret resources by following the Secret reference.

Development Mode

In development mode we may want to provide the cert and key properties of the provided backend without necessarily having to create a Secret resource, but by using an inline value.

Using the inline modes in production presents a security risk since it makes the values of our CA root certificate and key more easily accessible from a malicious actor. We highly recommend using inline only in development mode.

Kuma offers an alternative way to specify the CA root certificate and key:

Please note the inline properties that are being used instead of secret:

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. mtls:
  7. enabledBackend: ca-1
  8. backends:
  9. - name: ca-1
  10. type: provided
  11. config:
  12. cert:
  13. inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3S... # cert in Base64
  14. key:
  15. inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3S... # key in Base64

Please note the inline properties that are being used instead of secret:

  1. type: Mesh
  2. name: default
  3. mtls:
  4. enabledBackend: ca-1
  5. backends:
  6. - name: ca-1
  7. type: provided
  8. config:
  9. cert:
  10. inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3S... # cert in Base64
  11. key:
  12. inline: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHekNDQWdPZ0F3S... # cert in Base64

Permissive mTLS

In version 1.4.1 and later, Kuma provides PERMISSIVE mTLS mode to let you migrate existing workloads with zero downtime.

Permissive mTLS mode encrypts outbound connections the same way as strict mTLS mode, but inbound connections on the server-side accept both TLS and plaintext. This lets you migrate servers to an mTLS mesh before their clients. It also supports the case where the client and server already implement TLS.

PERMISSIVE mode is not secure. It’s intended as a temporary utility. Make sure to set to STRICT mode after migration is complete.

  1. apiVersion: kuma.io/v1alpha1
  2. kind: Mesh
  3. metadata:
  4. name: default
  5. spec:
  6. mtls:
  7. enabledBackend: ca-1
  8. backends:
  9. - name: ca-1
  10. type: builtin
  11. mode: PERMISSIVE # supported values: STRICT, PERMISSIVE
  1. type: Mesh
  2. name: default
  3. mtls:
  4. enabledBackend: ca-1
  5. backends:
  6. - name: ca-1
  7. type: builtin
  8. mode: PERMISSIVE # supported values: STRICT, PERMISSIVE

Certificate Rotation

Once a CA backend has been configured, Kuma will utilize the CA root certificate and key to automatically provision a certificate for every data plane proxy that it connects to kuma-cp.

Unlike the CA certificate, the data plane proxy certificates are not permanently stored anywhere but they only reside in memory. These certificates are designed to be short-lived and rotated often by Kuma.

By default, the expiration time of a data plane proxy certificate is 30 days. Kuma rotates these certificates automatically after 4/5 of the certificate validity time (ie: for the default 30 days expiration, that would be every 24 days).

You can update the duration of the data plane proxy certificates by updating the dpCert property on every available mTLS backend.

You can inspect the certificate rotation statistics by executing the following command (supported on both Kubernetes and Universal):

We can use the Kuma CLI:

  1. kumactl inspect dataplanes
  2. # MESH NAME TAGS STATUS LAST CONNECTED AGO LAST UPDATED AGO TOTAL UPDATES TOTAL ERRORS CERT REGENERATED AGO CERT EXPIRATION CERT REGENERATIONS
  3. # default web-01 service=web Online 5s 3s 4 0 3s 2020-05-11 16:01:34 2

Please note the CERT REGENERATED AGO, CERT EXPIRATION, CERT REGENERATIONS columns.

We can use the Kuma HTTP API by retrieving the Dataplane Insight resource and inspecting the dataplaneInsight object.

  1. ...
  2. dataplaneInsight": {
  3. ...
  4. "mTLS": {
  5. "certificateExpirationTime": "2020-05-14T20:15:23Z",
  6. "lastCertificateRegeneration": "2020-05-13T20:15:23.994549539Z",
  7. "certificateRegenerations": 1
  8. }
  9. }
  10. ...

A new data plane proxy certificate is automatically generated when:

  • A data plane proxy is restarted.
  • The control plane is restarted.
  • The data plane proxy connects to a new control plane.