presentation.pdf

1、Improving Secure Pod-to-PodCommunication Using Trust Bundles Ted Hahn,Mark Hahn, Mutual TLS-Secure Pod-to-Pod communicationEvery Kubernetes pod should include a SSL Certificate,verifying itsidentity.This should be signed automatically,and be specific to each pod.We have updated KubeTLS to modularize

2、 the certificate creation andimprove the is a TrustBundle?Note:This is a forward looking feature,KEP-3257,that has yet to beimplemented.We want to show some of the possible usecases.A Trust Anchor,or Root of trust,is a cryptographic entity that youtrust implicity.Typically you express this as an X.5

3、09 certificate withthe CA bit set.A Trust Bundle one or more trust anchors combinedtogether,with the same implicit trust.You already use a Trust Bundle-The Web Roots provided by yourBase OS or by your Web Browser.Brief detour-Certificate AuthoritiesHow to use TrustBundles?TrustBundles implment small

4、 scale scope of trustThe Web Trust Bundle is one of the topmost layers of mostdocker imagesDocker Images should be smallClusterTrustBundles can be mounted like ConfigMaps,replacingThe Web Trust BundleRapid Updates to TrustBundlesLimiting Trust ScopeLimiting Trust from KeyNoteWhat is KubeTLSKubeTLS i

5、s about automatically injecting certificates thatprovide workload identity into every pod and every containterin a cluster.These Certificates provide Privacy,Authentication andAuthorization.These Certificates work with TrustBundles to assist in mutual systemidentification.Secure Networking on Kubern

6、etesThe complicated way:Sidecars or CNI with network policiesSidecars add latency,and a management layer separate from theapplicationsNetwork policies add that management layer separate from theapplicationsThe native way:All application containers natively support TLSApplications are in charge of se