diff --git a/images/ossm-kiali-graph-badge-security.png b/images/ossm-kiali-graph-badge-security.png new file mode 100644 index 000000000000..440bff3ea42b Binary files /dev/null and b/images/ossm-kiali-graph-badge-security.png differ diff --git a/images/ossm-kiali-masthead-mtls-enabled.png b/images/ossm-kiali-masthead-mtls-enabled.png new file mode 100644 index 000000000000..1ffe26bcd3d4 Binary files /dev/null and b/images/ossm-kiali-masthead-mtls-enabled.png differ diff --git a/images/ossm-kiali-masthead-mtls-partial.png b/images/ossm-kiali-masthead-mtls-partial.png new file mode 100644 index 000000000000..5e9302bea975 Binary files /dev/null and b/images/ossm-kiali-masthead-mtls-partial.png differ diff --git a/modules/ossm-security-mtls.adoc b/modules/ossm-security-mtls.adoc index a198293825d3..ce87d0141a75 100644 --- a/modules/ossm-security-mtls.adoc +++ b/modules/ossm-security-mtls.adoc 
@@ -3,9 +3,9 @@ // * service_mesh/v2x/ossm-config.adoc [id="ossm-security-mtls_{context}"] -= Mutual Transport Layer Security (mTLS) += About mutual Transport Layer Security (mTLS) -Mutual Transport Layer Security (mTLS) is a protocol that enables two parties authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). mTLS can be used without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies. +Mutual Transport Layer Security (mTLS) is a protocol that enables two parties to authenticate each other. It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS). You can use mTLS without changes to the application or service code. The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies. By default, mTLS in {SMProductName} is enabled and set to permissive mode, where the sidecars in {SMProductShortName} accept both plain-text traffic and connections that are encrypted using mTLS. If a service in your mesh is communicating with a service outside the mesh, strict mTLS could break communication between those services. Use permissive mode while you migrate your workloads to {SMProductShortName}. Then, you can enable strict mTLS across your mesh, namespace, or application. diff --git a/modules/ossm-validate-encryption-kiali.adoc b/modules/ossm-validate-encryption-kiali.adoc new file mode 100644 index 000000000000..3a2402f03639 --- /dev/null +++ b/modules/ossm-validate-encryption-kiali.adoc 
@@ -0,0 +1,30 @@ +//// +This module included in the following assemblies: +* service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc +//// +:_content-type: CONCEPT +[id="ossm-validating-sidecar_{context}"] += Validating encryption with Kiali + +The Kiali console offers several ways to validate whether or not your applications, services, and workloads have mTLS encryption enabled. + +.Masthead icon mesh-wide mTLS enabled +image::ossm-kiali-masthead-mtls-enabled.png[mTLS enabled] + +At the right side of the masthead, Kiali shows a lock icon when the mesh has strictly enabled mTLS for the whole service mesh. It means that all communications in the mesh use mTLS. + +.Masthead icon mesh-wide mTLS partially enabled +image::ossm-kiali-masthead-mtls-partial.png[mTLS partially enabled] + +Kiali displays a hollow lock icon when either the mesh is configured in `PERMISSIVE` mode or there is a error in the mesh-wide mTLS configuration. + +.Security badge +image::ossm-kiali-graph-badge-security.png[Security badge] + +The *Graph* page has the option to display a *Security* badge on the graph edges to indicate that mTLS is enabled. To enable security badges on the graph, from the *Display* menu, under *Show Badges*, select the *Security* checkbox. When an edge shows a lock icon, it means at least one request with mTLS enabled is present. In case there are both mTLS and non-mTLS requests, the side-panel will show the percentage of requests that use mTLS. + +The *Applications Detail Overview* page displays a *Security* icon on the graph edges where at least one request with mTLS enabled is present. + +The *Workloads Detail Overview* page displays a *Security* icon on the graph edges where at least one request with mTLS enabled is present. + +The *Services Detail Overview* page displays a *Security* icon on the graph edges where at least one request with mTLS enabled is present. 
Also note that Kiali displays a lock icon in the *Network* section next to ports that are configured for mTLS. diff --git a/service_mesh/v2x/ossm-security.adoc b/service_mesh/v2x/ossm-security.adoc index e82e150e6aeb..03d49b024330 100644 --- a/service_mesh/v2x/ossm-security.adoc +++ b/service_mesh/v2x/ossm-security.adoc @@ -10,9 +10,9 @@ If your service mesh application is constructed with a complex array of microser .Before you begin -If you have a project, add your project to the xref:../../service_mesh/v2x/installing-ossm.adoc#ossm-member-roll-modify_ossm-create-mesh[`ServiceMeshMemberRoll` resource]. +If you have a project, add your project to the xref:../../service_mesh/v2x/ossm-create-mesh.adoc#ossm-member-roll-create_ossm-create-mesh[`ServiceMeshMemberRoll` resource]. -If you don't have a project, install the xref:../../service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc#ossm-tutorial-bookinfo-overview_ossm-create-mesh[Bookinfo sample application] and add it to the `ServiceMeshMemberRoll` resource. The sample application helps illustrate security concepts. +If you don't have a project, install the xref:../../service_mesh/v2x/ossm-create-mesh.adoc#ossm-tutorial-bookinfo-overview_ossm-create-mesh[Bookinfo sample application] and add it to the `ServiceMeshMemberRoll` resource. The sample application helps illustrate security concepts. include::modules/ossm-security-mtls.adoc[leveloffset=+1] @@ -24,6 +24,8 @@ include::modules/ossm-config-sidecar-out-mtls.adoc[leveloffset=+2] include::modules/ossm-config-mtls-min-max.adoc[leveloffset=+2] +include::modules/ossm-validate-encryption-kiali.adoc[leveloffset=+2] + include::modules/ossm-security-auth-policy.adoc[leveloffset=+1] include::modules/ossm-security-cipher.adoc[leveloffset=+1]
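Review bot: in the `ossm-security-mtls.adoc` hunk, the retained sentence "It is the default mode of authentication in some protocols (IKE, SSH) and optional in others (TLS)" conflates mTLS with mutual authentication in general; mTLS is by definition the TLS form, so it cannot be the default in IKE or SSH. Since the line is already being rewritten for grammar, reword it to something like "Mutual authentication is the default in some protocols (IKE, SSH) and optional in others (TLS); mTLS is the TLS variant." In the same paragraph, "The TLS is handled entirely by the service mesh infrastructure and between the two sidecar proxies" reads better as "TLS is handled entirely by the service mesh infrastructure, between the two sidecar proxies."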
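Review bot: in the new `ossm-validate-encryption-kiali.adoc` module, the anchor `[id="ossm-validating-sidecar_{context}"]` does not match the file name or the heading "Validating encryption with Kiali" and risks colliding with an existing sidecar-validation id; use `[id="ossm-validate-encryption-kiali_{context}"]`. The assembly comment at the top lists `service_mesh/v2x/prepare-to-deploy-applications-ossm.adoc`, but this patch includes the module from `service_mesh/v2x/ossm-security.adoc`, so update the comment to match. Smaller points: "there is a error" should be "there is an error"; "In case there are both mTLS and non-mTLS requests, the side-panel will show the percentage" should be "If there are both mTLS and non-mTLS requests, the side panel shows the percentage" (present tense, no "will"); and the three identical "Detail Overview page displays a *Security* icon" paragraphs can be collapsed into one sentence covering the *Applications*, *Workloads* and *Services* Detail Overview pages. Finally, the trailing sentence "Also note that Kiali displays a lock icon in the *Network* section next to ports that are configured for mTLS." appears after the hunk's 30 declared lines and carries no `+` prefix, so it is not part of the patch as shown; if it belongs in the module, add it as a `+` line inside the hunk.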
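Review bot: in the `ossm-security.adoc` xref hunk, the first link changes both the file and the anchor (`ossm-member-roll-modify_ossm-create-mesh` to `ossm-member-roll-create_ossm-create-mesh`), while the surrounding sentence still says "add your project to the ... resource", which is a modify action; confirm that `ossm-member-roll-create_ossm-create-mesh` is the intended target for readers who already have a mesh, or point them at the modify module. The Bookinfo xref change is consistent with the anchor's `_ossm-create-mesh` context suffix. While touching these lines, "If you don't have a project" should follow the doc's no-contraction style: "If you do not have a project".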
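Review bot: in the include hunk, `include::modules/ossm-validate-encryption-kiali.adoc[leveloffset=+2]` is placed after the mTLS configuration modules, which makes it a subsection of the mTLS section; that fits the content, but the module's `{context}`-suffixed id means the anchor readers link to becomes `ossm-validating-sidecar_ossm-security` (or whatever `:context:` this assembly sets), so any xref added elsewhere must use that combined form rather than the bare module id.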