An OpenFaaS instance is composed of two namespaces: one for the core services and one for functions. To secure the communication between core services and functions, mutual TLS has to be enabled on both namespaces.
Create the OpenFaaS namespaces with Istio sidecar injection enabled:

```sh
kubectl apply -f https://raw.githubusercontent.com/openfaas/faas-netes/master/namespaces.yml
```

Enable mTLS on the openfaas namespace:

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: openfaas
spec:
  peers:
  - mtls: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: openfaas
spec:
  host: "*.openfaas.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Save the above resources as of-mtls.yaml and then apply them:

```sh
kubectl apply -f ./of-mtls.yaml
```

Allow plaintext traffic to NATS:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: "nats-no-mtls"
  namespace: openfaas
spec:
  host: "nats.openfaas.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: DISABLE
```

Save the above resource as of-nats-no-mtls.yaml and then apply it:

```sh
kubectl apply -f ./of-nats-no-mtls.yaml
```

Enable mTLS on the openfaas-fn namespace:

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: openfaas-fn
spec:
  peers:
  - mtls: {}
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: openfaas-fn
spec:
  host: "*.openfaas-fn.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Save the above resources as of-functions-mtls.yaml and then apply them:

```sh
kubectl apply -f ./of-functions-mtls.yaml
```
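Once the manifests above are applied, the useful check is whether each namespace actually ends up with both halves of the mTLS configuration (a server-side authentication policy requiring mTLS and a namespace-wide DestinationRule with ISTIO_MUTUAL on the client side) and which hosts were carved out as plaintext exceptions, as NATS is here. The script below is an added example, not part of the original guide or of the OpenFaaS or Istio projects. It audits the JSON that `kubectl get policy,destinationrule -A -o json` returns; the `SAMPLE_DUMP` is a constructed stand-in for that output, populated with the resources from this guide. It goes slightly beyond the page in that it also accepts the `PeerAuthentication` resource (security.istio.io/v1beta1), which replaced the `authentication.istio.io/v1alpha1` Policy from Istio 1.5 onwards; `audit_mtls` and `findings` are names chosen for this example.

```python
"""Audit the Istio mTLS posture of the OpenFaaS namespaces from a kubectl JSON dump."""
import json

# Constructed sample in the shape of `kubectl get policy,destinationrule -A -o json`,
# populated with the Policy and DestinationRule objects applied in this guide.
SAMPLE_DUMP = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
         "metadata": {"name": "default", "namespace": "openfaas"},
         "spec": {"peers": [{"mtls": {}}]}},
        {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
         "metadata": {"name": "default", "namespace": "openfaas"},
         "spec": {"host": "*.openfaas.svc.cluster.local",
                  "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
        {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
         "metadata": {"name": "nats-no-mtls", "namespace": "openfaas"},
         "spec": {"host": "nats.openfaas.svc.cluster.local",
                  "trafficPolicy": {"tls": {"mode": "DISABLE"}}}},
        {"apiVersion": "authentication.istio.io/v1alpha1", "kind": "Policy",
         "metadata": {"name": "default", "namespace": "openfaas-fn"},
         "spec": {"peers": [{"mtls": {}}]}},
        {"apiVersion": "networking.istio.io/v1alpha3", "kind": "DestinationRule",
         "metadata": {"name": "default", "namespace": "openfaas-fn"},
         "spec": {"host": "*.openfaas-fn.svc.cluster.local",
                  "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}},
    ],
})


def _policy_requires_mtls(kind, spec):
    """True if the server-side policy rejects plaintext peers.

    Policy (authentication.istio.io/v1alpha1): a peers entry with `mtls`, whose
    mode defaults to STRICT when omitted; PERMISSIVE still accepts plaintext.
    PeerAuthentication (security.istio.io/v1beta1): spec.mtls.mode must be STRICT.
    """
    if kind == "Policy":
        return any("mtls" in peer and peer["mtls"].get("mode", "STRICT") == "STRICT"
                   for peer in spec.get("peers", []))
    if kind == "PeerAuthentication":
        return spec.get("mtls", {}).get("mode") == "STRICT"
    return False


def audit_mtls(dump_json, namespaces):
    """Return, per namespace, whether the policy and the wildcard DestinationRule are
    present, plus every host whose DestinationRule does not use ISTIO_MUTUAL."""
    items = json.loads(dump_json)["items"]
    report = {ns: {"policy": False, "default_rule": False, "plaintext_hosts": []}
              for ns in namespaces}
    for item in items:
        ns = item["metadata"].get("namespace")
        if ns not in report:
            continue
        kind, spec = item["kind"], item.get("spec", {})
        if kind in ("Policy", "PeerAuthentication"):
            if _policy_requires_mtls(kind, spec):
                report[ns]["policy"] = True
        elif kind == "DestinationRule":
            host = spec.get("host", "")
            mode = spec.get("trafficPolicy", {}).get("tls", {}).get("mode")
            if mode == "ISTIO_MUTUAL" and host == f"*.{ns}.svc.cluster.local":
                report[ns]["default_rule"] = True
            elif mode != "ISTIO_MUTUAL":
                report[ns]["plaintext_hosts"].append(host)
    return report


def findings(report):
    """Turn the report into human-readable findings, one line per gap or exception."""
    out = []
    for ns, r in report.items():
        if not r["policy"]:
            out.append(f"{ns}: no authentication policy requiring mTLS; plaintext peers are accepted")
        if not r["default_rule"]:
            out.append(f"{ns}: no namespace-wide DestinationRule with ISTIO_MUTUAL; clients may dial plaintext")
        for host in r["plaintext_hosts"]:
            out.append(f"{ns}: DestinationRule for {host} does not use ISTIO_MUTUAL; confirm the exception is intended")
    return out


if __name__ == "__main__":
    # With a live cluster, replace SAMPLE_DUMP with the output of:
    #   kubectl get policy,destinationrule -A -o json
    for line in findings(audit_mtls(SAMPLE_DUMP, ["openfaas", "openfaas-fn"])) or ["mTLS fully configured"]:
        print(line)
</test>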