Concept of transparent proxy in a cluster

Hi, I would like to know if in a k8s or OpenShift cluster there is the possibility of "managing" cluster or pod outgoing traffic. In my use case I would like to add the public certificate of a self-signed key to be able to communicate from a pod with a trusted host without having to configure the public key in the container via a volume, reminiscent of a transparent proxy in a classic network.

Thanks

You should be able to achieve this with Istio.

1. Enable Istio Sidecar Injection

Ensure that your pods are injected with Istio sidecars, either manually or automatically:

  • Enable automatic sidecar injection in the namespace by labeling it:

```bash
kubectl label namespace <namespace> istio-injection=enabled
```

  • Alternatively, manually inject sidecars when deploying your pod.

The sidecar proxies (Envoy) will intercept and manage all incoming and outgoing traffic for the pod.


2. Configure TLS Settings

Istio allows you to configure mutual TLS (mTLS) and manage certificates for outgoing traffic using DestinationRule and VirtualService objects.

Add a Public Certificate for Trusted Communication

  • Create a ConfigMap with the public certificate:

```bash
kubectl create configmap custom-ca-cert --from-file=custom-ca.pem=<path-to-your-certificate>
```

  • Mount this ConfigMap to the Istio sidecar by editing the istio-sidecar-injector configuration:

```yaml
proxyMetadata:
  OUTPUT_CERTS: /etc/istio/custom-certs
```

  • Update the sidecar configuration to point to the custom certificates by configuring meshConfig in Istio.

3. Configure Outbound Traffic Rules

You can define how Istio routes outbound traffic using the following:

a. DestinationRule

Create a DestinationRule to apply TLS settings, referencing the custom certificate:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: trusted-host
spec:
  host: <trusted-host>
  trafficPolicy:
    tls:
      mode: SIMPLE # For one-way TLS
      caCertificates: /etc/istio/custom-certs/custom-ca.pem
```

b. VirtualService

Define a VirtualService to route traffic to the trusted host:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: trusted-host-route
spec:
  hosts:
    - <trusted-host>
  http:
    - route:
        - destination:
            host: <trusted-host>
```

4. Transparent Proxy

Istio sidecars act as a transparent proxy:

  • Outbound traffic from pods is intercepted by the Envoy sidecar.
  • The sidecar handles TLS termination, certificate injection, and routing based on DestinationRule and VirtualService.

5. Verify and Test

  • Deploy your pods with sidecar injection enabled.
  • Ensure Istio is routing traffic according to your defined DestinationRule and VirtualService.
  • Test the connectivity with the trusted host to confirm the self-signed certificate is being used transparently.
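As an added, end-to-end example (not part of the answer above, and not Istio's own sample code): the resources below wire the pieces of the answer together using Istio's egress TLS origination pattern, so the application container keeps speaking plain HTTP on port 80 and only the Envoy sidecar holds the self-signed CA and performs the verified TLS handshake to the external host. The namespace `demo`, the host `trusted.example.com`, the placeholder PEM body and the resource names are assumptions; the `sidecar.istio.io/userVolume` and `sidecar.istio.io/userVolumeMount` annotation values are written as JSON arrays, which is the format recent Istio releases document, so check the annotation reference for the Istio version actually deployed.

```yaml
# Added example, not from the original post. All names below are assumptions.
---
# 1. The CA to trust. The PEM body is a placeholder; paste the real
#    self-signed CA certificate (never the private key) here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-cert
  namespace: demo
data:
  custom-ca.pem: |
    -----BEGIN CERTIFICATE-----
    <placeholder: self-signed CA certificate in PEM form>
    -----END CERTIFICATE-----
---
# 2. Register the external host in the mesh. Port 80 is what the app dials;
#    targetPort: 443 makes the sidecar connect to the host's HTTPS port.
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: trusted-host
  namespace: demo
spec:
  hosts:
    - trusted.example.com   # assumption: the external host
  location: MESH_EXTERNAL
  resolution: DNS
  ports:
    - number: 80
      name: http-port
      protocol: HTTP
      targetPort: 443
    - number: 443
      name: https-port
      protocol: HTTPS
---
# 3. TLS origination at the sidecar: traffic the app sends to port 80 is
#    upgraded to TLS, and the server certificate is verified against the
#    custom CA mounted into the istio-proxy container in step 4.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: trusted-host-tls-origination
  namespace: demo
spec:
  host: trusted.example.com
  trafficPolicy:
    portLevelSettings:
      - port:
          number: 80
        tls:
          mode: SIMPLE
          caCertificates: /etc/istio/custom-certs/custom-ca.pem
          sni: trusted.example.com
---
# 4. The workload. The ConfigMap is mounted only into the injected
#    istio-proxy container via annotations; the app container gets no volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: client
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: client
  template:
    metadata:
      labels:
        app: client
      annotations:
        sidecar.istio.io/userVolume: '[{"name":"custom-certs","configMap":{"name":"custom-ca-cert"}}]'
        sidecar.istio.io/userVolumeMount: '[{"name":"custom-certs","mountPath":"/etc/istio/custom-certs","readOnly":true}]'
    spec:
      containers:
        - name: app
          image: curlimages/curl   # assumption: any image that can issue HTTP requests
          command: ["sleep", "infinity"]
```

To check it, exec into the `app` container and request `http://trusted.example.com/` (plain HTTP, port 80): the sidecar should answer with the remote server's HTTPS response, and `istioctl proxy-config cluster <pod> --fqdn trusted.example.com` should show the outbound cluster with TLS settings pointing at the mounted CA path. The cleartext hop exists only between the app and its own sidecar inside the pod's network namespace; if the CA file is missing or the server presents a certificate not signed by it, the sidecar fails the handshake and the app sees an error rather than an unverified connection, which is the behaviour you want from a transparent proxy that is enforcing trust on the pod's behalf.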