"Not a Pentest" note: This guide is for securing your own service mesh infrastructure. It is not an attack tool.
Service Mesh Security: Istio & Linkerd Guide
Complete service mesh hardening with mTLS, zero-trust communication, access control and observability for microservices.
Service Mesh Security Fundamentals
Core Security Components
- Automatic mTLS encryption between services
- Fine-grained access-control policies
- Service-to-service authentication
- Traffic management and security rules
- Observability and audit logging
Istio Security Implementation
# Enable mTLS mesh-wide: a PeerAuthentication named "default" in the root
# namespace (istio-system) with no selector applies to every workload
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Authorization policy example: only the frontend service account may call
# the backend, and only with GET or POST. "from" and "to" belong to the same
# rule; written as two separate rules, the second would admit GET/POST from
# any source, because a rule without "from" matches every caller
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend-sa"]
    to:
    - operation:
        methods: ["GET", "POST"]
Linkerd Security Configuration
# Install Linkerd with automatic mTLS (the control plane issues and rotates
# workload certificates). Since Linkerd 2.12 the CRDs are installed first
linkerd install --crds | kubectl apply -f -
linkerd install | kubectl apply -f -
# Enable proxy injection, and with it mTLS, for the default namespace:
# linkerd inject reads the manifest from stdin and adds the
# linkerd.io/inject: enabled annotation. Pods that already exist must be
# restarted (kubectl rollout restart) to receive the proxy
kubectl get ns default -o yaml | linkerd inject - | kubectl apply -f -
# Service profile for traffic policies. The name must be the service's fully
# qualified DNS name, otherwise Linkerd does not associate it with the service
apiVersion: linkerd.io/v1alpha2
kind: ServiceProfile
metadata:
  name: frontend.default.svc.cluster.local
  namespace: default
spec:
  routes:
  - name: /api
    condition:
      method: GET
      pathRegex: /api/.*
Security Best Practices
Network Policies
Combine service mesh policies with Kubernetes Network Policies for defense-in-depth.
Certificate Management
Automate certificate rotation and monitor expiration dates.
Observability
Monitor security metrics and audit logs for compliance.
Zero Trust Network
Implement least privilege access for all service communications.
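As an added example (not part of the original guide), the following Python audit checks Istio PeerAuthentication and AuthorizationPolicy objects, in the shape returned by `kubectl get peerauthentication,authorizationpolicy -A -o json`, for the two weaknesses the Istio section above guards against: mTLS modes other than STRICT (mesh-wide, per workload or per port) and ALLOW rules without a `from` clause, which match any caller. The sample input is constructed inline, and `istio-system` is assumed to be the Istio root namespace.

```python
import json

# Constructed sample shaped like the output of
#   kubectl get peerauthentication,authorizationpolicy -A -o json
# "payments/legacy" is a deliberate weak override, and allow-frontend reproduces
# the split from/to rule (two rules instead of one) that the guide warns about.
SAMPLE = json.loads("""
{"items": [
 {"kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
  "spec": {"mtls": {"mode": "STRICT"}}},
 {"kind": "PeerAuthentication", "metadata": {"name": "legacy", "namespace": "payments"},
  "spec": {"selector": {"matchLabels": {"app": "ledger"}}, "mtls": {"mode": "PERMISSIVE"}}},
 {"kind": "AuthorizationPolicy", "metadata": {"name": "allow-frontend", "namespace": "default"},
  "spec": {"selector": {"matchLabels": {"app": "backend"}},
           "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend-sa"]}}]},
                     {"to": [{"operation": {"methods": ["GET", "POST"]}}]}]}}
]}""")["items"]

ROOT_NS = "istio-system"  # assumed Istio root namespace (the installation default)


def audit_istio(items):
    """Return (kind, namespace/name, finding) tuples for settings that weaken mTLS or authz."""
    findings = []
    mesh_wide_strict = False
    for res in items:
        kind, md, spec = res["kind"], res["metadata"], res.get("spec", {})
        ref = f"{md['namespace']}/{md['name']}"
        if kind == "PeerAuthentication":
            mode = spec.get("mtls", {}).get("mode", "UNSET")
            # The mesh-wide policy is the one named "default" in the root namespace with no selector.
            if md["namespace"] == ROOT_NS and md["name"] == "default" and "selector" not in spec:
                mesh_wide_strict = mode == "STRICT"
            if mode != "STRICT":
                findings.append((kind, ref, f"mtls mode {mode}: plaintext connections accepted"))
            for port, cfg in spec.get("portLevelMtls", {}).items():
                if cfg.get("mode") != "STRICT":
                    findings.append((kind, ref, f"port {port} relaxes mTLS to {cfg.get('mode')}"))
        elif kind == "AuthorizationPolicy" and spec.get("action", "ALLOW") == "ALLOW":
            # An ALLOW rule without a "from" clause matches every caller, so a rule that
            # carries only "to" (or is empty) grants the listed operations to any identity.
            for i, rule in enumerate(spec.get("rules", [])):
                if "from" not in rule:
                    findings.append((kind, ref, f"rule {i} has no 'from': any source allowed"))
    if not mesh_wide_strict:
        findings.append(("PeerAuthentication", f"{ROOT_NS}/default", "no mesh-wide STRICT policy"))
    return findings
```

Run `audit_istio` over the live cluster's JSON in the same way; an empty result means mesh-wide STRICT mTLS is in place and every ALLOW rule names its callers.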