The Kubernetes Current Blog

Enforce mTLS using Rafay’s Managed Service Mesh

We previously provided “hands-on, labs-based training” for approximately 25 technologists on the recently introduced “Managed Service Mesh” capability in the Rafay Kubernetes Operations Platform.

Here’s what we set up for the enablement session:

  • Each attendee was provided with their own Kubernetes cluster.
  • We spun up 25 Kubernetes clusters on Digital Ocean just a few hours before the session.
  • Each attendee had their own dedicated “project” in the “Training” Org


It is now becoming a standard operational requirement for applications to require the use of a Zero Trust security model. One of the important aspects of this model is the use of mutual TLS (mTLS) to ensure all communication between services are mutually authenticated and strongly encrypted.

Application teams commonly find themselves having to deal with this in the 11th hour. At this point, it is either “too late” to retrofit their application business logic or the legacy containerized application is not capable of being retrofitted. The service mesh’s sidecar based enforcement approach is a perfect solution for scenarios like this.

The Lab Exercise

In the “hands-on” lab, each attendee followed our “Getting Started” guide for MTLS Migration closely. The high-level steps were as follows:

Step 1

Create a custom blueprint with the “integrated” Service Mesh enabled and the “default” installation profile. Update the cluster’s blueprint with the custom blueprint. In 2-3 minutes, blueprint sync should complete and you should see something like this.

Step 2

  • Create three namespaces called “foo”, “bar” and “legacy”.
  • Ensure that “sidecar” injection is enabled for the “foo” and “bar” namespaces.

  • Ensure that “sidecar” injection is disabled for the “legacy” namespace.

Step 3

Deploy sample workloads into the “foo”, “bar” and “legacy” namespaces.

For the workloads deployed into namespaces with sidecar injection “enabled”, you will notice that the sidecar is automatically implemented. The attendees confirmed this by using the Integrated Kubernetes Resources Dashboard for the workload.

Once the workloads are operational and are interacting with each other, the attendees used the Integrated, Multitenant Kiali Dashboard to visualize the inter-service traffic in their Kubernetes cluster.

Try It Out

If you are interested in trying this out yourself,

Trusted by leading companies