mTLS
Definition
Mutual TLS (mTLS) is standard TLS with client authentication switched on. In an ordinary TLS handshake only the server presents a certificate; in mTLS the server additionally sends a CertificateRequest, the client answers with its own certificate and a CertificateVerify signature that proves possession of the matching private key, and the server checks that the certificate chains to a CA it trusts before the handshake completes. Ordinary TLS already authenticates the server and protects the channel against man-in-the-middle attacks; what mTLS adds is authentication of the client, so a connection without an acceptable client certificate is rejected during the handshake, before any request reaches the application. Note that mTLS proves which certificate the client holds, not what it is allowed to do: the server (or the backend it forwards the certificate to) still has to map that identity to an authorization decision.
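The handshake behaviour described above, as an added example that is not code from the original page or from any ingress controller: a throwaway PKI and a small Python TLS server with client verification required, exercised by three clients (no certificate, a certificate from the trusted CA, and a certificate from an unrelated CA). It assumes the openssl CLI is on PATH and uses "localhost" as the server name; Python's ssl module stands in for the ingress controller, and the labels, file names and CA names are illustrative.

```python
"""Added example, not code from the original page: a minimal mTLS server plus
three client attempts, to show what client-certificate verification enforces.
The PKI is generated on the fly with the openssl CLI (assumed to be on PATH);
the hostname "localhost" is an assumption placed in the server cert's SAN."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"  # assumed server name, must match the server cert SAN


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_ca(d, name):
    """Self-signed CA; `openssl req -x509` marks it CA:TRUE by default."""
    key, crt = os.path.join(d, name + ".key"), os.path.join(d, name + ".crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + name, "-keyout", key, "-out", crt)
    return key, crt


def issue(d, ca_key, ca_crt, name, san=None):
    """Leaf certificate signed by the given CA, optionally with a DNS SAN."""
    key, csr, crt = [os.path.join(d, name + "." + e) for e in ("key", "csr", "crt")]
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + name,
             "-keyout", key, "-out", csr)
    args = ["x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
            "-CAcreateserial", "-days", "1", "-out", crt]
    if san:  # a server cert needs a SAN or the client's hostname check fails
        ext = os.path.join(d, name + ".ext")
        with open(ext, "w") as f:
            f.write("subjectAltName=DNS:" + san + "\n")
        args += ["-extfile", ext]
    _openssl(*args)
    return key, crt


def serve_one(srv_ctx, listener, server_view):
    """Accept one connection; the handshake itself enforces the client cert."""
    conn, _ = listener.accept()
    conn.settimeout(5)
    try:
        with srv_ctx.wrap_socket(conn, server_side=True) as tls:
            if tls.recv(16) == b"ping":
                tls.sendall(b"pong")
            # subject is a tuple of RDNs; first RDN, first attribute, its value
            server_view.append("accepted " + tls.getpeercert()["subject"][0][0][1])
    except (ssl.SSLError, OSError) as e:
        server_view.append("rejected: " + (getattr(e, "reason", None) or str(e)))


def try_connect(port, cafile, certfile=None, keyfile=None):
    """Client view: True only if the server finished the handshake and answered."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies server cert + hostname
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            tls.sendall(b"ping")  # under TLS 1.3 a rejection may only surface on read
            return tls.recv(16) == b"pong"
    except (ssl.SSLError, OSError):
        return False


def run_demo():
    """Returns {label: accepted-by-server} for the three client attempts."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_crt = make_ca(d, "trusted-ca")
        rogue_key, rogue_crt = make_ca(d, "rogue-ca")
        srv_key, srv_crt = issue(d, ca_key, ca_crt, "server", san=HOST)
        good_key, good_crt = issue(d, ca_key, ca_crt, "good-client")
        bad_key, bad_crt = issue(d, rogue_key, rogue_crt, "rogue-client")
        # Server side: the equivalent of auth-tls-verify-client: "on", with the
        # trusted CA (auth-tls-secret) as the only accepted issuer of client certs.
        srv_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_crt)
        srv_ctx.load_cert_chain(srv_crt, srv_key)
        srv_ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.socket() as listener:
            listener.bind(("127.0.0.1", 0))
            listener.listen(3)
            listener.settimeout(5)
            port = listener.getsockname()[1]
            attempts = (("no client cert", None, None),
                        ("trusted client cert", good_crt, good_key),
                        ("cert from untrusted CA", bad_crt, bad_key))
            for label, crt, key in attempts:
                server_view = []
                t = threading.Thread(target=serve_one, args=(srv_ctx, listener, server_view))
                t.start()
                results[label] = try_connect(port, ca_crt, crt, key)
                t.join(5)
                print(f"{label:22}: client ok={results[label]}, server {server_view or 'no report'}")
    return results


if __name__ == "__main__":
    run_demo()
```

Only the client holding a certificate issued by the trusted CA gets an answer; the other two are cut off by the server during (or, with TLS 1.3, immediately after) the handshake, which is exactly the point at which an ingress with client verification enabled stops an unauthenticated caller.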
Secure Settings Example
# Example for a Kubernetes Ingress (ingress-nginx) with mTLS enabled
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    # Require a client certificate and verify it during the TLS handshake
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    # Secret (namespace/name) whose ca.crt key holds the CA bundle client certs must chain to
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ca-secret"
    # Maximum chain length accepted between the client cert and the trusted CA
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "2"
    # Forward the verified client cert to the backend (ssl-client-cert header) for per-identity authorization
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
These annotations only govern verification of the client; the host still needs its own server certificate, declared in spec.tls and stored in a kubernetes.io/tls Secret, otherwise ingress-nginx serves the host with its default self-signed certificate. The Secret named in auth-tls-secret must carry the CA bundle under the key ca.crt, and only clients whose certificate chains to that bundle are admitted.
Insecure Settings Example
# Example of a misconfigured Kubernetes Ingress without mTLS
# (no auth-tls-* annotations and no spec.tls section)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
In this insecure example the Ingress does not verify client certificates, so any client that can reach the ingress can call example-service without presenting an identity, and because spec.tls is absent the host is not served with a proper server certificate either, leaving traffic to it exposed to interception and man-in-the-middle attacks on the network.