mTLS in a Service Mesh
mTLS authenticates both the client and the server with X.509 certificates, which prevents man-in-the-middle (MITM) attacks. It is used for service-to-service communication, and the service mesh issues and rotates the certificates automatically.
Low Code/No Code builds applications through a visual interface, which shortens development time. Combined with a service mesh, low code apps can connect to microservices securely.
Istio mTLS Configuration
# === Istio mTLS Configuration ===
# 1. Install Istio
# curl -L https://istio.io/downloadIstio | sh -
# cd istio-*
# export PATH=$PWD/bin:$PATH
# istioctl install --set profile=demo -y
# 2. Enable sidecar injection
# kubectl label namespace default istio-injection=enabled
# 3. PeerAuthentication — enforce mTLS
#    (a PeerAuthentication named "default" in the root namespace istio-system applies mesh-wide)
# apiVersion: security.istio.io/v1beta1
# kind: PeerAuthentication
# metadata:
#   name: default
#   namespace: istio-system
# spec:
#   mtls:
#     mode: STRICT   # STRICT = mTLS required
#                    # PERMISSIVE = allow both plain and mTLS
#                    # DISABLE = no mTLS
# 4. DestinationRule — mTLS for a specific service (client side)
# apiVersion: networking.istio.io/v1beta1
# kind: DestinationRule
# metadata:
#   name: api-gateway-mtls
# spec:
#   host: api-gateway.default.svc.cluster.local
#   trafficPolicy:
#     tls:
#       mode: ISTIO_MUTUAL
# 5. AuthorizationPolicy — service-level access control
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: api-gateway-policy
#   namespace: default
# spec:
#   selector:
#     matchLabels:
#       app: api-gateway
#   rules:
#   - from:
#     - source:
#         principals: ["cluster.local/ns/default/sa/frontend"]
#     to:
#     - operation:
#         methods: ["GET", "POST"]
#         paths: ["/api/*"]
#   - from:
#     - source:
#         principals: ["cluster.local/ns/default/sa/admin-service"]
#     to:
#     - operation:
#         methods: ["GET", "POST", "PUT", "DELETE"]
#         paths: ["/api/admin/*"]
# 6. Certificate rotation
# Istio auto-rotates workload certificates (default lifetime: 24h)
# Inspect the certificates loaded into a sidecar (<pod-name> is a placeholder for the workload pod)
# istioctl proxy-config secret <pod-name> -o json
# 7. Check mTLS status
# istioctl authn tls-check   # deprecated in newer Istio releases; istioctl x describe pod <pod-name> also reports the mTLS mode
# kubectl get peerauthentication --all-namespaces
# kubectl get authorizationpolicy --all-namespaces
echo "Istio mTLS configured:"
echo " Mode: STRICT (mTLS required)"
echo " AuthZ: Service-level policies"
echo " Certs: Auto-rotated every 24h"
echo " Verify: istioctl authn tls-check"
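The following is an added example (not part of the page and not Istio's own code) that models how the PeerAuthentication mode and the api-gateway-policy rules above decide a request. The real evaluation happens inside the Envoy sidecar; this simplified model follows the documented semantics: STRICT rejects plaintext, a principal only exists on an mTLS connection, an ALLOW policy denies whatever no rule matches, and a path pattern such as `/api/*` is a prefix match. That last point is worth checking against the policy above: the frontend rule's `/api/*` also covers `/api/admin/*`, so the example includes a hardened variant using `notPaths` (a real AuthorizationPolicy field) to close that overlap. The `Rule`, `Request` and `decide` names are this example's own.

```python
# Added example: simplified model of Istio PeerAuthentication + AuthorizationPolicy (ALLOW) decisions.
from dataclasses import dataclass, field
from typing import List, Optional


def istio_match(pattern: str, value: str) -> bool:
    """Istio string matching: exact, 'abc*' prefix, '*abc' suffix, '*' presence (non-empty)."""
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern


@dataclass
class Rule:
    principals: List[str]
    methods: List[str]
    paths: List[str]
    not_paths: List[str] = field(default_factory=list)  # maps to to.operation.notPaths


@dataclass
class Request:
    principal: Optional[str]  # SPIFFE identity from the client cert; None on a plaintext connection
    method: str
    path: str
    plaintext: bool


def peer_auth_accepts(mode: str, plaintext: bool) -> bool:
    """Whether the server sidecar accepts the connection at all, before any AuthZ rule runs."""
    if mode == "STRICT":
        return not plaintext
    if mode == "PERMISSIVE":
        return True
    if mode == "DISABLE":
        return plaintext  # simplification: DISABLE means the sidecar expects plaintext only
    raise ValueError(f"unknown PeerAuthentication mode: {mode}")


def rule_matches(rule: Rule, req: Request) -> bool:
    if req.principal is None:
        return False  # no client cert, so source.principals can never match
    return (
        any(istio_match(p, req.principal) for p in rule.principals)
        and req.method in rule.methods
        and any(istio_match(p, req.path) for p in rule.paths)
        and not any(istio_match(p, req.path) for p in rule.not_paths)
    )


def decide(mode: str, rules: List[Rule], req: Request) -> str:
    """Returns REJECTED_BY_PEER_AUTH, ALLOW or DENY."""
    if not peer_auth_accepts(mode, req.plaintext):
        return "REJECTED_BY_PEER_AUTH"
    # Once an ALLOW policy selects a workload, requests matching no rule are denied.
    return "ALLOW" if any(rule_matches(r, req) for r in rules) else "DENY"


FRONTEND = "cluster.local/ns/default/sa/frontend"
ADMIN = "cluster.local/ns/default/sa/admin-service"

# The two rules of api-gateway-policy as written above.
API_GATEWAY_RULES = [
    Rule([FRONTEND], ["GET", "POST"], ["/api/*"]),
    Rule([ADMIN], ["GET", "POST", "PUT", "DELETE"], ["/api/admin/*"]),
]

# Hardened variant: notPaths stops the /api/* prefix from covering /api/admin/* for the frontend.
HARDENED_RULES = [
    Rule([FRONTEND], ["GET", "POST"], ["/api/*"], not_paths=["/api/admin/*"]),
    API_GATEWAY_RULES[1],
]

if __name__ == "__main__":
    cases = [
        ("STRICT", API_GATEWAY_RULES, Request(FRONTEND, "GET", "/api/users", False)),
        ("STRICT", API_GATEWAY_RULES, Request(None, "GET", "/api/users", True)),
        ("PERMISSIVE", API_GATEWAY_RULES, Request(None, "GET", "/api/users", True)),
        ("STRICT", API_GATEWAY_RULES, Request(FRONTEND, "GET", "/api/admin/users", False)),
        ("STRICT", HARDENED_RULES, Request(FRONTEND, "GET", "/api/admin/users", False)),
        ("STRICT", HARDENED_RULES, Request(ADMIN, "DELETE", "/api/admin/users/1", False)),
    ]
    for mode, rules, req in cases:
        who = req.principal or "plaintext"
        print(f"{mode:<10} {who:<45} {req.method:<6} {req.path:<22} -> {decide(mode, rules, req)}")
```

Two of the cases carry the practical lesson: under PERMISSIVE a plaintext request is accepted by the sidecar but still denied, because it has no principal to match, so switching to STRICT changes where the rejection happens rather than whether it happens; and the original policy lets the frontend identity GET or POST under `/api/admin/`, which the `notPaths` variant closes.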
Service Mesh Observability
# mesh_observability.py — Service Mesh Monitoring
from dataclasses import dataclass
from typing import List, Dict
from datetime import datetime


@dataclass
class ServiceMetrics:
    name: str
    requests_total: int
    error_rate: float
    p50_latency_ms: float
    p99_latency_ms: float
    mtls_enabled: bool
    connections: int


class MeshObservability:
    """Service Mesh Observability Dashboard"""

    def __init__(self):
        self.services: Dict[str, ServiceMetrics] = {}
        self.traffic_flows: List[Dict] = []

    def add_service(self, metrics: ServiceMetrics):
        self.services[metrics.name] = metrics

    def add_traffic(self, source, dest, rps, error_rate, mtls):
        self.traffic_flows.append({
            "source": source, "dest": dest,
            "rps": rps, "error_rate": error_rate,
            "mtls": mtls,
        })

    def dashboard(self):
        """Mesh Dashboard"""
        print(f"\n{'='*60}")
        print(f"Service Mesh Dashboard — {datetime.now().strftime('%H:%M')}")
        print(f"{'='*60}")
        total_rps = sum(s.requests_total for s in self.services.values())
        mtls_count = sum(1 for s in self.services.values() if s.mtls_enabled)
        total = len(self.services)
        # Guard against division by zero when no services have been added yet
        coverage = mtls_count / total * 100 if total else 0
        print(f" Services: {total}")
        print(f" mTLS Coverage: {mtls_count}/{total} ({coverage:.0f}%)")
        print(f" Total RPS: {total_rps:,}")
        print("\n Services:")
        for name, m in self.services.items():
            mtls = "mTLS" if m.mtls_enabled else "PLAIN"
            # Health thresholds: <1% error rate OK, <5% WARN, otherwise CRIT
            health = "OK" if m.error_rate < 1 else "WARN" if m.error_rate < 5 else "CRIT"
            print(f" [{health:>4}] {name:<25} "
                  f"RPS:{m.requests_total:>6} "
                  f"Err:{m.error_rate:.1f}% "
                  f"P99:{m.p99_latency_ms:.0f}ms "
                  f"[{mtls}]")
        print("\n Traffic Flows:")
        for flow in self.traffic_flows:
            mtls = "mTLS" if flow["mtls"] else "PLAIN"
            print(f" {flow['source']:>20} -> {flow['dest']:<20} "
                  f"{flow['rps']:>4} rps [{mtls}]")

    def security_audit(self):
        """Security Audit: flag services and flows that are not using mTLS"""
        print("\n Security Audit:")
        issues = []
        for name, m in self.services.items():
            if not m.mtls_enabled:
                issues.append(f" WARN: {name} — mTLS not enabled")
        for flow in self.traffic_flows:
            if not flow["mtls"]:
                issues.append(f" WARN: {flow['source']} -> {flow['dest']} — Plain text")
        if issues:
            for issue in issues:
                print(f" {issue}")
        else:
            print(" All services using mTLS — PASS")


# Example
mesh = MeshObservability()
services = [
    ServiceMetrics("api-gateway", 5000, 0.2, 12, 85, True, 150),
    ServiceMetrics("user-service", 2000, 0.1, 8, 45, True, 80),
    ServiceMetrics("order-service", 3000, 0.5, 15, 120, True, 100),
    ServiceMetrics("payment-service", 1000, 0.3, 20, 200, True, 50),
    ServiceMetrics("notification-svc", 500, 0.0, 5, 30, True, 20),
    ServiceMetrics("legacy-service", 200, 1.5, 50, 500, False, 10),
]
for svc in services:
    mesh.add_service(svc)
mesh.add_traffic("api-gateway", "user-service", 2000, 0.1, True)
mesh.add_traffic("api-gateway", "order-service", 3000, 0.5, True)
mesh.add_traffic("order-service", "payment-service", 1000, 0.3, True)
mesh.add_traffic("order-service", "legacy-service", 200, 1.5, False)
mesh.dashboard()
mesh.security_audit()
Low Code Integration
# === Low Code + Service Mesh Integration ===
# 1. Retool configuration (Low Code internal tool)
# retool_config.yaml
# resources:
#   - name: "User API"
#     type: "rest_api"
#     base_url: "https://api-gateway.internal/api/v1"
#     headers:
#       Authorization: "Bearer {{ RETOOL_API_KEY }}"
#       X-Request-ID: "{{ generateUUID() }}"
#     # mTLS handled by Service Mesh sidecar
#
#   - name: "Analytics DB"
#     type: "postgresql"
#     host: "analytics-db.internal"
#     port: 5432
#     database: "analytics"
#     # Connection encrypted via mTLS
# 2. Power Automate flow (No Code workflow)
# workflow:
#   trigger: "When new order is created"
#   actions:
#     - name: "Validate Order"
#       type: "http_request"
#       url: "https://api-gateway.internal/api/v1/orders/validate"
#       method: "POST"
#       body: "@triggerBody()"
#
#     - name: "Send Notification"
#       type: "http_request"
#       url: "https://api-gateway.internal/api/v1/notifications"
#       method: "POST"
#       body:
#         to: "@body('Validate Order').customer_email"
#         template: "order_confirmation"
# 3. Kubernetes Deployment for the Low Code backend
# apiVersion: apps/v1
# kind: Deployment
# metadata:
#   name: retool
#   labels:
#     app: retool
# spec:
#   replicas: 2
#   selector:
#     matchLabels:
#       app: retool
#   template:
#     metadata:
#       labels:
#         app: retool
#       annotations:
#         sidecar.istio.io/inject: "true"
#     spec:
#       serviceAccountName: retool   # gives the sidecar the identity cluster.local/ns/default/sa/retool used in the policy below
#       containers:
#       - name: retool
#         image: tryretool/backend:latest
#         ports:
#         - containerPort: 3000
#         env:
#         - name: DATABASE_URL
#           valueFrom:
#             secretKeyRef:
#               name: retool-secrets
#               key: database-url
# 4. AuthorizationPolicy for Low Code
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: lowcode-policy
#   namespace: default   # same namespace as the api-gateway workload it selects
# spec:
#   selector:
#     matchLabels:
#       app: api-gateway
#   rules:
#   - from:
#     - source:
#         principals: ["cluster.local/ns/default/sa/retool"]
#     to:
#     - operation:
#         methods: ["GET", "POST"]
#         paths: ["/api/v1/users/*", "/api/v1/orders/*"]
lowcode_platforms = {
    "Retool": {"type": "Internal Tools", "pricing": "Free tier + $10/user"},
    "Power Apps": {"type": "Business Apps", "pricing": "$20/user/month"},
    "Mendix": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "OutSystems": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "Appsmith": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
    "Budibase": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
}
print("\nLow Code Platforms:")
for name, info in lowcode_platforms.items():
    print(f" {name}: {info['type']} — {info['pricing']}")
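The Retool resource above relies on the sidecar for mTLS, and the lowcode-policy restricts which mesh identity may reach the gateway. The backend can also verify that identity itself, as defence in depth: after the Istio/Envoy sidecar terminates mTLS it forwards the client certificate details to the application in the X-Forwarded-Client-Cert (XFCC) header, whose URI field carries the caller's SPIFFE ID (`spiffe://` followed by the same `cluster.local/ns/.../sa/...` string the AuthorizationPolicy uses). The following is an added example, not code from the page, Retool or Istio; the sample header values are constructed, and `parse_xfcc`, `caller_principal` and `lowcode_caller_allowed` are this example's own names.

```python
# Added example: read the caller's mesh identity from the XFCC header Envoy sets, and
# check it against the principals granted by lowcode-policy above.
from typing import Dict, List, Optional

# Principals that lowcode-policy grants, in AuthorizationPolicy notation (no spiffe:// prefix).
ALLOWED_LOWCODE_PRINCIPALS = {"cluster.local/ns/default/sa/retool"}

# Constructed sample in the Envoy XFCC shape: Key=Value pairs joined by ';', one element per hop.
SAMPLE_XFCC = (
    "By=spiffe://cluster.local/ns/default/sa/api-gateway;"
    "Hash=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef;"  # constructed, not a real digest
    'Subject="";URI=spiffe://cluster.local/ns/default/sa/retool'
)


def _split_outside_quotes(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside double-quoted values (Subject may contain ';' or ',')."""
    parts, buf, in_quotes, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    parts.append("".join(buf))
    return parts


def parse_xfcc(header: str) -> List[Dict[str, str]]:
    """Parse XFCC into one dict per element; elements are separated by ',', fields by ';'."""
    elements: List[Dict[str, str]] = []
    for element in _split_outside_quotes(header, ","):
        fields: Dict[str, str] = {}
        for pair in _split_outside_quotes(element, ";"):
            if "=" not in pair:
                continue
            key, value = pair.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')  # unquote and unescape
            fields[key.strip()] = value
        if fields:
            elements.append(fields)
    return elements


def caller_principal(xfcc_header: Optional[str]) -> Optional[str]:
    """Principal of the immediate caller, or None when no client certificate was presented."""
    if not xfcc_header:
        return None  # plaintext connection (possible under PERMISSIVE) or no sidecar in front
    elements = parse_xfcc(xfcc_header)
    if not elements:
        return None
    # The last element is the one appended by the nearest proxy, i.e. the sidecar that terminated mTLS.
    uri = elements[-1].get("URI", "")
    if not uri.startswith("spiffe://"):
        return None
    return uri[len("spiffe://"):]


def lowcode_caller_allowed(xfcc_header: Optional[str]) -> bool:
    """Application-layer check mirroring lowcode-policy: only the retool identity may call."""
    principal = caller_principal(xfcc_header)
    return principal is not None and principal in ALLOWED_LOWCODE_PRINCIPALS


if __name__ == "__main__":
    print("caller:", caller_principal(SAMPLE_XFCC))
    print("allowed:", lowcode_caller_allowed(SAMPLE_XFCC))
    print("allowed without XFCC:", lowcode_caller_allowed(None))
```

A missing header is treated as "no identity" and denied, which is what you want while a namespace is still in PERMISSIVE mode: a plaintext caller reaches the application but cannot pass the check. The Hash field is the sidecar's digest of the client certificate and is not needed for the identity decision, so the parser keeps it only as data.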
Best Practices
- STRICT Mode: use mTLS STRICT mode in production so that encryption is enforced for every service
- AuthorizationPolicy: define service-level policies that grant only the access each caller needs
- Certificate Rotation: rely on the auto-rotation Istio manages, and keep certificate lifetimes short
- Observability: use Kiali, Jaeger and Prometheus to see traffic flows and mTLS status
- Low Code Security: route low code apps through the API gateway, protected by an AuthZ policy
- Gradual Migration: start in PERMISSIVE mode, then switch to STRICT once all traffic is mTLS
What is mTLS
Mutual TLS encrypts traffic and authenticates both the client and the server with X.509 certificates, preventing MITM attacks. It is used for service-to-service communication between microservices.
What is a Service Mesh
An infrastructure layer that manages communication between microservices. A sidecar proxy (Envoy) provides traffic routing, load balancing, mTLS and observability without changing application code. Examples: Istio, Linkerd, Consul.
What is Low Code/No Code
Platforms that build apps through a visual interface instead of hand-written code, reducing development time: drag-and-drop UIs, workflows and integrations. Examples: Power Apps, Mendix, OutSystems and Retool, used for business apps and internal tools.
Why use mTLS in a Service Mesh
It blocks impersonated services (identity verification), encrypts traffic (encryption in transit) and is the foundation of Zero Trust: every connection is authenticated, and the mesh manages the certificates automatically.
Summary
mTLS in a service mesh provides Zero Trust communication between services. Istio manages certificates automatically, STRICT mode enforces encryption, AuthorizationPolicy controls permissions, low code apps connect securely through the API gateway, and Kiali and Jaeger provide observability.
