mTLS in Service Mesh
mTLS authenticates both client and server with X.509 certificates, which prevents MITM attacks on service-to-service communication. The service mesh issues and manages the certificates automatically.
Low Code/No Code builds applications through a visual interface and cuts development time. Combined with a service mesh, low code apps can reach microservices securely, because the sidecar handles mTLS and enforces the access policies for them.
Istio mTLS Configuration
# === Istio mTLS Configuration ===
# 1. Install Istio
# curl -L https://istio.io/downloadIstio | sh -
# cd istio-*
# export PATH=$PWD/bin:$PATH
# istioctl install --set profile=demo -y

# 2. Enable sidecar injection
# kubectl label namespace default istio-injection=enabled

# 3. PeerAuthentication — enforce mTLS
# apiVersion: security.istio.io/v1beta1
# kind: PeerAuthentication
# metadata:
#   name: default
#   namespace: istio-system    # root namespace: this policy applies mesh-wide
# spec:
#   mtls:
#     mode: STRICT             # STRICT = mTLS required
#                              # PERMISSIVE = allow both plain and mTLS
#                              # DISABLE = no mTLS

# 4. DestinationRule — mTLS for a specific service
# apiVersion: networking.istio.io/v1beta1
# kind: DestinationRule
# metadata:
#   name: api-gateway-mtls
# spec:
#   host: api-gateway.default.svc.cluster.local
#   trafficPolicy:
#     tls:
#       mode: ISTIO_MUTUAL

# 5. AuthorizationPolicy — service-level access control
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: api-gateway-policy
#   namespace: default
# spec:
#   selector:
#     matchLabels:
#       app: api-gateway
#   rules:
#     - from:
#         - source:
#             principals: ["cluster.local/ns/default/sa/frontend"]
#       to:
#         - operation:
#             methods: ["GET", "POST"]
#             paths: ["/api/*"]
#     - from:
#         - source:
#             principals: ["cluster.local/ns/default/sa/admin-service"]
#       to:
#         - operation:
#             methods: ["GET", "POST", "PUT", "DELETE"]
#             paths: ["/api/admin/*"]

# 6. Certificate rotation
# Istio auto-rotates workload certificates (default lifetime: 24h)
# Inspect the certificates a sidecar currently holds (<pod-name>.<namespace> is a placeholder)
# istioctl proxy-config secret <pod-name>.<namespace> -o json

# 7. Check mTLS status
# istioctl authn tls-check
# kubectl get peerauthentication --all-namespaces
# kubectl get authorizationpolicy --all-namespaces

echo "Istio mTLS configured:"
echo "  Mode: STRICT (mTLS required)"
echo "  AuthZ: Service-level policies"
echo "  Certs: Auto-rotated every 24h"
echo "  Verify: istioctl authn tls-check"
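The STRICT/PERMISSIVE/DISABLE modes above are resolved per workload by Istio's policy precedence, which matters during a gradual migration. The following is an added example (not from the page or from Istio) that resolves the effective mode from a set of PeerAuthentication objects; the mesh-wide STRICT policy is the page's, the legacy namespace and metrics-exporter policies and the workload inventory are constructed, and the root namespace istio-system is assumed from a default install.

```python
# Added example (not from the page or Istio): resolve the effective mTLS mode of a
# workload from PeerAuthentication objects using Istio's precedence:
# workload-specific (has selector) > namespace-wide > mesh-wide (root namespace).
# UNSET inherits from the next level; with no applicable policy Istio uses PERMISSIVE.
from typing import Dict, List, Tuple
ROOT_NAMESPACE = "istio-system"  # assumption: default Istio install

def _selects(policy: Dict, labels: Dict[str, str]) -> bool:
    match = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())

def effective_mtls_mode(policies: List[Dict], namespace: str, labels: Dict[str, str]) -> str:
    workload = ns_wide = mesh_wide = None
    for p in policies:
        p_ns = p["metadata"].get("namespace", "default")
        mode = p["spec"].get("mtls", {}).get("mode", "UNSET")
        if "selector" in p["spec"]:
            if p_ns == namespace and _selects(p, labels):
                workload = mode
        elif p_ns == namespace:
            ns_wide = mode
        elif p_ns == ROOT_NAMESPACE:
            mesh_wide = mode
    for mode in (workload, ns_wide, mesh_wide):  # most specific level wins
        if mode and mode != "UNSET":
            return mode
    return "PERMISSIVE"

def not_strict(policies: List[Dict], workloads: List[Tuple[str, str, Dict[str, str]]]) -> List[str]:
    """Workloads whose effective mode is not STRICT: what still blocks a STRICT-only mesh."""
    return [name for name, ns, labels in workloads
            if effective_mtls_mode(policies, ns, labels) != "STRICT"]

def _peer_auth(name, namespace, mode, selector=None):
    spec = {"mtls": {"mode": mode}}
    if selector:
        spec["selector"] = {"matchLabels": selector}
    return {"metadata": {"name": name, "namespace": namespace}, "spec": spec}

POLICIES = [
    _peer_auth("default", "istio-system", "STRICT"),  # the page's mesh-wide policy
    _peer_auth("default", "legacy", "PERMISSIVE"),    # constructed: namespace mid-migration
    _peer_auth("exporter", "default", "DISABLE", {"app": "metrics-exporter"}),  # constructed
]
WORKLOADS = [  # constructed inventory: (name, namespace, labels)
    ("api-gateway", "default", {"app": "api-gateway"}),
    ("legacy-service", "legacy", {"app": "legacy-service"}),
    ("metrics-exporter", "default", {"app": "metrics-exporter"}),
]
```

Workloads in namespaces with no policy of their own inherit the mesh-wide STRICT; `not_strict` lists the remaining exceptions that must be cleared before the PERMISSIVE namespace policy can be removed.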
Service Mesh Observability
# mesh_observability.py — Service Mesh Monitoring
from dataclasses import dataclass
from typing import List, Dict
from datetime import datetime


@dataclass
class ServiceMetrics:
    name: str
    requests_total: int      # used as requests per second by the dashboard below
    error_rate: float        # percent of requests that failed
    p50_latency_ms: float
    p99_latency_ms: float
    mtls_enabled: bool
    connections: int


class MeshObservability:
    """Service Mesh Observability Dashboard"""

    def __init__(self):
        self.services: Dict[str, ServiceMetrics] = {}
        self.traffic_flows: List[Dict] = []

    def add_service(self, metrics: ServiceMetrics):
        self.services[metrics.name] = metrics

    def add_traffic(self, source, dest, rps, error_rate, mtls):
        self.traffic_flows.append({
            "source": source, "dest": dest,
            "rps": rps, "error_rate": error_rate,
            "mtls": mtls,
        })

    def dashboard(self):
        """Mesh Dashboard"""
        print(f"\n{'='*60}")
        print(f"Service Mesh Dashboard — {datetime.now().strftime('%H:%M')}")
        print(f"{'='*60}")
        total_rps = sum(s.requests_total for s in self.services.values())
        mtls_count = sum(1 for s in self.services.values() if s.mtls_enabled)
        total = len(self.services)
        coverage = mtls_count / total * 100 if total else 0.0  # guard against an empty mesh
        print(f"  Services: {total}")
        print(f"  mTLS Coverage: {mtls_count}/{total} ({coverage:.0f}%)")
        print(f"  Total RPS: {total_rps:,}")
        print("\n  Services:")
        for name, m in self.services.items():
            mtls = "mTLS" if m.mtls_enabled else "PLAIN"
            # error-rate thresholds: <1% OK, <5% WARN, otherwise CRIT
            health = "OK" if m.error_rate < 1 else "WARN" if m.error_rate < 5 else "CRIT"
            print(f"    [{health:>4}] {name:<25} "
                  f"RPS:{m.requests_total:>6} "
                  f"Err:{m.error_rate:.1f}% "
                  f"P99:{m.p99_latency_ms:.0f}ms "
                  f"[{mtls}]")
        print("\n  Traffic Flows:")
        for flow in self.traffic_flows:
            mtls = "mTLS" if flow["mtls"] else "PLAIN"
            print(f"    {flow['source']:>20} -> {flow['dest']:<20} "
                  f"{flow['rps']:>4} rps [{mtls}]")

    def security_audit(self):
        """Security Audit: flag every service and every flow that is not protected by mTLS"""
        print("\n  Security Audit:")
        issues = []
        for name, m in self.services.items():
            if not m.mtls_enabled:
                issues.append(f"WARN: {name} — mTLS not enabled")
        for flow in self.traffic_flows:
            if not flow["mtls"]:
                issues.append(f"WARN: {flow['source']} -> {flow['dest']} — Plain text")
        if issues:
            for issue in issues:
                print(f"    {issue}")
        else:
            print("    All services using mTLS — PASS")


# Example
mesh = MeshObservability()
services = [
    ServiceMetrics("api-gateway", 5000, 0.2, 12, 85, True, 150),
    ServiceMetrics("user-service", 2000, 0.1, 8, 45, True, 80),
    ServiceMetrics("order-service", 3000, 0.5, 15, 120, True, 100),
    ServiceMetrics("payment-service", 1000, 0.3, 20, 200, True, 50),
    ServiceMetrics("notification-svc", 500, 0.0, 5, 30, True, 20),
    ServiceMetrics("legacy-service", 200, 1.5, 50, 500, False, 10),
]
for svc in services:
    mesh.add_service(svc)
mesh.add_traffic("api-gateway", "user-service", 2000, 0.1, True)
mesh.add_traffic("api-gateway", "order-service", 3000, 0.5, True)
mesh.add_traffic("order-service", "payment-service", 1000, 0.3, True)
mesh.add_traffic("order-service", "legacy-service", 200, 1.5, False)
mesh.dashboard()
mesh.security_audit()
Low Code Integration
# === Low Code + Service Mesh Integration ===
# 1. Retool configuration (Low Code internal tool)
# retool_config.yaml
# resources:
#   - name: "User API"
#     type: "rest_api"
#     base_url: "https://api-gateway.internal/api/v1"
#     headers:
#       Authorization: "Bearer {{ RETOOL_API_KEY }}"
#       X-Request-ID: "{{ generateUUID() }}"
#     # mTLS handled by the Service Mesh sidecar
#
#   - name: "Analytics DB"
#     type: "postgresql"
#     host: "analytics-db.internal"
#     port: 5432
#     database: "analytics"
#     # Connection encrypted via mTLS

# 2. Power Automate flow (No Code workflow)
# workflow:
#   trigger: "When new order is created"
#   actions:
#     - name: "Validate Order"
#       type: "http_request"
#       url: "https://api-gateway.internal/api/v1/orders/validate"
#       method: "POST"
#       body: "@triggerBody()"
#
#     - name: "Send Notification"
#       type: "http_request"
#       url: "https://api-gateway.internal/api/v1/notifications"
#       method: "POST"
#       body:
#         to: "@body('Validate Order').customer_email"
#         template: "order_confirmation"

# 3. Kubernetes Deployment for the Low Code backend
# apiVersion: apps/v1
# kind: Deployment
# metadata:
#   name: retool
#   labels:
#     app: retool
# spec:
#   replicas: 2
#   selector:
#     matchLabels:
#       app: retool
#   template:
#     metadata:
#       labels:
#         app: retool
#       annotations:
#         sidecar.istio.io/inject: "true"
#     spec:
#       serviceAccountName: retool   # the identity behind the sa/retool principal in the policy below
#       containers:
#         - name: retool
#           image: tryretool/backend:latest
#           ports:
#             - containerPort: 3000
#           env:
#             - name: DATABASE_URL
#               valueFrom:
#                 secretKeyRef:
#                   name: retool-secrets
#                   key: database-url

# 4. AuthorizationPolicy for Low Code
# apiVersion: security.istio.io/v1beta1
# kind: AuthorizationPolicy
# metadata:
#   name: lowcode-policy
# spec:
#   selector:
#     matchLabels:
#       app: api-gateway
#   rules:
#     - from:
#         - source:
#             principals: ["cluster.local/ns/default/sa/retool"]
#       to:
#         - operation:
#             methods: ["GET", "POST"]
#             paths: ["/api/v1/users/*", "/api/v1/orders/*"]

lowcode_platforms = {
    "Retool": {"type": "Internal Tools", "pricing": "Free tier + $10/user"},
    "Power Apps": {"type": "Business Apps", "pricing": "$20/user/month"},
    "Mendix": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "OutSystems": {"type": "Enterprise Apps", "pricing": "Contact Sales"},
    "Appsmith": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
    "Budibase": {"type": "Internal Tools (OSS)", "pricing": "Free (self-hosted)"},
}
print("\nLow Code Platforms:")
for name, info in lowcode_platforms.items():
    print(f"  {name}: {info['type']} — {info['pricing']}")
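Both AuthorizationPolicies on this page (api-gateway-policy in the Istio section and lowcode-policy above) select the same api-gateway workload, so a request is allowed only if it matches a rule of one of them. The following is an added example (not from the page or from Istio) that evaluates requests against those two policies with Istio's ALLOW semantics; the policies are transcribed from the page, and the requests in the test are constructed.

```python
# Added example (not from the page or Istio): evaluate requests against this page's
# two ALLOW AuthorizationPolicies with Istio's semantics. If any ALLOW policy selects
# the workload, a request passes only if some rule matches (a `from` principal AND a
# `to` operation). Path patterns: exact, prefix "/api/*", suffix "*.html", or "*".
# DENY policies, `when` conditions and notPrincipals are not modelled here.
from typing import Dict, List, Optional

def _selects(policy: Dict, labels: Dict[str, str]) -> bool:
    match = policy["spec"].get("selector", {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in match.items())

def path_matches(pattern: str, path: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path

def rule_matches(rule: Dict, principal: Optional[str], method: str, path: str) -> bool:
    # principal: peer SPIFFE id from its mTLS client cert; None = plaintext caller, never matches
    if rule.get("from"):
        allowed = [p for f in rule["from"] for p in f.get("source", {}).get("principals", [])]
        if principal is None or principal not in allowed:
            return False
    if rule.get("to"):
        ops = [t.get("operation", {}) for t in rule["to"]]
        if not any((not op.get("methods") or method in op["methods"]) and
                   (not op.get("paths") or any(path_matches(q, path) for q in op["paths"]))
                   for op in ops):
            return False
    return True

def is_allowed(policies, labels, principal, method, path) -> bool:
    applicable = [p for p in policies if _selects(p, labels)]
    if not applicable:  # no ALLOW policy selects the workload: Istio allows by default
        return True
    return any(rule_matches(r, principal, method, path)
               for p in applicable for r in p["spec"].get("rules", []))

def _allow(principals, methods, paths):  # one ALLOW rule in Istio's structure
    return {"from": [{"source": {"principals": principals}}],
            "to": [{"operation": {"methods": methods, "paths": paths}}]}
SA = "cluster.local/ns/default/sa/"  # trust domain and namespace prefix used on the page
POLICIES = [  # api-gateway-policy and lowcode-policy from the page, both on app=api-gateway
    {"spec": {"selector": {"matchLabels": {"app": "api-gateway"}}, "rules": [
        _allow([SA + "frontend"], ["GET", "POST"], ["/api/*"]),
        _allow([SA + "admin-service"], ["GET", "POST", "PUT", "DELETE"], ["/api/admin/*"])]}},
    {"spec": {"selector": {"matchLabels": {"app": "api-gateway"}}, "rules": [
        _allow([SA + "retool"], ["GET", "POST"], ["/api/v1/users/*", "/api/v1/orders/*"])]}},
]
```

Two results worth noting: a call from the retool service account to /api/v1/notifications is denied because lowcode-policy lists only the users and orders paths, and any plaintext caller is denied because the principal is only populated from the mTLS client certificate, so principal-based rules depend on mTLS actually being in effect.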
Best Practices
- STRICT Mode: use mTLS STRICT mode in production so that encryption is enforced for every service.
- AuthorizationPolicy: define service-level policies so each service can reach only what it needs.
- Certificate Rotation: rely on the auto-rotation Istio manages and keep certificate lifetimes short.
- Observability: use Kiali, Jaeger and Prometheus to view traffic flows and mTLS status.
- Low Code Security: route low code apps through the API Gateway and attach an AuthZ policy to them.
- Gradual Migration: start with PERMISSIVE, then switch to STRICT once every service speaks mTLS.
What is mTLS
Mutual TLS encrypts traffic and authenticates both client and server with X.509 certificates, preventing MITM; it is used for service-to-service communication between microservices.