
Why is SSL needed between Kubernetes pods?

When I have a Kubernetes cluster deployed in the same network, inside my org, with firewall rules and access control in place, what would be the reason for encrypting communications between pods?

I am having a discussion about implementing the TLS sidecar pattern and I really want to know if it is necessary; so far the only argument is to avoid malicious people inside my organization trying to do sniffing.

Can you help me out with what the valid business scenarios are?

It's part of a defense-in-depth strategy. If one of your pods is compromised, it gets harder to exploit that by reading traffic. It might be compromised by insiders or external attackers.

Read access tokens might be used for replay attacks.

Well if this is "necessary" probably depends on your requirements. It might not get you immediate business benefits. However, "just" reading data can already be a serious security breach.

That being said, using service meshes like Istio it is relatively easy to implement mutual TLS between services.

Also, Istio provides more security features than just encrypting communication between pods. It also uses the concept of identity and makes it possible to specify authorization rules on the level of services instead of IP addresses (which might be hard to manage).

In addition to security benefits, Istio can also provide other features like advanced traffic management or features which make it possible to move common cross-cutting concerns like metrics, tracing, CORS policies, JWT validation into the mesh.

Those may provide more tangible benefits for application developers and maintainers (compared to security, which might be only relevant once it is compromised...)
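As an added example (not code from the answer above or from the Istio project), these are the two Istio resources the answer refers to: a namespace-wide PeerAuthentication that refuses plaintext, and an AuthorizationPolicy that grants access by workload identity rather than by IP address. The `shop` namespace, the `orders` and `frontend` workloads and their service accounts are assumed names.

```yaml
# Added example; "shop", "orders" and "frontend" are assumed names,
# not from the original post.

# PERMISSIVE (the mesh default) still accepts plaintext connections, so a
# pod without a sidecar can keep talking in the clear and traffic stays
# sniffable. STRICT rejects anything that is not mesh mTLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: shop
spec:
  mtls:
    mode: STRICT   # weak setting would be PERMISSIVE; switch once all workloads have sidecars
---
# Authorization by identity (the SPIFFE principal derived from the
# Kubernetes service account), not by pod IP: only the frontend's identity
# may call the orders service, and only for GET/POST on the orders API.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: orders-allow-frontend
  namespace: shop
spec:
  selector:
    matchLabels:
      app: orders
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/shop/sa/frontend"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/api/orders", "/api/orders/*"]
```

Once both objects are applied, a caller without a sidecar (plaintext) or one presenting a different service-account identity has its requests refused, which is the observable check that the policy is in effect.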

The network layer is never assumed to be trustworthy. How do you know what is installed on the computers and mobile phones connected to your network? It could be spyware sniffing network traffic. For spyware to sniff network traffic, it does not need to be installed on the computers communicating; it can be (in some common network topologies) installed on a mobile phone connected to the WiFi of the same organization.
