I’m wondering how we can avoid excessive TLS encryption/decryption, specifically in the following cases:
- Can an external client connect via https directly to the linkerd-proxy (bypassing Nginx-ingress TLS termination and linkerd re-encryption) ?
- If 2 meshed pods are on the same kubernetes node, does linkerd-proxy still encrypt and decrypt the traffic between them?
My guesses are decryption at ingress is required so linkerd-proxy can get layer 7 information and that 2 pods on the same node still encrypt their traffic due to man-in-the-middle vulnerabilities?
Any information you could offer would be highly appreciated.
There are multiple reasons you tend to need to funnel external clients to an ingress controller:
- The cluster’s network layer is usually set up to only allow outside access to the ingress controller.
- The ingress controller needs to terminate TLS to be able to make intelligent routing decisions based on L7 information like HTTP path & headers.
- The client usually doesn’t have access to a certificate signed by Linkerd’s trust anchor, which means that the client won’t be able to complete the mTLS negotiation that the proxy needs.
So usually there are important reasons to terminate TLS at the ingress controller before originating mTLS to the workloads. And, yes, Linkerd encrypts everything, no matter whether the traffic is leaving the Node or not.
For the most part, we also find that the cost of mTLS is low enough that it’s not worth trying to optimize it away. Are you seeing something different?