Partially Trusting the Service Mesh Control Plane
Constantin Adam (1), Abdulhamid Adebayo (1), Hubertus Franke (1), Edward Snible (1), Tobin Feldman-Fitzthum (1), James Cadden (1), Nerla Jean-Louis (2) ((1) IBM T.J. Watson Research Center, (2) University of Illinois at Urbana-Champaign)

TL;DR
This paper enhances the Service Mesh control plane with a Verifiable Configuration mechanism, enabling application owners to enforce internal trust boundaries and prevent unauthorized changes by cluster administrators.
Contribution
It introduces a Verifiable Configuration framework that allows partial trust in the Service Mesh control plane, combining digital signatures and confidential computing for improved security.
Findings
Enables application owners to sign and verify configurations.
Prevents unauthorized modifications by cluster administrators.
Maintains Service Mesh functionalities with enhanced trust controls.
Abstract
Zero Trust is a novel cybersecurity model that focuses on continually evaluating trust to prevent the initiation and horizontal spreading of attacks. A cloud-native Service Mesh is an example of Zero Trust Architecture that can filter out external threats. However, the Service Mesh does not shield the Application Owner from internal threats, such as a rogue administrator of the cluster where their application is deployed. In this work, we are enhancing the Service Mesh to allow the definition and reinforcement of a Verifiable Configuration that is defined and signed off by the Application Owner. Backed by automated digital signing solutions and confidential computing technologies, the Verifiable Configuration allows changing the trust model of the Service Mesh, from the data plane fully trusting the control plane to partially trusting it. This lets the application benefit from all the…
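The trust change the abstract describes, as an added illustration that is not code from the paper: the Application Owner signs a configuration, and a data-plane sidecar accepts a config relayed by the control plane only if the owner's signature still verifies, so an edit made at the control plane (for example by a cluster administrator) is refused. The MeshConfig structure, the JSON canonical form and the use of Ed25519 are assumptions for this example; the paper's own signing pipeline and confidential-computing protections are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"sort"
)

// MeshConfig is a hypothetical, deliberately small stand-in for a mesh routing policy.
type MeshConfig struct {
	Service      string   `json:"service"`
	AllowedPeers []string `json:"allowed_peers"`
	MTLS         string   `json:"mtls"`
}

// SignedConfig is what the control plane forwards to sidecars: config plus owner signature.
type SignedConfig struct {
	Config    MeshConfig
	Signature []byte
}

// canonicalize gives a deterministic encoding (sorted peers, fields in declaration order)
// so the signature does not depend on formatting chosen by whoever relayed the config.
func canonicalize(c MeshConfig) []byte {
	peers := append([]string(nil), c.AllowedPeers...)
	sort.Strings(peers)
	c.AllowedPeers = peers
	b, _ := json.Marshal(c) // cannot fail for this struct
	return b
}

// OwnerSign is run by the Application Owner, the only party holding the private key.
func OwnerSign(priv ed25519.PrivateKey, c MeshConfig) SignedConfig {
	return SignedConfig{Config: c, Signature: ed25519.Sign(priv, canonicalize(c))}
}

// DataPlaneAccept is the check a sidecar runs on every config pushed by the control plane:
// the control plane is trusted only to deliver, so anything not signed by the owner is refused.
func DataPlaneAccept(ownerPub ed25519.PublicKey, sc SignedConfig) bool {
	return ed25519.Verify(ownerPub, canonicalize(sc.Config), sc.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sc := OwnerSign(priv, MeshConfig{Service: "payments", AllowedPeers: []string{"orders"}, MTLS: "STRICT"})
	sc.Config.MTLS = "PERMISSIVE" // constructed tampering after signing
	fmt.Println("tampered config accepted:", DataPlaneAccept(pub, sc))
}
```

The sidecar needs the owner's public key pinned out of band (not fetched from the control plane it is meant to distrust), which is the part the paper backs with confidential computing.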
Taxonomy
Topics: Cloud Data Security Solutions · Network Security and Intrusion Detection · Security and Verification in Computing
