Ani
Reputation: 119
Configure istio for both tls and MTLS
I have a Kubernetes app and I'm having the istio sidecar set up. Is it possible configure istio MTLS for a subset of APIs and others with simple TLS?
Upvotes: 2
Views: 712
Answers (1)
Jakub
Reputation: 8840
As I mentioned in the comments, you should be able to do that with destination rules, as you can use the tls settings mode to change the mtls for specific hosts.
Take a look at below examples from documentation:
For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: db-mtls
spec:
host: mydbserver.prod.svc.cluster.local
trafficPolicy:
tls:
mode: MUTUAL
clientCertificate: /etc/certs/myclientcert.pem
privateKey: /etc/certs/client_private_key.pem
caCertificates: /etc/certs/rootcacerts.pem
The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.
v1alpha3v1beta1
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: tls-foo
spec:
host: "*.foo.com"
trafficPolicy:
tls:
mode: SIMPLE
The following rule configures a client to use Istio mutual TLS when talking to rating services.
v1alpha3v1beta1
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ratings-istio-mtls
spec:
host: ratings.prod.svc.cluster.local
trafficPolicy:
tls:
mode: ISTIO_MUTUAL
Upvotes: 2
Related Questions
- Istio Sidecar proxy fails to start due to Invalid path on certs mTLS
- Istio Request Time out configurations for https/tls calls
- Configure Istio ingress gateway TLS with istio operator
- istio operator: pass ingress mTLS certs via files
- TLS handshake through Istio ingress gateway fails (tlsMode=passthrough)
- mTLS in OpenShift + Istio (client certificate)
- Why there are two different ways to enable mTLS in istio?
- How to configure TLS origination in ISTIO?
- TLS version and ciphers in Istio mTLS
- Can I run istio without enabling mtls?