santosh2000

Reputation: 1

Istio mTLS Clarification

I am a newbie with Istio. Recently I read in other Stack Overflow posts that communication between the Istio sidecar and the main container is not encrypted. However, in a scenario where I am performing TLS passthrough in Istio at the IngressGateway level and also enforcing mTLS within my Istio mesh, what happens to the TLS traffic that reaches my application's sidecar proxy? Does the proxy (always) strip off the TLS and pass non-SSL traffic to my backend Kubernetes service? Or does my proxy pass the TLS traffic as-is to the application containers? (If so, this contradicts what I learned.)

  1. As traffic between the Istio sidecar and the main container is not encrypted, does this mean I always have to expose a non-SSL port as my container port within my k8s service definition file while using an Istio service mesh?

Thanks

I haven't tried any POC yet as I am still confused about these constructs.

Upvotes: 0

Views: 720

Answers (1)

Nataraj Medayhal

Reputation: 1221

If you would like to use TLS passthrough, then it is the application container's responsibility to handle the TLS. So in this case, in the Istio gateway you need to specify the following:

# spec.servers entry of an Istio Gateway resource; hosts is a required field
servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
      - "*"                  # or the SNI hostname the TLS client sends
    tls:
      mode: PASSTHROUGH      # no credentialName: the gateway forwards the TLS stream without decrypting it

Also, the virtual service and service definition have to carry the HTTPS details. Please refer to the Istio documentation for a detailed explanation.

In case of TLS termination, please refer to the corresponding Istio documentation. Additionally, PeerAuthentication and DestinationRule resources have to be created along with the gateway and virtual service resources.

Upvotes: 0
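The full set of resources the answer above refers to, as an added example that is not part of the original question or answer and not taken from the Istio documentation. It assumes a workload `my-nginx` in namespace `demo` that serves its own certificate on container port 443, and a public hostname `nginx.example.com`; those names are assumptions. The point it shows is how the two TLS layers stack: with STRICT mTLS the gateway-to-sidecar hop is wrapped in Istio's mTLS, the receiving sidecar strips only that outer layer, and because the Service port is declared as `https` the sidecar hands the still-encrypted application TLS stream to the container rather than trying to parse it as HTTP.

```yaml
# Added example: TLS passthrough end to end through an Istio mesh with STRICT mTLS.
# Names, namespace and hostname are assumptions, not taken from the original post.
---
# 1. Ingress Gateway: accept TLS on 443 and forward the encrypted stream as-is.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: passthrough-gateway
  namespace: demo
spec:
  selector:
    istio: ingressgateway          # default Istio ingress gateway pods
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - nginx.example.com
    tls:
      mode: PASSTHROUGH            # no credentialName: the gateway never decrypts
---
# 2. VirtualService: with passthrough there is no HTTP to route on, so the only
#    usable routing key is the SNI hostname in the ClientHello (a tls route,
#    not an http route).
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: nginx-passthrough
  namespace: demo
spec:
  hosts:
  - nginx.example.com
  gateways:
  - passthrough-gateway
  tls:
  - match:
    - port: 443
      sniHosts:
      - nginx.example.com
    route:
    - destination:
        host: my-nginx.demo.svc.cluster.local
        port:
          number: 443
---
# 3. Service: the container port carries TLS, so name it "https" (or set
#    appProtocol: https). The sidecar then treats it as opaque TLS and passes
#    the still-encrypted stream to the container instead of parsing it as HTTP.
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
  namespace: demo
spec:
  selector:
    app: my-nginx
  ports:
  - name: https
    port: 443
    targetPort: 443              # assumes the container listens with TLS on 443
---
# 4. PeerAuthentication: require mTLS for every proxy-to-proxy hop in the
#    namespace. This wraps the gateway -> sidecar hop; the sidecar removes only
#    that outer mTLS layer, and the application's own TLS session inside it is
#    untouched and terminates in the container.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: demo
spec:
  mtls:
    mode: STRICT
```

Apply with `kubectl apply -f` and check the path from outside with `openssl s_client -connect <ingress-ip>:443 -servername nginx.example.com`: the certificate presented must be the application's own, not one issued to the gateway, which confirms nothing in the mesh terminated the session. Two caveats for this design: Istio cannot see HTTP on a passthrough hop, so HTTP-level routing, retries, authorization-by-path and HTTP telemetry are unavailable for that traffic; and if the Service port were named `http` instead, the sidecar would try to parse the TLS bytes as HTTP and the connection would fail.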
