Azunna

Reputation: 1

How to Enable MTLS with MultiCluster Service on GKE

I am looking for how to enable mTLS with services exported via the ServiceExport resource. I currently have two clusters in a fleet and I would like to establish multi-cluster service communication with mTLS. I have an Istio mTLS STRICT policy applied on a namespace in cluster 1:

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: mcs-mtls-policy
  namespace: multi-cluster-demo
spec:
  mtls:
    mode: STRICT

However, when I try to reach the service from a pod in cluster 2, I get the following response:

root@mcs-test:/# curl whereami.multi-cluster-demo.svc.clusterset.local -vk
*   Trying 10.32.24.79:80...
* Connected to whereami.multi-cluster-demo.svc.clusterset.local (10.32.24.79) port 80 (#0)
> GET / HTTP/1.1
> Host: whereami.multi-cluster-demo.svc.clusterset.local
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< content-length: 95
< content-type: text/plain
< date: Tue, 08 Aug 2023 09:50:07 GMT
< server: envoy
< 
* Connection #0 to host whereami.multi-cluster-demo.svc.clusterset.local left intact

If I change the mTLS policy mode to PERMISSIVE I get a successful response; however, I would like to enforce mTLS within the cluster.

*   Trying 10.32.24.79:80...
* Connected to whereami.multi-cluster-demo.svc.clusterset.local (10.32.24.79) port 80 (#0)
> GET / HTTP/1.1
> Host: whereami.multi-cluster-demo.svc.clusterset.local
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< server: envoy
< date: Tue, 08 Aug 2023 11:06:25 GMT
< content-type: application/json
< content-length: 390
< access-control-allow-origin: *
< x-envoy-upstream-service-time: 5
<

I am assuming this is due to the traffic being sent without mTLS, but even when I try to do it manually as described here, it doesn't work either. Could this be due to Anthos, or is it related to Traffic Director? I know Traffic Director supports mTLS, but I'm not sure how to configure that with the ServiceExport resource.

Please help guide me, thanks.

Upvotes: 0

Views: 307
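The two curl transcripts above differ in exactly the fields a diagnosis hinges on: whether curl itself negotiated TLS (it did not; both connections are plaintext to port 80), what status came back, and whether the responder identified itself as Envoy. The following helper, an added example and not code from the question or from Istio, parses a `curl -v` transcript into those fields and labels the 503-from-Envoy-over-plaintext pattern that STRICT mode produces when a caller does not present a mesh mTLS certificate; the sample transcript is a trimmed copy of the failing one above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the failing `curl -v` transcript from the question, trimmed.
SAMPLE_503 = """\
*   Trying 10.32.24.79:80...
* Connected to whereami.multi-cluster-demo.svc.clusterset.local (10.32.24.79) port 80 (#0)
> GET / HTTP/1.1
> Host: whereami.multi-cluster-demo.svc.clusterset.local
< HTTP/1.1 503 Service Unavailable
< content-length: 95
< server: envoy
"""


@dataclass
class CurlResult:
    host: Optional[str]
    port: Optional[int]
    tls_by_curl: bool  # True only if curl printed "* SSL connection using ..."
    status: Optional[int]
    server: Optional[str]

    def verdict(self) -> str:
        """Plain-language reading of the transcript for an Istio mTLS check."""
        if self.status is None:
            return "no HTTP response (connection closed before headers)"
        if self.status == 503 and self.server == "envoy" and not self.tls_by_curl:
            return ("plaintext request answered 503 by an Envoy proxy: "
                    "consistent with STRICT mTLS rejecting a non-mTLS caller")
        if 200 <= self.status < 300:
            return "request accepted"
        return f"HTTP {self.status} from {self.server or 'unknown server'}"


def parse_curl_verbose(text: str) -> CurlResult:
    """Extract host, port, TLS use, status and Server header from curl -v output."""
    host = port = status = server = None
    tls = False
    for line in text.splitlines():
        m = re.match(r"\* Connected to (\S+) \(\S+\) port (\d+)", line)
        if m:
            host, port = m.group(1), int(m.group(2))
        if line.startswith("* SSL connection using"):
            tls = True
        m = re.match(r"< HTTP/\d(?:\.\d)? (\d{3})", line)
        if m:
            status = int(m.group(1))
        m = re.match(r"< server: (\S+)", line, re.IGNORECASE)
        if m:
            server = m.group(1).lower()
    return CurlResult(host, port, tls, status, server)
```

Running `parse_curl_verbose(SAMPLE_503).verdict()` on the transcript above flags the STRICT pattern, while the PERMISSIVE transcript parses to a 200 and "request accepted".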

Answers (0)
