Gaurav Dwivedi

Reputation: 1

Enable/disable mTLS per service URL path

I have a question: Is it possible to enable/disable mTLS for a particular URL?

Let's consider the situation I have: Service_A exposes port 8080 and serves several URLs, like /, /status and /metrics. So I want to have the following:

enable mTLS for service_A:8080
disable mTLS for service_A:8080/status and service_A:8080/metrics

Is it possible?

This is my current config. How can I ensure I have mTLS only on a path and not on the host and port?

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: some-gateway-dev
spec:
  selector:
    istio: dev-ingressgateway
  servers:
    # Plain HTTP listener that only redirects to HTTPS
    - hosts:
        - some.domain.com
      port:
        name: http-some-gateway-dev
        number: 80
        protocol: HTTP
      tls:
        httpsRedirect: true
    # HTTPS listener requiring a client certificate (mTLS) for the whole host
    - hosts:
        - some.domain.com
      port:
        name: https-some-gateway-dev
        number: 443
        protocol: HTTPS
      tls:
        credentialName: some-gateway-dev-credential
        mode: MUTUAL
        subjectAltNames:
          - allowconnectionfromhost.com
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: some-virtualservice
spec:
  gateways:
    - some-gateway-dev
    - mesh
  hosts:
    - some.domain.com
    - service-tcp-some
  http:
    - match:
        - uri:
            prefix: /
      timeout: 30s
      route:
        - destination:
            host: service-tcp-some
            port:
              number: 8080
            subset: some-#VERSION#
          weight: 100

I tried to make use of service entries and also an authentication policy, but it seems neither of them has an option to pass subjectAltNames.

Upvotes: 0

Views: 177

Answers (1)

prnvbn

Reputation: 1027

You can try using the PeerAuthentication resource, from the Istio docs - https://istio.io/latest/docs/reference/config/security/peer_authentication/

... PeerAuthentication determines whether or not mTLS is allowed or required for connections to an Envoy proxy sidecar.

Policy that enables strict mTLS for all finance workloads, but leaves the port 8080 to plaintext. Note the port value in the portLevelMtls field refers to the port of the workload, not the port of the Kubernetes service. (This example is from the linked Istio docs.)

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    mode: STRICT
  portLevelMtls:
    8080:
      mode: DISABLE

Upvotes: 0
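PeerAuthentication works per workload port, not per path, for the same reason as at the gateway: mTLS is negotiated on the connection before the sidecar sees an HTTP request. If the requirement really is per path on the sidecar, the usual approximation is to leave the workload in PERMISSIVE mode so plaintext can reach it at all, then reject any request that did not arrive over mTLS unless it targets /status or /metrics. This is an added example, not taken from the answer above or from the Istio docs page it quotes; the namespace foo, the app: finance label and the policy names are assumptions, and it relies on notPrincipals: ["*"] matching requests that carry no peer identity (i.e. plaintext), which is the pattern Istio's security best practices use to require mTLS.

```yaml
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  mtls:
    # PERMISSIVE accepts both mTLS and plaintext on the workload;
    # the per-path decision is made by the AuthorizationPolicy below.
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: require-mtls-except-health
  namespace: foo
spec:
  selector:
    matchLabels:
      app: finance
  action: DENY
  rules:
    # Deny a request that has no peer identity (it did not come over mTLS) ...
    - from:
        - source:
            notPrincipals: ["*"]
      # ... when it targets port 8080 on any path other than the two
      # plaintext-allowed ones.
      to:
        - operation:
            ports: ["8080"]
            notPaths: ["/status", "/metrics"]
```

Two caveats for the original question: the peer identity matched here is the mesh SPIFFE identity from the sidecar-to-sidecar mTLS, not the external client certificate the Gateway validates with subjectAltNames, so this does not replace the Gateway-level check for traffic coming from outside the mesh; and a DENY rule is preferable to an ALLOW rule here because an ALLOW policy would also start denying every other request to the workload that it does not explicitly list.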
