We currently are using Istio v1.5.10 in our Kubernetes cluster with a PeerAuthentication policy forcing strict mTLS between sidecars. When service A sends a request to service B, we would like to have service B be able to verify that the request originated from service A (and not service C). Is there any convenient way to do this with Istio? Can the sidecar add a header to the incoming HTTP request indicating the name of the peer service (validated by mTLS)?
Is the intent to just prevent service C to service B communication?
This can be achieved indirectly using an AuthorizationPolicy https://istio.io/latest/docs/tasks/security/authorization/authz-deny/ by adding a "from:" condition based on the service principal. This does assume that there is a DestinationRule for service B forcing all traffic there to go through Istio Mutual mTLS https://istio.io/latest/docs/reference/config/networking/destination-rule/.
No, both services A and C should be allowed to send requests to service B. We just want B to be able to know definitively which service the request came from. If we were doing mTLS ourselves, we would be able to do this easily by looking at the client certificate in question.
My understanding is that this behavior is true with the Istio Mutual mode: the X.509 cert is also passed to the application in an HTTP header with a SAN indicating the identity of the calling service.
How do you turn that on? Right now no such header is being set.
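The header the thread is circling around is Envoy's X-Forwarded-Client-Cert (XFCC). When the inbound sidecar terminates mTLS it can forward the peer certificate's details to the application in that header, including the URI SAN, which for Istio workloads is the SPIFFE ID spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>. The snippet below is an added example, not code from the thread or from Istio: it parses an XFCC value the way Envoy formats it (comma-separated certificate elements, semicolon-separated key=value pairs, double-quoted values that may themselves contain ; or =), pulls the SPIFFE identity out of the URI field, and checks it against an allowlist so service B can tell service A from service C. The sample header is constructed, and the helper names (parse_xfcc, peer_identity, caller_is_allowed) are hypothetical. One caveat a practitioner should keep in mind: the header is only trustworthy if the application is reachable exclusively through its sidecar with strict mTLS, since any client that can hit the pod directly could set it; a non-SPIFFE or missing URI is treated as "unknown caller" for that reason.

```python
"""Identify the mTLS peer behind an Istio sidecar from the XFCC header.

Added example (not Istio's own code). Assumes Envoy's default formatting
of X-Forwarded-Client-Cert and Istio's SPIFFE ID layout for workloads.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: what service B's sidecar would hand to the app when
# service-a (same namespace "shop") calls it. "By" is the local identity,
# "URI" is the caller's SPIFFE ID taken from the verified client cert.
SAMPLE_XFCC = (
    "By=spiffe://cluster.local/ns/shop/sa/service-b;"
    "Hash=6d0c1f2e3b4a5968778695a4b3c2d1e0f1e2d3c4b5a69788796a5b4c3d2e1f00;"
    'Subject="";'
    "URI=spiffe://cluster.local/ns/shop/sa/service-a"
)

# Istio workload identity: spiffe://<trust-domain>/ns/<namespace>/sa/<sa>
SPIFFE_ID = re.compile(r"^spiffe://(?P<td>[^/]+)/ns/(?P<ns>[^/]+)/sa/(?P<sa>[^/]+)$")


@dataclass(frozen=True)
class PeerIdentity:
    trust_domain: str
    namespace: str
    service_account: str


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on `sep`, ignoring separators inside double-quoted values.

    Envoy quotes values that contain , ; or = and escapes inner quotes
    with a backslash, so a naive str.split would break on Subject fields.
    """
    parts: List[str] = []
    buf: List[str] = []
    quoted = escaped = False
    for ch in text:
        if escaped:                      # keep the escaped char verbatim
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\" and quoted:
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p]


def _unquote(value: str) -> str:
    """Strip Envoy's surrounding double quotes and unescape inner quotes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].replace('\\"', '"')
    return value


def parse_xfcc(header: str) -> List[Dict[str, List[str]]]:
    """Parse an XFCC header into one dict per certificate element.

    Keys (By, Hash, Subject, URI, DNS, ...) map to lists because a cert can
    carry several SANs and Envoy repeats the key for each one.
    """
    elements: List[Dict[str, List[str]]] = []
    for element in _split_unquoted(header.strip(), ","):
        fields: Dict[str, List[str]] = {}
        for pair in _split_unquoted(element, ";"):
            key, eq, value = pair.partition("=")
            if not eq:                   # malformed fragment, skip it
                continue
            fields.setdefault(key.strip(), []).append(_unquote(value.strip()))
        elements.append(fields)
    return elements


def peer_identity(header: str) -> Optional[PeerIdentity]:
    """Return the SPIFFE identity of the direct mTLS peer, or None.

    Istio's inbound listener sanitizes XFCC and sets it for the immediate
    client, so a single element is expected; we only trust the first one.
    Anything that is not a well-formed Istio SPIFFE ID is treated as unknown.
    """
    elements = parse_xfcc(header)
    if not elements:
        return None
    for uri in elements[0].get("URI", []):
        m = SPIFFE_ID.match(uri)
        if m:
            return PeerIdentity(m["td"], m["ns"], m["sa"])
    return None


def caller_is_allowed(header: str, allowed: Set[Tuple[str, str]]) -> bool:
    """App-level check: is the (namespace, service account) on the allowlist?"""
    ident = peer_identity(header)
    return ident is not None and (ident.namespace, ident.service_account) in allowed


if __name__ == "__main__":
    print(peer_identity(SAMPLE_XFCC))
    print(caller_is_allowed(SAMPLE_XFCC, {("shop", "service-a"), ("shop", "service-c")}))
```

In practice the application would read request.headers["X-Forwarded-Client-Cert"] and call peer_identity on it; for plain allow/deny between known services the Istio-native route is an AuthorizationPolicy whose source.principals list the same SPIFFE identities, and the header parsing is what you reach for when the application itself needs to know who called, e.g. for auditing or per-caller behaviour.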