Authentication Policy issues


#1

Looking for some advice/help. I’m struggling with mTls enabled with my service mesh and communicating with the kubernetes api. I have istio 1.0.5 installed. Global mTls is enabled (perhaps this is the problem?). Instructions say to not have it enabled…

Followed the first steps of example (Stopped at “Cleanup part 1”):

The last step seems to have no effect. I always get the 000, command terminated with exit code 35.

I assume, something fundamental like this, I’m just doing something wrong.

Ideas? Trouble shooting ideas?

Also, when I change:

"kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items…metadata.name}) -c sleep -n foo – curl [https]://kubernetes.default/api --header “Authorization: Bearer $TOKEN” --insecure -s -o /dev/null -w “%{http_code}\n”

to

"kubectl exec $(kubectl get pod -l app=sleep -n foo -o jsonpath={.items…metadata.name}) -c sleep -n foo – curl [https]://kubernetes.default.svc.cluster.local/api --header “Authorization: Bearer $TOKEN” --insecure -s -o /dev/null -w “%{http_code}\n”

It gives me a 401(my token must be bad), but i’d really like [https]://kubernetes.default/api and honestly [https]://10.0.0.1:443/api to work as well…

Appologize for mangling the URLs above, Since i’m a first poster it only allows 2 links.


#2

Disregard. I installed istio incorrectly. Just generating the template via helm and applying it with kubectl doesnt work properly. Needed to have helm install it so it could do the post-install hooks etc.